Send data via Syslog to your Logstash instance provided by


Ship logs using syslog to logstash

Step 1 - Download SSL Certificate

Download file and place in /etc/rsyslog.d/keys/ca.d/ or another directory

sudo mkdir -p /etc/rsyslog.d/keys/ca.d
sudo curl -o /etc/rsyslog.d/keys/ca.d/

rsyslog trusts these root CA keys to validate the key presented by, preventing man-in-the-middle attacks.

Step 2 - RSyslog

On many distros (including CentOS, Fedora, Debian, and Ubuntu), also install the rsyslog-gnutls package.

$DefaultNetstreamDriverCAFile /etc/rsyslog.d/keys/ca.d/

$ActionSendStreamDriver gtls
$ActionSendStreamDriverMode 1
$ActionSendStreamDriverAuthMode x509/name
$ActionSendStreamDriverPermittedPeer *

*.* @@your-logstash-host:your-port


  • If possible, run the latest minor versions of rsyslog v7 or v8. There are many TLS bugs in past versions.
  • Ensure you have @@, not a single @, in front of the host. This is so TCP is used.

Step 3 - Restart

Restart rsyslog so it detects the TLS-over-TCP destination:

sudo /etc/init.d/rsyslog restart

Step 4 - Troubleshooting

could not load module '/usr/lib/rsyslog/',
rsyslog error -2078 [try ]


could not load module '/usr/lib/rsyslog/', 
dlopen: /usr/lib/rsyslog/ cannot open shared object file: No such file or directory
[try ]

First, make sure that module actually exists by running ls against the path in the error, such as:

ls -la /usr/lib/rsyslog/

If it doesn’t exist, install the related package (often called rsyslog-gnutls) or, if you compiled rsyslog from source, compile the module.

sudo apt-get install rsyslog-gnutls

Second, ensure that the user that runs rsyslog has permission to read’s public key (in the instructions above, /etc/rsyslog.d/keys/ca.d/). On many distributions, rsyslog starts as root and then drops to a user. In that case, run: chmod 644 /etc/rsyslog.d/keys/ca.d/ to let all users read the key file.

Finally, this may appear if you are using $ModLoad lmnsd_gtls to explicitly load the TLS module, and that configuration option occurs before $DefaultNetstreamDriverCAFile has been defined. Explicitly loading the module is rarely required and the configuration above does not use it. We recommend removing the $ModLoad lmnsd_gtls option and relying on autoloading. If lmnsd_gtls does need to be loaded explicitly, for example because it is in a non-default location, move the $DefaultNetstreamDriverCAFile config line above the $ModLoad line.
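
The checks from Steps 1 and 2 and the troubleshooting notes above can be scripted and run before restarting rsyslog. This is an added example, not part of the original guide; the function name check_rsyslog_tls, the finding labels, the temporary file names and the host logs.example.test are assumptions made for illustration.

```sh
#!/bin/sh
# Added example: lint an rsyslog config for the TLS forwarding mistakes this
# guide covers. Prints one finding per line; no output means all checks passed.
check_rsyslog_tls() {
    conf=$1
    # Line numbers of the two directives whose relative order matters.
    ca_line=$(grep -n '^[[:space:]]*\$DefaultNetstreamDriverCAFile' "$conf" | head -n 1 | cut -d: -f1)
    mod_line=$(grep -n '^[[:space:]]*\$ModLoad[[:space:]][[:space:]]*lmnsd_gtls' "$conf" | head -n 1 | cut -d: -f1)
    ca_file=$(sed -n 's/^[[:space:]]*\$DefaultNetstreamDriverCAFile[[:space:]]*//p' "$conf" | head -n 1)
    # The CA file must exist and be world-readable (mode 644 in this guide),
    # because rsyslog often starts as root and then drops to another user.
    if [ -z "$ca_line" ]; then
        echo "ca-missing: \$DefaultNetstreamDriverCAFile is not set"
    elif [ ! -f "$ca_file" ] || [ -z "$(find "$ca_file" -perm -004)" ]; then
        echo "ca-unreadable: $ca_file"
    fi
    # Without driver gtls and mode 1, the @@ action is plain, unencrypted TCP.
    grep -Eq '^[[:space:]]*\$ActionSendStreamDriver[[:space:]]+gtls' "$conf" ||
        echo "tls-driver: \$ActionSendStreamDriver gtls not set"
    grep -Eq '^[[:space:]]*\$ActionSendStreamDriverMode[[:space:]]+1' "$conf" ||
        echo "tls-mode: \$ActionSendStreamDriverMode 1 not set"
    grep -Eq '^[[:space:]]*\$ActionSendStreamDriverAuthMode[[:space:]]+x509/name' "$conf" ||
        echo "auth-mode: \$ActionSendStreamDriverAuthMode x509/name not set"
    # A single @ forwards over UDP, so the TLS settings never apply to it.
    grep -nE '^[^#]*[[:space:]]@[^@]' "$conf" | while IFS=: read -r n rest; do
        echo "udp-forward: line $n uses a single @"
    done
    # Explicit $ModLoad lmnsd_gtls must not come before the CA file directive.
    if [ -n "$mod_line" ] && { [ -z "$ca_line" ] || [ "$mod_line" -lt "$ca_line" ]; }; then
        echo "modload-order: \$ModLoad lmnsd_gtls (line $mod_line) precedes the CA file directive"
    fi
}

# Constructed sample (not a real deployment): early $ModLoad, no mode 1, UDP action.
demo=$(mktemp -d)
: > "$demo/ca.crt"; chmod 644 "$demo/ca.crt"
cat > "$demo/bad.conf" <<EOF
\$ModLoad lmnsd_gtls
\$DefaultNetstreamDriverCAFile $demo/ca.crt
\$ActionSendStreamDriver gtls
\$ActionSendStreamDriverAuthMode x509/name
*.* @logs.example.test:6514
EOF
check_rsyslog_tls "$demo/bad.conf"
rm -rf "$demo"
```

Point the function at the file that holds the directives from Step 2; an empty result means the file passed every check.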
