Learn how to send Logs from your Linux instance to Logs Data Platform.
Do you have a server, a Raspberry Pi, a cloud instance, or something else running on Linux and you want to follow your Logs, the easy way? Have you never installed a log collector and you're new to Graylog? Then this tutorial is for you!
Requirements
- a Linux-based instance (server, VPS, Cloud instance, Raspberry Pi, etc.). The commands in this tutorial are for Debian 12
- root access to this instance
- an activated Logs Data Platform account
- at least one Stream and its token
Instructions
Why?
On Linux, logs are generated automatically for a variety of actions such as excessive resource usage, file downloads, login attempts, network failure, and many more. However, logs can be difficult to read without proper tools. With this platform, you can sort logs and create useful (or fancy) dashboards.
What are logs?
Here are some example logs from an OVHcloud Public Cloud instance on Debian 12:
Configure your Account
The first thing to do is to configure your Logs Data Platform account: create your user!
Install and configure a log collector
Let's assume you have your Linux instance ready. This tutorial DOES NOT fully cover how to configure other flavors of syslog or other operating systems. Please refer to their own documentation to learn how to set up a source, a filter, and an external destination for the logs. You can still read this entire document to get a grasp of how the configuration is built. However, this configuration should work on any syslog-ng version above 3.12.1.
We will install a log collector. What is it? It's a tool that collects logs from any source, processes them, and delivers them to various destinations, like the Logs Data Platform.
In this section we will install Syslog-ng:
- Log in to your Linux instance
- Install syslog-ng and the latest certificates
- Check that your syslog-ng version is above 3.12.1 (use syslog-ng --version to confirm it).
- Once that's done, we will configure it to deliver logs to the platform
- Create a new syslog-ng configuration file ldp.conf with a text editor (here we use nano for example)
- Copy-paste this configuration. Don't forget to replace the variables with your stream write token and with your Logs Data Platform cluster address.
- Copy the data-gathering tools certificate from the manager Home page, in the SSL Configuration section, and paste it into the file "/usr/local/share/ca-certificates/ldp.pem"
- Ensure the permissions on this file are 644
- Import this certificate to your system's trusted CA repository
Let's review this configuration.
REWRITE: this will set your X-OVH-TOKEN as an RFC 5424 structured data. You can retrieve your stream write token by going to the Stream page in the OVHcloud Control Panel and selecting Copy the write token from the desired stream.
DESTINATION: This is where we will deliver logs in nearly real time. Here, we have two destinations: the first is the remote endpoint in Logs Data Platform, the second one is a local file for debugging purposes only. You can find your Logs Data Platform cluster address by going to the Home page in the OVHcloud Control Panel, in access point configuration. For debugging purposes, you can uncomment the "debugfile" section to check if the whole pipeline is working properly. It will write to the local file destination. Since local file writing might consume a lot of I/O resources, we recommend not using this debugging output in production.
LOG: This directive specifies the whole pipeline: "s_src" => "ovh-token" => "ovhPaasLogs".
- Save the file, close nano and restart syslog-ng.
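Before the restart in the last step, the prerequisites stated in this tutorial can be checked in one pass. The script below is an added example, not part of the original OVHcloud guide: it checks that syslog-ng is above 3.12.1, that the certificate file has mode 644, and that the configuration parses. The function names are hypothetical, and it assumes ldp.conf sits in a directory that the main syslog-ng configuration includes.

```shell
#!/bin/sh
# Added example: preflight checks for the syslog-ng setup described above.
# Function names are hypothetical; the path and minimum version come from the tutorial.

MIN_VERSION="3.12.1"
CERT="/usr/local/share/ca-certificates/ldp.pem"

# Read `syslog-ng --version` output on stdin and print the first dotted version number.
parse_version() {
    grep -oE '[0-9]+(\.[0-9]+)+' | head -n 1
}

# Succeed only when version $1 is strictly above version $2.
# sort -V compares numerically per component, so 3.9.0 ranks below 3.12.1.
version_above() {
    [ "$1" != "$2" ] &&
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | tail -n 1)" = "$1" ]
}

# Succeed only when $1 is a regular file whose mode is exactly 644.
mode_is_644() {
    [ -n "$(find "$1" -prune -type f -perm 644 2>/dev/null)" ]
}

preflight() {
    ver=$(syslog-ng --version 2>/dev/null | parse_version)
    if ! version_above "$ver" "$MIN_VERSION"; then
        echo "syslog-ng version '$ver' is not above $MIN_VERSION" >&2; return 1
    fi
    if ! mode_is_644 "$CERT"; then
        echo "$CERT is missing or its mode is not 644" >&2; return 1
    fi
    # Parse the whole configuration without starting the daemon.
    # Assumption: ldp.conf is in a directory the main configuration includes.
    if ! syslog-ng --syntax-only; then
        echo "syslog-ng configuration does not parse" >&2; return 1
    fi
    echo "preflight OK: syslog-ng can be restarted"
}

# Run the checks only when asked, e.g.: sh ldp-preflight.sh run
if [ "${1:-}" = "run" ]; then
    preflight
fi
```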
Let's play with Graylog Dashboards
Let's recap: you have a Linux instance and it's sending logs locally and remotely, thanks to the syslog-ng log collector. We send two types of flows: internal() and system().
The last step is to create a dashboard displaying the results. Connect to the Logs Data Platform manager and ensure that you have a Stream and that the token in the syslog configuration file is correct. Ensure that you have a Dashboard created.
Access Graylog, click the Streams tab, and select your stream.
In the top-left corner, choose ..last 1 day as your range, then click on the green button 🔍 to search.
In the top-right corner of the histogram, click the more options ▼ icon and select Copy to Dashboard.
Choose the dashboard you want to add to, then click Select.
To change the format of your widget to a pie chart, in the top-right corner of the histogram, click the more options ▼ icon and select Edit.
On the next screen, under VISUALIZATION TYPE select Pie Chart and then click Save.
The best feature is the ability to mix criteria, based on what is important to you. For example, facility:auth AND level:6. Why not create an alert on this condition?
Go further
For more information and tutorials, please see our other Logs Data Platform support guides or explore the guides for other OVHcloud products and services.