Secure Syslog/Rsyslog Server

We strongly suggest following the instructions below to send logs to Wrble over TLS-encrypted TCP. If you cannot do that for some reason, here are instructions for unencrypted sending.

  1. Add TLS Support to Rsyslog

sudo apt-get install rsyslog-gnutls

  2. Configure Rsyslog

Note the version of rsyslog you are using:

rsyslogd -v

Open or create a new Wrble configuration file for rsyslog:

sudo vim /etc/rsyslog.d/wrble.conf

If you are using rsyslogd version 6.x or lower, paste in this configuration:

## Setup disk assisted queues
$WorkDirectory /var/spool/rsyslog # where to place spool files
$ActionQueueFileName fwdRule1 # unique name prefix for spool files
$ActionQueueMaxDiskSpace 1g # 1gb space limit (use as much as possible)
$ActionQueueSaveOnShutdown on # save messages to disk on shutdown
$ActionQueueType LinkedList # run asynchronously
$ActionResumeRetryCount -1 # infinite retries if host is down

# Wrble line format and sending
$template WrbleFormat,"<%pri%>%protocol-version% %timestamp:::date-rfc3339% %HOSTNAME% %app-name% %procid% %msgid% [LOGKEY@56006 tag=\"EXAMPLE_TAG\"] %msg%\n"

#RsyslogGnuTLS
$DefaultNetstreamDriverCAFile /etc/ssl/certs/ca-certificates.crt
$ActionSendStreamDriver gtls
$ActionSendStreamDriverMode 1
$ActionSendStreamDriverAuthMode x509/name
$ActionSendStreamDriverPermittedPeer *.wrble.com
*.* @@ingest.wrble.com:6514;WrbleFormat

If you are using rsyslogd version 7.x or higher, paste in this configuration:

# Setup disk assisted queues
$WorkDirectory /var/spool/rsyslog # where to place spool files
$ActionQueueFileName fwdRule1 # unique name prefix for spool files
$ActionQueueMaxDiskSpace 1g # 1gb space limit (use as much as possible)
$ActionQueueSaveOnShutdown on # save messages to disk on shutdown
$ActionQueueType LinkedList # run asynchronously
$ActionResumeRetryCount -1 # infinite retries if host is down

#Enable TLS
$DefaultNetstreamDriverCAFile /etc/ssl/certs/ca-certificates.crt

# Wrble line format and sending
template(name="WrbleFormat" type="string"
string="<%pri%>%protocol-version% %timestamp:::date-rfc3339% %HOSTNAME% %app-name% %procid% %msgid% [LOGKEY@56006 tag=\"EXAMPLE_TAG\"] %msg%\n")

# Send messages to Wrble over TCP+TLS using the template.
action(type="omfwd" protocol="tcp" target="ingest.wrble.com" port="6514" template="WrbleFormat" StreamDriver="gtls" StreamDriverMode="1" StreamDriverAuthMode="x509/name" StreamDriverPermittedPeers="*.wrble.com")

Replace these placeholders in your wrble.conf file:

  • LOGKEY: Replace with your logging key, available in the project properties.

  • EXAMPLE_TAG: Replace with a tag that describes the syslog source.
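Before restarting rsyslog it is worth checking that the fragment you pasted still carries the settings that make the transport trustworthy: TCP rather than UDP, the gtls driver in mode 1 (TLS only), x509/name authentication with a permitted-peer pattern, a CA file, and no leftover LOGKEY or EXAMPLE_TAG placeholders. The script below is an added example, not Wrble's or rsyslog's own code: it reads both configuration styles shown above (legacy $Action* directives and a RainerScript action(...) object), normalises them to one set of keys and lists anything that weakens the setup. The two sample fragments are constructed; the log key and tag in the sound one are made-up values.

```python
"""Audit a wrble.conf fragment for weak TLS settings and unreplaced placeholders.
Added example (not Wrble's or rsyslog's code); finding texts are this script's own."""
import re

# Placeholders the instructions tell you to replace before the config goes live.
PLACEHOLDERS = ("LOGKEY", "EXAMPLE_TAG")

# Legacy directive name (lower-cased) -> the RainerScript parameter it corresponds to.
LEGACY_KEYS = {
    "defaultnetstreamdrivercafile": "cafile",
    "actionsendstreamdriver": "streamdriver",
    "actionsendstreamdrivermode": "streamdrivermode",
    "actionsendstreamdriverauthmode": "streamdriverauthmode",
    "actionsendstreamdriverpermittedpeer": "streamdriverpermittedpeers",
}
LEGACY_RE = re.compile(r"\$(\w+)\s+(\S+)")
# selector, @ (UDP) or @@ (TCP), optional (options), host, optional :port
FORWARD_RE = re.compile(r"^(\S+)\s+(@@?)(?:\([^)]*\))?([^:;\s]+):?(\d+)?")
PARAM_RE = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')


def _strip_comment(line):
    """Drop a trailing '#' comment, ignoring '#' inside double quotes."""
    in_quote, prev = False, ""
    for i, ch in enumerate(line):
        if ch == '"' and prev != "\\":
            in_quote = not in_quote
        elif ch == "#" and not in_quote:
            return line[:i]
        prev = ch
    return line


def parse_settings(text):
    """Collect the transport-relevant settings from either config style."""
    settings = {}
    for raw in text.splitlines():
        line = _strip_comment(raw).strip()
        if not line:
            continue
        m = LEGACY_RE.match(line)
        if m:
            key = m.group(1).lower()
            settings[LEGACY_KEYS.get(key, key)] = m.group(2)
            continue
        m = FORWARD_RE.match(line)
        if m:  # legacy forwarding rule such as *.* @@host:port;template
            settings["protocol"] = "tcp" if m.group(2) == "@@" else "udp"
            settings["target"], settings["port"] = m.group(3), m.group(4) or "514"
            continue
        for name, value in PARAM_RE.findall(line):  # RainerScript name="value" pairs
            settings[name.lower()] = value
    return settings


def audit(text):
    """Return a list of findings; an empty list means the fragment looks sound."""
    s, findings = parse_settings(text), []
    if s.get("protocol") != "tcp":
        findings.append("forwarding is not TCP: TLS needs a stream transport")
    if s.get("streamdriver") != "gtls":
        findings.append("StreamDriver is not gtls: no TLS driver selected")
    if s.get("streamdrivermode") != "1":
        findings.append("StreamDriverMode is not 1: plaintext would be allowed")
    if s.get("streamdriverauthmode") != "x509/name":
        findings.append("StreamDriverAuthMode is not x509/name: server identity is not checked")
    if not s.get("streamdriverpermittedpeers"):
        findings.append("no PermittedPeers: any certificate the CA issued would be accepted")
    if not s.get("cafile"):
        findings.append("no DefaultNetstreamDriverCAFile: certificate chain cannot be validated")
    stripped = "\n".join(_strip_comment(l) for l in text.splitlines())
    for p in PLACEHOLDERS:
        if re.search(r"\b%s\b" % p, stripped):
            findings.append("placeholder %s has not been replaced" % p)
    return findings


# Constructed sample: the RainerScript config above with a made-up log key and tag.
GOOD_CONF = r"""
$DefaultNetstreamDriverCAFile /etc/ssl/certs/ca-certificates.crt
template(name="WrbleFormat" type="string"
string="<%pri%>%protocol-version% %timestamp:::date-rfc3339% %HOSTNAME% %app-name% %procid% %msgid% [0123456789abcdef@56006 tag=\"web-frontend\"] %msg%\n")
action(type="omfwd" protocol="tcp" target="ingest.wrble.com" port="6514" template="WrbleFormat" StreamDriver="gtls" StreamDriverMode="1" StreamDriverAuthMode="x509/name" StreamDriverPermittedPeers="*.wrble.com")
"""

# Constructed weak variant: TLS optional, anonymous peer, no peer pattern, placeholders left in.
WEAK_CONF = r"""
$DefaultNetstreamDriverCAFile /etc/ssl/certs/ca-certificates.crt
$template WrbleFormat,"<%pri%>%protocol-version% %timestamp:::date-rfc3339% %HOSTNAME% %app-name% %procid% %msgid% [LOGKEY@56006 tag=\"EXAMPLE_TAG\"] %msg%\n"
$ActionSendStreamDriver gtls
$ActionSendStreamDriverMode 0
$ActionSendStreamDriverAuthMode anon
*.* @@ingest.wrble.com:6514;WrbleFormat
"""

if __name__ == "__main__":
    for name, conf in (("good", GOOD_CONF), ("weak", WEAK_CONF)):
        print(name, audit(conf) or "OK")
```

Run it against the real file with `audit(open("/etc/rsyslog.d/wrble.conf").read())`; an empty list means every check passed. The weak sample reports five findings (mode, auth mode, missing permitted peers and both placeholders), which is exactly the set of changes that turn it into the configuration above.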

  3. Edit /etc/rsyslog.conf to set a maximum message size

Open your /etc/rsyslog.conf and set $MaxMessageSize as follows:

$MaxMessageSize 128k

If $MaxMessageSize is not present, add it to your configuration. For this to work reliably, put it at the top of the configuration file.

  4. Restart rsyslogd

sudo service rsyslog restart

  5. Send a Test Event

Use logger to send a test event. Alternatively, use the automatic verification option in configure-syslog.

logger 'Hello Wrble!'

  6. Verify

Verify that the event shows up in Wrble by searching over the past hour. If it does not, contact our ingestion support team at ingest@wrble.com.
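When the test event does not appear, it helps to know exactly what the WrbleFormat template puts on the wire: an RFC 5424 header (PRI, version, timestamp, host, app name, procid, msgid) followed by one structured-data element whose SD-ID is your log key at enterprise number 56006 and whose single parameter is the tag. The parser below is an added example, not Wrble's or rsyslog's own code; it decodes a line in that layout, splits PRI into facility and severity, and reports whether the key, enterprise number and tag are what you expect. The sample line is constructed (a `logger 'Hello Wrble!'` event from a made-up host) and its log key and tag are made-up values.

```python
"""Parse and check a line in the layout the WrbleFormat template emits.
Added example, not part of Wrble's documentation or of rsyslog."""
import re

FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID [SD-ID params] MSG
LINE_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>\d) (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) "
    r"(?P<procid>\S+) (?P<msgid>\S+) \[(?P<sdid>[^\s\]]+)(?P<params>[^\]]*)\] ?(?P<msg>.*)$"
)
PARAM_RE = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')


def parse_wrble_line(line):
    """Return the header fields, the log key, enterprise number, tag and message."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError("line does not match the WrbleFormat layout")
    pri = int(m.group("pri"))
    facility, severity = divmod(pri, 8)  # PRI = facility * 8 + severity
    if facility >= len(FACILITIES):
        raise ValueError("PRI %d encodes an invalid facility" % pri)
    key, _, enterprise = m.group("sdid").partition("@")
    params = dict(PARAM_RE.findall(m.group("params")))
    return {
        "facility": FACILITIES[facility],
        "severity": SEVERITIES[severity],
        "timestamp": m.group("ts"),
        "host": m.group("host"),
        "app": m.group("app"),
        "log_key": key,
        "enterprise_number": enterprise,
        "tag": params.get("tag"),
        "msg": m.group("msg"),
    }


def check_wrble_line(line, expected_key):
    """Return a list of problems; an empty list means the line is ready for ingestion."""
    rec = parse_wrble_line(line)
    problems = []
    if rec["enterprise_number"] != "56006":
        problems.append("SD-ID enterprise number is not 56006")
    if rec["log_key"] != expected_key:
        problems.append("log key does not match the project's key")
    if not rec["tag"]:
        problems.append("tag parameter missing")
    return problems


# Constructed sample: what a `logger 'Hello Wrble!'` event looks like after the
# template, with a made-up host, log key and tag.  PRI 13 = user.notice.
SAMPLE = ('<13>1 2024-05-01T10:15:30+00:00 web01 root - - '
          '[0123456789abcdef@56006 tag="web-frontend"] Hello Wrble!')

if __name__ == "__main__":
    print(parse_wrble_line(SAMPLE))
    print(check_wrble_line(SAMPLE, "0123456789abcdef") or "OK")
```

Feed it a line captured from the sending host (for example from a local file action using the same template) and compare the log key against the one in your project properties; a mismatch there, or a tag that is still EXAMPLE_TAG, explains a search that returns nothing.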