
syslog-ng

syslog-ng is a syslogd replacement for a wide variety of UNIX systems that supports IPv6 and is capable of transferring log messages reliably using TCP and SSL and of filtering the content of messages using regular expressions. Both RFC3164 and RFC5424 style messages are handled, but more esoteric formats like BSD process accounting logs are supported too. Apart from regular text files, it supports storing messages into SQL and MongoDB databases, and forwarding messages to local processes via pipes or UNIX domain sockets. This makes syslog-ng ideal as an integration platform. syslog-ng supports extracting structured information from traditionally text-based syslog messages via csv-parser(), db-parser(), and patterndb. Tag-based classification, rewriting messages, and outputting messages in JSON are also possible. This makes syslog-ng ideal for preprocessing events for further analysis, be that home-grown scripts or SIEM systems. syslog-ng scales well on today's multi-processor and multi-core systems: reaching 1,000,000 messages per second is a reality for the simplest use cases.


Recent releases

  •  07 Nov 2013 00:35

Release Notes: This is the fourth bugfix release for the 3.4.x series, with important fixes over the previous releases. Upgrading to this release is highly recommended.

  •  14 Oct 2013 22:34

Release Notes: This beta has many new features compared to 3.4, including: redis and stomp destinations; multi-line support; type hinting; in-list() filter (black/white list based filtering); and many more. It is ready for testing on most platforms.

  •  15 Aug 2013 14:22

Release Notes: Many bugs were fixed. Upgrading to this release is highly recommended.

  •  17 Apr 2013 17:42

Release Notes: This is a bugfix only maintenance release of the 3.3 series, correcting a crash which happened when a rewrite rule using set() or subst() was used in multiple log paths.

  •  12 Feb 2013 13:38

Release Notes: This version added junctions and channels for even more flexible configuration, a community contributed AMQP destination, improved JSON support including a parser, and many improvements related to value pairs.

Recent comments

11 Feb 2008 16:22 ConSeannery

Re: syslog-ng not able to specify listening address?

> I can't seem to find any way to do this ... any suggestions?
>
> It doesn't seem as if there is a config or command-line option to tell syslog-ng to only listen on a certain IP address. This would be very useful, as I have a logging server that I want to have multiple IP addresses and different configs of syslog-ng listening on each.
>
> Does this exist and I'm not seeing it, or should it be a feature request?

Hey,

You define "sources" to do that. So, let's say you've got a management server with an internal IP of 10.1.10.1. You want the servers in the network to relay their logs to it. You can set your server to listen on that port by doing this in your syslog-ng.conf:

source s_internal_network {
    # Receives messages on this box's internal interface on port 1234.
    tcp(ip(10.1.10.1) port(1234) max-connections(30));
};

Then configure a destination and a filter if necessary, then restart syslog-ng. If you do a netstat -pantu you will see that syslog-ng is listening on 10.1.10.1 port 1234.

Hope that helps. The manual is pretty easy to follow, unlike most dry and terrible documentation associated with Linux tools, so check it out!
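Completing the steps in the reply above (a source bound to one address, then a filter, a destination and a log path) as an added example that is not the commenter's config or the project's own: a full syslog-ng.conf for the instance bound to 10.1.10.1, so that a second instance with its own config can be bound to another address. The `@version` line, the 10.1.0.0/16 filter subnet, the log file path and the per-instance pid/persist file names are assumptions.

```conf
# Constructed example for a syslog-ng 3.x instance bound to ONE address.
# A second instance for another address gets its own copy of this file
# with a different ip(), plus separate pid and persist files (see below).
@version: 3.4

options {
    keep-hostname(yes);     # trust the hostname the sender put in the message
    create-dirs(yes);       # allow the per-host directories below to be created
};

# Bind only to the internal address; nothing is opened on other interfaces.
source s_internal_network {
    tcp(ip("10.1.10.1") port(1234) max-connections(30));
};

# Only accept messages from senders in the internal range (assumed subnet).
filter f_internal { netmask("10.1.0.0/16"); };

# One file per sending host, so a noisy or misbehaving host is easy to spot.
destination d_remote {
    file("/var/log/remote/${HOST}/messages" perm(0640));
};

log {
    source(s_internal_network);
    filter(f_internal);
    destination(d_remote);
};

# Start each instance with its own state files so they do not collide, e.g.:
#   syslog-ng -f /etc/syslog-ng/internal.conf -p /var/run/syslog-ng-internal.pid \
#             -R /var/lib/syslog-ng/internal.persist -c /var/run/syslog-ng-internal.ctl
```

Check the binding afterwards with netstat (or ss -ltnp): the listener should appear on 10.1.10.1:1234 only, not on 0.0.0.0:1234.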

26 May 2005 09:44 Sjobeck

syslog-ng webmin module

I love anything with "-ng" after its name and this software is a perfect example of why. Really like it. The only thing hanging us up with it is that there is no webmin module for it. Let's face it, some people, even me, from time to time, need a GUI, and the regular syslog module in webmin does not work. If anyone knocked down this issue, we would be forever in your debt.

Peace. Love. Linux.

Jason

10 Jun 2004 08:35 wmoran

syslog-ng not able to specify listening address?

I can't seem to find any way to do this ... any suggestions?

It doesn't seem as if there is a config or command-line option to tell syslog-ng to only listen on a certain IP address. This would be very useful, as I have a logging server that I want to have multiple IP addresses and different configs of syslog-ng listening on each.

Does this exist and I'm not seeing it, or should it be a feature request?

20 Apr 2004 18:28 akhasha

Re: Syslog-ng best thing since sliced bread

> The ability to send the log stream to the stdin of a program is a feature you just can't find anywhere else.

I don't know if this was the case back then, but with current versions of syslogd you can. From the manpage of syslogd version 1.4.1:

kern.=debug |/usr/adm/debug

This sends kernel debug messages to a FIFO from which another program can read. Though to make it appear on stdin you'd have to wrap it with a shell redirect using cat.

20 Sep 2001 16:25 thoth

network logging doesn't work well yet

I'm in need of a network logging solution which can survive network outages.

It appears syslog-ng does not perform well. When I gave it a remote network destination, it only logged to a single file and no messages appeared in any of the designated files. When I removed the remote destination from the configuration, things worked properly. I assume it is blocking on writes to the network.

Worse, errors in the config file result in a message like

parse error at 11
Parse error reading configuration file, exiting.

Not exactly illuminating. Eventually I found out how to specify a remote destination thanks to Google:

destination central { tcp(10.21.0.3 port(514) ); };

Of course, the documentation on the web site was pretty much useless, with a single trite sentence documenting the tcp destination.

The documentation will doubtless improve as the product matures, but I don't know if this software has the necessary architecture to reliably deliver messages to remote machines in the face of network outages or local daemon restarts.
