Robust Methods for Forwarding Application Logs to Remote Syslog Without Root Access


In production environments without root access, forwarding application logs to a centralized syslog server requires careful consideration of performance, reliability, and resource usage. The main constraints are:

  • No syslog daemon reconfiguration privileges
  • Potential high log volume (thousands of lines per second)
  • Need for continuous operation without supervision

1. Using rsyslog's imfile Module

Even without root access, you can configure a user-level rsyslog instance:


# Create a user-writable work directory; imfile keeps its state file there
# (the default /var/lib/rsyslog is not writable without root)
mkdir -p ~/.rsyslog.d
cat > ~/.rsyslog.conf << 'EOF'
# rsyslog does not expand ~ : replace /home/appuser with your home directory
$WorkDirectory /home/appuser/.rsyslog.d
$ModLoad imfile
$InputFileName /path/to/application.log
$InputFileTag app1:
$InputFileStateFile app1-state
$InputRunFileMonitor

# RFC 3164 layout <PRI>TIMESTAMP HOSTNAME TAG MSG (%syslogtag% already ends in ":")
$template RemoteTemplate,"<%PRI%>%TIMESTAMP% %HOSTNAME% %syslogtag%%msg%"
# "@" sends over UDP, "@@" over TCP
*.* @remote-syslog.example.com:514;RemoteTemplate
EOF

# Run in the foreground (-n) as the unprivileged user, with a user-owned pid file
rsyslogd -f ~/.rsyslog.conf -n -i ~/.rsyslog.pid

2. Filebeat with Syslog Output via Logstash

Elastic's Filebeat offers excellent performance characteristics, but it has no syslog output of its own (its outputs are Elasticsearch, Logstash, Kafka, Redis, file and console). The usual pattern is to ship to Logstash and let Logstash's syslog output plugin forward to the remote syslog server:


# filebeat.yml example
filebeat.inputs:
- type: filestream      # the older "log" input is deprecated
  id: app-logs          # filestream inputs need a unique id
  paths:
    - /var/log/app/*.log
  fields:
    tag: filebeat       # carried along for the syslog output on the Logstash side

# Filebeat cannot speak syslog directly; Logstash forwards to the syslog server
output.logstash:
  hosts: ["logstash.example.com:5044"]

3. syslog-ng in User Mode

syslog-ng's advanced filtering capabilities work well without privileges:


# ~/syslog-ng.conf. Start it without privileges, keeping every state file in $HOME:
#   syslog-ng -F --no-caps -f ~/syslog-ng.conf -R ~/syslog-ng.persist \
#             -p ~/syslog-ng.pid -c ~/syslog-ng.ctl
@version: 3.35
source s_files {
    file("/path/to/app.log" follow-freq(1) flags(no-parse));
};

destination d_remote {
    syslog("remote-syslog.example.com" transport("udp") port(514));
};

log {
    source(s_files);
    destination(d_remote);
};

For high-volume environments:

  • Batch log lines before transmission (100-1000 lines)
  • Use UDP instead of TCP when possible (verify network reliability first)
  • Implement log rotation monitoring to handle file rotations
  • Consider buffer sizing (memory vs. disk persistence tradeoffs)
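As an added example (not code from this page or from any of the tools above), a minimal Python forwarder that produces the same <PRI>TIMESTAMP HOSTNAME TAG MSG frame as the rsyslog template in section 1, truncates to the 1024-byte RFC 3164 packet limit, and survives logrotate by reopening the file when its inode changes, which is the rotation monitoring the list above calls for. The log path, server and tag passed to forward() are placeholders.

```python
import os
import socket
import time
from datetime import datetime

def calc_pri(facility: int, severity: int) -> int:
    # PRI = facility * 8 + severity (RFC 3164 section 4.1.1); 14 = user.info
    if not (0 <= facility <= 23 and 0 <= severity <= 7):
        raise ValueError("facility must be 0-23, severity 0-7")
    return facility * 8 + severity

def format_rfc3164(msg: str, hostname: str, tag: str, facility: int = 1,
                   severity: int = 6, when=None, max_len: int = 1024) -> bytes:
    # Same shape as the rsyslog template: <PRI>TIMESTAMP HOSTNAME TAG: MSG.
    # RFC 3164 caps a packet at 1024 bytes, so truncate deliberately here.
    when = when or datetime.now()
    ts = when.strftime("%b ") + f"{when.day:2d}" + when.strftime(" %H:%M:%S")
    frame = f"<{calc_pri(facility, severity)}>{ts} {hostname} {tag}: {msg}"
    return frame.encode("utf-8", "replace")[:max_len]

def follow(path: str, poll: float = 1.0, start_at_end: bool = True):
    # Yield complete lines as they are appended; reopen when the inode
    # changes (logrotate moved the file) or the file shrinks (truncation).
    fh = open(path, "rb")
    inode = os.fstat(fh.fileno()).st_ino
    fh.seek(0, os.SEEK_END if start_at_end else os.SEEK_SET)
    while True:
        line = fh.readline()
        if line.endswith(b"\n"):
            yield line[:-1].decode("utf-8", "replace")
            continue
        fh.seek(-len(line), os.SEEK_CUR)  # partial line: wait for the rest
        try:
            st = os.stat(path)
        except FileNotFoundError:  # window between rotate and recreate
            time.sleep(poll)
            continue
        if st.st_ino != inode or st.st_size < fh.tell():
            fh.close()
            fh = open(path, "rb")
            inode = os.fstat(fh.fileno()).st_ino
        else:
            time.sleep(poll)

def forward(path: str, host: str, port: int = 514, tag: str = "app1") -> None:
    # A UDP client socket needs no privileges, only reachability of the server
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    hostname = socket.gethostname()
    for line in follow(path):
        sock.sendto(format_rfc3164(line, hostname, tag), (host, port))
```

Run it with something like forward("/path/to/application.log", "remote-syslog.example.com"); nothing here batches or encrypts, so for a production link prefer the TLS-capable tools above.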

Essential metrics to track:


# Sample monitoring command for Filebeat. The registry is not the event queue,
# it records file offsets; adjust the path to your filebeat.registry.path
# (defaults to data/registry under the Filebeat data directory)
watch -n 30 'filebeat test output && \
echo "Registry size: $(du -sh ~/filebeat/data/registry | cut -f1)" && \
echo "UDP sockets on 514: $(ss -anu | grep -c ":514 ")"'

When network connectivity issues occur:

  1. Local buffering with disk-based queues
  2. Compression during retransmission attempts
  3. Alerting thresholds for backlog size

When dealing with multiple applications generating their own log files in plain text format, the need for centralized logging becomes critical. However, traditional syslog forwarding solutions often require root access or syslog reconfiguration - privileges that aren't always available in locked-down production environments.

Native syslog facilities like rsyslog or syslog-ng typically need:

  • Root access to modify configuration files in /etc/
  • System service restarts
  • Potential application changes to write directly to syslog

Here are three production-ready solutions that operate without root privileges:

1. Filebeat (Elastic Stack)

Elastic's Filebeat is purpose-built for log forwarding with minimal resource usage:


# Example filebeat.yml configuration
filebeat.inputs:
- type: filestream
  id: app-logs          # filestream inputs need a unique id
  enabled: true
  paths:
    - /var/log/app/*.log
  fields:
    app: my_application
    environment: production

output.logstash:
  hosts: ["logstash.example.com:5044"]

2. Vector (Timber.io)

Vector provides high-performance log collection with Rust-based efficiency:


[sources.app_logs]
type = "file"
include = ["/path/to/app/*.log"]
ignore_older_secs = 86400

[transforms.parse_logs]
type = "remap"
inputs = ["app_logs"]
source = '''
  # Merge fields when the line is JSON; plain-text lines pass through untouched
  # (parse_json! would abort and drop every non-JSON event)
  parsed = parse_json(string!(.message)) ?? {}
  . = merge(., object(parsed) ?? {})
'''

[sinks.remote_syslog]
type = "socket"
inputs = ["parse_logs"]
mode = "tcp"
address = "syslog.example.com:514"
encoding.codec = "syslog"

3. Fluent Bit

A lightweight option perfect for containerized environments:


[INPUT]
    Name              tail
    Path              /var/log/app/*.log
    Tag               app.*
    Mem_Buf_Limit     5MB
    Skip_Long_Lines   On

[OUTPUT]
    Name              syslog
    Match             app.*
    Host              syslog.example.com
    Port              514
    Mode              tcp
    Syslog_Format     rfc3164
    # tail stores each line under "log"; without this key the whole record is sent as JSON
    Syslog_Message_Key log

When dealing with massive log volumes:

  • Configure appropriate batching (5-10 seconds typically optimal)
  • Set memory buffers to handle spikes (10-100MB depending on traffic)
  • Consider log rotation policies to prevent file handle exhaustion

Even without root access, ensure:

  • Log files have proper read permissions for the forwarding process
  • Network communication is encrypted (TLS where possible; the plain UDP and TCP examples above send log content, and anything sensitive in it, in clear text)
  • Sensitive data is redacted at source when needed

Implement health checks for your log forwarding processes:


#!/bin/sh
# Sample monitoring script for Filebeat (run from cron). The pattern must match
# the command line actually used to start Filebeat, here "filebeat -c <config>".
if ! pgrep -f "filebeat -c" > /dev/null; then
    echo "Filebeat not running!" | mail -s "Log Alert" admin@example.com
fi