Whether your system generates syslog messages in rfc3164 or rfc5424 format, or lets you transform them to a custom format, seamlessly send your syslogs to Coralogix.
To accommodate many different systems, this tutorial provides configuration options in rfc3164, rfc5424, and custom format.
Regardless of format, each syslog message sent to Coralogix is labeled with a facility code, indicating the type of system generating the message, and is assigned a severity level.
You are required to input the following parameters in your configuration, determined by the system sending your syslogs.
Parameter | Description |
---|---|
Private Key | Coralogix Send-Your-Data API Key |
Application Name | Application name |
SubSystem Name | Subsystem name |
SyslogEndpoint | TLS/TCP syslog endpoint associated with your Coralogix domain |
The platform running your applications will typically support only a subset of syslog formats, with limited customization, making it impossible to send logs in one predefined, fixed format. As such, Coralogix supports various formats and associated structures to pass the needed additional data with the syslog message.
Format | Structure |
---|---|
rfc3164 | key-value pairs |
rfc5424 | key-value pairs or structured data |
JSON | JSON fields |
rfc5424
Structured Data
Assuming the system sending your syslog messages supports rfc5424 format, we highly recommend using it. If the configuration allows, add structured data in the format shown in the example.
Example
<134>1 2022-11-23T07:03:31.402569Z pg-454f526-1 postgres 285528 - [coralogix@1 application_name="..." private_key="..." subsystem_name="..."] pid=285528,user=postgres,db=defaultdb, client=[local] LOG: disconnection: session time: 0:00:00.005 user=postgres database=defaultdb host=[local]
Notes:
When using coralogix@1, the values inside are not prefixed with cx_.
The [coralogix@1 ...] segment allows adding structured data to any message. This is important for sending syslog metadata to Coralogix.
Depending on your system, it may be possible to add key-value pairs to the message body. In this case, add the values prefixed with cx_.
Example
cx_application_name="..." cx_private_key="..." cx_subsystem_name="..."
If the system sending your syslog messages supports custom format, transform the message to JSON along with additional fields. The example below consists of the contents of the file /etc/rsyslog, instructing syslog how to send messages.
Example
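# Wrap each message in JSON together with the Coralogix metadata fields
$template CoralogixSyslogFormat,"{\"fields\": {\"private_key\":\"...\", \"application_name\":\"...\", \"subsystem_name\":\"...\"}, \"message\": {\"message\":\"%msg:::json%\" }}\n"
# Forward all facilities and severities over TCP (@@) using the template above
*.* @@syslog.coralogix.com:6514;CoralogixSyslogFormat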
Note: This requires that rsyslog is configured to support TLS connections.
To test your connection, send a message from the terminal with the command below.
echo '<14>1 2023-04-03T07:48:26.086Z hostname appname - msg_id - Message cx_private_key="xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" cx_application_name="app" cx_subsystem_name="sub" Something happened' | openssl s_client -connect syslog.coralogix.com:6514
Note: Be aware that one extra space in the command will render it invalid.
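The same connection test can be scripted so that the metadata travels in the [coralogix@1 ...] structured-data element, with values escaped as RFC 5424 requires and the server certificate verified before the private key is sent. This Python sketch is an added example, not Coralogix code; the function names and the default hostname, appname and facility values are assumptions, and the endpoint should be the one for your Coralogix domain.

```python
import socket
import ssl
from datetime import datetime, timezone

SD_ID = "coralogix@1"  # structured-data ID shown on this page


def sd_escape(value: str) -> str:
    # RFC 5424 section 6.3.3: '\', '"' and ']' must be backslash-escaped in a PARAM-VALUE
    return value.replace("\\", "\\\\").replace('"', '\\"').replace("]", "\\]")


def build_message(private_key, application, subsystem, msg,
                  hostname="host1", appname="app", procid="-", msgid="-",
                  facility=16, severity=6, when=None):
    """Return one RFC 5424 line carrying the Coralogix metadata as structured data."""
    if not (0 <= facility <= 23 and 0 <= severity <= 7):
        raise ValueError("facility must be 0-23 and severity 0-7")
    when = when or datetime.now(timezone.utc)
    stamp = when.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.%f") + "Z"
    params = {"application_name": application,
              "private_key": private_key,
              "subsystem_name": subsystem}
    sd = " ".join(f'{k}="{sd_escape(v)}"' for k, v in params.items())
    pri = facility * 8 + severity  # PRI = facility * 8 + severity
    # A raw newline would end the frame early on a newline-delimited TCP stream
    msg = msg.replace("\r", " ").replace("\n", " ")
    return f"<{pri}>1 {stamp} {hostname} {appname} {procid} {msgid} [{SD_ID} {sd}] {msg}"


def send(line, host="syslog.coralogix.com", port=6514):
    """Send one message over TLS; the default context verifies certificate and hostname."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            tls.sendall(line.encode("utf-8") + b"\n")


if __name__ == "__main__":
    # Constructed sample values; replace the placeholder key before calling send()
    print(build_message("xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx", "app", "sub",
                        "Something happened"))
```

Because the private key is part of every message, a failed certificate check in send() raises ssl.SSLCertVerificationError before any data leaves the host.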
View your syslog messages as rendered structured logs in your Coralogix dashboard. In your navigation bar, click on Explore > logs tab.
{
  appname:logforwarder
  msg: Failed password for user123 from 192.168.0.1 port 12345 ssh2
  facility:user
  hostname:stream-logfwd20
  msgid:panwlogs
}
As with all the logs ingested into Coralogix, you have the ability to modify their format using parsing rules.
Documentation | Syslog using OpenTelemetry |
Blog | Syslog 101 |