Rsyslog

Last Updated: Feb. 07, 2023

Open /etc/rsyslog.d/ and create a file named coralogix.rsyslog.conf

Paste the lines below into this file. Change your application name, private key and company ID.

 $template CoralogixSyslogFormat,"{\"fields\": {\"private_key\":\"put-your-private-key\",\"company_id\":\"company-id\",\"app_name\":\"name-for-application\",\"subsystem_name\":\"%programname%\"},\"message\": {\"message\":\"%msg:::json%\",\"program_name\":\"%programname%\",\"pri_text\":\"%pri-text%\",\"hostname\":\"%HOSTNAME%\"}}"
*.* @@syslogserver.coralogix.com:5142;CoralogixSyslogFormat

In the example above, we are using the Coralogix Syslog endpoint for a Team located in the EU cluster (.coralogix.com). To choose the correct endpoint for your Team, please refer to the table below.

Please match the last few characters of your Coralogix Team’s name URL (.coralogix.com, .eu2.coralogix.com, etc.) to the table below, to determine the correct Syslog Endpoint to use:

ClusterAPI Endpoint

Once done, restart rsyslog and you are all set.
Make sure that port 5142 is open in your firewall to allow the connection.

Note: In the Coralogix rsyslog integration configuration, "hostname":"%HOSTNAME%" does not correspond to a "hostname" field that will appear in the syslog messages sent to Coralogix. This is actually the name of the server sending the messages.

To see the “hostname” in the Explore screen, please select the “Computer” field as a column, from the list of available fields.

To do so, please click “COLUMNS” on the top right of the UI:

And drag the “Computer” field to the list of fields “In Use” on the right, followed by “APPLY”.

If you want to send your logs via UDP or set a manual installation, please continue to read below.

UDP Installation

Determining Syslog type

Coralogix only supports rsyslog, not syslog-ng.

  1. Open your terminal window and type:
ls -d /etc/*syslog*

If you see rsyslog.d, you are using rsyslog. If you see syslog-ng, you are using syslog-ng which has been deprecated.

If you don’t see any of these options then please install rsyslog. Most Linux distributions already have this syslog package included, so you should refer to the documentation of your Linux distribution for installation guidelines.

Rsyslog configuration

Open your terminal window and open the file rsyslog.conf with your favorite editor.

vi /etc/rsyslog.conf

Locate a line containing the parameter $RepeatedMsgReduction. If it is configured to ‘on’ then please turn it off. If the line is commented then please uncomment it. If you can’t find this parameter then you should add it. After the modification it should look like this:

$RepeatedMsgReduction off

Download the coralogix rsyslog configuration file rsyslog.conf (right click link + save as) and save it in /etc/rsyslog.d/ folder

cd /etc/rsyslog.d && wget


vi /etc/rsyslog.d/coralogix.rsyslog.conf

Template configuration

Navigate to the template section and update the CoralogixSyslogFormat parameter with your specific values. You should change only the values in BOLD:

#                        TEMPLATE SECTION                         #
$template CoralogixSyslogFormat,"{\"fields\": {\"private_key\":\"YOUR COMPANY KEY\",\"company_id\":\"YOUR COMPANY ID\",\"app_name\":\"YOUR APPLICATION NAME\",\"subsystem_name\":\"YOUR APPLICATION SUBSYSTEM NAME\"},\"message\": {\"message\":\"%msg:::json%\",\"program_name\":\"%programname%\",\"pri_text\":\"%pri-text%\",\"hostname\":\"%HOSTNAME%\",\"tag\":\"%syslogtag%\"}}\n"

[YOUR COMPANY ID]: A unique ID that represents your company. The private key can be found under ‘settings’ -> ‘send your logs’. It is located in the upper left corner.

[YOUR COMPANY KEY]: You can locate your company key in the Coralogix dashboard. Please navigate to Settings->SEND YOUR LOGS

[YOUR APPLICATION NAME]: The Application name parameter allows you to split between the different sources of your data, whether it’s different environments or complete different applications.

[YOUR APPLICATION SUBSYSTEM NAME]: Your application probably has multiple subsystems, for example: Backend servers, Middleware, Frontend servers etc. To help you examine the data you need, inserting the subsystem parameter is vital.

If you have several applications or subsystem components writing to the same syslog, you should create this template for each one of them and give each a unique name. For instance, suppose you have an application named myapp with 2 subsystems under it: mydal and myclient (2 different processes running on the same host). An appropriate template configuration would be:

$template CoralogixSyslogFormat1,"{\"fields\": {\"private_key\":\"530e925d-be9e-****-****-75884f54efbe\",\"company_id\":\"****\",\"app_name\":\"prod\",\"subsystem_name\":\"nginx\"},\"message\": {\"message\":\"%msg:::json%\",\"program_name\":\"%programname%\",\"pri_text\":\"%pri-text%\",\"hostname\":\"%HOSTNAME%\",\"tag\":\"%syslogtag%\"}}\n"

Filter configuration

Navigate to the filter section of the file

#                        FILTER SECTION                           #
#Filter messages and send only the relevant one
#For more information and other filter options please refer to:
#This will filter messages and send only the one with program name equal to: myApp
#:programname, isequal, "myapp" 
#This will filter messages and send only the one with facility equal to: user
#:syslogfacility-text, isequal, "user"

You should configure syslog to send logs only from your application rather than entire messages coming from your Linux OS. Using rsyslog filters you can forward only those messages that successfully pass your filter. You can define many different filters. For example:

To filter only application with the name myapp:

:programname, isequal, "myapp"

To filter only applications writing to facility user:

:syslogfacility-text, isequal, "user"

You can also filter by other parameters and you can use regular expressions as well. For more information on filtering please refer to: rsyslog filters

In case you do want to send the entire syslog data, you can ignore the filter section.

Destination configuration

Navigate to destination section.

#                      DESTINATION SECTION                        #
#Send with UDP
*.* @syslogserver.coralogix.com:5140;CoralogixSyslogFormat
#Print messages locally. Great for debugging
#*.* /var/log/messages;CoralogixSyslogFormat

You can configure rsyslog to send logs via UDP protocol using port 5140.

In addition, you can redirect your syslog messages to a local file. This is useful if you want to see the exact data that is being sent to Coralogix, which makes this option great for debugging. If you are having trouble sending your syslog data to Coralogix, you should first check how logs are written locally. Another good example is when you want to filter your syslog data based on your application name but you are not sure of the exact name of the process. If you want to use this option, just uncomment this line:

*.* /var/log/messages;CoralogixSyslogFormat

Here is an example for the log output of an application myapp sending log: Hello World!:

[email protected]:~$ tail -f /var/log/messages
Nov 10 21:10:06 crx=1 crxversion=1 crxtype=syslog crxcompid=1
crxpkey=11111111-1111-1111-1111-1111111111 crxapp=myapp crxsubsys=mydal crxhostname=hostname1
crxtag='' <CRX.TIME_STAMP=1478812206820706> <CRX.PRI=daemon.err> <CRX.CATEGORY_REWRITE=''>
<CRX.SEVERITY_REWRITE=''> <CRX.MSG_REWRITE=''> <CRX.PROGRAM_NAME=my-app1> <CRX.MSG=Hello World!>

crxapp=myapp – This is the name of the application as you defined it in the template.

<CRX.PROGRAM_NAME=my-app1> – This is the process/program name that sent the log line to syslog.

If you defined several templates for each program/process name then instead of using one generic redirect rule:

*.* @syslogserver.coralogix.com:5140;CoralogixSyslogFormat

You should use a conditional redirect. For instance:

if $programname == 'mydal' then @syslogserver.coralogix.com:5140;CoralogixSyslogFormat1
if $programname == 'myclient' then @syslogserver.coralogix.com:5140;CoralogixSyslogFormat2

By default syslog listens for messages on a LOCAL Unix domain socket. In case you are sending messages to your local syslog using UDP, you need to enable this option. Please read rsyslog source documentation to enable this option.

*** Save the file and restart rsyslog. The command to restart rsyslog daemon can vary from one Linux distribution to another but in most cases this would be:

sudo service rsyslog restart
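
A check worth running on the drop-in file before the restart above, given as an added example that is not part of the Coralogix documentation or tooling. The function name `check_coralogix_conf` is hypothetical, and the port pairing it enforces (TCP `@@` on 5142, UDP `@` on 5140) is an assumption taken from the examples on this page.

```shell
#!/bin/sh
# Added example (not Coralogix code): lint an rsyslog drop-in built from the
# templates on this page. Prints one finding per line, returns the count.
check_coralogix_conf() {
    conf=$1
    findings=0
    flag() { echo "$conf: $1"; findings=$((findings + 1)); }

    [ -r "$conf" ] || { echo "$conf: not readable"; return 99; }
    # Only active lines matter; commented-out rules are ignored.
    active=$(grep -v '^[[:space:]]*#' "$conf" || true)

    # 1. Placeholder values copied from the page and never replaced.
    if printf '%s\n' "$active" |
        grep -Eq 'put-your-private-key|name-for-application|YOUR (COMPANY|APPLICATION)'; then
        flag "template still contains placeholder values"
    fi

    # 2. The template embeds private_key, so other local users should not read it.
    if [ -n "$(find "$conf" -maxdepth 0 -perm -004)" ]; then
        flag "file with private_key is world-readable"
    fi

    # 3. Assumed pairing, taken from this page: TCP (@@) on 5142, UDP (@) on 5140.
    if printf '%s\n' "$active" | grep -Eq '@@[^@;[:space:]]+:5140'; then
        flag "TCP action (@@) points at UDP port 5140"
    fi
    if printf '%s\n' "$active" | grep -Eq '(^|[^@])@[^@;[:space:]]+:5142'; then
        flag "UDP action (@) points at TCP port 5142"
    fi

    # 4. Every template named after ';' in a forward action must be defined.
    for t in $(printf '%s\n' "$active" |
        sed -n 's/.*@[^;]*;\([A-Za-z0-9_]*\).*/\1/p' | sort -u); do
        printf '%s\n' "$active" |
            grep -Eq "^[[:space:]]*\\\$template[[:space:]]+$t," ||
            flag "action references undefined template $t"
    done

    return "$findings"
}
```

Call it as `check_coralogix_conf /etc/rsyslog.d/coralogix.rsyslog.conf`; a non-zero exit status is the number of findings. `rsyslogd -N1` can then be used to check the syntax of the full configuration.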

Testing configuration

At this point you should be ready to test your configuration. To send a test message you can use the Linux logger command:

logger -p info Hello World!

This should send a message “Hello World!” with severity info. If you enabled the option to redirect your syslog messages to a local file then you should see this message with the command:

tail -f /var/log/messages

If you don’t see the message then please check your configuration.

Next, navigate to ‘Log Query’ menu in the Coralogix Explore UI and press the Go button to search for the last 15 minutes logs. If you see your logs, then CONGRATULATIONS! You are now connected to Coralogix.

Still not seeing your logs? Book your implementation session, and we’ll ensure your logs are right where they should be.

Docker syslog configuration

Docker provides several log drivers that can redirect console output logs to a log server. For a complete list of log drivers please refer to: Docker log drivers

This section describes how to work with Docker syslog driver and redirect your messages to Coralogix server.

  • Make sure that the host running your Docker container has a syslog daemon up and running.

ps aux | grep syslog

  • Configure your syslog to forward messages to Coralogix server. Please refer to the configuration steps shared earlier in this document.
  • Run your Docker container with the --log-driver option, for instance:

docker run -d --log-driver=syslog ubuntu /bin/sh -c "while true; do echo hello world; sleep 1; done"

  • If you are using docker-compose V2 you can alternatively use:

version: "2"
services:
  myservice:   # placeholder service name
    image: ubuntu
    entrypoint: /bin/sh -c "while true; do echo hello world; sleep 1; done"
    logging:
      driver: "syslog"

That’s it. Your logs should now appear in Coralogix dashboard.