Enabling the Syslog Log

I’m working with the latest nightly builds, and trying to get the syslog plugin working without much success. Running it on my Mac, I get no entries from syslog. I also tried enabling the tail plugin and pointing it to /usr/local/var/log/**.log as suggested in the Telegraf config file, but all that served to do was create massive telegraf.log files due to all the parse errors.

I’ve also tried enabling this on a linux variant, but with equally unsatisfying results. In reading through the config file, it looks like the syslog plugin is looking to read from a specific port for syslog data, so I enabled a ‘remote’ syslog output at 127.0.0.1 but still see no logs gathered.

Pointers to what I’m doing wrong would be greatly appreciated.

dg

For parsing logfiles that are not in one of the input formats you will need to use the logparser input instead of tail. I’m not sure if anyone has setup instructions for a Mac, but did you try following the rsyslog integration instructions in the readme?

This is how I was able to get it to work on my Mac:

  1. Install rsyslog via brew: brew install rsyslog
  2. Create (or edit) the rsyslog conf file, probably located at /usr/local/etc/rsyslog.conf:

     $WorkDirectory /tmp/rsyslog # temporary directory for storing data
     $ActionQueueType LinkedList # use asynchronous processing
     $ActionQueueFileName srvrfwd # set file name, also enables disk mode
     $ActionResumeRetryCount -1 # infinite retries on insert failure
     $ActionQueueSaveOnShutdown on # save in-memory data if rsyslog shuts down
     $ModLoad imudp # loads the udp module
     # listen for messages on udp localhost:514
     $UDPServerAddress localhost
     $UDPServerRun 514

     # forward everything over tcp with octet-counted framing, RFC 5424 format
     *.* @@(o)127.0.0.1:6514;RSYSLOG_SyslogProtocol23Format
  3. Start rsyslog using brew services start rsyslog
  4. If you want syslog messages to flow in, you will need to add this line to /etc/syslog.conf:

     *.*	@localhost:514
  5. Add this configuration to your Telegraf 1.7 conf file:

     [[inputs.syslog]]
       server = "tcp://127.0.0.1:6514"
  6. You can try to restart syslogd using sudo pkill syslogd, or just restart your Mac
  7. Start InfluxDB, Chronograf Nightly, and Telegraf 1.7

That should get everything flowing.


@russ_savage’s answer is the correct one. It now collects log information on my Mac. About to try the same thing on my (embedded) Linux box which also runs rsyslog.

Thanks Russ!

dg

Hi,

Not sure if you tried to do this using Ubuntu yet, but I’ve managed to get the syslog plugin working on Ubuntu 16.04 in a VirtualBox VM using the instructions above and the instructions on the plugin README page that Daniel linked.

Just thought I’d confirm: it does work! Nice.


Thanks @philb! I did try it on my Linux box and it does indeed work! This is all great!

dg

I have noticed in the Telegraf logs:

2018-06-21T12:36:54Z E! Error in plugin [inputs.syslog]: found EOF, expecting a MSGLEN

I’m not sure if I have something configured incorrectly. @davidgs, do you see the same message in the Telegraf logs? If not, then I’ll assume it is my setup that is incorrect.

Thanks

PhilB
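The two configurations above, rsyslog's "*.* @@(o)127.0.0.1:6514;RSYSLOG_SyslogProtocol23Format" target and Telegraf's server = "tcp://127.0.0.1:6514", agree on one wire format: RFC 5424 messages carried in RFC 6587 octet-counting frames, each message prefixed by its byte length and a space. The "found EOF, expecting a MSGLEN" message quoted above is a receiver complaining about exactly that framing: the connection ended while the parser was waiting for a length field. The Python below is an example added to this page, not code from the thread, from Telegraf or from rsyslog. The hostnames, app names and events in sample_stream() are constructed, and its error strings mirror Telegraf's wording but are this example's own. It builds messages the way rsyslog would, frames them both with and without "(o)", and parses a TCP byte stream back, reporting where a cut-off or wrongly framed stream fails.

```python
"""Octet-counted syslog over TCP: what rsyslog's "@@(o)host:port;RSYSLOG_SyslogProtocol23Format"
target sends (RFC 5424 messages in RFC 6587 octet-counting frames) and what Telegraf's
[[inputs.syslog]] tcp:// server reads back. Example code written for this thread, not
Telegraf's or rsyslog's own implementation; the sample events below are constructed."""
import socket
from datetime import datetime, timezone

# Facility and severity numbering from RFC 5424, section 6.2.1.
FACILITY_USER, FACILITY_LOCAL0 = 1, 16
SEV_ERR, SEV_INFO = 3, 6


def rfc5424_message(facility, severity, hostname, appname, msg,
                    procid="-", msgid="-", ts=None):
    """Build one RFC 5424 message; the lone "-" stands for empty STRUCTURED-DATA."""
    pri = facility * 8 + severity
    ts = ts or datetime.now(timezone.utc)
    stamp = ts.isoformat(timespec="microseconds").replace("+00:00", "Z")
    return f"<{pri}>1 {stamp} {hostname} {appname} {procid} {msgid} - {msg}"


def frame_octet_counting(message):
    """RFC 6587 octet counting: MSGLEN SP MSG, MSGLEN being the byte length of MSG."""
    body = message.encode("utf-8")
    return str(len(body)).encode("ascii") + b" " + body


def frame_non_transparent(message):
    """What "@@host:port" without "(o)" sends instead: the message terminated by LF."""
    return message.encode("utf-8") + b"\n"


def parse_octet_counted_stream(data):
    """Split a TCP byte stream into messages.

    Returns (messages, error). error is None only when the stream ends exactly on a
    frame boundary; otherwise it says why parsing stopped, in the terms Telegraf uses.
    """
    messages, pos, end = [], 0, len(data)
    while pos < end:
        sep = data.find(b" ", pos, pos + 11)      # MSGLEN is a short run of digits
        if sep == -1:
            if end - pos <= 10:                   # stream ended inside a MSGLEN
                return messages, "found EOF, expecting a MSGLEN"
            sep = pos + 10                        # too long to be a MSGLEN at all
        length_field = data[pos:sep]
        if not length_field.isdigit():
            return messages, (f"found {length_field[:8]!r}, expecting a MSGLEN "
                              "(sender is probably using newline framing)")
        msglen, start = int(length_field), sep + 1
        if start + msglen > end:                  # stream ended inside a MSG
            return messages, f"found EOF, expecting {msglen} octets of MSG"
        messages.append(data[start:start + msglen].decode("utf-8", "replace"))
        pos = start + msglen
    return messages, None


def parse_rfc5424_header(message):
    """Decode PRI and the HEADER fields; None if this is not RFC 5424 version 1."""
    close = message.find(">")
    if not message.startswith("<") or close < 2 or not message[1:close].isdigit():
        return None
    pri = int(message[1:close])
    parts = message[close + 1:].split(" ", 6)
    if len(parts) < 7 or parts[0] != "1":
        return None
    _, timestamp, hostname, appname, procid, msgid, rest = parts
    return {"facility": pri // 8, "severity": pri % 8, "timestamp": timestamp,
            "hostname": hostname, "appname": appname, "procid": procid,
            "msgid": msgid, "rest": rest}


def sample_stream():
    """Constructed sample (not captured from a real host): two events framed the way
    rsyslog would send them to the Telegraf listener."""
    ts = datetime(2018, 6, 21, 12, 36, 54, tzinfo=timezone.utc)
    events = [
        rfc5424_message(FACILITY_USER, SEV_INFO, "mac.local", "sshd",
                        "Accepted publickey for dg from 10.0.0.5", procid="812", ts=ts),
        rfc5424_message(FACILITY_LOCAL0, SEV_ERR, "mac.local", "backup",
                        "snapshot failed: disk full", ts=ts),
    ]
    return b"".join(frame_octet_counting(e) for e in events)


if __name__ == "__main__":
    import sys
    stream = sample_stream()
    print(parse_octet_counted_stream(stream))        # two messages, error None
    print(parse_octet_counted_stream(stream[:-10]))  # cut mid-message: EOF error
    print(parse_octet_counted_stream(frame_non_transparent("<14>1 - - - - - - x")))
    if "--send" in sys.argv:  # deliver the sample to a local Telegraf server = "tcp://127.0.0.1:6514"
        with socket.create_connection(("127.0.0.1", 6514), timeout=5) as sock:
            sock.sendall(stream)
```

Run it as is to see the parse results for the complete, truncated and newline-framed streams; with --send it delivers the two sample events to a Telegraf listener on tcp://127.0.0.1:6514, which is a quick way to tell a framing problem on the rsyslog side from a Telegraf configuration problem. A sender that uses "@@" without "(o)" trips the non-digit MSGLEN branch on the very first byte, so nothing at all is collected, whereas a connection closed part-way through a message loses only that message.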

This sounds like a bug, especially if it otherwise is working. Do you think you could open a bug report on the Telegraf github?

Sure thing. I hadn’t before now because I was unsure if it was just my setup. I’m at work at the moment, but I will do it this afternoon.

EDIT: I’ve added an issue to GitHub. Hopefully I’ve filled it out correctly, but if I’ve missed anything or if you guys want any more info, let me know.

GitHub Issue

Regards

Phil

Heads up to others who may arrive here: I followed @russ_savage’s directions, but was still not finding success.

Investigating, I looked at my rsyslogd.log file to see what it said: tail -f /usr/local/rsyslogd.log. There were two messages in there that required action:

  1. /tmp/rsyslog can not be accessed – so I created that directory;
  2. /usr/local/var/run/rsyslogd.pid could not be written to – so I created that directory;

Then I had to use sudo brew services restart rsyslog to give it the permissions it needed, presumably since it uses a port in the <1000 range (514, specifically).

Then I was finally up and running. I verified this by tailing the log file again. And then actually I was able to view logs in Chronograf!

Thanks to all in this thread!
