With SigNoz, you can easily collect and analyze system logs generated by your operating system. On Linux and Unix, these system logs are typically represented in the Syslog format.
This document shows how to set up rsyslog to forward logs to the OpenTelemetry Collector using the syslog receiver, so you can parse, query, and monitor logs in SigNoz.
Prerequisites
- A Unix-based Operating System
- An instance of SigNoz (either Cloud or Self-Hosted)
On most modern Linux setups, journald is the default logging system, and it doesn't emit classic syslog output unless explicitly forwarded. If you want to collect journald logs directly, check out our Systemd Logs documentation.
Steps
Step 1: Install the OpenTelemetry Collector
If you haven't already, install the OpenTelemetry Collector binary on your VM by following the OpenTelemetry Binary usage in Virtual Machine guide.
Step 2: Configure the Syslog Receiver
Append the syslog receiver to the receivers block of your OpenTelemetry Collector configuration file (typically config.yaml or /etc/otel-collector-config.yaml):
receivers:
  # ... existing receivers
  syslog:
    tcp:
      listen_address: '0.0.0.0:54527'
    protocol: rfc3164
    location: UTC
    operators:
      - type: move
        from: attributes.message
        to: body
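This snippet listens for incoming TCP connections on port 54527. Because the listen address is 0.0.0.0, the port is bound on every network interface, and as configured here the connection is plain TCP, so any host that can reach the port can submit log lines; limit access with firewall rules or security groups. The snippet also uses operators to move messages from attributes to body. Read more about operators in the Logs User Guide.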
For additional configurations, see the Syslog Receiver documentation.
Step 3: Enable the Receiver in the Pipeline
Update your logs pipeline in the same configuration file to include the syslog receiver. Append it to your service.pipelines.logs.receivers list:
service:
  # ... existing pipelines
  pipelines:
    logs:
      receivers: [otlp, syslog] # Add syslog here
      processors: [batch]
      exporters: [otlp]
Step 4: Restart the OpenTelemetry Collector
Restart the Collector process so it loads the new configuration.
If you installed it as a service:
sudo systemctl restart otelcol-contrib
For docker-compose:
docker-compose up -d --force-recreate otel-collector
Step 5: Configure rsyslog to Forward Logs
Run the following command to edit the rsyslog.conf file:
sudo vim /etc/rsyslog.conf
Add the following lines at the end of the file:
template(
name="UTCTraditionalForwardFormat"
type="string"
string="<%PRI%>%TIMESTAMP:::date-utc% %HOSTNAME% %syslogtag:1:32%%msg:::sp-if-no-1st-sp%%msg%"
)
*.* action(type="omfwd" target="127.0.0.1" port="54527" protocol="tcp" template="UTCTraditionalForwardFormat")
The template defines a custom format for forwarding syslog messages; it includes priority, UTC timestamp, hostname, syslog tag, and the message content itself. The action forwards all (*.*) syslog messages over TCP to the OpenTelemetry Collector listening at 127.0.0.1:54527.
If your OpenTelemetry Collector is running on a different host, replace 127.0.0.1 with the IP address or hostname of that machine.
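To check the Collector side in isolation from rsyslog, the following added example (not part of the SigNoz documentation or of either project's code) renders a line in the layout that UTCTraditionalForwardFormat produces, parses it back into its fields, and can send it to the receiver from Step 2. The function names, dictionary keys, the host web01 and the tag myapp[812]: are assumptions made for illustration.

```python
import re
import socket
from datetime import datetime, timezone

# Layout produced by the template: <PRI>Mmm dd hh:mm:ss HOST TAG MSG
LINE_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<tag>[^\s:\[]{1,32})(?:\[(?P<pid>\d+)\])?:? ?"
    r"(?P<msg>.*)$"
)

def render(facility, severity, host, tag, msg, when=None):
    """Build one line the way UTCTraditionalForwardFormat lays it out."""
    when = when or datetime.now(timezone.utc)
    # RFC 3164 pads a single-digit day with a space, not a zero.
    ts = f"{when:%b} {when.day:2d} {when:%H:%M:%S}"
    sep = "" if msg.startswith(" ") else " "  # %msg:::sp-if-no-1st-sp%
    return f"<{facility * 8 + severity}>{ts} {host} {tag[:32]}{sep}{msg}"

def parse(line):
    """Split a forwarded line into the fields the template carries."""
    m = LINE_RE.match(line.rstrip("\n"))
    if m is None:
        raise ValueError("line is not in the expected RFC 3164 layout")
    pri = int(m["pri"])
    if pri > 191:  # highest valid value: facility 23 * 8 + severity 7
        raise ValueError("PRI out of range")
    return {
        "facility": pri >> 3, "severity": pri & 7,
        "timestamp": m["ts"], "hostname": m["host"],
        "appname": m["tag"], "proc_id": m["pid"], "message": m["msg"],
    }

def send(line, host="127.0.0.1", port=54527):
    """Deliver one newline-terminated line to the receiver's TCP port."""
    with socket.create_connection((host, port), timeout=3) as conn:
        conn.sendall(line.encode() + b"\n")

# Constructed sample: facility 1 (user), severity 5 (notice), logger's default.
SAMPLE = render(1, 5, "web01", "myapp[812]:", "SigNoz syslog test message",
                datetime(2024, 3, 7, 9, 5, 1, tzinfo=timezone.utc))

if __name__ == "__main__":
    print(SAMPLE)
    print(parse(SAMPLE))
    # send(SAMPLE)  # uncomment with the Collector from Step 4 running
```

If a line sent this way shows up in Logs Explorer but rsyslog-forwarded lines do not, the problem is on the rsyslog side (template, action or connectivity) rather than in the receiver configuration.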
Step 6: Restart the rsyslog Service
Restart the rsyslog service to apply your changes:
sudo systemctl restart rsyslog.service
Check the status to ensure it is running properly:
sudo systemctl status rsyslog.service
Validate
Once both services are running, generate a test syslog entry:
logger "SigNoz syslog test message"
Then open Logs Explorer in SigNoz and search for the message body containing SigNoz syslog test message. You should see the log entry with attributes like syslog.hostname populated.
Captured syslogs can be viewed in the Logs Explorer section of SigNoz. Search for attributes like syslog.hostname or the specific application reporting to syslog.
Troubleshooting
Rsyslog fails to restart or status shows errors
Run rsyslogd -N1 to verify the configuration syntax. Often, typos in the format template or action statement can prevent the service from starting.
You can also check the service logs to see the exact reason for the failure or any runtime issues:
journalctl -u rsyslog.service -b
Logs are not appearing in SigNoz
- Verify the OpenTelemetry Collector is running and there are no errors in its logs.
- Make sure that port 54527 is accessible from the rsyslog host to the OpenTelemetry Collector host (check firewall rules or security groups).
- Check your SigNoz ingestion key and endpoint. For SigNoz Cloud, ensure the URL is correct (e.g., https://ingest.<region>.signoz.cloud:443).
- Temporarily enable verbose logging in rsyslog or check cat /var/log/syslog for forwarding issues.
Next Steps
System logs by default don’t always include robust resource contexts (like container name, exact OS version, or cloud instance IDs). You can use the OpenTelemetry Collector’s resourcedetection processor to enrich your system logs.
Additionally, you can:
- Explore Log Query and Filtering in SigNoz
- Set up Alerts based on logs
- Correlate logs with metrics and traces for complete observability
Get Help
If you need help with the steps in this topic, please reach out to us on SigNoz Community Slack.
If you are a SigNoz Cloud user, please use the in-product chat support located at the bottom right corner of your SigNoz instance or contact us at cloud-support@signoz.io.