On one VM I have this in /etc/rsyslog.d/50-default.conf

*.* @

#  Default rules for rsyslog.

On the vm with fluentd I have this:

I have this in /etc/td-agent/td-agent.conf

<source>
  type syslog
  port 42185
  tag  rsyslog
</source>

<match rsyslog.**>
  type copy
  <store>
    # for debug (see /var/log/td-agent.log)
    type stdout
  </store>
  <store>
    type elasticsearch
    logstash_format true
    flush_interval 10s # for testing.
  </store>
</match>

But nothing seems to be getting sent to the remote machine, as I look in /var/log/td-agent.log and I see

2014-08-08 10:51:10 -0700 [info]: adding source type="syslog"
2014-08-08 10:51:10 -0700 [info]: adding source type="forward"
2014-08-08 10:51:10 -0700 [info]: adding source type="http"
2014-08-08 10:51:10 -0700 [info]: adding source type="debug_agent"
2014-08-08 10:51:10 -0700 [info]: adding match pattern="td.*.*" type="tdlog"
2014-08-08 10:51:10 -0700 [info]: adding match pattern="debug.**" type="stdout"
2014-08-08 10:51:10 -0700 [info]: adding match pattern="rsyslog.**" type="copy"
2014-08-08 10:51:10 -0700 [info]: listening fluent socket on
2014-08-08 10:51:10 -0700 [info]: listening dRuby uri="druby://" object="Engine"

I don't know why the logs aren't being sent, and I don't see how to tell if there is something going wrong with rsyslog and it just isn't sending the files.

  • Have you tried using tcpdump to see whether the traffic is being received on the remote machine? – Andrew Aug 09 '14 at 18:19

If I'm not mistaken, rsyslog forwards logs over TCP (in the config file, this is listed as "for reliability"), but Fluentd's listener defaults to listening on UDP. This change to your Fluentd config should allow you to receive the logs on TCP:

<source>
  type syslog
  port 42185
  protocol_type tcp
  tag  rsyslog
</source>

I would check with tcpdump whether the traffic is being received on the agent if you're still not receiving logs after making this change:

tcpdump -i any port 42185

This should also indicate whether TCP or UDP is being received (only specifying port, and not tcp or udp as well).

EDIT: in addition to this, make sure your rsyslog config is correct: all examples I've seen and used have a double @@ in the forward rule:

*.* @@


  • Thank you, I got it working. I forgot that tcpdump will also consume the packets, so I wasted some time on that. I think the protocol_type was the final piece missing. – James Black Aug 11 '14 at 17:21
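
A config check for the transport mismatch discussed in this thread, as an added example that is not part of the original posts. It relies on rsyslog's forwarding syntax (a single @ sends over UDP, a double @@ over TCP) and on Fluentd's syslog input defaulting to UDP on port 5140; the function names are hypothetical and the sample configs, including the documentation address 192.0.2.10, are constructed.

```python
import re

# rsyslog forwarding action: "@host[:port]" is UDP, "@@host[:port]" is TCP.
FORWARD_RE = re.compile(r"^\s*(\S+)\s+(@{1,2})([^\s:@]+)(?::(\d+))?\s*$")

def rsyslog_forwards(conf):
    """Return (selector, proto, host, port) for each forwarding rule."""
    rules = []
    for line in conf.splitlines():
        m = FORWARD_RE.match(line.split("#", 1)[0])  # ignore comments
        if m:
            proto = "tcp" if m.group(2) == "@@" else "udp"
            rules.append((m.group(1), proto, m.group(3), int(m.group(4) or 514)))
    return rules

def fluentd_syslog_sources(conf):
    """Return (proto, port) for each <source> block whose type is syslog."""
    sources = []
    for body in re.findall(r"<source>(.*?)</source>", conf, re.S):
        opts = {}
        for line in body.splitlines():
            parts = line.split("#", 1)[0].split(None, 1)
            if len(parts) == 2:
                opts[parts[0]] = parts[1].strip()
        if opts.get("type", opts.get("@type")) == "syslog":
            # in_syslog listens on UDP port 5140 unless told otherwise
            sources.append((opts.get("protocol_type", "udp"), int(opts.get("port", 5140))))
    return sources

def transport_mismatches(rsyslog_conf, fluentd_conf):
    """Describe every forward rule that no syslog source can receive."""
    sources = fluentd_syslog_sources(fluentd_conf)
    problems = []
    for selector, proto, host, port in rsyslog_forwards(rsyslog_conf):
        if (proto, port) not in sources:
            problems.append(f"{selector} -> {host}:{port}/{proto} has no listener; sources: {sources}")
    return problems

# Constructed sample configs; 192.0.2.10 is a placeholder, not a value from the page.
RSYSLOG_UDP = "*.* @192.0.2.10:42185\n"
RSYSLOG_TCP = "*.* @@192.0.2.10:42185\n"
FLUENTD_DEFAULT = "<source>\n  type syslog\n  port 42185\n  tag rsyslog\n</source>\n"
FLUENTD_TCP = FLUENTD_DEFAULT.replace("tag rsyslog", "protocol_type tcp\n  tag rsyslog")

if __name__ == "__main__":
    for r in (RSYSLOG_UDP, RSYSLOG_TCP):
        for f in (FLUENTD_DEFAULT, FLUENTD_TCP):
            print(r.strip(), "|", fluentd_syslog_sources(f), "|", transport_mismatches(r, f) or "ok")
```

A silent mismatch like this leaves a gap in central log collection, so it is worth running such a check whenever either side's config changes.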