How to Forward Logs to OpenSearch Clusters

OpenSearch is an open-source search and analytics suite that serves as a centralized location for managing logs forwarded from other resources, such as databases and Droplets.

You can forward logs to your Managed OpenSearch cluster to view them in the OpenSearch Dashboard in the control panel. The DigitalOcean API natively supports forwarding logs from other Managed Database clusters. You can also forward logs from Droplets by following some additional steps.

Forward Logs from Managed Database Clusters

To forward logs from managed database clusters, you need to create a log sink using the DigitalOcean API.

How to Create a Log Sink Using the DigitalOcean API
  1. Create a personal access token and save it for use with the API.

  2. Send a POST request to https://api.digitalocean.com/v2/databases/{database_cluster_uuid}/logsink

    Using cURL:

        curl -X POST \
          -H "Content-Type: application/json" \
          -H "Authorization: Bearer $DIGITALOCEAN_TOKEN" \
          -d '{"sink_name": "logsink", "sink_type": "rsyslog", "config": {"server": "192.168.10.1", "port": 514, "tls": false, "format": "rfc5424"}}' \
          "https://api.digitalocean.com/v2/databases/9cc10173-e9ea-4176-9dbc-a4cee4c4ff30/logsink"


Forward Logs from a Droplet

To forward logs from Droplets, you need to set up and configure rsyslog on the Droplet you want to forward logs from. You can do so by provisioning the Droplet with the following userdata script:

    
        
            
curl -X POST \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer $DIGITALOCEAN_TOKEN" \
  -d '{
  "name": "example.com",
  "region": "nyc3",
  "size": "s-1vcpu-1gb",
  "image": "ubuntu-20-04-x64",
  "ssh_keys": [
    289794,
    "3b:16:e4:bf:8b:00:8b:b8:59:8c:a9:d3:f0:19:fa:45"
  ],
  "backups": true,
  "ipv6": true,
  "monitoring": true,
  "user_data": "#!/bin/bash\nsudo systemctl start rsyslog\nsudo systemctl enable rsyslog\nsudo cat << \"EOF\" > /etc/rsyslog.conf\nmodule(load=\"imuxsock\")\nmodule(load=\"imudp\")\ninput(type=\"imudp\" port=\"514\")\nmodule(load=\"imtcp\")\ninput(type=\"imtcp\" port=\"514\")\n$template DynamicFile,\"/var/log/remotelogs/%HOSTNAME%-%$YEAR%-%$MONTH%-%$DAY%.log\"\n*.* ?DynamicFile\nmodule(load=\"imklog\" permitnonkernelfacility=\"on\")\n$RepeatedMsgReduction on\n$FileOwner syslog\n$FileGroup syslog\n$FileCreateMode 0640\n$DirCreateMode 0755\n$Umask 0022\n$PrivDropToUser syslog\n$PrivDropToGroup syslog\n$WorkDirectory /var/spool/rsyslog\n$IncludeConfig /etc/rsyslog.d/*.conf\nEOF\nsudo systemctl restart rsyslog"}' "https://api.digitalocean.com/v2/droplets"

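The `user_data` value in the request above is a shell script escaped by hand into a JSON string, where one missed quote or newline breaks the bootstrap. The following added example (not part of the original page) generates the same request body from a readable config with `json.dumps`; the helper names `build_user_data` and `build_droplet_request` are hypothetical, and the embedded config is a shortened, constructed version of the page's `/etc/rsyslog.conf`.

```python
import json

# Constructed sample: a shortened form of the page's /etc/rsyslog.conf (TCP listener only).
RSYSLOG_CONF = """\
module(load="imuxsock")
module(load="imtcp")
input(type="imtcp" port="514")
$template DynamicFile,"/var/log/remotelogs/%HOSTNAME%-%$YEAR%-%$MONTH%-%$DAY%.log"
*.* ?DynamicFile
$FileOwner syslog
$FileGroup syslog
$FileCreateMode 0640
$PrivDropToUser syslog
$PrivDropToGroup syslog
$WorkDirectory /var/spool/rsyslog
$IncludeConfig /etc/rsyslog.d/*.conf
"""


def build_user_data(conf: str, marker: str = "EOF") -> str:
    """Wrap an rsyslog.conf in the bootstrap script the page embeds (hypothetical helper)."""
    # A config line equal to the marker would end the heredoc early, and the
    # remaining config lines would then run as shell commands, so refuse it.
    if any(line.strip() == marker for line in conf.splitlines()):
        raise ValueError(f"config contains the heredoc marker {marker!r}")
    if not conf.endswith("\n"):
        conf += "\n"
    return (
        "#!/bin/bash\n"
        "sudo systemctl start rsyslog\n"
        "sudo systemctl enable rsyslog\n"
        # The marker is quoted so the shell does not expand $template or %$YEAR%.
        f'sudo cat << "{marker}" > /etc/rsyslog.conf\n'
        f"{conf}{marker}\n"
        "sudo systemctl restart rsyslog\n"
    )


def build_droplet_request(name: str, region: str, size: str, image: str, conf: str) -> str:
    """Return the JSON body for POST /v2/droplets, with user_data escaped by json.dumps."""
    body = {"name": name, "region": region, "size": size, "image": image,
            "monitoring": True, "user_data": build_user_data(conf)}
    return json.dumps(body)


if __name__ == "__main__":
    # Save the output to a file and send it with: curl ... --data-binary @droplet.json
    print(build_droplet_request("example.com", "nyc3", "s-1vcpu-1gb", "ubuntu-20-04-x64", RSYSLOG_CONF))
```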
        
    
How do I set up Rsyslog on a Droplet manually?

To set up and configure Rsyslog on a Droplet manually, use the following commands:

First, SSH into the provisioned Droplet:

    
        
            
ssh -i ~/.ssh/example_ssh_key [email protected]

        
    

After you log in, start and enable Rsyslog:

    
        
            
sudo systemctl start rsyslog
sudo systemctl enable rsyslog

        
    

Copy the following into /etc/rsyslog.conf:

    
        
            
# For more information install rsyslog-doc and see
# /usr/share/doc/rsyslog-doc/html/configuration/index.html
#
# You can find default logging rules in /etc/rsyslog.d/50-default.conf


#################
#### MODULES ####
#################

module(load="imuxsock") # provides support for local system logging
#module(load="immark")  # provides --MARK-- message capability

# Provides UDP syslog reception
module(load="imudp")
input(type="imudp" port="514")

# Provides TCP syslog reception
module(load="imtcp")
input(type="imtcp" port="514")

$template DynamicFile,"/var/log/remotelogs/%HOSTNAME%-%$YEAR%-%$MONTH%-%$DAY%.log"
*.* ?DynamicFile

if $programname == "sshd" then stop

# Provides kernel logging support and enable non-kernel klog messages
module(load="imklog" permitnonkernelfacility="on")

###########################
#### GLOBAL DIRECTIVES ####
###########################

# Filter duplicated messages
$RepeatedMsgReduction on

#
# Set the default permissions for all log files.
#
$FileOwner syslog
$FileGroup syslog
$FileCreateMode 0640
$DirCreateMode 0755
$Umask 0022
$PrivDropToUser syslog
$PrivDropToGroup syslog

#
# Where to place spool and state files
#
$WorkDirectory /var/spool/rsyslog

#
# Include all config files in /etc/rsyslog.d/
#
$IncludeConfig /etc/rsyslog.d/*.conf

        
    

Then, restart Rsyslog and check its status:

    
        
            
sudo systemctl restart rsyslog
sudo systemctl status rsyslog

        
    

Create the log forwarding integration by sending a POST request to /v2/databases/$DATABASE_ID/logsink:

    
        
            
curl -X POST \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer $DIGITALOCEAN_TOKEN" \
  -d '{"sink_name": "example", "sink_type": "rsyslog", "config": {"server": "192.168.1.1", "port": 514, "tls": false, "format": "rfc5424"}}' \
  "https://api.digitalocean.com/v2/databases/$DATABASE_ID/logsink"

        
    

Lastly, check the logs on the Droplet through the SSH session:

    
        
            
tail -f /var/log/remotelogs/<db-name>-<year>-<month>-<day>.log