Chat now with support
Chat with Support

syslog-ng Premium Edition 6.0.17 - Administration Guide

Preface Chapter 1. Introduction to syslog-ng Chapter 2. The concepts of syslog-ng Chapter 3. Installing syslog-ng Chapter 4. The syslog-ng PE quick-start guide Chapter 5. The syslog-ng PE configuration file Chapter 6. Collecting log messages — sources and source drivers Chapter 7. Sending and storing log messages — destinations and destination drivers Chapter 8. Routing messages: log paths, reliability, and filters Chapter 9. Global options of syslog-ng PE Chapter 10. TLS-encrypted message transfer Chapter 11. FIPS-compliant syslog-ng Chapter 12.  Reliable Log Transfer Protocol™ Chapter 13. Reliability and minimizing the loss of log messages Chapter 14. Manipulating messages Chapter 15. Parsing and segmenting structured messages Chapter 16. Processing message content with a pattern database Chapter 17. Statistics and metrics of syslog-ng Chapter 18. Multithreading and scaling in syslog-ng PE Chapter 19. Troubleshooting syslog-ng Chapter 20. Best practices and examples

NFS file system for log files

Using the NFS network file system can lead to problems if NFS connection is not stable, therefore One Identity does neither recommend nor officially support such scenarios. If you can avoid it, do not store log files on NFS. If the NFS connection is stable and reliable, syslog-ng PE can read and write files on mounted NFS partitions as a normal file source or destination. Read this section carefully before using syslog-ng PE and NFS-mounted log files.

Risks

If there is any issue with the NFS connection (for example, connection loss, the NFS server stops), syslog-ng PE can stop working. These NFS issues can be related to the operating system, and can also vary depending on its patch level and kernel version. The possible effects include the following:

  • syslog-ng PE freezes, does not respond, does not process logs, is unable to stop or reload, and you can stop it only using the kill -9 command

  • syslog-ng PE is not able to start, and hangs during startup

  • Message loss or message duplication

  • Message becomes corrupt (it is not lost, but the message or some parts of it contain garbage)

  • When using the logstore() destination, the logstore file becomes corrupt

  • On some RHEL-based systems (possibly depending on the kernel version too), NFS returns NULL characters when reading a file that another process is writing at the very same moment.

Limitations of using syslog-ng PE with NFS

  • Do not use the logstore() destination to store files on an NFS-mounted partition

  • To use wildcards in the file source if your log files are on an NFS file system, set the force-directory-polling() option to yes to detect newly created files. Note that wildcard file sources are available only in syslog-ng PE version 6.0.3 and newer versions of the 6.x branch, and are not yet available in syslog-ng PE version 7.

  • Since One Identity does not officially support scenarios where you use syslog-ng PE together with NFS, One Identity will handle support requests and bugs related to such scenarios only if you can reproduce the issue independently from NFS.

Recommendations for using NFS with syslog-ng PE

If you cannot avoid using NFS with syslog-ng PE note the following points.

  • USE at least NFS v4 (or newer if available)

  • USE the soft mount option (-o soft) to mount the partition

  • USE the TCP mount option (-o tcp) to mount the partition

  • DO NOT install syslog-ng PE on an NFS-mounted partition

  • DO NOT store the runtime files (for example, the configuration or the persist file) of syslog-ng PE on an NFS-mounted partition

  • DO NOT use logstore on an NFS-mounted partition, it can easily become corrupted

Chapter 3. Installing syslog-ng

This chapter explains how to install syslog-ng Premium Edition on the supported platforms using the precompiled binary files.

The syslog-ng PE binaries include all required libraries and dependencies of syslog-ng PE, only the ncurses library is required as an external dependency (syslog-ng PE itself does not use the ncurses library, it is required only during the installation). The components are installed into the /opt/syslog-ng directory. It can automatically re-use existing configuration and license files, and also generate a simple configuration automatically into the /opt/syslog-ng/etc/syslog-ng.conf file.

NOTE:

There are two versions of every binary release. The one with the compact suffix does not include SQL support. If you are installing syslog-ng PE in client or relay mode, or you do not use the sql() source or destination, use the compact binaries. That way no unnecessary components are installed to your system.

The syslog-ng PE application can be installed interactively following the on-screen instructions as described in the section called “Installing syslog-ng using the .run installer”, and also without user interaction using the silent installation option — see the section called “Installing syslog-ng PE without user-interaction”.

Prerequisites to installing syslog-ng PE

  • The binary installer packages of syslog-ng Premium Edition include every required dependency for most platforms, only the ncurses library is required as an external dependency (syslog-ng PE itself does not use the ncurses library, it is required only during the installation).

    NOTE:

    There are two versions of every binary release. The one with the compact suffix does not include SQL support. If you are installing syslog-ng PE in client or relay mode, or you do not use the sql() source or destination, use the compact binaries. That way no unnecessary components are installed to your system.

  • For Java-based destinations (for example, Elasticsearch, Apache Kafka, HDFS), Java must be installed on the host where you use such destinations. Typically, this is the host where you are running syslog-ng PE in server mode.

  • DO NOT install syslog-ng PE on an NFS-mounted partition

  • DO NOT store the runtime files (for example, the configuration or the persist file) of syslog-ng PE on an NFS-mounted partition

The following platforms require the following patches for syslog-ng PE:

HP-UX

NOTE:

To install syslog-ng PE version 4 F1 on HP-UX (PARISC), the following patches must be installed on the host: PHCO_24402, PHCO_38279, PHKL_31918, PHSS_30049.

The patch kits are available at http://www.hp.com/ for customers with valid support contract.

Solaris

Table 3.1. Supported platforms and generated packages

OS Architecture Generated .pkg packages
Solaris 10 SPARC client, setup
Solaris 10 SPARC64 client, setup
Solaris 10 amd64 client, setup

Procedure 3.3. Installing syslog-ng PE on RPM-based platforms (Red Hat, SUSE, AIX)

Purpose: 

To install syslog-ng PE on operating systems that use the Red Hat Package Manager (RPM), complete the following steps. Installing syslog-ng PE automatically replaces the original syslog service. The following supported operating systems use RPM:

  • CentOS

  • openSUSE

  • Red Hat Enterprise Linux

  • Red Hat Enterprise Server

  • SUSE Linux Enterprise Server

Caution:

If you already had syslog-ng Open Source Edition (OSE) installed on the host, and are upgrading to syslog-ng Premium Edition, make sure that the ${SYSLOGNG_OPTIONS} environmental variable does not contain a -p <path-to-pid-file> option. If it does, remove this option from the environmental variable, because it can prevent syslog-ng PE from stopping properly. Typically, the environmental variable is set in the files /etc/default/syslog-ng or /etc/sysconfig/syslog-ng, depending on the operating system you use.

Steps: 

  1. Login to MyDownloads and download the syslog-ng RPM package for your system.

    • If the host already uses syslog-ng PE for logging, execute the following command as root. Otherwise, skip this step.

      rpm -U syslog-ng-premium-edition-<version>-<OS>-<arch>.rpm

      The syslog-ng Premium Edition application and all its dependencies will be installed, and the configuration of the existing syslog-ng PE installation will be used.

      NOTE:

      If you are upgrading from syslog-ng version 2.1, note that the location of the configuration file has been moved to /opt/syslog-ng/etc/syslog-ng.conf

    • Execute the following command as root:

      rpm -i syslog-ng-premium-edition-<version>-<OS>-<arch>.rpm

      The syslog-ng PE application and all its dependencies will be installed.

  2. Caution:

    When performing an upgrade, the package manager might automatically execute the post-uninstall script of the upgraded package, stopping syslog-ng PE and starting syslogd. If this happens, stop syslogd and start syslog-ng PE by issuing the following commands:

    /etc/init.d/syslogd stop
    /etc/init.d/syslog-ng start

    This behavior has been detected on CentOS 4 systems, but may occur on other rpm-based platforms as well.

  3. Edit the syslog-ng PE configuration file as needed. If you want to run syslog-ng PE in server mode, copy the license file to the /opt/syslog-ng/etc/ directory.

    For information on configuring syslog-ng PE, see the Chapter 4, The syslog-ng PE quick-start guide.

  4. Optional step for SELinux-enabled systems: Complete Procedure 3.4, “Using syslog-ng PE on SELinux”.

  5. Optional step for AIX systems: To redirect the messages of the AIX Error log into syslog, create a file (for example /tmp/syslog-ng.add) with the following contents:

    errnotify:
    en_name = "syslog1"
    en_persistenceflg = 1
    en_method = "logger Msg from Error Log: `errpt -l $1 | grep -v 'ERROR_ID TIMESTAMP'`"

    Then execute the following command as root: odmadd /tmp/syslog-ng.add.

Procedure 3.4. Using syslog-ng PE on SELinux

Purpose: 

Version syslog-ng PE 5 F2 and later properly supports SELinux on Red Hat Enterprise Linux 6.5 and newer platforms. Version 5 F5 and later also supports SELinux on Red Hat Enterprise Linux 5, as well as on 6.0-6.4. The CentOS platforms corresponding to the supported RHEL versions, and Oracle Linux 7 are supported as well. To use syslog-ng PE on a SELinux-enabled host, complete the following steps.

NOTE:

The following steps install SELinux policy module that enables syslog-ng PE to properly run with its default configuration and default installation path (/opt/syslog-ng) on a SELinux-enabled host. If you configure syslog-ng PE to perform an operation that is outside the permissions of this policy module (for example, to bind to a non-standard port, use a program destination or source, or to write logfiles in a non-standard directory), you have to modify and recompile the policy module. If you need help with that, contact the BalaBit Support Team.

Prerequisites: 

  • The following packages must be available on the host: policycoreutils,policycoreutils-devel, policycoreutils-python. If they are not already installed, issue the following command: yum install policycoreutils policycoreutils-devel policycoreutils-python

  • On RHEL 6.5, update the following packages at least to the indicated versions. These packages are available in the Red Hat repositories and are installed by default on RHEL 6.6. You can update them with the yum update selinux-policy command.

    • selinux-policy-3.7.19-231.el6.noarch > 3.7.19-260.el6.noarch

    • selinux-policy-targeted-3.7.19-231.el6.noarch > 3.7.19-260.el6.noarch

  • The syslog-ng PE application must be installed on the host. For details, see Chapter 3, Installing syslog-ng.

Steps: 

Expected result: 

The syslog-ng PE application is installed and properly running under SELinux. If syslog-ng PE does not start, or displays permission errors, execute the syslog_ng.sh.

  1. Download the syslog-ng PE SELinux policy module from support portal.

  2. Uncompress the file and run the ./syslog_ng.sh script to compile and load the SELinux rules for syslog-ng PE.

  3. Restart syslog-ng PE using the following command.

    Caution:

    The SELinux policy works only if syslog-ng PE is started by the init daemon.

    • On RHEL6: service syslog-ng restart

    • On RHEL7: systemctl restart syslog-ng

    If you do not use the service or the systemctl to start syslog-ng PE execute the syslog_ng.sh script again after starting syslog-ng PE. This is required to correct the settings of the files related to syslog-ng PE (most notably /dev/log and the files under /opt/syslog-ng). The settings can become incorrect if the privileges of the process that started syslog-ng PE are different from the privileges of the service or the systemctl process.

  4. Optional Step: The syslog-ng PE application can create coredumps, but this is disabled by default. You can enable coredumps with the setsebool -P daemons_dump_core 1 command.

    Note that his command enables every daemons on your system to create core dumps, not just syslog-ng PE. There is no way to enable per-application core dumps in SELinux.

Procedure 3.5. Installing syslog-ng on Debian-based platforms

Purpose: 

To install syslog-ng on operating systems that use the Debian Software Package (deb) format, complete the following steps. The following supported operating systems use this format:

  • Debian Jessie

Caution:

If you already had syslog-ng Open Source Edition (OSE) installed on the host, and are upgrading to syslog-ng Premium Edition, make sure that the ${SYSLOGNG_OPTIONS} environmental variable does not contain a -p <path-to-pid-file> option. If it does, remove this option from the environmental variable, because it can prevent syslog-ng PE from stopping properly. Typically, the environmental variable is set in the files /etc/default/syslog-ng or /etc/sysconfig/syslog-ng, depending on the operating system you use.

Steps: 

  1. Login to MyDownloads and download the syslog-ng PE DEB package for your system.

  2. Issue the following command as root:

    dpkg -i syslog-ng-premium-edition-<version>-<OS>-<arch>.deb

  3. Answer the configuration questions of syslog-ng PE. These are described in detail in the section called “Installing syslog-ng using the .run installer”.

    For information on configuring syslog-ng PE, see the Chapter 4, The syslog-ng PE quick-start guide.

Procedure 3.9. Installing syslog-ng PE on Windows platforms

Purpose: 

Complete the following steps to install syslog-ng PE in server mode on Microsoft Windows platforms. For details on the different operation modes of syslog-ng PE, see the section called “Modes of operation”.

Steps: 

  1. Login to MyDownloads and download the syslog-ng installer package and your syslog-ng Premium Edition license. The license will be required to run syslog-ng in server mode (see the section called “Server mode”) and is needed when you are installing syslog-ng on your central log server.

  2. Start the installer. The Welcome screen is displayed. Click Next.

    Figure 3.16. The Welcome screen of the syslog-ng PE installer on Microsoft Windows

    The Welcome screen of the syslog-ng PE installer on Microsoft Windows

  3. Accepting the EULA: You can install syslog-ng PE only if you understand and accept the terms of the End-User License Agreement (EULA). The full text of the EULA can be displayed during installation by selecting the Show EULA option, and is also available at Software Transaction, License and End User License Agreements. Select Accept to accept the EULA and continue the installation.

    If you do not accept the terms of the EULA for some reason, select Reject to cancel installing syslog-ng PE.

  4. Select Install syslog-ng Premium Edition and click Next.

    NOTE:

    If you do not want to install syslog-ng PE, just copy its files to a host so that you can start it manually without registering it as a service, select Unpack files without installation.

    Figure 3.17. Select how to install syslog-ng PE on Microsoft Windows

    Select how to install syslog-ng PE on Microsoft Windows

  5. Installation path: Enter the path to install syslog-ng PE to. This is useful if you intend to install syslog-ng PE without registering it as a service, or if it cannot be installed to the default location because of policy compliance reasons. If no path is given, syslog-ng PE is installed to the default folder.

    Figure 3.18. Select the installation folder for syslog-ng PE on Microsoft Windows

    Select the installation folder for syslog-ng PE on Microsoft Windows

  6. Locating the license: Enter the path to your license file and click Next.

    If you are upgrading an existing configuration that already has a license file, the installer automatically detects it.

    Caution:

    The syslog-ng PE application will not use the specified file directly, but copy it under the %INSTALLDIR%\etc\ folder.

    Figure 3.19. Selecting the license file on Microsoft Windows

    Selecting the license file on Microsoft Windows

  7. Locating the configuration file: Enter the path to your configuration file and click Next.

    If you are upgrading an existing configuration that already has a configuration file, the installer automatically detects it.

    Caution:

    The syslog-ng PE application will not use the specified file directly, but copy it to %INSTALLDIR%\etc\syslog-ng.conf. To modify the configuration of syslog-ng PE, edit the %INSTALLDIR%\etc\syslog-ng.conf file. By default, syslog-ng PE is installed into the C:\Program Files\syslog-ng directory.

    Figure 3.20. Selecting the configuration file on Microsoft Windows

    Selecting the configuration file on Microsoft Windows

  8. Select Register as a service.

    Figure 3.21. Registering and starting the syslog-ng PE service

    Registering and starting the syslog-ng PE service

  9. Select Start the syslog-ng PE service and click Install.

    Expected result: 

    The syslog-ng PE application is installed and the service is started.

Procedure 3.10. Managing syslog-ng PE from Puppet

Purpose: 

To simplify the management of large-scale syslog-ng PE deployments, you can centrally manage your syslog-ng PE hosts from Puppet. The syslog-ng Premium Edition Puppet module (syslog_ng) allows you to perform the following tasks.

  • Install syslog-ng PE from a package repository.

  • Upgrade syslog-ng PE to a newer version.

  • Delete syslog-ng PE from a host.

  • Update the syslog-ng PE configuration file of your hosts from a central repository.

  • Create backup of your syslog-ng PE configuration files. You can redistribute these backups to your hosts if a rollback is needed.

The Puppet module supports the following platforms: Red Hat Enterprise Linux (RHEL), Oracle Linux, CentOS, Ubuntu, and Debian. Other Linux platforms based on .deb and .rpm packages might also work, but are not tested.

To manage your syslog-ng PE clients from Puppet, complete the following steps.

Prerequisites: 

To use the syslog_ng Puppet module, the following prerequisites must be met.

  • A Puppet architecture installed and configured

  • The Puppet master and slaves nodes are configured and connected

  • The filebucket feature of Puppet is enabled and configured

  • Package repositories are added to the slave nodes (where syslog-ng PE can be installed from)

Steps: 

  1. Login to MyDownloads and download the syslog-ng PE installer package for your platform.

  2. Add the syslog-ng PE installer package to your local package repositories.

  3. Download the syslog_ng Puppet module from support portal.

  4. Copy the module to your Puppet master, then build and install it. For details, see the Readme.md file of the module.

Procedure 3.12. Configuring Microsoft SQL Server to accept logs from syslog-ng

Purpose: 

Complete the following steps to configure your Microsoft SQL Server to enable remote logins and accept log messages from syslog-ng.

Steps: 

  1. Start the SQL Server Management Studio application. Select Start > Programs > Microsoft SQL Server 2005 > SQL Server Management Studio.

  2. Create a new database.

    1. Figure 3.22. Creating a new MSSQL database 1.

      Creating a new MSSQL database 1.

      In the Object Explorer, right-click on the Databases entry and select New Database.

    2. Figure 3.23. Creating a new MSSQL database 2.

      Creating a new MSSQL database 2.

      Enter the name of the new database (for example syslogng) into the Database name field and click OK.

  3. Create a new database user and associate it with the new database.

    1. Figure 3.24. Creating a new MSSQL user 1.

      Creating a new MSSQL user 1.

      In the Object Explorer, select Security, right-click on the Logins entry, then select New Login.

    2. Figure 3.25. Creating a new MSSQL user 2.

      Creating a new MSSQL user 2.

      Enter a name (for example syslog-ng) for the user into the Login name field.

    3. Select the SQL Server Authentication option and enter a password for the user.

    4. In the Default database field, select the database created in Step 2 (for example syslogng).

    5. In the Default language field, select the language of log messages that you want to store in the database, then click OK.

      Caution:

      Incorrect language settings may result in the database converting the messages to a different character-encoding format. That way the log messages may become unreadable, causing information loss.

    6. In the Object Explorer, select Security > Logins, then right-click on the new login created in the previous step, and select Properties.

    7. Figure 3.26. Associating database with the new user

      Associating database with the new user

      Select User Mapping. In the Users mapped to this login option, check the line corresponding to the new login (for example syslogng). In the Database role membership field, check the db_owner and public options.

  4. Figure 3.27. Associating database with the new user

    Associating database with the new user

    Enable remote logins for SQL users.

    In the Object Explorer right-click on your database server, and select Properties > Security, and set the Server Authentication option to SQL Server and Windows Authentication mode.

Security-enhanced Linux: grsecurity, SELinux

Security-enhanced Linux solutions such as grsecurity or SELinux can interfere with the operation of syslog-ng PE. The syslog-ng PE application supports these security enhancements as follows:

  • grsecurity: Version syslog-ng PE 5 F2 and later can be run on hosts using grsecurity, with the following limitations: using the Oracle SQL source and destination is not supported.

  • SELinux: Version syslog-ng PE 5 F2 and later properly supports SELinux on Red Hat Enterprise Linux 6.5 and newer platforms. The CentOS platforms corresponding to the supported RHEL versions are supported as well. For details, see Procedure 3.4, “Using syslog-ng PE on SELinux”.

Installing syslog-ng using the .run installer

Caution:

If you already had syslog-ng Open Source Edition (OSE) installed on the host, and are upgrading to syslog-ng Premium Edition, make sure that the ${SYSLOGNG_OPTIONS} environmental variable does not contain a -p <path-to-pid-file> option. If it does, remove this option from the environmental variable, because it can prevent syslog-ng PE from stopping properly. Typically, the environmental variable is set in the files /etc/default/syslog-ng or /etc/sysconfig/syslog-ng, depending on the operating system you use.

This section describes how to install the syslog-ng PE application interactively using the binary installer. The installer has a simple interface: use the TAB or the arrow keys of your keyboard to navigate between the options, and Enter to select an option.

NOTE:

The installer stops the running syslogd application if it is running, but its components are not removed. The /etc/init.d/sysklogd init script is automatically renamed to /etc/init.d/sysklogd.backup. Rename this file to its original name if you want to remove syslog-ng or restart the syslogd package.

Procedure 3.1. Installing syslog-ng PE in client or relay mode

Purpose: 

Complete the following steps to install syslog-ng Premium Edition on clients or relays. For details on the different operation modes of syslog-ng PE, see the section called “Modes of operation”.

Steps: 

NOTE:

The native logrotation tools do not send a SIGHUP to syslog-ng after rotating the log files, causing syslog-ng to write into files already rotated. To solve this problem, the syslog-ng init script links the /var/run/syslog.pid file to syslog-ng's pid. Also, on Linux, the install.sh script symlinks the initscript of the original syslog daemon to syslog-ng's initscript.

  1. Login to MyDownloads and download the syslog-ng PE installer package.

  2. Enable the executable attribute for the installer using the chmod +x syslog-ng-<edition>-<version>-<OS>-<platform>.run, then start the installer as root using the ./syslog-ng-<edition>-<version>-<OS>-<platform>.run command. (Note that the exact name of the file depends on the operating system and platform.) Wait until the package is uncompressed and the welcome screen appears, then select Continue.

    Figure 3.1. The welcome screen

    The welcome screen

  3. Accepting the EULA: You can install syslog-ng PE only if you understand and accept the terms of the End-User License Agreement (EULA). The full text of the EULA can be displayed during installation by selecting the Show EULA option, and is also available at Software Transaction, License and End User License Agreements. Select Accept to accept the EULA and continue the installation.

    If you do not accept the terms of the EULA for some reason, select Reject to cancel installing syslog-ng PE.

  4. Detecting platform and operating system: The installer attempts to automatically detect your oprating system and platform. If the displayed information is correct, select Yes. Otherwise select Exit to abort the installation, and verify that your platform is supported. For a list of supported platforms, see the section called “Supported platforms”. If your platform is supported but not detected correctly, contact our Support Team.

    Figure 3.2. Platform detection

    Platform detection

  5. Installation path: Enter the path to install syslog-ng PE to. This is useful if you intend to install syslog-ng PE without registering it as a service, or if it cannot be installed to the default location because of policy compliance reasons. If no path is given, syslog-ng PE is installed to the default folder.

    Figure 3.3. Installation path

    Installation path

    NOTE:

    When installing syslog-ng PE to an alternative path on AIX, HP-UX, or Solaris platforms, set the CHARSETALIASDIR environmental variable to the lib subdirectory of the installation path. That way syslog-ng PE can find the charset.alias file.

  6. Registering as syslog service: Select Register to register syslog-ng PE as the syslog service. This will stop and disable the default syslog service of the system.

    Figure 3.4. Registering as syslog service

    Registering as syslog service

  7. Locating the license: Since you are installing syslog-ng PE in client or relay mode, simply select OK. For details on the different operation modes of syslog-ng PE, see the section called “Modes of operation”.

  8. Upgrading: The syslog-ng PE installer can automatically detect if you have previously installed a version of syslog-ng PE on your system. To use the configuration file of this previous installation, select Yes. To ignore the old configuration file and create a new one, select No.

    Note that if you decide to use your existing configuration file, the installer automatically checks it for syntax error and displays a list of warnings and errors if it finds any problems.

    Figure 3.5. Upgrading syslog-ng

    Upgrading syslog-ng

  9. Generating a new configuration file: The installer displays some questions to generate a new configuration file.

    1. Remote sources: Select Yes to accept log messages from the network. TCP, UDP, and SYSLOG messages on every interface will be automatically accepted.

      Figure 3.6. Accepting remote messages

      Accepting remote messages

    2. Remote destinations: Enter the IP address or hostname of your log server or relay and select OK.

      Figure 3.7. Forwarding messages to the log server

      Forwarding messages to the log server

    NOTE:

    Accepting remote messages and forwarding them to a log server means that syslog-ng PE will start in relay mode.

  10. After the installation is finished, add the /opt/syslog-ng/bin and /opt/syslog-ng/sbin directories to your search PATH environment variable. That way you can use syslog-ng PE and its related tools without having to specify the full pathname. Add the following line to your shell profile:

    PATH=/opt/syslog-ng/bin:$PATH 
  11. Optional step for SELinux-enabled systems: Complete Procedure 3.4, “Using syslog-ng PE on SELinux”.

Procedure 3.2. Installing syslog-ng PE in server mode

Purpose: 

Complete the following steps to install syslog-ng PE on log servers. For details on the different operation modes of syslog-ng PE, see the section called “Modes of operation”.

Steps: 

NOTE:

The native logrotation tools do not send a SIGHUP to syslog-ng after rotating the log files, causing syslog-ng to write into files already rotated. To solve this problem, the syslog-ng init script links the /var/run/syslog.pid file to syslog-ng's pid. Also, on Linux, the install.sh script symlinks the initscript of the original syslog daemon to syslog-ng's initscript.

  1. Login to MyDownloads and download the syslog-ng PE installer package and your syslog-ng Premium Edition license file (license.txt). The license will be required to run syslog-ng PE in server mode (see the section called “Server mode”) and is needed when you are installing syslog-ng PE on your central log server.

  2. Enable the executable attribute for the installer using the chmod +x syslog-ng-<edition>-<version>-<OS>-<platform>.run, then start the installer as root using the ./syslog-ng-<edition>-<version>-<OS>-<platform>.run command. (Note that the exact name of the file depends on the operating system and platform.) Wait until the package is uncompressed and the welcome screen appears, then select Continue.

    Figure 3.8. The welcome screen

    The welcome screen

  3. Accepting the EULA: You can install syslog-ng PE only if you understand and accept the terms of the End-User License Agreement (EULA). The full text of the EULA can be displayed during installation by selecting the Show EULA option, and is also available at Software Transaction, License and End User License Agreements. Select Accept to accept the EULA and continue the installation.

    If you do not accept the terms of the EULA for some reason, select Reject to cancel installing syslog-ng PE.

  4. Detecting platform and operating system: The installer attempts to automatically detect your oprating system and platform. If the displayed information is correct, select Yes. Otherwise select Exit to abort the installation, and verify that your platform is supported. For a list of supported platforms, see the section called “Supported platforms”. If your platform is supported but not detected correctly, contact our Support Team.

    Figure 3.9. Platform detection

    Platform detection

  5. Installation path: Enter the path to install syslog-ng PE to. This is useful if you intend to install syslog-ng PE without registering it as a service, or if it cannot be installed to the default location because of policy compliance reasons. If no path is given, syslog-ng PE is installed to the default folder.

    Figure 3.10. Installation path

    Installation path

    NOTE:

    When installing syslog-ng PE to an alternative path on AIX, HP-UX, or Solaris platforms, set the CHARSETALIASDIR environmental variable to the lib subdirectory of the installation path. That way syslog-ng PE can find the charset.alias file.

  6. Registering as syslog service: Select Register to register syslog-ng PE as the syslog service. This will stop and disable the default syslog service of the system.

    Figure 3.11. Registering as syslog service

    Registering as syslog service

  7. Locating the license: Enter the path to your license file (license.txt) and select OK. Typically this is required only for your central log server.

    If you are upgrading an existing configuration that already has a license file, the installer automatically detects it.

    Figure 3.12. Platform detection

    Platform detection

  8. Upgrading: The syslog-ng PE installer can automatically detect if you have previously installed a version of syslog-ng PE on your system. To use the configuration file of this previous installation, select Yes. To ignore the old configuration file and create a new one, select No.

    Note that if you decide to use your existing configuration file, the installer automatically checks it for syntax error and displays a list of warnings and errors if it finds any problems.

    Figure 3.13. Upgrading syslog-ng

    Upgrading syslog-ng

  9. Generating a new configuration file: The installer displays some questions to generate a new configuration file.

    1. Remote sources: Select Yes to accept log messages from the network. TCP, UDP, and SYSLOG messages on every interface will be automatically accepted.

      Figure 3.14. Accepting remote messages

      Accepting remote messages

    2. Remote destinations: Enter the IP address or hostname of your log server or relay and select OK.

      Figure 3.15. Forwarding messages to the log server

      Forwarding messages to the log server

    NOTE:

    Accepting remote messages and forwarding them to a log server means that syslog-ng PE will start in relay mode.

  10. After the installation is finished, add the /opt/syslog-ng/bin and /opt/syslog-ng/sbin directories to your search PATH environment variable. That way you can use syslog-ng PE and its related tools without having to specify the full pathname. Add the following line to your shell profile:

    PATH=/opt/syslog-ng/bin:$PATH 
  11. Optional step for SELinux-enabled systems: Complete Procedure 3.4, “Using syslog-ng PE on SELinux”.

Installing syslog-ng PE without user-interaction

The syslog-ng PE application can be installed in silent mode without any user-interaction by specifying the required parameters from the command line. Answers to every question of the installer can be set in advance using command-line parameters.

./syslog-ng-premium-edition-<version>.run -- --silent [options]

Caution:

The -- characters between the executable and the parameters are mandatory, like in the following example: ./syslog-ng-premium-edition-3.0.1b-solaris-10-sparc-client.run -- --silent --accept-eula -l /var/tmp/license.txt

To display the list of parameters, execute the ./syslog-ng-premium-edition-<version>.run -- --h command. Currently the following options are available:

  • --accept-eula or -a: Accept the EULA.

  • --license-file <file> or -l <file>: Path to the license file.

  • --upgrade | -u: Perform automatic upgrade — use the configuration file from an existing installation.

  • --remote <destination host>: Send logs to the specified remote server. Not available when performing an upgrade.

  • --network: Accept messages from the network. Not available when performing an upgrade.

  • --configuration <file>: Use the specified configuration file.

  • --list-installed: List information about all installed syslog-ngs.

  • --path <path>: Set installation path.

  • --register: Force service registration.

  • --no-register: Prevent service registration.

Related Documents