New: production-ready observability stack integrated into rsyslog
Rsyslog now includes an officially maintained, production-oriented observability stack for centralized logging and monitoring. The stack is designed as a practical reference deployment that can be used directly or adapted to local requirements.
This addition was merged into the rsyslog main branch last Friday via pull request #6325.
The stack is called ROSI, short for Rsyslog Operations Stack Initiative. Its first deliverable, the ROSI Collector, focuses on the central log collection side.
What is included
The ROSI Collector is shipped as a Docker Compose deployment located under:
deploy/docker-compose/rosi-collector/
It combines the following components into a coherent setup:
- rsyslog as a centralized log receiver
- Grafana Loki for log storage and querying
- Prometheus for metrics collection
- Grafana with preconfigured dashboards
- Traefik as a reverse proxy with automatic TLS via Let’s Encrypt
The stack is intended to be directly usable while remaining fully transparent and modifiable.
Core properties
- Reference deployment, not a demo
  The configuration reflects operational practice and recommended integration patterns rather than a minimal showcase.
- Secure transport
  Syslog reception over TLS (RFC 5425) is supported, including mTLS. Certificate generation helpers are included.
- Immediate observability
  Predefined Grafana dashboards provide visibility into log flow, system state, and basic operational metrics without additional wiring.
- Operational helpers
  Scripts are included for certificate handling, stack status checks, and Prometheus target management.
- Integrated documentation
  Documentation is part of the main rsyslog documentation.
Why this exists
Many users want a complete and coherent logging and observability setup instead of assembling individual components themselves. The ROSI Collector provides a known-good baseline that can be deployed as-is or adjusted incrementally.
For the rsyslog project, ROSI establishes an explicit operational reference. This improves consistency across documentation, support, and future observability-related work, without changing rsyslog’s role as a flexible and modular logging engine.
Scope and future direction
The current ROSI Collector targets VM-based and single-host Docker environments. These setups are common and often favor solutions that are understandable, inspectable, and low in operational complexity.
ROSI is expected to evolve. Kubernetes support is a targeted extension, but intentionally not part of the initial merge. Establishing a solid and well-understood baseline takes priority over covering all deployment models at once.
