To convert your existing tcp(), tcp6(), udp(), udp6() source drivers to use the network() driver, see Change an old source driver to the network() driver.
To replace your existing tcp(), tcp6(), udp(), udp6() sources with a network() source, complete the following steps.
- Replace the driver with network. For example, replace udp( with network(.
- Set the transport protocol.
  - If you used TLS encryption, add the transport("tls") option, then continue with the next step.
  - If you used the tcp or tcp6 driver, add the transport("tcp") option.
  - If you used the udp or udp6 driver, add the transport("udp") option.
- If you use IPv6 (that is, the udp6 or tcp6 driver), add the ip-protocol(6) option.
- If you did not specify the port used in the old driver, check the network() source options and verify that your clients send the messages to the default port of the transport protocol you use. Otherwise, set the appropriate port number in your source using the port() option.
- All other options are identical. Test your configuration with the syslog-ng --syntax-only command.
The following configuration shows a simple tcp source.

```
source s_old_tcp {
    tcp(
        ip(127.0.0.1) port(1999)
        tls(
            peer-verify("required-trusted")
            key-file("/opt/syslog-ng/etc/syslog-ng/syslog-ng.key")
            cert-file('/opt/syslog-ng/etc/syslog-ng/syslog-ng.crt')
        )
    );
};
```
When replaced with the network() driver, it looks like this.

```
source s_new_network_tcp {
    network(
        transport("tls")
        ip(127.0.0.1) port(1999)
        tls(
            peer-verify("required-trusted")
            key-file("/opt/syslog-ng/etc/syslog-ng/syslog-ng.key")
            cert-file('/opt/syslog-ng/etc/syslog-ng/syslog-ng.crt')
        )
    );
};
```
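The conversion steps above, applied mechanically: an added Python helper (not part of syslog-ng or this page) that rewrites tcp()/tcp6()/udp()/udp6() drivers as network(), selects transport("tls") when the old source carried a tls() block, adds ip-protocol(6) for the IPv6 drivers, and flags sources that left port() implicit so the default port can be checked. The embedded sample is a condensed, constructed copy of the s_old_tcp source shown above.

```python
import re

# Old driver name -> (network() transport, ip-protocol() value or None)
OLD_DRIVERS = {"tcp": ("tcp", None), "tcp6": ("tcp", 6),
               "udp": ("udp", None), "udp6": ("udp", 6)}
DRIVER_START = re.compile(r"\b(tcp6|udp6|tcp|udp)\s*\(")

def _closing_paren(text, start):
    """Index of the ')' matching the '(' at text[start]; quoted strings are skipped."""
    depth, quote = 0, None
    for i, ch in enumerate(text[start:], start):
        if quote:
            quote = None if ch == quote else quote
        elif ch in "\"'":
            quote = ch
        elif ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0:
                return i
    raise ValueError("unbalanced parentheses in driver options")

def convert_source(config):
    """Rewrite tcp()/tcp6()/udp()/udp6() drivers as network(); return (text, notes)."""
    out, notes, pos = [], [], 0
    while m := DRIVER_START.search(config, pos):
        close = _closing_paren(config, m.end() - 1)
        opts = config[m.end():close]
        transport, ipproto = OLD_DRIVERS[m.group(1)]
        if re.search(r"\btls\s*\(", opts):       # step 2: TLS-encrypted source
            transport = "tls"
        head = f'transport("{transport}")'
        if ipproto:                               # step 3: IPv6 driver
            head += f" ip-protocol({ipproto})"
        if not re.search(r"\bport\s*\(", opts):  # step 4: port left implicit
            notes.append(f"{m.group(1)}(): no port() set, verify the network() "
                         f"default port for transport {transport}")
        out.append(f"{config[pos:m.start()]}network(\n{head}\n{opts.strip()}\n)")
        pos = close + 1
    return "".join(out) + config[pos:], notes

# Constructed sample: this page's old TLS-enabled tcp() source, condensed
OLD_TCP_TLS = """source s_old_tcp {
tcp(ip(127.0.0.1) port(1999)
tls(peer-verify("required-trusted")
cert-file('/opt/syslog-ng/etc/syslog-ng/syslog-ng.crt'))
);
};"""
```

Run the rewritten text through syslog-ng --syntax-only before deploying it, as the steps above require.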
The unix-stream() and unix-dgram() drivers open an AF_UNIX socket and start listening on it for messages. The unix-stream() driver is primarily used on Linux and uses SOCK_STREAM semantics (connection oriented, no messages are lost), while unix-dgram() is used on BSDs and uses SOCK_DGRAM semantics: this may result in lost local messages if the system is overloaded.
To avoid denial-of-service attacks when using connection-oriented protocols, limit the number of simultaneously accepted connections with the max-connections() parameter. The default value of this parameter is quite strict; you might have to increase it on a busy system.
Both unix-stream and unix-dgram have a single required argument that specifies the filename of the socket to create. For the list of available optional parameters, see unix-stream() and unix-dgram() source options.
Declaration:

```
unix-stream(filename [options]);
unix-dgram(filename [options]);
```

NOTE: syslogd on Linux originally used SOCK_STREAM sockets, but some distributions switched to SOCK_DGRAM around 1999 to fix a possible DoS problem. On Linux you can choose to use whichever driver you like, as syslog clients automatically detect the socket type being used.
Example: Using the unix-stream() and unix-dgram() drivers

```
source s_stream {
    unix-stream("/dev/log" max-connections(10));
};
source s_dgram {
    unix-dgram("/var/run/log");
};
```
Starting with syslog-ng OSE 3.6, the unix-stream() and unix-dgram() sources automatically extract the available UNIX credentials and other metainformation from the received log messages. The syslog-ng OSE application can extract the following information on Linux and FreeBSD platforms (examples show the value of the macro for the su - myuser command). Similar information is available for the systemd-journal source.
Table 10: UNIX credentials available via UNIX domain sockets

| Macro | Description |
| --- | --- |
| ${.unix.cmdline} | The name (without the path) and command-line options of the executable belonging to the PID that sent the message. For example, su - myuser |
| ${.unix.exe} | The path of the executable belonging to the PID that sent the message. For example, /usr/bin/su |
| ${.unix.gid} | The group ID (GID) corresponding to the UID of the application that sent the log message. Note that this is the ID number of the group, not its human-readable name. For example, 0 |
| ${.unix.pid} | The process ID (PID) of the application that sent the log message. For example, 774. Note that on every UNIX platform, if the system() source uses sockets, it overwrites the PID macro with the value of ${.unix.pid}, if it is available. |
| ${.unix.uid} | The user ID (UID) of the application that sent the log message. Note that this is the ID number of the user, not its human-readable name. For example, 0 |