Linux Syslog-NG
Syslog writes events generated by Linux. These messages are stored locally in individual files. Messages can be set to automatically forward to the Logmanager.
After changing the configuration files, it is recommended to validate the configuration with the command syslog-ng -s.
First, it’s necessary to check the basic settings, which are shared with the other configuration options:
- Edit the configuration file /etc/syslog-ng/syslog-ng.conf.
- Make sure the file contains the following parameters:
source s_src { system(); internal(); };
@include "/etc/syslog-ng/conf.d/"
- Save the file.
If you need to send all messages that occur in the system, follow these steps:
- Create the file /etc/syslog-ng/conf.d/lm.conf.
- Insert the following code:
destination d_netlm {
tcp(
"<Logmanager_IP_address>"
port(514)
log-fifo-size(10000)
);
};
log { source(s_src); destination(d_netlm); };
Logmanager_IP_address is the IP address of your Logmanager server.
log-fifo-size is the size of the Syslog-NG output queue: the number is the maximum number of messages that can be held in the queue. If the connection to the Logmanager server is lost, unsent messages are kept in this queue. Once the limit is reached, further incoming messages are discarded until the connection is restored.
- Save the file.
- Restart the syslog-ng service with the command: /etc/init.d/syslog-ng restart
Now the Syslog-NG server will be sending logs to Logmanager.
If you need to send messages from a specific program (service), follow these steps:
- Create the file /etc/syslog-ng/conf.d/lm_<program_name>.conf.
- Insert the following code:
destination d_netlm {
tcp(
"<Logmanager_IP_address>"
port(514)
log-fifo-size(10000)
);
};
filter f_<program_name> { program("<program_name>"); };
log { source(s_src); filter(f_<program_name>); destination(d_netlm); };
Logmanager_IP_address is the IP address of your Logmanager server.
program_name is the name of the service, for example sshd (SSH daemon).
log-fifo-size is the size of the Syslog-NG output queue: the number is the maximum number of messages that can be held in the queue. If the connection to the Logmanager server is lost, unsent messages are kept in this queue. Once the limit is reached, further incoming messages are discarded until the connection is restored.
- Save the file.
- Restart the syslog-ng service with the command: /etc/init.d/syslog-ng restart
Now the Syslog-NG server will be sending logs to Logmanager.
A sample of the logging configuration for SSH daemon:
destination d_netlm {
tcp(
"<Logmanager_IP_address>"
port(514)
log-fifo-size(10000)
);
};
filter f_sshd { program("sshd"); };
log { source(s_src); filter(f_sshd); destination(d_netlm); };
Logmanager_IP_address is the IP address of your Logmanager server.
If you need to send a specific log file, follow these steps:
- Create the file /etc/syslog-ng/conf.d/lm_<program_name>.conf.
- Insert the following code:
destination d_netlm {
tcp(
"<Logmanager_IP_address>"
port(514)
log-fifo-size(10000)
);
};
source s_<program_name> {
file(
"/var/log/<program_name>"
program_override("<program_name>")
);
};
log { source(s_<program_name>); destination(d_netlm); };
Logmanager_IP_address is the IP address of your Logmanager server.
program_name is the name of the service, for example sshd (SSH daemon).
log-fifo-size is the size of the Syslog-NG output queue: the number is the maximum number of messages that can be held in the queue. If the connection to the Logmanager server is lost, unsent messages are kept in this queue. Once the limit is reached, further incoming messages are discarded until the connection is restored.
- Save the file.
- Restart the syslog-ng service with the command: /etc/init.d/syslog-ng restart
Now the Syslog-NG server will be sending logs to Logmanager.
A sample of the log file configuration for Apache Tomcat:
destination d_netlm {
tcp(
"<Logmanager_IP_address>"
port(514)
log-fifo-size(10000)
);
};
source s_tomcat {
file(
"/var/log/tomcat7/localhost_access.log"
program_override("tomcat")
);
};
log { source(s_tomcat); destination(d_netlm); };
Logmanager_IP_address is the IP address of your Logmanager server.
If you need to send messages from a specific facility or severity, follow these steps:
- Create the file /etc/syslog-ng/conf.d/lm_severity_facility.conf.
- Insert the following code into it:
destination d_netlm {
tcp(
"<Logmanager_IP_address>"
port(514)
log-fifo-size(10000)
);
};
# filter for severity crit
filter f_crit { level(crit); };
log { source(s_src); filter(f_crit); destination(d_netlm); };
# or filter for facility mail
filter f_mail { facility(mail); };
log { source(s_src); filter(f_mail); destination(d_netlm); };
Logmanager_IP_address is the IP address of your Logmanager server.
log-fifo-size is the size of the Syslog-NG output queue: the number is the maximum number of messages that can be held in the queue. If the connection to the Logmanager server is lost, unsent messages are kept in this queue. Once the limit is reached, further incoming messages are discarded until the connection is restored.
- Save the file.
- Restart the syslog-ng service with the command: /etc/init.d/syslog-ng restart
Now the Syslog-NG server will be sending logs to Logmanager.
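As an added worked example (not Logmanager's or syslog-ng's own code), the following Python evaluates the filters from the program section above and from this facility/severity section against constructed BSD-syslog lines, so you can check which messages each log path would forward before restarting the service. It assumes RFC 3164 formatting and syslog-ng's semantics for program() (an unanchored regex) and level() (exact match of one level, or the crit..emerg range form, which goes beyond the single-level form used on this page).

```python
import re

# Numeric codes from RFC 3164: PRI = facility * 8 + severity.
FACILITIES = {"kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
              "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11,
              **{f"local{i}": 16 + i for i in range(8)}}
SEVERITIES = {"emerg": 0, "alert": 1, "crit": 2, "err": 3, "warning": 4,
              "notice": 5, "info": 6, "debug": 7}

# <PRI>Mmm dd hh:mm:ss host program[pid]: message
RFC3164 = re.compile(r"^<(\d{1,3})>(\w{3} [ \d]\d \d\d:\d\d:\d\d) (\S+) "
                     r"([^\s\[:]+)(?:\[\d+\])?: (.*)$")

def parse(line):
    """Split a BSD syslog line into the fields the syslog-ng filters inspect."""
    m = RFC3164.match(line)
    if not m or int(m[1]) > 191:          # 191 = local7.debug, the largest valid PRI
        raise ValueError(f"not a valid BSD syslog line: {line!r}")
    pri = int(m[1])
    return {"facility": pri // 8, "severity": pri % 8, "program": m[4], "message": m[5]}

def program(pattern):
    # program("sshd"): syslog-ng matches the argument as an unanchored regex
    rx = re.compile(pattern)
    return lambda msg: rx.search(msg["program"]) is not None

def level(spec):
    # level(crit) matches only crit; level(crit..emerg) is the range form
    vals = sorted(SEVERITIES[n] for n in spec.split(".."))
    return lambda msg: vals[0] <= msg["severity"] <= vals[-1]

def facility(name):
    return lambda msg: msg["facility"] == FACILITIES[name]

# The three filters defined in the lm_*.conf snippets on this page.
FILTERS = {"f_sshd": program("sshd"), "f_crit": level("crit"), "f_mail": facility("mail")}

def forwarded(lines, filter_name):
    """Lines that `log { source(s_src); filter(<name>); destination(d_netlm); }` forwards."""
    flt = FILTERS[filter_name]
    return [line for line in lines if flt(parse(line))]

# Constructed sample lines (not real logs) as they would reach the collector.
SAMPLE_MESSAGES = [
    "<38>Mar  1 10:00:01 web1 sshd[2231]: Accepted publickey for alice from 10.0.0.5 port 51234 ssh2",
    "<22>Mar  1 10:00:02 web1 postfix/smtpd[410]: connect from mail.example.org[10.0.0.7]",
    "<2>Mar  1 10:00:04 web1 kernel: Out of memory: Killed process 777 (java)",
    "<13>Mar  1 10:00:05 web1 tomcat: GET /index.html 200",
    "<18>Mar  1 10:00:06 web1 postfix/master[401]: fatal: bind 0.0.0.0 port 25: Address already in use",
]
```

Run forwarded(SAMPLE_MESSAGES, "f_crit") to see that the kernel and postfix/master lines are the only ones a level(crit) path sends, and that the mail.crit line is forwarded twice if both log statements from the snippet are left in the file.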
Since this version, Syslog-NG supports storing messages on disk when the connection between Syslog-NG and the Logmanager server is lost. If you need to keep more unsent messages on disk, change the destination as follows:
destination d_netlm {
tcp(
"<Logmanager_IP_address>"
port(514)
disk-buffer(
mem-buf-size(10000)
disk-buf-size(2000000)
reliable(yes)
)
);
};
Example of forwarding all logs to the Logmanager server:
destination d_netlm {
tcp(
"<Logmanager_IP_address>"
port(514)
disk-buffer(
mem-buf-size(10000)
disk-buf-size(2000000)
reliable(yes)
)
);
};
log { source(s_src); destination(d_netlm); };
Logmanager_IP_address is the IP address of your Logmanager server.
Storing messages on disk is slower than keeping them in memory. With a high message rate, Syslog-NG can negatively affect server performance.
If you need to send messages to Logmanager over TLS, follow these steps:
- Create a folder for certificates:
sudo mkdir /etc/syslog-ng/ca.d
- Change to the newly created folder:
cd /etc/syslog-ng/ca.d
- Copy the public CA certificate (in .pem format) into the folder.
- Execute the following command:
openssl x509 -noout -hash -in ca-certificate.pem
(the result should be a hash, e.g. 6d2962a8)
- Create a symbolic link to the certificate (copy the hash from the previous command and append the suffix .0 to it):
ln -s ca-certificate.pem 6d2962a8.0
- Create the file /etc/syslog-ng/conf.d/lm_TLS.conf
- Paste the following code into it:
destination d_netlm {
network(
"<hostname/IP address set in CN of certificate>"
port(6514)
transport("tls")
tls( ca-dir("/etc/syslog-ng/ca.d") )
);
};
log { source(s_src); destination(d_netlm); };