Configuring centralized logging from text log files in Unix (remote_syslog2)
Use remote_syslog2 to aggregate logs from any text file, like app log files, in Unix and BSD.
To send log files to Papertrail from applications and daemons that don’t support syslog, run Papertrail’s tiny standalone remote_syslog2 daemon. It tracks one or more log files and sends new entries to Papertrail in realtime.
remote_syslog2 works for any text log files, has no impact on or reliance on the system syslog daemon or its logging configuration, is easy to set up, and forwards logs directly to Papertrail. No adjustments to syslog-ng.conf are required.
Some applications that typically log to text files, such as MySQL, Apache, and Tomcat (log4j), have internal support for logging directly to syslog. For apps like these, either their internal syslog or remote_syslog2 can be used to send logs to Papertrail.
Automated (Configuration Management)
remote_syslog2 can be deployed and configured with configuration management tools. Papertrail provides official support for Chef, Puppet, and Salt:
These configuration management modules only configure and deploy remote_syslog2. To configure and manage the system’s syslog daemon configuration, see Configuring remote syslog from Unix/Linux and BSD/macOS.
Download the current release. To extract it and copy the binary into a system path, run:
$ tar xzf ./remote_syslog*.tar.gz
$ cd remote_syslog
$ sudo cp ./remote_syslog /usr/local/bin
RPM and Debian packages are also available.
Paths to log file(s) can be specified on the command-line, or save log_files.yml.example as /etc/log_files.yml. Edit it to define:
- the path to this app’s log file, and any other log file(s) to watch.
- the destination port provided under log destinations. If no destination port was provided, set logs.papertrailapp.com and remove the port config line to use the default port (514).
Start the daemon:
Logs should appear in Papertrail within a few seconds of being written to the on-disk log file. Problem? See Troubleshooting.
remote_syslog requires read permission on the log files it is monitoring.
The system rebooted and remote_syslog didn’t start
Install an init file.
Logs not appearing?
Please feel free to drop a mail into email@example.com, either instead of following these instructions or while trying them. We enjoy helping, and these steps are only here if they let you save time by troubleshooting independently.
There are a few reasons remote_syslog might not be sending logs.
ps auxww | grep [r]emote_syslog. Exactly 1 process should be shown, like this:
root 24501 0.0 0.4 13952 8864 ? S Mar01 2:45 remote_syslog
Does it have the correct access permissions?
In the example above, the process is running as user root. If a user other than root is shown, does that user running remote_syslog have permission to write to
/var/run/ is the default location for PID files (background).
If remote_syslog isn’t already running as root, try running it as root to test (such as with sudo), or specify an alternate location for the PID file (such as with
Did it stop running?
If you can start remote_syslog but it subsequently stops running, try leaving it attached to the terminal (rather than daemonizing) using
Is it running, but suddenly stopped sending data?
…perhaps across many systems at the same time? This could be a firewall policy change or log rotation. However, remote_syslog plays well with all common log rotation systems (with no changes to the configuration of either), so we’d like to hear about this problem.
Is remote_syslog monitoring log files that are stored on an NFS share?
If so, enable polling via the
The next step is to see what remote_syslog is actually doing. Typically that’s with strace, such as:
$ strace -tt -s 500 -fp 12345
12345 is the process ID of remote_syslog, obtained from the second column of ps auxww. This will output every call that it makes. We suggest sending the strace output to a file:
$ strace -tt -s 500 -fp 12345 -o strace.log
Feel free to send the strace.log file to us via firstname.lastname@example.org. We’ll look for a few things. Did the OS notify remote_syslog of writes to the log files? Did it call sendto() (UDP) or send() (TCP) to try sending the message? What happened?
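To answer the last two questions locally before sending the file, the sketch below summarizes the sendto()/send() calls in a strace.log. It is an added example, not Papertrail's tooling; the sample lines, `summarize_sends` and `diagnose` are constructed for illustration and assume the `-tt -s 500 -fp PID -o` output layout shown above.

```python
import re
import sys
from collections import Counter

# Constructed sample in the layout written by `strace -tt -s 500 -fp PID -o strace.log`:
# PID, timestamp, call, "= return value", plus an errno name on failure.
SAMPLE = r'''12345 10:15:01.000101 sendto(7, "<134>Mar  1 10:15:01 web1 app: started", 38, 0, NULL, 0) = 38
12345 10:15:02.000207 sendto(7, "<134>Mar  1 10:15:02 web1 app: request", 38, 0, NULL, 0) = -1 ECONNREFUSED (Connection refused)
12346 10:15:02.500000 send(9, "<134>Mar  1 10:15:02 web1 app: retry", 36, 0 <unfinished ...>
12345 10:15:02.600000 epoll_wait(4, [], 128, 0) = 0
12346 10:15:02.700000 <... send resumed>) = -1 EPIPE (Broken pipe)
12345 10:15:03.000000 read(5, "new line\n", 4096) = 9
'''

# Matches a completed send()/sendto(), including the "<... send resumed>" half of a
# call that strace split across lines; the "<unfinished ...>" half carries no result.
CALL = re.compile(
    r'^(?:\d+\s+)?[\d:.]+\s+'
    r'(?:<\.\.\. (?:sendto|send) resumed>|(?:sendto|send)\()'
    r'.*\s=\s(?P<ret>-?\d+)(?:\s(?P<errno>E[A-Z0-9]+))?'
)

def summarize_sends(lines):
    """Count successful and failed send attempts and group failures by errno."""
    ok, sent_bytes, failures = 0, 0, Counter()
    for line in lines:
        m = CALL.match(line)
        if not m:
            continue  # some other syscall, or an unfinished half
        ret = int(m.group("ret"))
        if ret >= 0:
            ok += 1
            sent_bytes += ret
        else:
            failures[m.group("errno") or "UNKNOWN"] += 1
    return {"attempts": ok + sum(failures.values()), "ok": ok,
            "bytes": sent_bytes, "failures": dict(failures)}

def diagnose(summary):
    """Turn the counts into the answer to 'did it try to send, and what happened?'"""
    if summary["attempts"] == 0:
        return "no send()/sendto() seen: check whether the OS reported writes to the log files"
    errs = ", ".join(sorted(summary["failures"]))
    if summary["ok"] == 0:
        return "every send failed: " + errs
    if errs:
        return "some sends failed: " + errs
    return "sends succeeded locally: look past this host (e.g. firewall policy)"

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    result = summarize_sends(text.splitlines())
    print(result, diagnose(result), sep="\n")
```

The summary holds only counts and errno names, whereas strace.log itself records up to 500 bytes of every log line sent (`-s 500`), so review the raw file for sensitive log content before mailing it.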
See other options with:
See also Troubleshooting reachability.
Can we help? Just ask.