Logmanager documentation

Linux Syslog-NG

Syslog-NG writes the events generated by a Linux system to local log files. The messages can also be forwarded automatically to Logmanager.

After changing the configuration files, it is recommended to check their validity with the command syslog-ng -s (syntax check only; the running daemon is not touched).

General configuration

First, check the basic settings, which are shared by all the configuration variants below:

  1. Edit the configuration file /etc/syslog-ng/syslog-ng.conf.

  2. Make sure the file contains the following parameters:

    source s_src { system(); internal(); };
    @include "/etc/syslog-ng/conf.d/"
    
  3. Save the file.

Forwarding all logs to Logmanager server

If you need to send all messages that occur in the system, follow these steps:

  1. Create the file /etc/syslog-ng/conf.d/lm.conf.

  2. Insert the following code into it:

    destination d_netlm {
        tcp(
            "<Logmanager_IP_address>"
            port(514)
            log-fifo-size(10000)
        );
    };
    log { source(s_src); destination(d_netlm); };
    

    Logmanager_IP_address is the IP address of your Logmanager server.

    log-fifo-size is the size of the Syslog-NG output queue, i.e. the maximum number of messages it can hold. If the connection to the Logmanager server is lost, unsent messages are kept in this queue; once the limit is reached, further messages are discarded until the connection is restored. The queue is held in memory only, so it does not survive a restart of syslog-ng (see the disk-buffer settings for Syslog-NG 3.8 and higher below).

    The tcp() driver sends the messages in clear text over TCP port 514; the TLS variant at the end of this page encrypts the transport. On Syslog-NG 3.x tcp() is a legacy alias for network("<Logmanager_IP_address>" port(514) transport("tcp")), and both forms accept the same options.

  3. Save the file.

  4. Restart the service syslog-ng with command:

    /etc/init.d/syslog-ng restart

    On distributions using systemd, use systemctl restart syslog-ng instead.

Syslog-NG now forwards all logs to Logmanager.

Forwarding logs of specific program

If you need to send only messages from a specific program (service), follow these steps:

  1. Create the file /etc/syslog-ng/conf.d/lm_<program_name>.conf.

  2. Insert the following code into it:

    destination d_netlm {
        tcp(
            "<Logmanager_IP_address>"
            port(514)
            log-fifo-size(10000)
        );
    };
    filter f_<program_name> { program("<program_name>"); };
    log { source(s_src); filter(f_<program_name>); destination(d_netlm); };
    

    Logmanager_IP_address is the IP address of your Logmanager server.

    program_name is the name of the service, for example sshd (SSH daemon). Note that program() matches a regular expression, not a literal string, so program("ssh") would also match sshd; anchor the pattern (program("^sshd$")) or add type(string) for an exact match.

    log-fifo-size has the same meaning as in the previous section: the maximum number of unsent messages queued in memory while the connection to Logmanager is down.

  3. Save the file.

  4. Restart the service syslog-ng with command:

    /etc/init.d/syslog-ng restart

Syslog-NG now forwards the selected program's logs to Logmanager.

Example of forwarding specific program logs

A sample configuration forwarding the logs of the SSH daemon (sshd):

destination d_netlm {
    tcp(
        "<Logmanager_IP_address>"
        port(514)
        log-fifo-size(10000)
    );
};
filter f_sshd { program("sshd"); };
log { source(s_src); filter(f_sshd); destination(d_netlm); };

Logmanager_IP_address is the IP address of your Logmanager server.

Forwarding specific log file

If you need to send only a specific log file, follow these steps:

  1. Create the file /etc/syslog-ng/conf.d/lm_<program_name>.conf.

  2. Insert the following code into it:

    destination d_netlm {
        tcp(
            "<Logmanager_IP_address>"
            port(514)
            log-fifo-size(10000)
        );
    };
    source s_<program_name> {
        file(
            "/var/log/<program_name>"
            program_override("<program_name>")
        );
    };
    log { source(s_<program_name>); destination(d_netlm); };
    

    Logmanager_IP_address is the IP address of your Logmanager server.

    program_name is the name of the service, for example sshd (SSH daemon). Because a plain log file carries no syslog header, program_override() sets the PROGRAM field that Logmanager will see; the file must be readable by the user syslog-ng runs as. For files that are not in syslog format (web-server access logs, application logs) add flags(no-parse) to the file() source so that the whole line is kept as the message body instead of being parsed as a syslog message.

    log-fifo-size has the same meaning as in the "Forwarding all logs" section: the maximum number of unsent messages queued in memory while the connection to Logmanager is down.

  3. Save the file.

  4. Restart the service syslog-ng with command:

    /etc/init.d/syslog-ng restart

Syslog-NG now forwards the selected log file to Logmanager.

Example of forwarding specific log file

A sample configuration forwarding the Apache Tomcat access log:

destination d_netlm {
    tcp(
        "<Logmanager_IP_address>"
        port(514)
        log-fifo-size(10000)
    );
};
source s_tomcat {
   file(
      "/var/log/tomcat7/localhost_access.log"
      program_override("tomcat")
   );
};
log { source(s_tomcat); destination(d_netlm); };

Logmanager_IP_address is the IP address of your Logmanager server.

Forwarding logs of specific facility or severity

If you need to send only messages from a specific facility or severity, follow these steps:

  1. Create the file /etc/syslog-ng/conf.d/lm_severity_facility.conf.

  2. Insert the following code into it:

    destination d_netlm {
        tcp(
            "<Logmanager_IP_address>"
            port(514)
            log-fifo-size(10000)
        );
    };
    
    # filter for severity crit
    filter f_crit { level(crit); };
    log { source(s_src); filter(f_crit); destination(d_netlm); };
    
    # or filter for facility mail
    filter f_mail { facility(mail); };
    log { source(s_src); filter(f_mail); destination(d_netlm); };
    

    Logmanager_IP_address is the IP address of your Logmanager server.

    level(crit) matches only messages of severity crit. To forward that severity and everything more severe, use a range: level(crit..emerg). Several conditions can be combined with and/or/not, for example filter f_mail_err { facility(mail) and level(err..emerg); };.

    log-fifo-size has the same meaning as in the "Forwarding all logs" section: the maximum number of unsent messages queued in memory while the connection to Logmanager is down.

  3. Save the file.

  4. Restart the service syslog-ng with command:

    /etc/init.d/syslog-ng restart

Syslog-NG now forwards the selected facilities and severities to Logmanager.

Settings for Syslog-NG 3.8 and higher

Since version 3.8 Syslog-NG can keep unsent messages on disk while the connection to the Logmanager server is lost, instead of only in the in-memory queue. If you need to hold more unsent messages than fit in memory, replace log-fifo-size() in the destination with a disk-buffer() block:

destination d_netlm {
    tcp(
        "<Logmanager_IP_address>"
        port(514)
        disk-buffer(
            mem-buf-size(10000)
            disk-buf-size(2000000)
            reliable(yes)
        )
    );
};

Example of forwarding all logs to Logmanager server:

destination d_netlm {
    tcp(
        "<Logmanager_IP_address>"
        port(514)
        disk-buffer(
            mem-buf-size(10000)
            disk-buf-size(2000000)
            reliable(yes)
        )
    );
};
log { source(s_src); destination(d_netlm); };

Logmanager_IP_address is the IP address of your Logmanager server.

Both mem-buf-size() and disk-buf-size() are given in bytes, not messages. With reliable(yes) every message is written to disk before it is acknowledged, so nothing is lost even if syslog-ng crashes; disk-buf-size() must be at least 1 MiB (1048576 bytes). The buffer files are created in syslog-ng's working directory (/var/lib/syslog-ng on most distributions) unless configured otherwise. Writing to disk is slower than queuing in memory, so under a high message rate the disk buffer can noticeably load the server.
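The procedures above ("Forwarding all logs to Logmanager server" and this section) differ only in which buffering option the installed syslog-ng supports. The following shell script is an added example written for this page, not code from the Logmanager documentation or from the syslog-ng project: it parses syslog-ng --version, emits the d_netlm destination with disk-buffer() on 3.8 and later and with log-fifo-size() otherwise, writes the page's "all logs" statement next to it and runs syslog-ng -s when the binary is present. The function names, the fallback to the memory queue when the version cannot be determined, and the use of network() with transport("tcp") in place of the legacy tcp() driver are this example's own choices.

```shell
#!/bin/sh
# Added example (not part of the Logmanager page or of syslog-ng itself):
# generate the d_netlm destination for the installed syslog-ng version and
# syntax-check the result. Function names, the "3 0" fallback and the use of
# network() instead of the legacy tcp() driver are this example's own choices.

# Print "MAJOR MINOR" from the first line of `syslog-ng --version`.
# Handles both the old "syslog-ng 3.5.6" and the new "syslog-ng 3 (3.38.1)" forms.
parse_sng_version() {
    printf '%s\n' "$1" |
        sed -n 's/.*[^0-9.]\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p'
}

# True when the version is 3.8 or newer, i.e. disk-buffer() is available.
has_disk_buffer() {
    [ -n "$1" ] || return 1
    set -- $1                       # split "MAJOR MINOR" into $1 $2
    [ "$1" -gt 3 ] || { [ "$1" -eq 3 ] && [ "$2" -ge 8 ]; }
}

# lm_destination HOST PORT "MAJOR MINOR"
# Emit the destination block: disk-buffer() on 3.8+, log-fifo-size() otherwise.
lm_destination() {
    host=$1; port=$2; ver=$3
    case $port in
        ''|*[!0-9]*) echo "lm_destination: invalid port '$port'" >&2; return 1 ;;
    esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo "lm_destination: port out of range: $port" >&2; return 1
    fi
    if has_disk_buffer "$ver"; then
        # disk-buffer() sizes are bytes; disk-buf-size() must be at least 1 MiB.
        cat <<EOF
destination d_netlm {
    network("$host" port($port) transport("tcp")
        disk-buffer(
            mem-buf-size(10000)
            disk-buf-size(2000000)
            reliable(yes)
        )
    );
};
EOF
    else
        # Memory-only queue: at most 10000 unsent messages survive an outage.
        cat <<EOF
destination d_netlm {
    network("$host" port($port) transport("tcp")
        log-fifo-size(10000)
    );
};
EOF
    fi
}

# lm_install_conf FILE HOST PORT
# Detect the installed syslog-ng, write the destination plus the "all logs"
# log statement from the page into FILE, then run the syntax check if syslog-ng
# is present (the check covers the whole config, including conf.d/).
lm_install_conf() {
    file=$1; host=$2; port=$3
    ver=$(parse_sng_version "$(syslog-ng --version 2>/dev/null | head -n 1)")
    [ -n "$ver" ] || ver="3 0"      # unknown/absent syslog-ng: assume no disk-buffer()
    {
        lm_destination "$host" "$port" "$ver" || return 1
        printf 'log { source(s_src); destination(d_netlm); };\n'
    } > "$file"
    if command -v syslog-ng >/dev/null 2>&1; then
        syslog-ng -s
    fi
}
```

Typical use on a host: lm_install_conf /etc/syslog-ng/conf.d/lm.conf 192.0.2.10 514, followed by the restart step from the sections above. The syntax check runs before the restart, so a broken file never takes the daemon down.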

Alternative Syslog-NG logging via TLS syslog

  1. Create a folder for certificates:

    sudo mkdir /etc/syslog-ng/ca.d
    
  2. Change into the newly created folder:

    cd /etc/syslog-ng/ca.d
    
  3. Copy the public CA certificate (in .pem format) into the folder.

  4. Execute the following command:

    openssl x509 -noout -hash -in ca-certificate.pem
    
    The result is a hash such as 6d2962a8 (an example value; your CA will produce a different one).
    
  5. Create a symbolic link to the certificate, named after the hash from the previous step with the suffix .0 appended (6d2962a8 below stands for your own value):

    ln -s ca-certificate.pem 6d2962a8.0
    
  6. Create the file /etc/syslog-ng/conf.d/lm_TLS.conf

  7. Paste the following code into it:

    destination d_netlm {
        network("<hostname/IP address set in CN of certificate>" port(6514)
            transport("tls")
            tls( ca-dir("/etc/syslog-ng/ca.d"))
        );
    };
    log { source(s_src); destination(d_netlm); };
    

    Use exactly the hostname or IP address that appears in the Logmanager server certificate (CN or subjectAltName): with the default peer-verify(required-trusted) syslog-ng checks the certificate against the CAs in ca-dir and rejects the connection if the name does not match. Port 6514 is the standard port for syslog over TLS.
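Steps 1 to 5 above populate the ca-dir by hand, and the manual symlink name breaks in two situations the steps do not cover: running the procedure again for the same CA, and installing a second, different CA whose subject hashes to the same value (OpenSSL expects it under the next index, .1). The following shell script is an added example written for this page, not code from the Logmanager documentation or from the syslog-ng project; it automates the same openssl x509 -noout -hash step, handles both cases, and checks that OpenSSL can find the CA through the directory the way syslog-ng will. It requires the openssl command-line tool; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the Logmanager page or the syslog-ng project):
# install a CA certificate into a syslog-ng ca-dir() under the hashed symlink
# name the page derives by hand, handling the two cases the manual steps do
# not: re-running the procedure and two different CAs with the same subject.
# Requires the openssl CLI; function names are this example's own.

# Subject hash that OpenSSL (and therefore syslog-ng's ca-dir()) uses for lookup,
# the same value the page's `openssl x509 -noout -hash` step prints.
ca_subject_hash() {
    openssl x509 -noout -hash -in "$1"
}

# SHA-256 fingerprint, used to tell an identical certificate from a colliding one.
ca_fingerprint() {
    openssl x509 -noout -fingerprint -sha256 -in "$1" 2>/dev/null
}

# install_ca_cert CERT.pem CA_DIR
# Copies CERT.pem into CA_DIR and links it as <hash>.N, where N is the first
# free index (.0, .1, ...), as c_rehash does. Prints the link name. Re-running
# with the same certificate is a no-op; a different CA with the same subject
# hash gets the next index instead of clobbering the existing link.
install_ca_cert() {
    cert=$1; dir=$2
    [ -f "$cert" ] || { echo "install_ca_cert: no such file: $cert" >&2; return 1; }
    mkdir -p "$dir"
    hash=$(ca_subject_hash "$cert") || return 1
    fp=$(ca_fingerprint "$cert")
    [ -n "$fp" ] || return 1
    n=0
    while [ -e "$dir/$hash.$n" ] || [ -L "$dir/$hash.$n" ]; do
        if [ "$(ca_fingerprint "$dir/$hash.$n")" = "$fp" ]; then
            echo "$hash.$n"            # already installed under this name
            return 0
        fi
        n=$((n + 1))                   # collision (or dangling link): try next index
    done
    target=$(basename "$cert")
    # Never overwrite an existing file of the same name that holds another CA.
    if [ -e "$dir/$target" ] && [ "$(ca_fingerprint "$dir/$target")" != "$fp" ]; then
        target="$hash.$n.pem"
    fi
    cp -f "$cert" "$dir/$target"
    ln -s "$target" "$dir/$hash.$n"
    echo "$hash.$n"
}

# verify_ca_dir CA_DIR CERT.pem
# Confirms the lookup works the way syslog-ng performs it: the CA must be
# found in CA_DIR by its hashed name, so a missing or misnamed link fails.
verify_ca_dir() {
    openssl verify -CApath "$1" "$2" >/dev/null 2>&1
}
```

Usage on a host follows the page's layout: install_ca_cert ca-certificate.pem /etc/syslog-ng/ca.d prints the link name, and verify_ca_dir /etc/syslog-ng/ca.d ca-certificate.pem should succeed before lm_TLS.conf is put in place.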