Setting up syslog-ng — A step towards Centralized log management

Mohd Farhan
4 min read · Jun 14, 2021

Picture credit: Kallerna / Wikimedia Commons / Public Domain

syslog-ng is a log management application that enables you to collect logs from multiple platforms in a central space that can later be consumed for visualization. In fact, it is one of the configuration prerequisites for some of the most popular centralized log management tools.

In this blog post I will walk you through the step-by-step process of installing and configuring a syslog-ng collector and client.

Use cases

There are many scenarios in which you might want to use syslog-ng; a few of them follow.

1. Lack of resource availability

You might not be lucky enough to have a large amount of computing power that can handle anything you run on it. In that case, consider syslog-ng, which is lightweight and consumes few resources.

2. Simple configuration

Apart from resources, sometimes you just want the configuration to be simple and straightforward, or you have a relatively small infrastructure for which a complex centralized log management system is not worth the effort.

3. As a part of a centralized logging system

Say you have 100 servers from which you want to pull (or push) logs. Instead of pulling (or pushing) logs from each of them separately, you can configure syslog-ng to store them in one common location from which your centralized logging system can pick them up.

Infra overview

For this demonstration, I am using two Ubuntu 20.04.2 LTS boxes as below.

Server 1

  • Hostname: server01
  • IP address: 172.31.22.105
  • Role: Collector

Server 2

  • Hostname: server02
  • IP address: 172.31.17.46
  • Role: Client

Installation

We are going to follow a straightforward three-step process: install the package, configure the collector, and configure the client.

Step 1: Install the package

$ sudo apt-get update
$ sudo apt-get install syslog-ng -y

Step 2: Configuration for the collector

It is always a good idea to back up the original configuration.

$ sudo mv /etc/syslog-ng/syslog-ng.conf /etc/syslog-ng/syslog-ng.conf.original

Now, create a new configuration file with the command sudo nano /etc/syslog-ng/syslog-ng.conf. In that file add the following:

@version: 3.5
@include "scl.conf"
@include "`scl-root`/system/tty10.conf"

options {
    time-reap(30);
    mark-freq(10);
    # Keep the hostname the client wrote into the message instead of
    # replacing it with the resolved name of the sending peer.
    keep-hostname(yes);
};

source s_local { system(); internal(); };
# Receive RFC 5424 (IETF-syslog) messages from clients over TCP port 514.
source s_network { syslog(transport(tcp) port(514)); };

# d_local is defined here but not referenced by the log path below.
destination d_local { file("/var/log/syslog-ng/messages_${HOST}"); };
# One file per sending host, named from the ${HOST} macro.
# perm(0777) makes the files world-writable; 0640 is the usual choice.
destination d_logs {
    file("/var/log/syslog-ng/${HOST}.log"
         owner("root")
         group("root")
         perm(0777));
};

log { source(s_local); source(s_network); destination(d_logs); };

Do note that we are working with TCP port 514, so you'll need to make sure it is reachable on the collector from the client (firewall rules or security groups permitting).

Step 3: Configuration for client

$ sudo mv /etc/syslog-ng/syslog-ng.conf /etc/syslog-ng/syslog-ng.conf.original

Create the directory to store the logs (this is the path the collector's destinations write to, so it must exist on the collector).

$ sudo mkdir /var/log/syslog-ng/

Just like we did for the collector, create a new configuration file with the command sudo nano /etc/syslog-ng/syslog-ng.conf. In that file add the following:

@version: 3.5
@include "scl.conf"
@include "`scl-root`/system/tty10.conf"

source s_local { system(); internal(); };

# Forward local logs to the collector over TCP 514 as RFC 5424 messages.
# The address must be the collector's; in this setup server01 is 172.31.22.105.
destination d_syslog_tcp { syslog("192.168.1.118" transport("tcp") port(514)); };

log { source(s_local); destination(d_syslog_tcp); };

Now, run the following commands on both boxes to restart and enable the syslog-ng service, and watch the logs flow.

$ sudo systemctl restart syslog-ng
$ sudo systemctl enable syslog-ng

Macros

Macros are predefined variables, and they play a very important role in writing generic syslog-ng configurations. You can see me using ${HOST} in the collector configuration above.

There are two types of macros in syslog-ng: hard and soft. The main difference is that hard macros cannot be modified, e.g., ${MONTH} derives its value from the message timestamp. Soft macros, on the other hand, can be modified, e.g., ${HOST} can be altered as needed.

Here is a list of macros of each type that you can use as needed.

Hard macros:

  • MONTH_NAME — The English name of the month
  • MONTH — The month the message was sent as a decimal value, prefixed with a zero if smaller than 10
  • MONTH_WEEK — The number of the week in the given month (0–5)
  • SOURCEIP — IP address of the host that sent the message to syslog-ng
  • TZ — An alias of the ${TZOFFSET} macro
  • UNIXTIME — Standard UNIX timestamp
  • WEEK_DAY_ABBREV — The 3-letter English abbreviation of the name of the day the message was sent, for example, Thu
  • WEEK_DAY_NAME — The English name of the day
  • WEEK_DAY — The day of the week as a numerical value (1–7)
  • WEEK — The week number of the year
  • YEAR — The year the message was sent

Soft macros:

  • FULLHOST_FROM — The FQDN of the host that sent the message to syslog-ng, as resolved by syslog-ng using DNS
  • FULLHOST — The name of the source host where the message originates from
  • HOST_FROM — The FQDN of the host that sent the message to syslog-ng, as resolved by syslog-ng using DNS
  • HOST — The name of the source host where the message originates from
  • MESSAGE — Text contents of the log message without the program name and PID
  • MSG — An alias of the ${MESSAGE} macro; using ${MSG} in syslog-ng OSE is equivalent to ${MESSAGE}
  • MSGID — A string specifying the type of the message in IETF-syslog (RFC 5424-formatted) messages
  • MSGONLY — Message contents without the program name or PID
  • PID — The PID of the program sending the message
  • PROGRAM — The name of the program sending the message
  • SOURCE — The identifier of the source statement in the syslog-ng OSE configuration file that received the message
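To make the collector side concrete, here is an added Python illustration (not code from this post or from syslog-ng itself) of what the syslog(transport(tcp) port(514)) source receives from the client and how the ${HOST} template in destination d_logs resolves to a file name, including the effect of keep-hostname(yes) versus keep-hostname(no). The sample messages and the minimal RFC 5424 parser are constructed for this example; the hostname and address are the post's own sample values.

```python
import re
from typing import Dict, List

# RFC 5424 header: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID SD MSG
_HDR = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ver>\d) (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) "
    r"(?P<pid>\S+) (?P<msgid>\S+) (?P<sd>-|\[.*?\]) ?(?P<msg>.*)$", re.S)

def frame(messages: List[bytes]) -> bytes:
    """Octet-counting framing used by syslog() over TCP: '<len> <message>'."""
    return b"".join(b"%d %s" % (len(m), m) for m in messages)

def unframe(stream: bytes) -> List[bytes]:
    """Inverse of frame(): split a TCP byte stream back into whole messages."""
    out, i = [], 0
    while i < len(stream):
        sp = stream.index(b" ", i)
        n = int(stream[i:sp])
        out.append(stream[sp + 1:sp + 1 + n])
        i = sp + 1 + n
    return out

def to_macros(raw: bytes, source_ip: str, keep_hostname: bool) -> Dict[str, str]:
    """Map one parsed message to the macros used in the post's configuration."""
    m = _HDR.match(raw.decode("utf-8"))
    if not m:
        raise ValueError("not an RFC 5424 message: %r" % raw)
    # keep-hostname(yes): ${HOST} is whatever the sender wrote in HOSTNAME.
    # keep-hostname(no): syslog-ng substitutes the peer that delivered it.
    host = m["host"] if keep_hostname else source_ip
    return {
        "HOST": host, "SOURCEIP": source_ip, "PROGRAM": m["app"],
        "PID": "" if m["pid"] == "-" else m["pid"],
        "MSGID": "" if m["msgid"] == "-" else m["msgid"],
        "MESSAGE": m["msg"], "YEAR": m["ts"][0:4], "MONTH": m["ts"][5:7],
    }

def expand(template: str, macros: Dict[str, str]) -> str:
    """Resolve ${NAME} references the way a syslog-ng template string does."""
    return re.sub(r"\$\{(\w+)\}", lambda mm: macros.get(mm.group(1), ""), template)

# Constructed sample traffic from the client (server02, 172.31.17.46 in the post).
CLIENT_IP = "172.31.17.46"
SAMPLE = frame([
    b"<38>1 2021-06-14T10:00:00Z server02 sshd 1234 - - Accepted publickey for ops",
    b"<13>1 2021-06-14T10:00:01Z server02 logger - - - hello from client",
])

def destination_files(stream: bytes, keep_hostname: bool = True) -> List[str]:
    """File each message would land in under destination d_logs."""
    return [expand("/var/log/syslog-ng/${HOST}.log", to_macros(r, CLIENT_IP, keep_hostname))
            for r in unframe(stream)]
```

With keep-hostname(yes) the file name comes straight from the HOSTNAME field the client wrote, so a client controls which ${HOST} file its messages land in; with keep-hostname(no) the sending peer's address is used instead.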
