Rsyslog
Create topic
Click on "Create topic".
Enable syslog protocol ingestion in topic configuration
Click on "Enable syslog" and write down the port number.
Download CA certificates
Download the CA certificate bundle and place it in /etc/rsyslog.cacert.pem:
sudo curl https://curl.se/ca/cacert.pem -o /etc/rsyslog.cacert.pem
Add Loglark export to rsyslog configuration
First, locate the configuration directory for rsyslog. Modern
installations usually support including configuration parts from
/etc/rsyslog.d on Linux systems or /usr/local/etc/syslog.d on
FreeBSD. If your system has such a directory, place the following
snippet into it.
Otherwise, you need to edit the rsyslog configuration directly. It is
usually located at /etc/rsyslog.conf or
/usr/local/etc/rsyslog.conf. Add the snippet to the end of the
configuration file.
Replace XXXX with the port number you wrote down earlier.
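*.* action(
    type="omfwd"
    target="feeder.loglark.io"
    port="XXXX"
    protocol="tcp"
    # TLS through the GnuTLS driver: mode 1 forces TLS, and x509/name
    # validates the server certificate and checks its name against
    # the permitted peers.
    StreamDriver="gtls"
    StreamDriverMode="1"
    StreamDriverAuthMode="x509/name"
    StreamDriverPermittedPeers="*.loglark.io"
    streamDriver.CAFile="/etc/rsyslog.cacert.pem"
    # Retry a failed action up to 100 times, holding up to 10000
    # messages in an in-memory queue meanwhile.
    action.resumeRetryCount="100"
    queue.type="linkedList"
    queue.size="10000"
)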
Ensure that rsyslog supports encryption
On Debian-based distributions, ensure that the rsyslog-gnutls package is installed:
sudo apt install rsyslog-gnutls
On Red Hat derivatives:
sudo yum install rsyslog-gnutls
Restart rsyslog
sudo service rsyslog restart
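A lint for the forwarding snippet above, added here as an example (it is not Loglark's or rsyslog's own tooling): it checks that the placeholder port was replaced and that the TLS settings were not weakened. The function names, the temporary sample files and port 6514 are constructed for the illustration.

```sh
# Lint for the omfwd action above: fails when a setting that keeps the
# forwarder encrypted and authenticated is missing or weakened.

# param FILE NAME: print the quoted value of action parameter NAME
# (rsyslog parameter names are case-insensitive; comment lines are skipped).
param() {
    grep -v '^[[:space:]]*#' "$1" |
        grep -i -o -E "(^|[[:space:](])$2=\"[^\"]*\"" | head -n 1 |
        sed -E 's/^[^"]*"([^"]*)"$/\1/'
}

# check_loglark_fwd FILE: one FAIL line per problem, exit status 0 if none.
check_loglark_fwd() {
    conf=$1; rc=0
    fail() { echo "FAIL: $*"; rc=1; }
    port=$(param "$conf" port)
    case $port in
        ''|*[!0-9]*) fail "port is '$port', replace XXXX with the topic's port" ;;
    esac
    [ "$(param "$conf" StreamDriver)" = gtls ] || fail "StreamDriver is not gtls"
    [ "$(param "$conf" StreamDriverMode)" = 1 ] ||
        fail "StreamDriverMode is not 1, TLS is not enforced"
    [ "$(param "$conf" StreamDriverAuthMode)" = x509/name ] ||
        fail "StreamDriverAuthMode is not x509/name, peer name is not verified"
    [ -n "$(param "$conf" StreamDriverPermittedPeers)" ] ||
        fail "StreamDriverPermittedPeers is empty"
    [ -n "$(param "$conf" 'streamDriver\.CAFile')" ] || fail "streamDriver.CAFile is not set"
    return "$rc"
}

# Constructed samples: the page's snippet with a made-up port (6514), and a
# weakened copy (placeholder port, TLS off, anonymous peer).
tmp=$(mktemp -d); good="$tmp/good.conf"; bad="$tmp/bad.conf"
cat > "$good" <<'EOF'
*.* action(
  type="omfwd"
  target="feeder.loglark.io"
  port="6514"
  protocol="tcp"
  StreamDriver="gtls"
  StreamDriverMode="1"
  StreamDriverAuthMode="x509/name"
  StreamDriverPermittedPeers="*.loglark.io"
  streamDriver.CAFile="/etc/rsyslog.cacert.pem"
)
EOF
sed -e 's/"6514"/"XXXX"/' -e 's/Mode="1"/Mode="0"/' -e 's|x509/name|anon|' "$good" > "$bad"
check_loglark_fwd "$good" && echo "good.conf: OK"
check_loglark_fwd "$bad" || echo "bad.conf: rejected"
```

Point check_loglark_fwd at the file you actually installed before restarting; `rsyslogd -N1` additionally validates the syntax of the whole configuration.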