How to set up remote syslog from Unraid to Better Stack

20 December 2025

My Unraid server recently froze up. I could no longer SSH in, nor would the web UI load. The only signs of life were responses to ping. All I could do was reboot, which means losing access to logs as they’re stored in RAM. So, to allow me to analyze such a situation if it were to happen in the future, I started looking at my options.

Unraid provides a few in Settings → Syslog Server:

I chose a fourth option: remote syslog to a cloud service. This means logs are offloaded from the machine as quickly as possible, and I’m not risking bricking any flash media storage. I picked Better Stack because their free tier is adequate for me.

Step 1: Create a Better Stack Account

  1. Go to Better Stack and sign up for an account
  2. Navigate to Sources
  3. Click Connect source
  4. In the Platform section, select the Logs tab, and select RSyslog as the source type

You can now find setup instructions in the tailor-made quick start guide linked on the Data ingestion tab. Better Stack doesn’t know you’re using Unraid, so the setup instructions aren’t entirely correct. They’ll instruct you to install rsyslog-gnutls, but you don’t need to do that. They’ll also give you a tailor-made script for your config, which they want you to pipe into sh. Also don’t do that.

Scroll down a bit to find the syslog config under Manual RSyslog setup. You’ll need the UDP config.

Important note about unencrypted UDP

Unraid ships with rsyslog built in, but unfortunately it doesn’t support TLS. I’m still on Unraid 6.12.13, so this may have changed in later versions. Since Better Stack requires TLS when logging over TCP but not when logging over UDP, we’ll pick UDP. This means that logs are not encrypted in transit, and neither is the source token that the template in Step 2 embeds in every message. Whether this is acceptable is up to you.

If you absolutely need encryption, here are 2 alternatives. Each has its own drawbacks, though.

Alternative 1: Log over HTTPS

You can set up an infinitely looping script like so:

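#!/bin/bash
TOKEN="YOUR_TOKEN_HERE" # source_token in your Better Stack config
TARGET="YOUR_TARGET_HERE" # target in your Better Stack config

# IFS= and -r keep leading whitespace and backslashes in each log line intact
tail -F /var/log/syslog | while IFS= read -r line; do
  # Escape backslashes and double quotes so the line stays a valid JSON string
  line=${line//\\/\\\\}
  line=${line//\"/\\\"}
  curl -s -X POST "$TARGET" \
    -H "Authorization: Bearer $TOKEN" \
    -H "Content-Type: application/json" \
    -d "{\"message\": \"$line\"}" > /dev/null 2>&1
done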

Then either run it via User Scripts or kick it off by adding a line to /boot/config/go:

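# Invoke via bash so the script runs even if the flash drive is mounted without execute permission
nohup bash /boot/config/scripts/betterstack-http-logger.sh > /dev/null 2>&1 &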

This is rather fragile though. If the script crashes, the logs are lost until the next reboot. It also kicks off a new curl process for every log line.
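
As an added example (not part of the original post), here is a sturdier variant of that loop: it strips control characters and escapes each line before embedding it in JSON, because syslog text is partly chosen by whoever triggers the entry, gives curl a timeout, and restarts the pipeline if it exits. `json_escape`, `build_event`, `forward_logs` and `supervise` are names invented here; TOKEN and TARGET are the same placeholders as above.

```shell
#!/bin/sh
# Added example, not the author's script. Function names are illustrative.
TOKEN="YOUR_TOKEN_HERE"   # source_token in your Better Stack config
TARGET="YOUR_TARGET_HERE" # target in your Better Stack config
TAB=$(printf '\t')

# Make one log line safe to place inside a JSON string literal:
# drop control characters (except tab), then escape \ and " and tab.
json_escape() {
  printf '%s' "$1" \
    | tr -d '\000-\010\012-\037' \
    | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g' -e "s/$TAB/\\\\t/g"
}

# Wrap the escaped line in the {"message": ...} object the loop above sends.
build_event() {
  printf '{"message": "%s"}' "$(json_escape "$1")"
}

# Forward new lines only (-n 0), so a restart does not resend old ones.
forward_logs() {
  tail -n 0 -F /var/log/syslog | while IFS= read -r line; do
    curl -s --max-time 10 -X POST "$TARGET" \
      -H "Authorization: Bearer $TOKEN" \
      -H "Content-Type: application/json" \
      --data-binary "$(build_event "$line")" > /dev/null 2>&1
  done
}

# Restart the pipeline if tail or the loop ever exits.
supervise() {
  while true; do
    forward_logs
    sleep 5
  done
}

# Start forwarding only when invoked with the argument: run
if [ "${1:-}" = "run" ]; then
  supervise
fi
```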

Alternative 2: Dockerized log forwarder

You can use a Docker container like Vector to forward logs over encrypted TCP. Unraid logs to Vector, and Vector forwards to Better Stack. The drawback here is that it won’t capture logs if the Unraid array isn’t started, as that is a prerequisite for Docker on Unraid.

Step 2: Create the rsyslog configuration

SSH into your Unraid server and create the configuration file on your flash drive:

mkdir -p /boot/config/rsyslog.d
 
# Use the exact UDP config as provided by Better Stack:
cat > /boot/config/rsyslog.d/betterstack.conf << 'EOF'
template(name="LogtailFormat" type="list") {
  constant(value="<")
  property(name="pri")
  constant(value=">")
  constant(value="1")
  constant(value=" ")
  property(name="timestamp" dateFormat="rfc3339")
  constant(value=" ")
  property(name="hostname")
  constant(value=" ")
  property(name="app-name")
  constant(value=" ")
  property(name="procid")
  constant(value=" ")
  property(name="msgid")
  constant(value=" ")
  property(name="structured-data" regex.expression="[^-]" regex.nomatchmode="BLANK" regex.submatch="0")
  constant(value="[logtail@11993 source_token=\"YOUR_TOKEN_HERE\"]")
  constant(value=" ")
  property(name="msg" droplastlf="on")
}
 
action(
  type="omfwd"
  protocol="udp"
  target="YOUR_TARGET_HERE"
  port="6517"
  template="LogtailFormat"
  queue.spoolDirectory="/var/spool/rsyslog"
  queue.filename="logtail"
  queue.maxdiskspace="75m"
  queue.type="LinkedList"
  queue.saveonshutdown="on"
)
EOF

Step 3: Copy the rsyslog configuration on boot

The configuration needs to be in /etc/rsyslog.d/, but that is in RAM and gets wiped on reboot. We need to copy our config there on every boot.

Edit /boot/config/go and add these lines before the # Start the Management Utility line:

# Setup remote syslog to Better Stack
mkdir -p /var/spool/rsyslog
mkdir -p /etc/rsyslog.d
cp /boot/config/rsyslog.d/betterstack.conf /etc/rsyslog.d/betterstack.conf
/etc/rc.d/rc.rsyslogd restart

You can either reboot now or run the commands you added to /boot/config/go manually to apply the configuration.

This works because Unraid’s default rsyslog.conf (in /boot/config/rsyslog.conf and /etc/rsyslog.conf) has this line:

# Include all config files in /etc/rsyslog.d/
$IncludeConfig /etc/rsyslog.d/*.conf
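
An added example (not from the original post or from Better Stack) of a guarded version of the copy step: it refuses to install a snippet that still contains the placeholders, and removes the copy again if rsyslogd's config check fails. This matters with UDP because the sender gets no error when the token or target is wrong. `preflight`, `install_conf` and the `VALIDATE` override are names invented here; it assumes `rsyslogd -N1` passes on the unmodified Unraid config.

```shell
#!/bin/sh
# Added example: check the Better Stack snippet before installing it at boot.
# Call it from /boot/config/go with the argument: install
SRC=/boot/config/rsyslog.d/betterstack.conf
DST=/etc/rsyslog.d/betterstack.conf
# rsyslogd's built-in config check; overridable so the functions can be tested.
VALIDATE=${VALIDATE:-"rsyslogd -N1"}

# Return 0 only if the snippet looks filled in; print the reason otherwise.
preflight() {
  conf=$1
  [ -s "$conf" ] || { echo "missing or empty: $conf"; return 1; }
  if grep -Eq 'YOUR_(TOKEN|TARGET)_HERE' "$conf"; then
    echo "placeholder still present in $conf"; return 1
  fi
  grep -Eq 'source_token=\\"[^"\\]+\\"' "$conf" \
    || { echo "no source_token in template"; return 1; }
  grep -Eq '^[[:space:]]*target="[^"]+"' "$conf" \
    || { echo "no target in action"; return 1; }
}

# Copy the snippet into place, then let rsyslogd check the whole config.
install_conf() {
  src=$1
  dst=$2
  preflight "$src" || return 1
  mkdir -p "$(dirname "$dst")"
  cp "$src" "$dst"
  if ! $VALIDATE > /dev/null 2>&1; then
    rm -f "$dst" # roll back so a rejected snippet never reaches the restart
    echo "rsyslog rejected the config; snippet removed"; return 1
  fi
}

if [ "${1:-}" = "install" ]; then
  mkdir -p /var/spool/rsyslog
  install_conf "$SRC" "$DST" && /etc/rc.d/rc.rsyslogd restart
fi
```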

Step 4: Verify It’s Working

To verify it’s working, log a test message by running the following:

logger "Test message from Unraid to Better Stack"

Now go to your Better Stack dashboard → Logs & traces and select the source you created. You should see the test message appear within a few seconds.

If it doesn’t appear, you can:

  1. Check local rsyslog status:

    tail -f /var/log/syslog

  2. Verify the config was loaded:

    cat /etc/rsyslog.d/betterstack.conf

  3. Check if rsyslog is running:

    ps aux | grep rsyslog

Why not use Unraid’s web UI to set up remote syslog to Better Stack?

As mentioned above, Unraid has a “Remote syslog server” field in Settings → Syslog Server, but it has limitations:

  1. Hostname truncation: Long hostnames (like Better Stack’s) get truncated
  2. No authentication: The simple host:port format doesn’t support the source token that Better Stack requires
  3. No custom templates: Better Stack expects a specific log configuration with the token embedded

By creating our own rsyslog configuration we’re bypassing these limitations.

Thanks for reading

Now we wait and see whether my Unraid server freezes again. I hope this was helpful for you too. Let me know if you have any comments or questions on your micro-blogging platform of choice: Bluesky, Mastodon, or Twitter.
