SigNoz Cloud - This page is relevant for SigNoz Cloud editions.
Self-Host - This page is relevant for self-hosted SigNoz editions.

Collecting Syslogs

With SigNoz, you can easily collect and analyze system logs generated by your operating system. On Linux and Unix, these system logs are typically represented in the Syslog format.

This document shows how to set up rsyslog to forward logs to the OpenTelemetry (OTel) Collector using the syslog receiver, so you can parse, query, and monitor logs with minimal effort.

Prerequisite

  • Unix based Operating System
đź“ť Note

On most modern Linux setups, journald is the default logging system, and it doesn't emit classic syslog output unless explicitly forwarded. If you're running Kubernetes or Linux nodes, checkout our Systemd Logs documentation.

Setup

Step 1: Add OTel Collector Binary

Add the OpenTelemetry Collector binary to your VM by following this guide.

Step 2: Configure Syslog Receiver in OTel Collector

Add the syslog receiver to the config.yaml of the OTel Collector:

receivers:
  syslog:
    tcp:
      listen_address: "0.0.0.0:54527"
    protocol: rfc3164
    location: UTC
    operators:
      - type: move
        from: attributes.message
        to: body
...

Here, we collect logs and move messages from attributes to body using operators. Read more about operators here.

For additional configurations for the syslog receiver, check here.

Step 3: Update Pipeline in OTel Collector

Modify the pipeline inside config.yaml to include the syslog receiver:

service:
    ...
    logs:
        receivers: [otlp, syslog]
        processors: [batch]
        exporters: [otlp]

Step 4: Restart OTel Collector

Restart the OTel Collector to apply the new changes.

Step 5: Modify rsyslog.conf

Run the following command to edit the rsyslog.conf file:

sudo vim /etc/rsyslog.conf

Add the following lines at the end:

template(
  name="UTCTraditionalForwardFormat"
  type="string"
  string="<%PRI%>%TIMESTAMP:::date-utc% %HOSTNAME% %syslogtag:1:32%%msg:::sp-if-no-1st-sp%%msg%"
)

*.* action(type="omfwd" target="0.0.0.0" port="54527" protocol="tcp" template="UTCTraditionalForwardFormat")

For production use cases, configure retries and queues:

*.*  action(type="omfwd" target="0.0.0.0" port="54527" protocol="tcp"
        action.resumeRetryCount="10"
        queue.type="linkedList" queue.size="10000" template="UTCTraditionalForwardFormat")

Step 6: Restart rsyslog Service

Restart the rsyslog service:

sudo systemctl restart rsyslog.service

Check the status:

sudo systemctl status rsyslog.service

If there are no errors, logs will be visible in the SigNoz UI.

Add Resource Context

System logs by default don’t include resource context which includes information about the host such as host name, IP Address, container name etc. You can use the OpenTelemetry Collector’s resourcedetection processor to enrich your system logs with this information in the Resource field of your logs.

Related Resources

Last updated: August 29, 2025

Edit on GitHub

Was this page helpful?

Prev
HTTP logs
Next
Logrus
On this page
Prerequisite
Setup
Step 1: Add OTel Collector Binary
Step 2: Configure Syslog Receiver in OTel Collector
Step 3: Update Pipeline in OTel Collector
Step 4: Restart OTel Collector
Step 5: Modify `rsyslog.conf`
Step 6: Restart rsyslog Service
Step 1: Update `docker-compose.yaml`
Step 2: Configure Syslog Receiver in OTel Collector
Step 3: Update Pipeline in OTel Collector
Step 4: Restart OTel Collector Container
Step 5: Modify `rsyslog.conf`
Step 6: Restart rsyslog Service
Add Resource Context
Related Resources
Docs
IntroductionContributingMigrate from DatadogSigNoz API
Community
Support
Slack
X
Launch Week
Changelog
Dashboard Templates
DevOps Wordle
Newsletter
KubeCon, Atlanta 2025
More
SigNoz vs DatadogSigNoz vs New RelicSigNoz vs GrafanaSigNoz vs Dynatrace
Careers
AboutTermsPrivacySecurity & Compliance
SigNoz
All systems operational