rsyslog/rsyslog-collector

Overview

The rsyslog-collector container image extends the standard rsyslog/rsyslog base with modules for centralised log aggregation. It is preconfigured to receive logs via UDP, TCP, and optionally RELP, and can forward them to storage backends or files.

This image is the recommended starting point for building a log collector or relay service.

Note

  • UDP (514/udp) and TCP (514/tcp) are enabled by default.

  • RELP (2514/tcp) is available but disabled by default.

  • External deployments usually map RELP to 20514/tcp to avoid conflicts with the standard syslog port.

Environment Variables

Runtime behaviour can be tuned with the following variables:

ENABLE_UDP

Enable UDP syslog reception. Default on.

ENABLE_TCP

Enable TCP syslog reception. Default on.

ENABLE_RELP

Enable RELP syslog reception (internal port 2514/tcp). Default off.

WRITE_ALL_FILE

Write all messages to /var/log/all.log. Default on.

WRITE_JSON_FILE

Write JSON formatted messages to /var/log/all-json.log. Default on.

RSYSLOG_HOSTNAME

Hostname used inside rsyslog. Defaults to the value of /etc/hostname when unset.

PERMIT_UNCLEAN_START

Skip configuration validation when set. By default rsyslogd -N1 validates the configuration.

RSYSLOG_ROLE

Role name consumed by the entrypoint. Defaults to collector.

Port Mapping Reference

Protocol | Container Port | Example External | Controlled by
UDP Syslog | 514/udp | 514/udp | ENABLE_UDP
TCP Syslog | 514/tcp | 514/tcp | ENABLE_TCP
RELP | 2514/tcp | 20514/tcp | ENABLE_RELP

Example Deployment (docker-compose)

A minimal configuration using docker compose:

version: "3.9"

services:
  rsyslog-collector:
    image: rsyslog/rsyslog-collector:latest
    environment:
      ENABLE_UDP: "on"
      ENABLE_TCP: "on"
      ENABLE_RELP: "on"
    ports:
      - "514:514/udp"    # Syslog UDP
      - "514:514/tcp"    # Syslog TCP
      - "20514:2514/tcp" # RELP (external 20514 → internal 2514)
    volumes:
      - ./data:/var/log   # Optional: collect logs on host

Verifying the Container

To confirm that the collector is listening on the expected ports:

docker compose exec rsyslog-collector ss -tuln

This should show listeners on 514/udp, 514/tcp, and 2514/tcp when RELP is enabled.
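The manual check above can be turned into a pass/fail audit. The following is an added example, not code from the rsyslog project: it reads `ss -tuln` output and compares the listeners against the container ports in the port mapping reference. It assumes the literal value `on` enables a listener; the function name `check_listeners` and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the rsyslog project: audit `ss -tuln` output
# against the listeners implied by ENABLE_UDP / ENABLE_TCP / ENABLE_RELP.
# Assumption: the literal value "on" enables a listener; anything else disables it.

# check_listeners UDP TCP RELP   (reads `ss -tuln` output on stdin)
# Prints MISSING/UNEXPECTED lines and returns non-zero on any mismatch.
check_listeners() {
    awk -v udp="$1" -v tcp="$2" -v relp="$3" '
        $1 != "udp" && $1 != "tcp" { next }          # header and other rows
        # Loopback-only sockets (e.g. Docker embedded DNS on 127.0.0.11)
        # are not reachable from other hosts, so they are ignored.
        $5 ~ /^127\./ || $5 ~ /^\[::1\]/ { next }
        {
            n = split($5, part, ":")                 # port follows the last colon
            seen[$1 "/" part[n]] = 1
        }
        END {
            want["udp/514"]  = (udp  == "on")        # container ports from the
            want["tcp/514"]  = (tcp  == "on")        # port mapping reference
            want["tcp/2514"] = (relp == "on")
            for (k in want) {
                if (want[k] && !(k in seen)) { print "MISSING " k; bad = 1 }
                if (!want[k] && (k in seen)) { print "UNEXPECTED " k; bad = 1 }
            }
            # Any other non-loopback listener is outside the documented map.
            for (k in seen) if (!(k in want)) { print "UNEXPECTED " k; bad = 1 }
            exit bad + 0
        }'
}

# Constructed sample of `ss -tuln` output (not captured from a real container).
SAMPLE_SS='Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
udp   UNCONN 0      0      127.0.0.11:45123    0.0.0.0:*
udp   UNCONN 0      0      0.0.0.0:514         0.0.0.0:*
udp   UNCONN 0      0      [::]:514            [::]:*
tcp   LISTEN 0      25     127.0.0.11:39871    0.0.0.0:*
tcp   LISTEN 0      25     0.0.0.0:514         0.0.0.0:*
tcp   LISTEN 0      25     0.0.0.0:2514        0.0.0.0:*'

# RELP was meant to be off here, so the 2514/tcp listener is reported.
printf '%s\n' "$SAMPLE_SS" | check_listeners on on off ||
    echo "listener set does not match the configured ENABLE_* values"
```

Against a running container, pipe the real output in with `docker compose exec -T rsyslog-collector ss -tuln | check_listeners on on on`, passing the same values given to the container.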

Production Deployments

For a complete production deployment with dashboards, alerting, and log storage, see ROSI Collector. ROSI Collector builds on this container image to provide Grafana visualization, Loki log storage, and Prometheus metrics collection.


© 2008–2025 Rainer Gerhards and others. Licensed under the Apache License 2.0.