
Onboarding LogZilla Cloud

This guide describes initial steps after a LogZilla Cloud instance has been provisioned. It covers first login, password update, configuring ingestion from a Linux host using syslog-ng over HTTPS, verification, and links to additional sources.

Prerequisites

  • Instance URL, username, and temporary password (from the provisioning email)
  • API ingest token (ingest-only token) for HTTPS event submission

First Login and Password Update

  1. Navigate to the instance URL provided in the onboarding email (if the hostname you requested was unavailable, the assigned hostname may differ slightly from it).
  2. Sign in using the provided username and temporary password.
  3. Open Settings and change the password:
     • Enter the current password.
     • Enter and confirm a new password.
     • Store the new password securely.

Ingest-Only Token

  • The provisioning email includes an API ingest token (prefixed with ingest-).
  • This token is used to authenticate HTTPS ingestion to /incoming.
  • Security: Treat the token like a password. Rotate it if compromised and update any senders.
  • More information about tokens can be found in the API documentation.

Set Up a Relay

A relay receives events from devices and applications (typically via syslog on UDP/TCP 514) and forwards them securely to LogZilla Cloud over HTTPS using the ingest-only token.

  • Devices and apps send syslog to the relay.
  • The relay transforms/encapsulates events as JSON and posts to https://YOUR-HOST.logzilla.cloud/incoming with header Authorization: token YOUR_GENERATED_TOKEN.
  • Common choices: syslog-ng or rsyslog. Either can run on an existing Linux host or a small VM/container.

Relay flow overview:

Relay flow: Devices/Apps (UDP/TCP 514) → Relay (syslog-ng or rsyslog) → LogZilla Cloud /incoming over HTTPS 443 with Authorization token

Network and security checklist:

  1. Allow device-to-relay syslog (UDP/TCP 514) as appropriate.
  2. Allow relay outbound HTTPS (TCP 443) to YOUR-HOST.logzilla.cloud.
  3. Protect the ingest-only token; rotate it if exposed and update the relay configuration.

The system logger must be configured to relay events to LogZilla Cloud. The installation steps depend on which system logger is in use. To determine which syslog daemon is currently in use, run the detection script (download and review it first if you prefer not to pipe remote scripts into a shell):

curl -s https://logzilla.sh/detect-syslog-env.sh | bash

Note: to receive logs from non-Linux devices, such as networking equipment, those devices must be configured to send logs in RFC 3164 or RFC 5424 syslog format to this Linux server (or to whichever host carries the system logger configuration described below).

User tags, as mentioned below, are a way to attach arbitrary metadata to events. They can be used in LogZilla for searching, filtering, dashboard widgets, and more. The system logger can be configured to add user tags to each log event it relays. This is useful when the metadata differs from one resource to the next and each event must be associated with the metadata of the resource it came from. You can learn more at Data Transformation / User Tags. This step is optional, so feel free to skip it if you don't want to add user tag metadata at this point.

Option A: syslog-ng relay (HTTPS to /incoming)

Add an HTTP destination to the syslog-ng configuration to send structured JSON to LogZilla Cloud.

  1. Create a dedicated configuration file on the Linux host: /etc/syslog-ng/conf.d/60-logzilla-cloud.conf
  2. Open it for editing, for example with sudo vi /etc/syslog-ng/conf.d/60-logzilla-cloud.conf (or sudo nano ...)
  3. Add a destination and a log path similar to the following. Replace placeholders before saving.
destination d_logzilla {
    http(
        url("https://YOUR-HOST.logzilla.cloud/incoming")
        method("POST")
        user-agent("syslog-ng User Agent")
        headers(
            "Content-Type: application/json",
            "Authorization: token YOUR_GENERATED_TOKEN"
        )
        body-prefix("{\"events\": [\n")
        delimiter(",\n")
        body('$(format-json
            --pair priority=int($PRI)
            --pair host="$HOST"
            --pair program="$PROGRAM"
            --pair message="$MESSAGE"
        )')
        body-suffix("\n]}")
        batch-lines(10000)
        batch-bytes(10485760)
        batch-timeout(500)
    );
};

log {
    source(s_src);
    destination(d_logzilla);
    flags(flow-control);
};

Note:

  • Ensure the source name exists. Some systems use src or a different default. If needed, define:
source s_src { system(); internal(); };
  • Batching: For low-volume environments, consider batch-lines(100), batch-bytes(262144), batch-timeout(1000) and tune as needed.

Adding custom user tags at the relay (optional):

You may attach arbitrary metadata as user tags directly from syslog-ng using additional --pair entries under a user_tags. prefix. Example lines to include inside $(format-json ...):

            --pair user_tags.Location="SJC-1"
            --pair user_tags.Contact="[email protected]"
            --pair user_tags.Asset_ID="WEB-0227"
  4. Replace placeholders:
     • YOUR-HOST → chosen instance hostname.
     • YOUR_GENERATED_TOKEN → ingest-only token from the provisioning email.
  5. Validate the configuration and restart syslog-ng:

syslog-ng --syntax-only
sudo systemctl restart syslog-ng

Option B: rsyslog relay (HTTPS to /incoming)

If rsyslog is preferred or already standard, it can post events to LogZilla Cloud using the omhttp output module. Availability of omhttp depends on the distribution; if it is unavailable, forward rsyslog locally to a syslog-ng relay and use Option A for HTTPS.

Example configuration (single-event POSTs; add reliability queue options for production):

# /etc/rsyslog.d/60-logzilla-cloud.conf
module(load="imuxsock")
module(load="imklog")
module(load="omhttp")  # ensure this module/package is installed on your OS

# Minimal JSON envelope per event. format="json" escapes quotes, backslashes and
# control characters in the property values so a message containing a quote or a
# newline cannot break the payload.
template(name="lz_event_json" type="list") {
  constant(value="{\"events\":[{")
  constant(value="\"priority\":") property(name="pri")
  constant(value=",\"host\":\"") property(name="hostname" format="json") constant(value="\"")
  constant(value=",\"program\":\"") property(name="programname" format="json") constant(value="\"")
  constant(value=",\"message\":\"") property(name="msg" format="json") constant(value="\"")
  constant(value="}]}")
}

# Post each event to LogZilla Cloud. omhttp sends Content-Type: application/json
# by default; the ingest token is passed as one extra request header.
action(
  type="omhttp"
  server="YOUR-HOST.logzilla.cloud"
  serverport="443"
  usehttps="on"
  restpath="/incoming"
  httpheaderkey="Authorization"
  httpheadervalue="token YOUR_GENERATED_TOKEN"
  template="lz_event_json"
  # reliability queue (tune as needed)
  action.resumeRetryCount="-1"
  queue.type="LinkedList"
  queue.size="10000"
)
Validate and restart rsyslog:
sudo rsyslogd -N1
sudo systemctl restart rsyslog

Notes:

  • For very high throughput, prefer a syslog-ng relay with batching.
  • When omhttp is not available, forward rsyslog → syslog-ng locally and use Option A for the HTTPS JSON destination to /incoming.

Adding custom user tags at the relay (optional):

Rsyslog can embed a user_tags object in the JSON payload by extending the template. The user_tags object is closed with its own brace and the event object with the one that follows, so the envelope still ends with "}]}". For example:

template(name="lz_event_json_with_tags" type="list") {
  constant(value="{\"events\":[{")
  constant(value="\"priority\":") property(name="pri")
  constant(value=",\"host\":\"") property(name="hostname" format="json") constant(value="\"")
  constant(value=",\"program\":\"") property(name="programname" format="json") constant(value="\"")
  constant(value=",\"message\":\"") property(name="msg" format="json") constant(value="\"")
  constant(value=",\"user_tags\":{\"Location\":\"SJC-1\",\"Contact\":\"[email protected]\",\"Asset_ID\":\"WEB-0227\"}")
  constant(value="}]}")
}

# Then reference this template in the omhttp action
action(
  type="omhttp"
  server="YOUR-HOST.logzilla.cloud"
  serverport="443"
  usehttps="on"
  restpath="/incoming"
  httpheaderkey="Authorization"
  httpheadervalue="token YOUR_GENERATED_TOKEN"
  template="lz_event_json_with_tags"
)

Verify Ingestion

  1. From the Linux host, send a test event:
logger "Test LogZilla log message"
  2. Optionally, verify end-to-end with curl (replace placeholders):
curl \
  -H 'Content-Type: application/json' \
  -H 'Authorization: token YOUR_GENERATED_TOKEN' \
  -X POST -d '{
    "events": [ {
      "message": "Test Message",
      "host": "curl.test",
      "program": "myapp"
    } ] }' \
  'https://YOUR-HOST.logzilla.cloud/incoming'
  3. In the LogZilla UI, confirm reception:
     • Events/Sec widget shows bars for received events.
     • Most Recent Event Sources lists the Linux host.
     • Search for the message (for example, message:"Test LogZilla log message").
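As an added example (not LogZilla's, syslog-ng's or rsyslog's own code), the script below builds the same {"events": [...]} envelope that the syslog-ng body template and the curl test above send, with the message text escaped so that quotes and newlines cannot break the JSON, and posts it with the Authorization header. The hostname, the LOGZILLA_INGEST_TOKEN environment variable, and the sample events are constructed placeholders.

```python
import json
import os
import urllib.request

# Constructed placeholder; replace with the instance hostname from the onboarding email.
INSTANCE_HOST = "YOUR-HOST.logzilla.cloud"


def pri_to_facility_severity(pri):
    """Split a syslog PRI into (facility, severity): PRI = facility * 8 + severity."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI out of range: {pri}")
    return divmod(pri, 8)


def build_event(pri, host, program, message, user_tags=None):
    """One event in the shape the relay templates produce (priority as an integer)."""
    event = {"priority": int(pri), "host": host, "program": program, "message": message}
    if user_tags:
        event["user_tags"] = dict(user_tags)
    return event


def build_envelope(events):
    """The /incoming body. json.dumps escapes quotes, backslashes and newlines in
    the message text, which a hand-built string template must also do."""
    return json.dumps({"events": list(events)}, ensure_ascii=False)


def build_request(instance_host, token, body):
    """POST request carrying the same two headers the relay configurations set."""
    req = urllib.request.Request(f"https://{instance_host}/incoming",
                                 data=body.encode("utf-8"), method="POST")
    req.add_header("Content-Type", "application/json")
    req.add_header("Authorization", f"token {token}")
    return req


def post_events(instance_host, token, events, opener=urllib.request.urlopen):
    """Send one batch and return the HTTP status; opener is injectable for offline tests."""
    req = build_request(instance_host, token, build_envelope(events))
    with opener(req, timeout=10) as resp:
        return resp.status


if __name__ == "__main__":
    # Read the ingest-only token from the environment instead of hard-coding it.
    token = os.environ.get("LOGZILLA_INGEST_TOKEN", "ingest-PLACEHOLDER")
    # Constructed sample: a message containing a quote and a newline.
    sample = [build_event(14, "web01", "myapp", 'user "alice" logged in\nfrom 10.0.0.5',
                          {"Location": "SJC-1", "Asset_ID": "WEB-0227"})]
    print(build_envelope(sample))
    print(pri_to_facility_severity(14))  # (1, 6): facility user, severity info
    if token != "ingest-PLACEHOLDER":
        print("HTTP", post_events(INSTANCE_HOST, token, sample))
```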

SaaS Administration

  • Location: https://YOUR-HOST.logzilla.cloud/settings/system/saas.
  • Manage subscription: opens the Stripe customer portal to update or cancel the subscription and manage payment methods.
  • Current tier panel: shows plan name, disk space, and daily event limits.
  • Change domain/hostname:
     • Request a new domain on the SaaS settings page and submit.
     • The instance will stop and start under the new domain; this typically takes a couple of minutes.
     • Update all senders and relays to the new hostname (YOUR-HOST.logzilla.cloud) after the change.

Other Sources