rsyslog

Rsyslog is a widely used log processor that ships with most Linux distributions, including Ubuntu and CentOS. It provides a long list of plugins; the one that matters here is the Elasticsearch output plugin (omelasticsearch), whose bulk format Humio accepts.

Self-hosted users must enable the Elasticsearch bulk endpoint on port 9200; see ELASTIC_PORT.

Configuration

The minimal configuration below forwards all logs to Humio. Create a file named /etc/rsyslog.d/33-humio.conf with the following contents.

In the example, replace $YOUR_HUMIO_URL with the base URL of your Humio instance: for a self-hosted installation, the URL of your own server; for Humio Cloud, https://cloud.humio.com (EU Cloud) or https://cloud.us.humio.com (US Cloud). For example, when sending data to Humio EU Cloud the server value becomes https://cloud.humio.com/api/v1/ingest/elastic-bulk.

# Load the Elasticsearch output module (shipped in the rsyslog-elasticsearch package)
module(load="omelasticsearch")

# Shape each message as one JSON document. option.json="on" JSON-escapes the
# property values, so quotes or newlines inside a log line cannot break the
# document or inject extra fields.
template(name="humiotemplate" type="list" option.json="on") {
  constant(value="{")
    constant(value="\"@timestamp\":\"") property(name="timereported" dateFormat="rfc3339")
    constant(value="\",\"message\":\"") property(name="msg")
    constant(value="\",\"host\":\"") property(name="hostname")
    constant(value="\",\"severity\":\"") property(name="syslogseverity-text")
    constant(value="\",\"facility\":\"") property(name="syslogfacility-text")
    constant(value="\",\"syslogtag\":\"") property(name="syslogtag")
    constant(value="\",\"name\":\"") property(name="programname")
    constant(value="\",\"pid\":\"") property(name="procid")
  constant(value="\"}")
}

# Send every message (*.*) to Humio's Elasticsearch-compatible bulk endpoint
*.* action(type="omelasticsearch"
           server="$YOUR_HUMIO_URL/api/v1/ingest/elastic-bulk"
           template="humiotemplate"
           uid="any-organization"
           pwd="$INGEST_TOKEN"
           bulkmode="on"
           usehttps="on")

Replace $INGEST_TOKEN with the ingest token for your repository; rsyslog does not expand these placeholders, so the literal values go into the file. The uid can be any value (hence any-organization): it is the ingest token in pwd that authenticates the sender. Because the token grants write access to the repository, restrict the file's permissions (for example mode 0640, owned by root). bulkmode must always be on, since the endpoint only accepts the bulk format; usehttps must be on for Humio Cloud and for self-hosted installations in which Humio is behind an HTTPS proxy.
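To see what the template above actually puts on the wire, here is an added illustration (not rsyslog's or Humio's code) that re-implements the humiotemplate rendering and the newline-delimited bulk body in Python over three constructed records, and contrasts the escaping that option.json="on" provides with raw concatenation. The bare {"index":{}} action line and the timestamp format are simplifications of what omelasticsearch emits and are assumptions.

```python
"""Render the JSON documents and bulk body an rsyslog template like the one
above produces. Added illustration, not rsyslog or Humio code; the action line
and timestamp format are assumptions that approximate omelasticsearch."""
import json
from datetime import datetime, timezone

# (Humio field, rsyslog property) pairs, in the order of the template above.
TEMPLATE_FIELDS = [
    ("@timestamp", "timereported"),
    ("message", "msg"),
    ("host", "hostname"),
    ("severity", "syslogseverity-text"),
    ("facility", "syslogfacility-text"),
    ("syslogtag", "syslogtag"),
    ("name", "programname"),
    ("pid", "procid"),
]

TS = datetime(2023, 5, 4, 12, 0, 5, tzinfo=timezone.utc)

# Constructed sample records standing in for the rsyslog properties; not real logs.
SAMPLE_RECORDS = [
    {"timereported": TS, "msg": "Accepted publickey for alice from 10.0.0.7 port 51022 ssh2",
     "hostname": "web01", "syslogseverity-text": "info", "syslogfacility-text": "auth",
     "syslogtag": "sshd[4242]:", "programname": "sshd", "procid": "4242"},
    # A log line that embeds JSON metacharacters. Concatenated raw, it appends
    # a second "@timestamp" key (the last duplicate wins in most parsers) and a bogus "x" field.
    {"timereported": TS, "msg": 'x","@timestamp":"1999-01-01T00:00:00Z","x":"',
     "hostname": "web01", "syslogseverity-text": "warning", "syslogfacility-text": "user",
     "syslogtag": "app[77]:", "programname": "app", "procid": "77"},
    # A multi-line message. Unescaped, the newline splits one document across two bulk lines.
    {"timereported": TS, "msg": "stack trace:\n  at main()",
     "hostname": "web01", "syslogseverity-text": "err", "syslogfacility-text": "daemon",
     "syslogtag": "svc[9]:", "programname": "svc", "procid": "9"},
]


def json_escape(value):
    """Escape a value the way option.json="on" does: quotes, backslashes and
    control characters become JSON escape sequences (json.dumps minus its quotes)."""
    return json.dumps(value, ensure_ascii=False)[1:-1]


def property_value(record, prop):
    """Fetch one rsyslog property; timereported is rendered as an RFC 3339 timestamp."""
    value = record[prop]
    if prop == "timereported":
        return value.isoformat()  # e.g. 2023-05-04T12:00:05+00:00 (format is an assumption)
    return value


def render_document(record, escape=True):
    """Build the single JSON object the template emits. escape=False mimics the
    same template without option.json="on"."""
    parts = []
    for field, prop in TEMPLATE_FIELDS:
        value = property_value(record, prop)
        if escape:
            value = json_escape(value)
        parts.append('"%s":"%s"' % (field, value))
    return "{" + ",".join(parts) + "}"


def parse_document(record, escape=True):
    """Parse the rendered document back, as the receiving endpoint would."""
    return json.loads(render_document(record, escape))


def bulk_body(records, escape=True):
    """Newline-delimited bulk body: one action line, then one document, per record.
    The bare {"index":{}} action line is a simplification of omelasticsearch's (assumption)."""
    lines = []
    for record in records:
        lines.append(json.dumps({"index": {}}))
        lines.append(render_document(record, escape))
    return "\n".join(lines) + "\n"


def bulk_is_wellformed(body):
    """True if the body is valid NDJSON with alternating action/document lines."""
    lines = body.rstrip("\n").split("\n")
    if len(lines) % 2:
        return False
    try:
        for i, line in enumerate(lines):
            obj = json.loads(line)
            if i % 2 == 0 and "index" not in obj:
                return False
    except json.JSONDecodeError:
        return False
    return True


if __name__ == "__main__":
    print(bulk_body(SAMPLE_RECORDS), end="")
```

The second record shows why the escaping matters: rendered raw, a log line that contains JSON metacharacters yields a document whose @timestamp is the attacker-chosen 1999 value and which carries an extra x field, while the escaped rendering keeps the whole line inside message. The third record shows a multi-line message breaking the one-document-per-line framing of the bulk body unless the newline is escaped.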

When you have finished editing the configuration file, check it for syntax errors without starting the daemon (rsyslogd -N1), then restart rsyslog from the command line:

systemctl restart rsyslog.service

Your logs should now be flowing into the repository, and a simple search in Humio will show them:

syslogtag=*

If logs do not begin arriving in your repository, check the status of the rsyslog service (e.g. systemctl status rsyslog.service) to see whether the Elasticsearch module failed to load. The module is packaged separately from rsyslog itself, so in most cases this is corrected by installing it with apt-get install rsyslog-elasticsearch on Ubuntu or yum install rsyslog-elasticsearch on CentOS/RHEL, then restarting the service.