You can use the rsyslog and syslog-ng utilities to collect logs, and then upload the logs to Log Service by using the syslog protocol. This topic describes how to upload logs to Log Service by using the syslog protocol.
Limits
- Syslog logs must conform to the RFC 5424 protocol.
- The maximum size of each log entry is 64 KB.
- Transport Layer Security (TLS) 1.2 must be used for secure data transfer.
Configurations
If you upload logs by using the syslog protocol, you must configure the address to which the logs are uploaded. The address is in the format Project name.Log Service endpoint:Syslog port, for example, test-project-1.cn-hangzhou-intranet.log.aliyuncs.com:10009. Specify an endpoint based on the region where your Log Service project resides. For more information, see Endpoints. The syslog port is 10009. In addition, you must specify a Log Service project, Logstore, and AccessKey pair in the STRUCTURED-DATA field. The following table describes the fields.
Field | Description | Example |
---|---|---|
STRUCTURED-DATA | Set the value to Logservice. | Logservice |
Project | The name of a project. The project must be available in Log Service before you collect logs. | test-project-1 |
Logstore | The name of a Logstore. The Logstore must be available in Log Service before you collect logs. | test-logstore-1 |
access-key-id | The AccessKey ID. We recommend that you use the AccessKey ID of a RAM user. For more information, see Authorize a RAM user to connect to Log Service. | <yourAccessKeyId> |
access-key-secret | The AccessKey secret. We recommend that you use the AccessKey secret of a RAM user. For more information, see Authorize a RAM user to connect to Log Service. | <yourAccessKeySecret> |
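The following Python code is an added example, not part of the original page and not Log Service's own code. It builds one entry in the layout described above, enforces the 64 KB limit, and sends it over TLS 1.2 or later with certificate and hostname verification, which matters because every entry carries the AccessKey secret. The function names are hypothetical; the lowercase `logservice` SD-ID, the header values, and the newline termination are assumptions taken from the Ncat test in the FAQ.

```python
import socket
import ssl
from datetime import datetime, timezone

MAX_ENTRY_BYTES = 64 * 1024   # page limit: each log entry is at most 64 KB
SYSLOG_PORT = 10009           # syslog port stated on this page


def sd_escape(value: str) -> str:
    """Escape '\\', '"' and ']' in an SD-PARAM value (RFC 5424, section 6.3.3)."""
    return value.replace("\\", "\\\\").replace('"', '\\"').replace("]", "\\]")


def build_entry(project, logstore, key_id, key_secret, msg,
                host="mymachine.example.com", app="su", msgid="ID47",
                pri=34, when=None):
    """Return one newline-terminated RFC 5424 entry as UTF-8 bytes."""
    when = when or datetime.now(timezone.utc)
    # Timestamps are sent in UTC+0 with a trailing Z, as the page notes.
    ts = when.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3] + "Z"
    params = {"project": project, "logstore": logstore,
              "access-key-id": key_id, "access-key-secret": key_secret}
    sd = " ".join(f'{k}="{sd_escape(v)}"' for k, v in params.items())
    # A raw newline inside msg would split one entry into two on the stream.
    msg = msg.replace("\r", " ").replace("\n", " ")
    # Header order: PRI VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID SD MSG
    entry = f"<{pri}>1 {ts} {host} {app} - {msgid} [logservice {sd}] {msg}\n".encode()
    if len(entry) > MAX_ENTRY_BYTES:
        raise ValueError(f"entry is {len(entry)} bytes; limit is {MAX_ENTRY_BYTES}")
    return entry


def send_entry(endpoint_host, entry, port=SYSLOG_PORT, timeout=10):
    """Send one entry over TLS; returns the negotiated protocol version."""
    ctx = ssl.create_default_context()            # verifies chain and hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # page requires TLS 1.2
    with socket.create_connection((endpoint_host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=endpoint_host) as tls:
            tls.sendall(entry)
            return tls.version()
```

Load the AccessKey pair from a protected file or secret store rather than hard-coding it, and pass the host part of the address (without the port) to `send_entry`.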
Example 1: Use the rsyslog utility to upload syslog logs to Log Service
Example 2: Use the syslog-ng utility to upload syslog logs to Log Service
Sample log entries

Field | Description |
---|---|
__source__ | The hostname in the raw log entry. |
__topic__ | The value is syslog-forwarder. |
__facility__ | The facility information, such as the information of the device and module. |
__program__ | The name of the process. |
__serverity__ | The severity level of the syslog log entry. |
__priority__ | The priority of the syslog log entry. |
__unixtimestamp__ | The UNIX timestamp of the raw log entry. Unit: nanoseconds. |
content | The msg field in the raw log entry. |
FAQ
- How can I send syslog logs to Log Service?
You can run an Ncat command to simulate log uploading. This way, you can check whether the network connection is normal and whether the AccessKey pair is authorized to send syslog logs. If Ncat is not installed on your server, you can run the sudo yum install nmap-ncat command to install Ncat.
Note:
- The timestamp of syslog logs is in UTC+0, for example, 2019-03-28T03:00:15.003Z. In UTC+8, the timestamp is 2019-03-28T11:00:15.003.
- Ncat commands cannot determine whether network connections are interrupted. After you run an Ncat command, you must enter the information to be sent and press the Enter key within 30 seconds.
For example, you can run the following command to send a syslog log entry to Log Service. The project in Log Service is named test-project-1 and the Logstore is named test-logstore-1. The project resides in the China (Hangzhou) region. A RAM user that has the write permissions is used to send the syslog log entry. The AccessKey ID of the RAM user is <yourAccessKeyId>, and the AccessKey secret is <yourAccessKeySecret>.
```
[root@iZbp145dd9fccuidd7g**** ~]# ncat --ssl test-project-1.cn-hangzhou.log.aliyuncs.com 10009
<34>1 2019-03-28T03:00:15.003Z mymachine.example.com su - ID47 [logservice project="test-project-1" logstore="test-logstore-1" access-key-id="<yourAccessKeyId>" access-key-secret="<yourAccessKeySecret>"] this is a test message
```
After you send the syslog log entry, you can preview the log entry in the Log Service console. For more information, see Preview logs.
- What can I do if I fail to upload logs?
Troubleshoot the failure based on the error message. For more information, see Diagnose collection errors.
- How do I view rsyslog error logs?
You can run the vim command to view the logs. By default, rsyslog error logs are stored in the /var/log/message directory.
- Error message 1
dlopen: /usr/lib64/rsyslog/lmnsd_gtls.so: cannot open shared object file: No such file or directory
This error message is returned because the rsyslog-gnutls module is not installed. You can run the sudo apt-get install rsyslog-gnutls or sudo yum install rsyslog-gnutls command to install the module. Restart the rsyslog utility after the installation is completed.
- Error message 2
unexpected GnuTLS error -53 - this could be caused by a broken connection. GnuTLS reports:Error in the push function
This error message is returned because the TCP connection is ended due to a long period of inactivity. You can ignore this error because rsyslog will re-establish the connection.
- How do I view syslog-ng error logs?
You can run the systemctl status syslog-ng.service or journalctl -xe command to view the error logs. By default, syslog-ng error logs are stored in journal logs.
If the following error message is returned, check whether the configuration file format is valid or whether configuration conflicts exist. For example, you cannot configure multiple internal() sources.
Job for syslog-ng.service failed because the control process exited with error code. See "systemctl status syslog-ng.service" and "journalctl -xe" for details