syslog-ng: the neXGen syslog

syslog-ng is a flexible, scalable, easy-to-use logging system for Unix and Linux platforms. It does everything the stock syslog does and a great deal more: it is syslog enhanced in terms of functionality (I don’t know whether it shares syslog’s codebase). I wouldn’t do it justice by describing it myself, so instead I’m jotting down a few links that anyone who is serious about a powerful logging system for Unix/Linux should consider.

syslog-ng supports a huge set of options and configuration directives; I admit I have not explored even half of them.

To provide a quick glimpse into what syslog-ng can do, I will set up a small distributed logging environment.

  • Client (10.1.0.10), running syslog, from which we need to pick up logs.
  • Server (10.1.0.1), running syslog-ng, where we want all the logs to be gathered.

Let’s assume, for the sake of example, that we want to grab all INFO level logs generated on Client (logs generated via syslog(2) are categorised by level, which indicates the severity of the message: ‘alert’, ‘warn’, ‘error’ and so on). Client is generating logs via syslog. As I explained in Syslog Remote Logging, syslog can be configured to send logs remotely to other systems running syslog. To make Client send INFO level logs to Server, we have to add the following line to /etc/syslog.conf on Client:

*.info @10.1.0.1

That’s it for Client. As soon as the syslog daemon on Client is restarted, it will start sending logs to 10.1.0.1, the Server.

Now, on the Server we plan to set up syslog-ng instead. Before we do that, we need to decide a few things. Server will be receiving logs on UDP 512 (the default port on which syslog, or syslog-ng for that matter, listens for data sent by remote syslog daemons). Although Client is only sending INFO logs, it could send other types of logs if configured to; at Server we are only interested in logs with the INFO level. Finally, we would like to store the logs from each remote syslog we receive logs from inside /var/log/hosts/, in files named after the IP address of the corresponding remote system. With that in mind, let’s write the following in /etc/syslog-ng/syslog-ng.conf:

# Do not resolve sender addresses, so $HOST is the client IP and matches the file names below
options { long_hostnames(off); sync(0); use_dns(no); };
# Listen for datagrams from remote syslog daemons on the default UDP port
source info_src { udp(); };
# One file per sending host, named after its address
destination info_dst { file("/var/log/hosts/$HOST.log"); };
# Keep only messages whose priority level is exactly info
filter info_filter { level(info); };
# Tie source, filter and destination together into one log path
log { source(info_src); filter(info_filter); destination(info_dst); };

Refer to the links given in this post for a clear, detailed explanation of how these rules are constructed and what they do. In a nutshell, this set of rules does the following: read logs arriving on UDP port 512 (the default), filter them by level, and store them in files named after the IP address of the remote system.

That’s it. Start syslog-ng with the -f switch, passing /etc/syslog-ng/syslog-ng.conf as its argument.
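To make concrete what the server-side rules do, here is an added example (a small Python model written for this post, not syslog-ng code): it parses the PRI field of constructed RFC 3164 datagrams, keeps only INFO-level messages and buckets them into per-sender files named after the source IP, mirroring level(info) and file("/var/log/hosts/$HOST.log"). It also shows that the syslog.conf selector *.info matches info and anything more severe, whereas syslog-ng’s level(info) matches exactly info; the sample datagrams and sender addresses are constructed.

```python
import re
from collections import defaultdict

# RFC 3164 severities, index = numeric code; smaller numbers are more severe.
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
PRI_RE = re.compile(rb"^<(\d{1,3})>")

def parse_pri(datagram: bytes):
    """Return (facility, severity) from the <PRI> prefix, or None if absent/invalid."""
    m = PRI_RE.match(datagram)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:            # highest legal PRI: facility 23 * 8 + severity 7
        return None
    return divmod(pri, 8)    # (pri // 8, pri % 8) == (facility, severity)

def level_filter_matches(severity: int, level: str = "info") -> bool:
    """syslog-ng filter level(info): exactly that severity."""
    return severity == SEVERITIES.index(level)

def syslogconf_selector_matches(severity: int, level: str = "info") -> bool:
    """syslog.conf selector '*.info': that severity and everything more severe."""
    return severity <= SEVERITIES.index(level)

def route(datagrams, logdir="/var/log/hosts"):
    """Group INFO messages into per-sender files named after the source IP."""
    files = defaultdict(list)
    for src_ip, data in datagrams:
        parsed = parse_pri(data)
        if parsed is None:
            continue         # model simplification: drop messages without a PRI field
        _facility, severity = parsed
        if level_filter_matches(severity):
            files[f"{logdir}/{src_ip}.log"].append(data.decode(errors="replace"))
    return dict(files)

# Constructed datagrams as the Client (10.1.0.10) and a second host might send them.
SAMPLE = [
    ("10.1.0.10", b"<30>Jan  5 10:00:01 client sshd[412]: Accepted publickey for bob"),  # daemon.info
    ("10.1.0.10", b"<27>Jan  5 10:00:02 client sshd[412]: error: bad packet length"),   # daemon.err
    ("10.1.0.10", b"<14>Jan  5 10:00:03 client logger: test message"),                 # user.info
    ("10.1.0.11", b"<38>Jan  5 10:00:04 other su: session opened"),                    # auth.info
    ("10.1.0.11", b"garbage without a PRI field"),
]

if __name__ == "__main__":
    for path, lines in route(SAMPLE).items():
        print(path, len(lines))
```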
