--- title: Rsyslog description: Configure Rsyslog to gather logs from your host, containers, & services. breadcrumbs: Docs > Integrations > rsyslog --- # rsyslog Supported OS ## Overview{% #overview %} Configure Rsyslog to gather logs from your host, containers, and services. ## Setup{% #setup %} ### Log collection{% #log-collection %} {% alert level="info" %} From [version 8.1.5](https://www.rsyslog.com/doc/configuration/modules/imfile.html#mode) Rsyslog recommends `inotify` mode. Traditionally, `imfile` used polling mode, which is much more resource-intense (and slower) than `inotify` mode. {% /alert %} 1. Activate the `imfile` module to monitor specific log files. To add the `imfile` module, add the following to your `rsyslog.conf`: ```gdscript3 module(load="imfile" PollingInterval="10") #needs to be done just once ``` 1. Create an `/etc/rsyslog.d/datadog.conf` file. 1. In `/etc/rsyslog.d/datadog.conf`, add the following configuration. Replace `` with **{% user-datadog-site /%}** and `` with your Datadog API key. You must include a separate `input` line for each log file you want to monitor: ```gdscript3 ## For each file to send input(type="imfile" ruleset="infiles" Tag="" File="") ## Set the Datadog Format to send the logs template(name="test_template" type="list") { constant(value="{") property(name="msg" outname="message" format="jsonfr") constant(value="}")} # include the omhttp module module(load="omhttp") ruleset(name="infiles") { action(type="omhttp" server="http-intake.logs." serverport="443" restpath="api/v2/logs" template="test_template" httpheaders=["DD-API-KEY: ", "Content-Type: application/json"]) } ``` 1. Restart Rsyslog. Your new logs are forwarded directly to your Datadog account. ```shell sudo systemctl restart rsyslog ``` 1. Associate your logs with the host metrics and tags. To make sure that your logs are associated with the metrics and tags from the same host in your Datadog account, set the `HOSTNAME` in your `rsyslog.conf` to match the hostname of your Datadog metrics. - If you specified a hostname in `datadog.conf` or `datadog.yaml`, replace the `%HOSTNAME%` value in `rsyslog.conf` to match your hostname. - If you did not specify a hostname in `datadog.conf` or `datadog.yaml`, you do not need to change anything. 1. To get the best use out of your logs in Datadog, set a source for the logs. - If you [forward your logs to the Datadog Agent](https://docs.datadoghq.com/help/), you can set the source in the Agent configuration file. - If you're not forwarding your logs to the Datadog Agent, create a distinct configuration file for each source in `/etc/rsyslog.d/`. To set the source, use the following format (if you have several sources, change the name of the format in each file): ``` $template DatadogFormat," <%pri%>%protocol-version% %timestamp:::date-rfc3339% %HOSTNAME% %app-name% - - [metas ddsource=\"\"] %msg%\n" ``` You can add custom tags with the `ddtags` attribute: ``` $template DatadogFormat," <%pri%>%protocol-version% %timestamp:::date-rfc3339% %HOSTNAME% %app-name% - - [metas ddsource=\"\" ddtags=\"env:dev,\"] %msg%\n" ``` 1. (Optional) Datadog cuts inactive connections after a period of inactivity. Some versions of Rsyslog are not able to reconnect when necessary. To mitigate this issue, use time markers so the connection never stops: 1. Add the following lines to your Rsyslog configuration file: ``` $ModLoad immark $MarkMessagePeriod 20 ``` 1. Restart the Rsyslog service: ```shell sudo systemctl restart rsyslog ``` ## Troubleshooting{% #troubleshooting %} Need help? Contact [Datadog support](https://docs.datadoghq.com/help/). ## Further Reading{% #further-reading %} - [Using Rsyslog to send logs to Datadog](https://www.datadoghq.com/architecture/using-rsyslog-to-send-logs-to-datadog/) - [Log Collection and Integrations](https://docs.datadoghq.com/logs/log_collection/?tab=host#logging-endpoints) - [Log Management Data Security](https://docs.datadoghq.com/data_security/logs/)