Configuring remote syslog from Unix/Linux and BSD/OS X

To log from a Unix system, edit the system’s syslog daemon config file. These instructions are a reference. Papertrail will provide more specific instructions (including a log destination) when you add a system.

Note: Some apps write logs directly to text files, bypassing the syslog daemon. To collect logs from these apps, use remote_syslog2 instead. The instructions below may still be useful, to include operating system logs, for example.

Determine System Logger

See which logger your system uses. Run:

ls -d /etc/*syslog*

Which filename is listed? rsyslog.conf, syslog-ng.conf, syslog.conf, or none.

Configuration: rsyslog.conf

rsyslog is often seen on: Debian; Fedora; SuSE; Ubuntu; most other Linux distributions.

1. Configure rsyslog

As root, edit /etc/rsyslog.conf or /etc/syslog.conf with a text editor (like pico or vi). Paste a line like this at the end of the file:

*.*                       @<host>.papertrailapp.com:<port>

Note: Replace <host>.papertrailapp.com with the hostname from Papertrail’s Web interface. If Papertrail provided a port, replace <port> with the port. Typically these are on Add Systems.

2. Activate change

Tell rsyslog to activate the change (on most OS’s):

sudo killall -HUP rsyslog rsyslogd

On Ubuntu:

sudo service rsyslog restart

Log messages should begin appearing in Papertrail. Optionally, configure encrypted logging with TLS.

By default, rsyslog sends messages from the system’s hostname (such as www42). To change this behavior and choose your own hostname or use the FQDN, see How can I override the hostname?.

Configuration: syslog-ng.conf

syslog-ng is often seen on: Gentoo 2005.0+; SuSE 9.3+.

1. Configure syslog-ng

As root, edit /etc/syslog-ng.conf with a text editor. Find a line starting with source. For example: source s_sys {..}.

At the end of the file, paste this configuration. Replace s_sys with the source name above, typically s_sys, src, s_all, or s_local:

destination d_papertrail {
  udp("<host>.papertrailapp.com" port(<port>));
};

<a name="replace-"s_sys"-with-the-name-you-found"></a>

# replace "s_sys" with the name you found:
log { source(s_sys); destination(d_papertrail); };

Note: Replace <host>.papertrailapp.com with the hostname from Papertrail’s Web interface. If Papertrail provided a port, replace <port> with the port. Typically these are on Add Systems.

2. Activate change

Tell syslog-ng to activate the change:

sudo killall -HUP syslog-ng

Log messages should begin appearing in Papertrail. Optionally, configure encrypted logging with TLS.

Configuration: syslog.conf

syslogd and sysklogd are often seen on: BSDs; CentOS; Gentoo 2004.3 and older; Mac OS X; RHEL; Slackware; Solaris; most other Unices.

remote_syslog2 can also be used in lieu of syslogd.

1. Register your system’s source IP.

Provide Papertrail with the source IP on Add System. Registering the source IP is only necessary because this daemon only supports logging to the default syslog port, 514.

2. Configure syslogd

As root, edit /etc/syslog.conf with a text editor (like pico or vi). Paste this line at the end of the file:

*.*                                         @logs.papertrailapp.com

3. Activate change

Tell syslog to activate the change (on most OS’s):

sudo killall -HUP syslog syslogd

Log messages should begin appearing in Papertrail.


Test (optional)

To confirm messages are being sent and received, you can generate a test message by running: logger “Testing Papertrail message delivery”

The test message should appear on the system’s event history almost immediately. If it doesn’t arrive, try sending a standalone test message.

Configuration: None

If ls -d /etc/*syslog* did not find any matching files, try these:

Troubleshooting

Logs not appearing?

The most common cause is a local or external firewall blocking outbound UDP traffic. Solve this by adding an allow rule based on the port number shown under the Log Destinations tab.

For more generic troubleshooting information, see Troubleshooting remote syslog reachability.