Posts Tagged ‘syslog-ng’

Instructions For Tunnelling Syslog Over SSH Using Syslog-NG

Here’s an interesting article on establishing an ssh tunnel between a client and syslog server for the purpose of securely transmitting syslog messages.

Posted by mutex - July 4, 2012 at 5:23 pm

Categories: Logging

Syslog-NG

Syslog-NG is a multi-platform implementation of a syslog logging server.  Open source, commercial and appliance-based versions are available.

The primary Syslog-ng site is accessible here: http://www.balabit.com/network-security/syslog-ng


Posted by mutex - May 21, 2012 at 5:01 pm

Categories: Syslog Servers, Tools

Reading Logs From A File In Syslog-NG

I had previously written a short snippet on how to pull logs in from a file.  There is substantially more to consider when configuring syslog-ng to read from a file, however, so this post is dedicated to reading logs from a text file.

The basic structure for reading logs from a text file looks like this:

source s_file {
  file("/var/log/app.log");
};

destination d_messages {
  file("/var/log/messages");
};

log {
  source(s_file);
  destination(d_messages);
};

The file source driver has many options that can help you tailor the import of logs into syslog-ng.

One of the first, and most important, settings to consider when reading logs in from a file is the “flags(no-parse)” option on the file source statement.  By default, syslog-ng expects each line in the text file to be in the format of a syslog message, and will attempt to parse out the relevant fields, like date/time, severity, program, etc.  However, most applications that write custom log files don’t use a standard syslog format, so we need a way to tell syslog-ng that the whole log record in our log file is the “log message”, not a syslog-formatted message.  We accomplish this with the “flags(no-parse)” option, which looks like this in the config file:

15 comments.  Posted by admin - July 25, 2010 at 11:28 am

Categories: Logging

Pot Of Syslog-NG Tricks Version 3

Retaining the original hostname of the origin of syslog messages through a Syslog-NG relay

In some environments, syslog messages are concentrated and relayed through an intermediate syslog server.  One of the big deficiencies of the stock syslogd that ships with many Linux/UNIX operating systems is that it does not provide a way to keep the hostname or IP address of the original sender of a syslog message as the message passes through the relay server.  Syslog-NG provides an option that, when used on the relay server, retains the host name of the originating system.  A basic relay syslog-ng.conf file might look like this:

source s_net { udp(); };
destination d_net { udp("1.2.3.4"); };
log { source(s_net); destination(d_net); };

Simply adding the keep-hostname(yes) option to the source definition tells syslog-ng to retain the original host’s name in the syslog message as it is relayed through.  The resulting config file would look like this:

source s_net { udp(keep-hostname(yes)); };
destination d_net { udp("1.2.3.4"); };
log { source(s_net); destination(d_net); };

And that’s all there is to it.

3 comments.  Posted by admin - April 15, 2010 at 1:55 pm

Categories: Logging

Pot Of Syslog-NG Tricks Version 2

Correcting bad or duplicate time and date stamps

Trying to accept logs from applications or devices into syslog-ng, but ending up with two date and time fields in the log that syslog-ng writes out?  This happens because syslog-ng is not able to understand the format in which the date and time stamp arrive, so it adds its own header in front of the one already in the message.  Here’s an easy way to fix that problem: use a template that writes only the “message” part of the incoming log:

source s_net { udp(); };
destination d_file { file("/var/log/application.log" template("$MSG\n")); };
log { source(s_net); destination(d_file); };

Including the facility & priority of a message in syslog-ng output

To add the written form of the facility and priority to logs coming out of syslog-ng, such as “local1:info”, use the following template.

destination d_file {
  file("/var/log/messages"
       template("$FACILITY:$PRIORITY $MSG\n")
       template_escape(no));
};

Alternatively, to add the numeric PRI value, use this:

destination d_file {
  file("/var/log/messages"
       template("$PRI $MSG\n")
       template_escape(no));
};

$FACILITY and $PRIORITY produce the written names of the facility and priority, respectively.  The $PRI macro produces the single number that encodes both facility and priority (facility × 8 + priority, the same value carried in the <PRI> field of a syslog message header).  To get the numeric value of the facility and the priority separately, use the $FACILITY_NUM and $LEVEL_NUM macros.

Configuring syslog-ng as a relay

Syslog-ng is pretty straightforward to configure as a relay.

source s_net { udp(); };
destination d_net { udp("192.168.0.1" port(514)); };
log { source(s_net); destination(d_net); };

2 comments.  Posted by admin - March 2, 2010 at 11:04 pm

Categories: Logging

Running Syslog-NG on Windows

This post describes running syslog-ng as a server on Windows.  In another post, we describe how to send Windows Event Logs to syslog.

There are many great commercial syslog servers for Windows, but not many options for those looking for a free alternative.  One option is Aonaware.  Another option is to install syslog-ng through Cygwin.  Cygwin is a Linux-like environment that runs inside a Windows command shell, and it runs on all current desktop and server versions of Windows.  In this post, we will walk through setting up syslog-ng on a Windows host.

  1. First, visit the Cygwin website to download the setup.exe application.  Save, then run setup.exe.
  2. Choose “Install From Internet”
  3. Select the directory to install into and the user to install for (leave this as “all users”).
  4. Enter the directory for local packages. Accepting the default location is fine.
  5. Choose your Internet connection type (direct or proxy)
  6. Select a site to download from.  Any one should be fine.
  7. At the “install packages” window, type “syslog” in the search box.  You will see “Admin” below.  Expand the Admin section, and you will see syslog-ng.  Click the word “skip” until you see 3.0.1 (or whatever the latest supported version is).
  8. Also choose the following packages:
    1. Admin/cygrunsrv
    2. Editors/VIM
    3. Gnome/glib
  9. Finish the installation.

15 comments.  Posted by admin - February 21, 2010 at 9:43 pm

Categories: Logging, Windows

Pot Of Syslog-NG Tricks Version 1

Fixing Duplicate Date and/or Hostname Problems

Some devices send syslog messages with improperly formatted headers, which causes syslog-ng to prepend a new set of header information, so the host name and/or date appear twice in the logs.  A simple way to solve this is to use a template:

source s_net { udp(); };
destination d_file { file("/var/log/file.log" template("$MSG\n")); };
log { source(s_net); destination(d_file); };

The template in the destination definition tells syslog-ng to discard the header from the received message and keep only the actual message data, which is held in the $MSG macro.  Syslog-ng then inserts a proper header of its own, using the date the log was received and the host the log came from, resulting in a normal syslog message.

6 comments.  Posted by admin - February 19, 2010 at 5:24 pm

Categories: Logging

Segregating Logs From Different Log Files On A Centralized Log Server Using Syslog-NG

In this post, I will demonstrate a way to capture logs from a series of log files, relay those logs to a central log server, and separate them there into the same log files they were in on the original host.

Reading from files

Syslog-ng has the ability to pull log data from files and then treat those logs like any other source, like this:

source s_file_abclog { file("/var/log/abc.log" follow_freq(1)); };

In this way, you can handle log data from applications that do not have native support for syslog.

Then, you can send that data to a central log server, like this:

source s_file_abclog { file("/var/log/abc.log" follow_freq(1)); };

destination d_remote { udp("192.168.0.3" port(514)); };
log { source(s_file_abclog); destination(d_remote); };
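The following is an added example, not configuration from any of the posts above, that combines this post's file source with the flags(no-parse) option and the keep-hostname relay option described earlier on this page.  It is three separate syslog-ng.conf fragments, one per host: the client tails a non-syslog application log, a relay forwards it without losing the original hostname, and the central server writes one file per originating host and program.  The addresses 192.168.0.2 and 192.168.0.3, the /var/log/remote path, the program name "abc", and the availability of program_override() in the deployed syslog-ng version are assumptions.

```conf
@version: 3.0

# ---- Client: /etc/syslog-ng/syslog-ng.conf ----
# flags(no-parse) keeps the whole line in $MSG instead of trying to
# read a syslog header out of it; program_override() labels the lines
# so the central server can tell which application log they came from.
source s_file_abclog {
  file("/var/log/abc.log"
       follow_freq(1)
       flags(no-parse)
       program_override("abc"));   # assumed available in this version
};
destination d_relay { udp("192.168.0.2" port(514)); };   # relay (assumed)
log { source(s_file_abclog); destination(d_relay); };

# ---- Relay (192.168.0.2): /etc/syslog-ng/syslog-ng.conf ----
# Without keep_hostname(yes) the relay rewrites $HOST to the address
# it received the message from, and the client's name is lost.
source s_relay_in { udp(port(514) keep_hostname(yes)); };
destination d_central { udp("192.168.0.3" port(514)); };  # server (assumed)
log { source(s_relay_in); destination(d_central); };

# ---- Central server (192.168.0.3): /etc/syslog-ng/syslog-ng.conf ----
# The same option is needed here: otherwise $HOST becomes the relay's
# address and every client's logs collapse into one directory.
# create_dirs(yes) lets syslog-ng create the per-host directory.
source s_central_in { udp(port(514) keep_hostname(yes)); };
destination d_by_host {
  file("/var/log/remote/$HOST/$PROGRAM.log"          # path assumed
       create_dirs(yes)
       template("$ISODATE $HOST $FACILITY:$PRIORITY $MSG\n")
       template_escape(no));
};
log { source(s_central_in); destination(d_by_host); };
```

A line written to /var/log/abc.log on the client ends up in /var/log/remote/<client hostname>/abc.log on the server, prefixed with the timestamp, host and facility:priority that syslog-ng derived when it read the file.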

5 comments.  Posted by admin - August 23, 2009 at 4:22 pm

Categories: Log Management, Logging

Configuring The Snare Windows Client And Syslog-NG To Work Together

In a previous post, we looked at installing Snare to log Windows events to a syslog server.  Here, we will configure syslog-ng to accept messages from Snare and implement a few simple customizations, including storing the logs in individual files.  We will assume that Snare is operational for the purposes of this guide.  Please see the post referenced above for help with installing Snare.

For this test, I am running syslog-ng 3.0.1 on FreeBSD 7.1 and Snare 3.14 on Windows XP.

First, we will start with a very basic configuration that logs to /var/log/messages:

source src {
  internal();
  udp(port(514));
};
destination messages { file("/var/log/messages"); };

log { source(src); destination(messages); };


4 comments.  Posted by admin - May 13, 2009 at 7:57 pm

Categories: Logging, Windows

Native MySQL support in syslog-ng

So, apparently I’ve been living under a rock.  One of the biggest criticisms I’ve had about syslog-ng for a long time is the terribly convoluted process to get logs into MySQL.  I was looking through the syslog-ng mailing list and saw someone asking for help with getting the script to work for piping logs into MySQL, and the response was something like “why don’t you just use the native support for interfacing with MySQL?”.  Now I’ll need to find something else to complain about.

I have yet to play with this interface, but I’m building a system now to test bed it with.

Posted by admin - April 16, 2009 at 5:39 pm

Categories: Logging
