You can use the syslog-ng utility to collect logs. After the logs are collected, you can use the syslog protocol to upload the logs to Simple Log Service. This topic describes how to upload logs to Simple Log Service by using the syslog protocol.
Syslog logs must be stored based on the RFC 5424 protocol. For other Syslog protocols, refer to Collect syslogs.
The maximum size of each log is 64 KB.
Transport Layer Security (TLS) 1.2 must be used to ensure the security of data transmission.
In most cases, you cannot use the TLS protocol or RFC 5424 protocol to collect log data from devices such as on-premises VPNs and routers. We recommend that you use the syslog plug-in of Logtail to collect data from the devices. For more information, see Collect syslogs.
If you upload logs by using the syslog protocol, you must specify the endpoint to which you want to upload the logs. The address is in the <Project name>.<Log Service endpoint>:<Syslog protocol port number> format. Example: Specify an endpoint based on the region where your Simple Log Service project resides. For more information, see Endpoints. The syslog port is 10009. You must also specify a Simple Log Service project, a Logstore, and an AccessKey pair in the STRUCTURED-DATA field. The following table describes the parameters.
Parameter | Description | Example |
STRUCTURED-DATA | The value is set to logservice. | logservice |
Project | The name of a project. Before you can collect logs, you must create a project. For more information, see Create a project. | test-project-1 |
Logstore | The name of a Logstore. Before you can collect logs, you must create a Logstore. For more information, see Create a Logstore. | test-logstore-1 |
access-key-id | The AccessKey ID that is used to access Simple Log Service. We recommend that you use the AccessKey pair of a RAM user. For more information, see Create a RAM user and authorize the RAM user to access Log Service. | LT****9k |
access-key-secret | The AccessKey secret that is used to access Simple Log Service. We recommend that you use the AccessKey pair of a RAM user. For more information, see Create a RAM user and authorize the RAM user to access Log Service. | Wp****bA |
Example: Use the syslog-ng utility to upload syslog logs to Simple Log Service
Syslog-ng is an open source utility that runs on UNIX and UNIX-like systems. This utility is based on the syslog protocol. You can run the sudo yum install syslog-ng command or sudo apt-get install syslog-ng command to install the syslog-ng utility.
The rsyslog utility is pre-installed on Linux servers. This utility is incompatible with the syslog-ng utility. Before you use the syslog-ng utility, you must uninstall the rsyslog utility.
Open the syslog-ng configuration file.
The default path of the syslog-ng configuration file is /etc/syslog-ng/syslog-ng.conf.
Configure the following settings and append the configurations to your syslog-ng configuration file:
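### Syslog-ng Logging Config for LogService ###
template LogServiceFormat {
    # RFC 5424 line; the logservice STRUCTURED-DATA element carries the project, Logstore, and AccessKey pair.
    template("<${PRI}>1 ${ISODATE} ${HOST:--} ${PROGRAM:--} ${PID:--} ${MSGID:--} [logservice project=\"test-project-1\" logstore=\"test-logstore-1\" access-key-id=\"<yourAccessKeyId>\" access-key-secret=\"<yourAccessKeySecret>\"] $MSG\n");
    template_escape(no);
};
destination d_logservice{
    # The first argument of tcp() is the endpoint host in the <Project name>.<Log Service endpoint> format.
    # peer-verify(required-untrusted) requires the server to present a certificate
    # but does not require that certificate to be issued by a trusted CA.
    tcp("" port(10009) tls(peer-verify(required-untrusted)) template(LogServiceFormat));
};
log {
    source(s_sys); # s_sys is used by default
    destination(d_logservice);
};
### END Syslog-ng Logging Config for LogService ###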
Restart the syslog-ng utility.
Run the sudo /etc/init.d/syslog-ng restart command, sudo service syslog-ng restart command, or sudo systemctl restart syslog-ng command to restart the syslog-ng utility.
Run the logger command to generate test logs.
For example, you can run the logger hello world! command to generate logs.
Sample logs
After you upload logs to Simple Log Service, you must configure indexes for the logs. Then, you can view the logs in the Simple Log Service console. For more information, see Create indexes.
For information about log fields, see RFC 5424 protocol.
By default, Simple Log Service deletes the Logservice field to ensure that your AccessKey pair is not leaked.
Log field | Description |
__source__ | The hostname in the raw log. |
__topic__ | The value is set to syslog-forwarder. |
__facility__ | The facility information, such as the information of the device and module. |
__program__ | The name of the process. |
__serverity__ | The severity level of the syslog log. |
__priority__ | The priority of the syslog log. |
__unixtimestamp__ | The UNIX timestamp of the raw log. Unit: nanoseconds. |
content | The msg field in the raw log. |
How do I simulate log uploading?
You can use Netcat to simulate log uploading. This way, you can check whether the network connection is normal and whether the AccessKey pair is authorized to send syslog logs.
Log on to the server on which you want to simulate log uploading.
Run the following command to install Netcat:
sudo yum install nmap-ncat
Run the following command to connect to Simple Log Service:
ncat --ssl <yourProject>.<yourEndpoint> 10009
ncat --ssl 10009
Netcat does not check whether network connections are interrupted. After you run an ncat command, enter the information that you want to send and press the Enter key within 30 seconds.
<34>1 2019-03-28T03:00:15.003Z su - ID47 [logservice project="<yourProject>" logstore="<yourLogstore>" access-key-id="<yourAccessKeyID>" access-key-secret="<yourAccessKeySecret>"] this is a test message
<34>1 2019-03-28T03:00:15.003Z su - ID47 [logservice project="trace-doc-test" logstore="doc-test-001-logs" access-key-id="LTAI4***" access-key-secret="HfJEw***"] this is a test message
After you send the syslog log, you can preview the log in the Simple Log Service console.
For more information, see Preview logs.
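A scripted form of the Netcat test above, added here as an example and not taken from Simple Log Service documentation or tooling. The function names are hypothetical. It assumes one newline-terminated message per log, as in the syslog-ng template on this page, and that the endpoint's certificate validates against the system trust store.

```python
import re
import socket
import ssl
from datetime import datetime, timezone

MAX_LOG_BYTES = 64 * 1024   # page: the maximum size of each log is 64 KB
SYSLOG_PORT = 10009         # page: the syslog port


def sd_escape(value):
    # RFC 5424 section 6.3.3: escape \ " and ] inside an SD-PARAM value.
    return re.sub(r'([\\"\]])', r"\\\1", value)


def build_frame(project, logstore, key_id, key_secret, msg, pri=34,
                host="-", app="-", procid="-", msgid="-", ts=None):
    # Same field order as the syslog-ng template on this page.
    ts = ts or datetime.now(timezone.utc).isoformat(
        timespec="milliseconds").replace("+00:00", "Z")
    params = (("project", project), ("logstore", logstore),
              ("access-key-id", key_id), ("access-key-secret", key_secret))
    sd = " ".join(f'{k}="{sd_escape(v)}"' for k, v in params)
    line = f"<{pri}>1 {ts} {host} {app} {procid} {msgid} [logservice {sd}] {msg}"
    if "\n" in line or "\r" in line:
        raise ValueError("embedded newline would split the message in two")
    data = (line + "\n").encode("utf-8")
    if len(data) > MAX_LOG_BYTES:
        raise ValueError(f"{len(data)} bytes exceeds the 64 KB limit")
    return data


def redact(frame):
    # Mask the AccessKey secret before a frame reaches any local debug output.
    return re.sub(r'(access-key-secret=")(?:[^"\\]|\\.)*(")', r"\1***\2",
                  frame.decode("utf-8"))


def tls_context():
    ctx = ssl.create_default_context()            # verifies CA chain and hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # page: TLS 1.2 must be used
    return ctx


def send(endpoint_host, frame, timeout=10.0):
    # endpoint_host: <Project name>.<Log Service endpoint>, as described on this page.
    with socket.create_connection((endpoint_host, SYSLOG_PORT), timeout=timeout) as raw:
        with tls_context().wrap_socket(raw, server_hostname=endpoint_host) as tls:
            tls.sendall(frame)
```

Because the AccessKey pair travels inside every message, print `redact(frame)` rather than the raw frame when troubleshooting.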
What do I do if logs fail to be uploaded?
Troubleshoot the failure based on the error message. For more information, see How do I view Logtail collection errors?.