How to configure BSD-syslog and IETF-syslog message formats in Syslog-ng (4273418)

This knowledge shows how to configure BSD-syslog (RFC 3164) and IETF-syslog (RFC 5424) message formats in Syslog-ng Premium Edition (PE) through some basic example configurations.

Configuring BSD-syslog (RFC 3164) format

Source configuration

The network() source driver can receive syslog messages conforming to RFC3164 from the network using the TCP, TLS, and UDP networking protocols.

• UDP source listening on 192.168.1.1 (the default port for UDP is 514):

source s_network {
    network( ip("192.168.1.1") transport("udp") ); 
};

For more details about network() source driver see the following documentation.

Syslog-ng PE 6: Collecting messages using the RFC3164 protocol (network() driver)

Syslog-ng PE 7: network: Collecting messages using the RFC3164 protocol (network() driver)

Destination configuration

For more details about network() destination driver see the following documentation.

Syslog-ng PE 6: Sending messages to a remote log server using the RFC3164 protocol (network() driver)

Syslog-ng PE 7: network: Sending messages to a remote log server using the RFC3164 protocol (network() driver)

Syslog-ng Agent for Windows

- Navigate to the destination server and open Properties

- Add IP the address of the syslog server

- Set port 514 as Server port

- Select 'Legacy BSD Syslog Protocol' at Messages tab | Protocol

Configuring IETF-syslog (RFC 5424) format

Source configuration

The syslog() driver can receive messages from the network using the standard IETF-syslog protocol (as described in RFC5424-26). UDP, TCP, and TLS-encrypted TCP can all be used to transport the messages.

• Default settings: listening on every available IPV4 interface on the TCP/601 port.

source s_syslog {
    syslog();
};

Destination configuration

The syslog() driver sends messages to a remote host using the IETF syslog format. It has a single required parameter that specifies the destination host address where messages should be sent.

• TCP destination that sends messages to 10.1.2.3, port 514:

destination d_tcp {

    syslog("10.1.2.3"); 

};

• TCP destination that sends messages to 10.1.2.3, port 1999:

destination d_tcp {

    syslog("10.1.2.3" port(1999) );

};

For more details about network() destination driver see the following documentation.

Syslog-ng PE 6:Sending messages to a remote log server using the IETF-syslog protocol

Syslog-ng PE 7: syslog: Sending messages to a remote logserver using the IETF-syslog protocol

Syslog-ng Agent for Windows

- Navigate to the destination server and open Properties

- Add the IP address of the syslog server

- Set port 601 as Server port

- Select 'Syslog Protocol' at Messages tab | Protocol

Collecting non-syslog messages

• The no-parse flag completely disables syslog message parsing and processes the complete line as the message part of a syslog message.
• The syslog-ng PE application will generate a new syslog header (timestamp, host, and so on) automatically and put the entire incoming message into the MESSAGE part of the syslog message (available using the ${MESSAGE} macro).
• Warning! Do not receive both syslog and non-syslog messages on the same source. Instead create separate source for both format.

BSD-syslog

source s_network {
     network( ip("192.168.1.1") flags(no-parse) ); 
};

IETF-syslog

source s_network {
    syslog( ip("192.168.1.1") flags(no-parse) ); 
};

Syslog message formats

How to configure BSD-syslog and IETF-syslog message formats in Syslog-ng Store Box