Collecting Syslogs

With SigNoz, you can easily collect and analyze system logs generated by your operating system. On Linux and Unix, these system logs are typically represented in the Syslog format.

This document shows how to set up rsyslog to forward logs to the OpenTelemetry (OTel) Collector using the syslog receiver, so you can parse, query, and monitor logs with minimal effort.

Prerequisite

  • Unix-based operating system

📝 Note

On most modern Linux setups, journald is the default logging system, and it doesn't emit classic syslog output unless explicitly forwarded. If you're running Kubernetes or Linux nodes, check out our Systemd Logs documentation.

Setup

Step 1: Add OTel Collector Binary

Add the OpenTelemetry Collector binary to your VM by following this guide.

Step 2: Configure Syslog Receiver in OTel Collector

Add the syslog receiver to the config.yaml of the OTel Collector:

receivers:
  syslog:
    tcp:
      listen_address: "0.0.0.0:54527"
    protocol: rfc3164
    location: UTC
    operators:
      - type: move
        from: attributes.message
        to: body
...

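Here, the receiver listens for syslog messages over TCP on port 54527, and the move operator moves each parsed message from attributes.message to the log body. Because listen_address is 0.0.0.0, the receiver accepts connections on every network interface of the host. Read more about operators here.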

For additional configurations for the syslog receiver, check here.

Step 3: Update Pipeline in OTel Collector

Modify the pipeline inside config.yaml to include the syslog receiver:

service:
    ...
    pipelines:
        logs:
            receivers: [otlp, syslog]
            processors: [batch]
            exporters: [otlp]

Step 4: Restart OTel Collector

Restart the OTel Collector to apply the new changes.

Step 5: Modify rsyslog.conf

Run the following command to edit the rsyslog.conf file:

sudo vim /etc/rsyslog.conf

Add the following lines at the end:

template(
  name="UTCTraditionalForwardFormat"
  type="string"
  string="<%PRI%>%TIMESTAMP:::date-utc% %HOSTNAME% %syslogtag:1:32%%msg:::sp-if-no-1st-sp%%msg%"
)

*.* action(type="omfwd" target="0.0.0.0" port="54527" protocol="tcp" template="UTCTraditionalForwardFormat")

For production use cases, configure retries and queues:

*.*  action(type="omfwd" target="0.0.0.0" port="54527" protocol="tcp"
        action.resumeRetryCount="10"
        queue.type="linkedList" queue.size="10000" template="UTCTraditionalForwardFormat")

Step 6: Restart rsyslog Service

Restart the rsyslog service:

sudo systemctl restart rsyslog.service

Check the status:

sudo systemctl status rsyslog.service

If there are no errors, logs will be visible in the SigNoz UI.
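If logs do not show up, it helps to check that a forwarded line has the shape the template in Step 5 produces. The following is an added example, not SigNoz or OTel Collector code: a small parser (the function name, field names and sample lines are assumptions made for illustration) that splits such a line into its fields and shows why the UTC setting on both sides matters, since the timestamp carries neither a year nor a time zone.

```python
import re
from datetime import datetime, timedelta, timezone

# Layout emitted by the UTCTraditionalForwardFormat template:
# <PRI>Mmm dd hh:mm:ss HOSTNAME TAG[PID]: MSG
LINE_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<tag>[^\s:\[]{1,32})(?:\[(?P<pid>\d+)\])?:? ?"
    r"(?P<msg>.*)$"
)

def parse_rfc3164(line, received_at):
    """Split one forwarded line into fields; received_at must be timezone-aware."""
    m = LINE_RE.match(line)
    if m is None:
        raise ValueError(f"not an RFC 3164 line: {line!r}")
    pri = int(m["pri"])
    if pri > 191:  # highest valid PRI: facility 23 * 8 + severity 7
        raise ValueError(f"PRI out of range: {pri}")
    now = received_at.astimezone(timezone.utc)
    # The timestamp has no year and no zone. The template sends UTC (date-utc),
    # so read it as UTC (matching "location: UTC") and infer the year.
    ts = datetime.strptime(f"{now.year} {m['ts']}", "%Y %b %d %H:%M:%S")
    ts = ts.replace(tzinfo=timezone.utc)
    if ts - now > timedelta(days=1):  # "Dec 31" line arriving on Jan 1
        ts = ts.replace(year=now.year - 1)
    return {
        "facility": pri >> 3, "severity": pri & 7, "timestamp": ts,
        "hostname": m["host"], "appname": m["tag"],
        "proc_id": m["pid"], "message": m["msg"],
    }

# Constructed sample lines (not captured from a real host).
SAMPLES = [
    "<38>Aug 29 10:15:02 web01 sshd[1234]: Accepted publickey for deploy",
    "<86>Dec 31 23:59:58 web01 sudo: session opened for user root",
]

if __name__ == "__main__":
    rx = datetime(2025, 8, 29, 10, 15, 3, tzinfo=timezone.utc)
    for s in SAMPLES:
        print(parse_rfc3164(s, rx))
```

If the sender formatted timestamps in local time while the receiver read them as UTC, every event would be shifted by the host's UTC offset, which is what the date-utc option in the template avoids.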

Add Resource Context

By default, system logs don’t include resource context, that is, information about the host such as host name, IP address, container name, etc. You can use the OpenTelemetry Collector’s resourcedetection processor to enrich your system logs with this information in the Resource field of your logs.

Last updated: August 29, 2025
