We offer a wide range of solutions to get your log data into New Relic. But in other situations where you don't have log forwarders (such as CDNs, hardware devices, or managed services), you can use syslog protocols via a TCP endpoint. You can forward your logs to New Relic using syslog clients such as rsyslog and syslog-ng.
Compatibility and requirements
To forward logs to New Relic using a syslog client, you need:
- A valid New Relic license key for the account you want to send logs to
- Some minor changes to the syslog client's configuration, as explained in this document
Configure rsyslog
To forward logs to New Relic with rsyslog:

1. Install packages required to allow rsyslog to send logs using TLS encryption:

       sudo yum install rsyslog-gnutls ca-certificates

2. Optional: Configure rsyslog to tail log files and forward their contents to New Relic. Add the following to the /etc/rsyslog.conf file in order to enable its text file input module:

       module(load="imfile"
              PollingInterval="10"
              statefile.directory="/var/spool/rsyslog"
       )

3. In the /etc/rsyslog.d/ directory, create a text file named newrelic.conf.

4. Explicitly include the newly created newrelic.conf in the /etc/rsyslog.conf file:

       include(file="/etc/rsyslog.d/newrelic.conf")

5. Add the following to newrelic.conf, replacing YOUR_LICENSE_KEY with your New Relic license key:

       ## Specify each of the files to be tailed (only if the optional file-tailing step was done)
       input(type="imfile" ruleset="infiles" Tag="<YOUR_FILE_TAG>" File="<PATH_TO_FILE>" StateFile="<UNIQUE_STATEFILE_NAME>")

       ## Template expected by the New Relic Syslog endpoint
       template(name="newrelic-rfc5424"
                type="string"
                string="<YOUR_LICENSE_KEY> <%pri%>%protocol-version% %timestamp:::date-rfc3339% %hostname% %app-name% %procid% %msgid% %structured-data% %msg%\n"
       )

       ## Configure TLS and log forwarding
       global(DefaultNetstreamDriver="gtls"
              DefaultNetstreamDriverCAFile="/etc/ssl/certs/ca-certificates.crt"
       )

       action(type="omfwd"
              Target="newrelic.syslog.nr-data.net"
              Port="6514"
              Protocol="tcp"
              Template="newrelic-rfc5424"
              ResendLastMSGOnReconnect="on"
              StreamDriver="gtls"
              StreamDriverAuthMode="x509/name"
              StreamDriverPermittedPeers="*.syslog.nr-data.net"
              StreamDriverMode="1"
       )

6. Restart the rsyslog service by running:

       sudo systemctl restart rsyslog

7. Check your New Relic account for logs.
Legacy config file for rsyslog 7 or earlier
If you are using rsyslog version 7 or below, the configuration files need to be adapted to the obsolete legacy format. This format is kept only for backward compatibility. We strongly recommend avoiding it, as stated in the rsyslog documentation.

1. Install packages required to allow rsyslog to send logs using TLS encryption:

       sudo yum install rsyslog-gnutls ca-certificates

2. Optional: Configure rsyslog to tail log files and forward their contents to New Relic. Add the following to the /etc/rsyslog.conf file in order to enable its text file input module:

       $ModLoad imfile
       $InputFilePollInterval 10
       $PrivDropToGroup adm
       $WorkDirectory /var/spool/rsyslog

3. In the /etc/rsyslog.d/ directory, create a text file named newrelic.conf.

4. Explicitly include the newly created newrelic.conf in the /etc/rsyslog.conf file:

       $IncludeConfig /etc/rsyslog.d/newrelic.conf

5. Add the following to newrelic.conf, replacing YOUR_LICENSE_KEY with your New Relic license key:

       ## Template expected by the New Relic Syslog endpoint
       $template NRLogFormat,"YOUR_LICENSE_KEY <%pri%>%protocol-version% %timestamp:::date-rfc3339% %hostname% %app-name% %procid% %msgid% %structured-data% %msg%\n"

       ## Specify each of the files to be tailed (only if the optional file-tailing step was done)
       $InputFileName /path/to/file
       $InputFileTag <YOUR_FILE_TAG>
       $InputFileStateFile <UNIQUE_STATEFILE_NAME>
       $InputFileSeverity info
       $InputRunFileMonitor

       ## Configure TLS and log forwarding
       $DefaultNetstreamDriverCAFile /etc/ssl/certs/ca-certificates.crt
       $ActionSendStreamDriver gtls
       $ActionSendStreamDriverMode 1
       $ActionSendStreamDriverAuthMode x509/name
       $ActionSendStreamDriverPermittedPeer *.syslog.nr-data.net

       *.* @@newrelic.syslog.nr-data.net:6514;NRLogFormat

6. Restart the rsyslog service by running:

       sudo systemctl restart rsyslog

7. Check your New Relic account for logs.
Configure syslog-ng
To forward logs to New Relic with syslog-ng:

1. Install ca-certificates, required to allow syslog-ng to send logs using TLS encryption:

       sudo yum install ca-certificates

2. Open the syslog-ng configuration file (/etc/syslog-ng/syslog-ng.conf) in a text editor.

3. Define the sources to be monitored by adding:

       source s_src {
           internal();
       };

4. Optional: Configure syslog-ng to tail files by adding the following to the Sources configuration block:

       source s_files {
           file("<PATH_TO_FILE>");
       };

5. Define the New Relic syslog format and add your New Relic license key:

       template NRFormat { template("YOUR_LICENSE_KEY <${PRI}>1 ${ISODATE} ${HOST:--} ${PROGRAM:--} ${PID:--} ${MSGID:--} ${SDATA:--} $MSG\n"); template_escape(no); };

6. Add the New Relic Syslog endpoint:

       destination d_newrelic {
           network("newrelic.syslog.nr-data.net" port(6514)
               transport("tls")
               tls(peer-verify(no))
               template(NRFormat)
           );
       };

7. Add the following output to the log path configuration block:

       log {
           source(s_src);
           source(s_files); ## in case step 4 is implemented.
           destination(d_newrelic);
       };

8. Restart syslog-ng by running:

       sudo service syslog-ng restart

9. Check your New Relic account for logs.
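
The rsyslog action above verifies the server certificate (x509/name with a permitted peer), while the syslog-ng destination sets peer-verify(no), which turns certificate verification off. The check below is an added example, not New Relic code: it scans both forwarding snippets (embedded as constructed samples) and reports forwarding that is not protected by verified TLS. The function names are hypothetical, and it assumes syslog-ng verifies the peer when peer-verify() is not set.

```python
import re

# Constructed samples that mirror the two forwarding snippets on this page.
RSYSLOG_CONF = '''action(type="omfwd" Target="newrelic.syslog.nr-data.net" Port="6514"
  Protocol="tcp" StreamDriver="gtls" StreamDriverMode="1"
  StreamDriverAuthMode="x509/name" StreamDriverPermittedPeers="*.syslog.nr-data.net")'''
SYSLOG_NG_CONF = '''destination d_newrelic {
  network("newrelic.syslog.nr-data.net" port(6514) transport("tls")
          tls(peer-verify(no)) template(NRFormat));
};'''
DEST_RE = re.compile(r'destination\s+(\w+)\s*\{(.*?)\}\s*;', re.S)

def strip_comments(text):
    # Simplification: assumes '#' never occurs inside a quoted string.
    return "\n".join(line.split("#", 1)[0] for line in text.splitlines())

def audit_rsyslog(conf):
    """Check every omfwd action() (RainerScript syntax) for verified TLS."""
    findings = []
    for body in re.findall(r'action\s*\(([^)]*)\)', strip_comments(conf), re.I):
        p = {k.lower(): v for k, v in re.findall(r'(\w+)\s*=\s*"([^"]*)"', body)}
        if p.get("type") != "omfwd":
            continue
        if p.get("streamdrivermode") != "1":
            findings.append("rsyslog: TLS is off (StreamDriverMode is not 1)")
        if p.get("streamdriverauthmode") != "x509/name":
            findings.append("rsyslog: server name is not verified")
        if not p.get("streamdriverpermittedpeers"):
            findings.append("rsyslog: StreamDriverPermittedPeers is not set")
    return findings

def audit_syslog_ng(conf):
    """Check every network() destination for TLS with peer verification."""
    findings = []
    for name, body in DEST_RE.findall(strip_comments(conf)):
        if "network(" not in body:
            continue  # local destinations such as file() are out of scope
        if not re.search(r'transport\(\s*"?tls"?\s*\)', body):
            findings.append(f"syslog-ng {name}: logs are sent without TLS")
            continue
        mode = re.search(r'peer-verify\(\s*"?([\w-]+)"?\s*\)', body)
        # Assumption: syslog-ng verifies the peer unless peer-verify() weakens it.
        if mode and mode.group(1) not in ("yes", "required-trusted"):
            findings.append(f"syslog-ng {name}: peer-verify({mode.group(1)}) "
                            "does not require a trusted server certificate")
    return findings

if __name__ == "__main__":
    print(audit_rsyslog(RSYSLOG_CONF) + audit_syslog_ng(SYSLOG_NG_CONF))
```

Run against real files by passing their contents to the two functions; an empty list means no finding for the checks implemented here.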
Tip
If you are running syslog-ng from a Docker container and experience issues, check balait/syslog image documentation.