Rsyslog Integration
Forward system logs via rsyslog with template-based field extraction to TigerOps. Configure reliable disk-backed queues and structured JSON templates for complete log observability.
How It Works
Install rsyslog omhttp Module
Install rsyslog-doc and rsyslog-omhttp on your system. The omhttp module enables JSON-formatted HTTP forwarding with TLS support and configurable retry queues.
Define a TigerOps Template
Create an rsyslog template that formats log events as JSON with fields for timestamp, hostname, app-name, severity, and message. Add custom property substitutions for structured app logs.
Configure omhttp Action
Add an omhttp action block pointing to the TigerOps log ingestion endpoint. Configure disk-backed queues for reliability and TLS certificate validation for secure forwarding.
Validate and Monitor
Use rsyslog impstats to monitor forwarding performance. TigerOps live tail confirms events arrive with correct field mappings. Set up rsyslog health alerts in TigerOps.
What You Get Out of the Box
Template-Based JSON Formatting
Use rsyslog templates to structure log fields as JSON before forwarding. Extract syslog properties (PRI, HOSTNAME, PROGRAMNAME, MSGID) and custom app fields into named JSON keys.
omhttp and omfwd Module Support
TigerOps works with both omhttp (JSON over HTTP) and omfwd (TCP/UDP syslog forwarding) output modules. Use omhttp for structured JSON or omfwd for raw RFC 5424 forwarding.
Disk-Backed Queue Reliability
Configure rsyslog linked-list or disk queues with configurable size, high watermark, and low watermark settings. Logs persist on disk during TigerOps unavailability and replay automatically.
RuleSet-Based Log Routing
Use rsyslog rulesets to route different log streams (auth, kern, mail, application) to separate TigerOps workspaces or apply different templates per facility or severity.
mmnormalize Field Extraction
Pair rsyslog with the mmnormalize module and liblognorm rules to extract structured fields from unstructured log messages before forwarding. TigerOps receives pre-parsed, queryable data.
impstats Forwarding Metrics
Enable rsyslog impstats to collect queue depth, message drop counts, and forwarding latency. TigerOps ingests these internal metrics alongside your logs for complete rsyslog health visibility.
rsyslog omhttp Configuration
Forward rsyslog events to TigerOps as structured JSON via the omhttp module.
# rsyslog omhttp forwarding to TigerOps
module(load="omhttp")

# JSON template for structured log forwarding.
# format="json" escapes quotes and control characters in sender-supplied fields,
# so a crafted hostname or app-name cannot break the JSON document.
template(name="TigerOpsJSON" type="list") {
    constant(value="{")
    constant(value="\"timestamp\":\"") property(name="timereported" dateFormat="rfc3339")
    constant(value="\",\"host\":\"") property(name="hostname" format="json")
    constant(value="\",\"app\":\"") property(name="app-name" format="json")
    constant(value="\",\"pid\":\"") property(name="procid" format="json")
    constant(value="\",\"severity\":") property(name="syslogseverity")
    constant(value=",\"facility\":") property(name="syslogfacility")
    constant(value=",\"message\":\"") property(name="msg" format="json")
    constant(value="\"}")
}

# Disk-backed queue for reliability.
# ${TIGEROPS_API_KEY} is a placeholder: rsyslog does not expand ${...} inside a
# quoted string. Substitute the key, or read it from rsyslogd's environment with a
# backtick string constant (`echo $VAR`). Keep this file readable by root only.
action(
    type="omhttp"
    server="ingest.atatus.net"
    serverport="443"
    useHttps="on"
    template="TigerOpsJSON"
    httpcontenttype="application/json"
    httpheaderkey="Authorization"
    httpheadervalue="Bearer ${TIGEROPS_API_KEY}"
    queue.type="disk"
    queue.filename="tigerops-omhttp"
    queue.maxdiskspace="512m"
    queue.size="100000"
    queue.saveonshutdown="on"
    action.resumeRetryCount="-1"
)
Common Questions
What is the recommended rsyslog output module for TigerOps?
Use omhttp for structured JSON forwarding. It supports TLS, HTTP/2, custom headers for API key auth, and disk-backed queuing. Alternatively, use omfwd with TCP and octet-counted framing for raw syslog delivery.
How do I handle log delivery during network outages?
Configure rsyslog disk queues (queue.type="disk") with queue.maxDiskSpace and queue.saveOnShutdown="on". Messages are spooled to disk during outages and forwarded to TigerOps automatically when connectivity is restored.
Can I filter sensitive logs before forwarding to TigerOps?
Yes. Use rsyslog property-based filters (if $programname == "sensitive-app" then stop) or discard actions to prevent specific log streams from reaching TigerOps. Apply mmanon for IP address anonymization.
How do I monitor rsyslog forwarding health?
Enable impstats with interval=60 and send stats to a separate TigerOps workspace. Key metrics include queue.size, queue.discarded.full, and actions.*.processed. TigerOps alerts you when queue depth grows unsustainably.
Does TigerOps support rsyslog multi-line log parsing?
Yes. Use the imfile module with multi-line rules (readMode=1 or 2) to capture Java stack traces and multi-line application logs. rsyslog assembles the complete event before forwarding to TigerOps as a single log entry.
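The impstats health check from the monitoring answer above, sketched as an added example (not TigerOps or rsyslog code): it reads JSON-format impstats lines and flags dropped messages, failed deliveries, and a queue that grows across consecutive reports. The sample lines, the names "tigerops" and "tigerops queue", and both function names are constructed for illustration, and counters are assumed to be cumulative (impstats without counter reset).

```python
import json
from collections import defaultdict

# Constructed impstats output (format="json"), three reports; names are assumed.
SAMPLE = """\
Tue Mar  4 10:00:00 2025: {"name":"main Q","origin":"core.queue","size":3,"discarded.full":0}
Tue Mar  4 10:00:00 2025: {"name":"tigerops queue","origin":"core.queue","size":10,"discarded.full":0}
Tue Mar  4 10:00:00 2025: {"name":"tigerops","origin":"core.action","processed":1000,"failed":0}
Tue Mar  4 10:01:00 2025: {"name":"main Q","origin":"core.queue","size":5,"discarded.full":0}
Tue Mar  4 10:01:00 2025: {"name":"tigerops queue","origin":"core.queue","size":4000,"discarded.full":0}
Tue Mar  4 10:01:00 2025: {"name":"tigerops","origin":"core.action","processed":1200,"failed":25}
Tue Mar  4 10:02:00 2025: {"name":"main Q","origin":"core.queue","size":2,"discarded.full":0}
Tue Mar  4 10:02:00 2025: {"name":"tigerops queue","origin":"core.queue","size":9000,"discarded.full":120}
Tue Mar  4 10:02:00 2025: {"name":"tigerops","origin":"core.action","processed":1200,"failed":80}
Tue Mar  4 10:02:00 2025: {"name":"tigerops","origin":"core.act
"""

def parse_impstats(lines):
    """Yield counter objects, skipping any prefix before the JSON and bad lines."""
    for line in lines:
        start = line.find("{")
        if start < 0:
            continue
        try:
            rec = json.loads(line[start:])
        except json.JSONDecodeError:
            continue  # truncated or non-JSON line
        if "name" in rec and "origin" in rec:
            yield rec

def forwarding_alerts(lines, growth_reports=3):
    """Return (name, reason, value) tuples; counters are assumed cumulative."""
    history = defaultdict(list)
    for rec in parse_impstats(lines):
        history[(rec["origin"], rec["name"])].append(rec)
    alerts = []
    for (origin, name), recs in sorted(history.items()):
        first, last = recs[0], recs[-1]
        if origin == "core.queue":
            dropped = last.get("discarded.full", 0) - first.get("discarded.full", 0)
            if dropped > 0:  # messages lost because the queue was full
                alerts.append((name, "discarded.full", dropped))
            sizes = [r.get("size", 0) for r in recs[-growth_reports:]]
            if len(sizes) == growth_reports and sizes == sorted(set(sizes)):
                alerts.append((name, "queue_growing", sizes[-1]))
        elif origin == "core.action":
            failed = last.get("failed", 0) - first.get("failed", 0)
            if failed > 0:  # delivery attempts the action reported as failed
                alerts.append((name, "failed", failed))
    return alerts
```

A non-zero discarded.full delta means messages were already lost, while a strictly growing size is the earlier warning that the disk queue is filling faster than omhttp drains it.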
Reliable Rsyslog Forwarding with Zero Log Loss
Disk-backed queues, structured JSON templates, and AI anomaly detection. Configure in minutes.