syslog-ng Premium Edition 7.0.14 - Administration Guide

Preface Introduction to syslog-ng The concepts of syslog-ng Installing syslog-ng The syslog-ng PE quick-start guide The syslog-ng PE configuration file Collecting log messages — sources and source drivers
How sources work default-network-drivers: Receive and parse common syslog messages internal: Collecting internal messages file: Collecting messages from text files wildcard-file: Collecting messages from multiple text files linux-audit: Collecting messages from Linux audit logs network: Collecting messages using the RFC3164 protocol (network() driver) osquery: Collect and parse osquery result logs pipe: Collecting messages from named pipes program: Receiving messages from external applications python: writing server-style Python sources python-fetcher: writing fetcher-style Python sources snmptrap: Read Net-SNMP traps sun-streams: Collecting messages on Sun Solaris syslog: Collecting messages using the IETF syslog protocol (syslog() driver) system: Collecting the system-specific log messages of a platform systemd-journal: Collecting messages from the systemd-journal system log storage systemd-syslog: Collecting systemd messages using a socket tcp, tcp6, udp, udp6: Collecting messages from remote hosts using the BSD syslog protocol unix-stream, unix-dgram: Collecting messages from UNIX domain sockets windowsevent: Collecting Windows event logs
Sending and storing log messages — destinations and destination drivers
elasticsearch2: Sending messages directly to Elasticsearch version 2.0 or higher (DEPRECATED) elasticsearch-http: Sending messages to Elasticsearch HTTP Event Collector file: Storing messages in plain-text files hdfs: Storing messages on the Hadoop Distributed File System (HDFS) http: Posting messages over HTTP kafka: Publishing messages to Apache Kafka logstore: Storing messages in encrypted files mongodb: Storing messages in a MongoDB database network: Sending messages to a remote log server using the RFC3164 protocol (network() driver) pipe: Sending messages to named pipes program: Sending messages to external applications python: writing custom Python destinations smtp: Generating SMTP messages (e-mail) from logs splunk-hec: Sending messages to Splunk HTTP Event Collector sql: Storing messages in an SQL database stackdriver: Sending logs to the Google Stackdriver cloud syslog: Sending messages to a remote logserver using the IETF-syslog protocol syslog-ng(): Forward logs to another syslog-ng node tcp, tcp6, udp, udp6: Sending messages to a remote log server using the legacy BSD-syslog protocol (tcp(), udp() drivers) unix-stream, unix-dgram: Sending messages to UNIX domain sockets usertty: Sending messages to a user terminal — usertty() destination Client-side failover
Routing messages: log paths, flags, and filters Global options of syslog-ng PE TLS-encrypted message transfer Advanced Log Transfer Protocol Reliability and minimizing the loss of log messages Manipulating messages parser: Parse and segment structured messages Processing message content with a pattern database Correlating log messages Enriching log messages with external data Monitoring statistics and metrics of syslog-ng Multithreading and scaling in syslog-ng PE Troubleshooting syslog-ng Best practices and examples The syslog-ng manual pages

Log statistics from the internal() source

If the stats-freq() global option is higher than 0, syslog-ng PE periodically sends a log statistics message. This message contains statistics about the received messages, and about any lost messages since the last such message. It includes a processed entry for every source and destination, listing the number of messages received or sent, and a dropped entry including the IP address of the server for every destination where syslog-ng has lost messages. The center(received) entry shows the total number of messages received from every configured sources.

The following is a sample log statistics message for a configuration that has a single source (s_local) and a network and a local file destination (d_network and d_local, respectively). All incoming messages are sent to both destinations.

Log statistics;
        dropped='tcp(AF_INET(192.168.10.1:514))=6439',
        processed='center(received)=234413',
        processed='destination(d_tcp)=234413',
        processed='destination(d_local)=234413',
        processed='source(s_local)=234413'

The statistics include a list of source groups and destinations, as well as the number of processed messages for each. You can control the verbosity of the statistics using the stats-level() global option. The following is an example output.

src.internal;s_all#0;;a;processed;6445
src.internal;s_all#0;;a;stamp;1268989330
destination;df_auth;;a;processed;404
destination;df_news_dot_notice;;a;processed;0
destination;df_news_dot_err;;a;processed;0
destination;d_ssb;;a;processed;7128
destination;df_uucp;;a;processed;0
source;s_all;;a;processed;7128
destination;df_mail;;a;processed;0
destination;df_user;;a;processed;1
destination;df_daemon;;a;processed;1
destination;df_debug;;a;processed;15
destination;df_messages;;a;processed;54
destination;dp_xconsole;;a;processed;671
dst.tcp;d_network#0;10.50.0.111:514;a;dropped;5080
dst.tcp;d_network#0;10.50.0.111:514;a;processed;7128
dst.tcp;d_network#0;10.50.0.111:514;a;queued;2048
destination;df_syslog;;a;processed;6724
destination;df_facility_dot_warn;;a;processed;0
destination;df_news_dot_crit;;a;processed;0
destination;df_lpr;;a;processed;0
destination;du_all;;a;processed;0
destination;df_facility_dot_info;;a;processed;0
center;;received;a;processed;0
destination;df_kern;;a;processed;70
center;;queued;a;processed;0
destination;df_facility_dot_err;;a;processed;0

The statistics are semicolon separated: every line contains statistics for a particular object (for example source, destination, tag, and so on). The statistics have the following fields:

To reset the statistics to zero, use the following command: syslog-ng-ctl stats --reset

The monitoring() source

The monitoring() source allows you to select which statistics of syslog-ng PE you want to monitor. In addition, the statistics are available as structured name-value pairs, so you can format the output similarly to other log messages. That way, you can easily convert the statistics and metrics, for example, into JSON or WELF format. That way, you can send the statistics of your log messages into a monitoring solution.

The monitoring() source queries the statistics (counters) that syslog-ng PE collects, formats them, and optionally resets the counters. The monitoring() source emits only these messages, making it easy to route them to their appropriate destination. The stats-level() global option determines exactly which statistics syslog-ng PE collects.

Declaration
source s_monitor{
    monitoring(
        query("*")
    );};
Example: Save all statistics into a file in JSON format

The following configuration increases the stats-level() option to 3, and generates a JSON-formatted message every 10 seconds. The generated message contains every available statistics, and is saved into the /var/log/syslog-ng-statistics.log file.

@version: 7.0
options{
    stats-level(3);
    keep-hostname(no);
};
source s_monitor{ monitoring(
    query("*")
    freq(10)
    message-template('$(format-json --scope nv_pairs)')
    );};
destination d_file {
    file("/var/log/syslog-ng-statistics.log");
};
log {
    source(s_monitor);
    destination(d_file);
};

The generated message is similar to this one:

[2017-04-03T14:00:31.786133] Outgoing message; message='Apr  3 14:00:31 example-hostname syslog-ng[12281]: {"src":{"severity":{"7":{"processed":"0"},"6":{"processed":"0"},"5":{"processed":"0"},"4":{"processed":"0"},"3":{"processed":"0"},"2":{"processed":"0"},"1":{"processed":"0"},"0":{"processed":"0"}},"monitoring":{"s_monitor#0":{"stamp":"0","processed":"0"}},"facility":{"other":{"processed":"0"},"9":{"processed":"0"},"8":{"processed":"0"},"7":{"processed":"0"},"6":{"processed":"0"},"5":{"processed":"0"},"4":{"processed":"0"},"3":{"processed":"0"},"23":{"processed":"0"},"22":{"processed":"0"},"21":{"processed":"0"},"20":{"processed":"0"},"2":{"processed":"0"},"19":{"processed":"0"},"18":{"processed":"0"},"17":{"processed":"0"},"16":{"processed":"0"},"15":{"processed":"0"},"14":{"processed":"0"},"13":{"processed":"0"},"12":{"processed":"0"},"11":{"processed":"0"},"10":{"processed":"0"},"1":{"processed":"0"},"0":{"processed":"0"}}},"source":{"s_monitor":{"processed":"0"}},"global":{"sdata_updates":{"processed":"0"},"payload_reallocs":{"processed":"2"},"msg_clones":{"processed":"0"}},"destination":{"d_file":{"processed":"0"}},"center":{"received":{"processed":"0"},"queued":{"processed":"0"}},"PROGRAM":"syslog-ng","PID":"12281"}\x0a'

For reference, the JSON part in a readable format is:

{
  "center" : {
      "queued" : { "processed" : "0" },
      "received" : { "processed" : "0" }
    },
  "destination" : { "d_file" : { "processed" : "0" } },
  "global" : {
      "msg_clones" : { "processed" : "0" },
      "payload_reallocs" : { "processed" : "2" },
      "sdata_updates" : { "processed" : "0" }
    },
  "PID" : "12281",
  "PROGRAM" : "syslog-ng",
  "source" : { "s_monitor" : { "processed" : "0" } },
  "src" : {
      "facility" : {
          "0" : { "processed" : "0" },
          "1" : { "processed" : "0" },
          "2" : { "processed" : "0" },
          "3" : { "processed" : "0" },
          "4" : { "processed" : "0" },
          "5" : { "processed" : "0" },
          "6" : { "processed" : "0" },
          "7" : { "processed" : "0" },
          "8" : { "processed" : "0" },
          "9" : { "processed" : "0" },
          "10" : { "processed" : "0" },
          "11" : { "processed" : "0" },
          "12" : { "processed" : "0" },
          "13" : { "processed" : "0" },
          "14" : { "processed" : "0" },
          "15" : { "processed" : "0" },
          "16" : { "processed" : "0" },
          "17" : { "processed" : "0" },
          "18" : { "processed" : "0" },
          "19" : { "processed" : "0" },
          "20" : { "processed" : "0" },
          "21" : { "processed" : "0" },
          "22" : { "processed" : "0" },
          "23" : { "processed" : "0" },
          "other" : { "processed" : "0" }
        },
      "monitoring" : { "s_monitor#0" : {
              "processed" : "0",
              "stamp" : "0"
            } },
      "severity" : {
          "0" : { "processed" : "0" },
          "1" : { "processed" : "0" },
          "2" : { "processed" : "0" },
          "3" : { "processed" : "0" },
          "4" : { "processed" : "0" },
          "5" : { "processed" : "0" },
          "6" : { "processed" : "0" },
          "7" : { "processed" : "0" }
        }
    }
}

monitoring() source options

The monitoring() driver has the following options. Only the query() option is required, other options are optional.

clear-on-read()
Type: boolean
Default: no

Description: Reset the counters after reading. Note that if a destination is not available, syslog-ng PE will not reset its counter even if clear-on-read() is set to yes.

If you use multiple monitoring source, and you use the clear-on-read() parameter, make sure to adjust the queries appropriately. Overlapping queries that read and reset the same counters result in incorrect statistics.

freq()
Type: integer
Default: 600 [seconds]

Description: Specifies how often does syslog-ng PE execute the query and send a statistics message.

message-template()
Type: string
Default: N/A

Description: Specifies how the message containing the queried statistics is formatted. You can use macros and template functions in the format string. For example, you can format the message as a JSON object:

source s_monitor{ monitoring(
    query("*")
    freq(10)
    message-template('$(format-json --scope nv_pairs)')
    );};

Note that here you can only format the payload of the message (that is the, ${MESSAGE} part). You can format the headers or other parts of the outgoing message in the destination driver.

query()
Type: string
Default: N/A

Description: Specifies which statistical counters will be included in the messages. Note that the list of available counters depends on your syslog-ng PE configuration (mainly the configured sources and destinations) and on the stats-level() global option. The * string includes every available counters. The syntax of the query option is identical to the syslog-ng-ctl query get <query> command.

source s_monitor{ monitoring(
    query("*")
    );};

For example, the "destination*" query lists the configured destinations, and the metrics related to each destination. An example output:

destination.java.d_elastic#0.java_dst(ElasticSearch,elasticsearch-syslog-ng-test,t7cde889529c034aea9ec_micek).stats.dropped: 0
destination.java.d_elastic#0.java_dst(ElasticSearch,elasticsearch-syslog-ng-test,t7cde889529c034aea9ec_micek).stats.processed: 0
destination.java.d_elastic#0.java_dst(ElasticSearch,elasticsearch-syslog-ng-test,t7cde889529c034aea9ec_micek).stats.stored: 0
destination.d_elastic.stats.processed: 0

The monitoring-welf() source

This source is actually preconfigured monitoring() source that generates statistics messages in WELF format. Starting with syslog-ng PE version 7.0.2, syslog-ng PE uses this driver for new installations to generate statistics. By default, a message is sent every 10 minutes (600 seconds).

@version: 7.0
@include 'scl.conf'
options {
    stats_level(3);
};
source s_monitoring_welf {
    monitoring-welf(freq(10) query('*'));
};
destination d_file {
    file("/tmp/output.txt");
};
log {
    source(s_monitoring_welf);
    destination(d_file);
};

The output is similar to the following:

Apr 3 14:03:26 example-host syslog-ng[12363]: PID=12363 PROGRAM=syslog-ng center.queued.processed=0 center.received.processed=0 destination.d_file.processed=0 global.msg_clones.processed=0 global.payload_reallocs.processed=2 global.sdata_updates.processed=0 source.s_monitoring_welf.processed=0 src.facility.0.processed=0 src.facility.1.processed=0 src.facility.10.processed=0 src.facility.11.processed=0 src.facility.12.processed=0 src.facility.13.processed=0 src.facility.14.processed=0 src.facility.15.processed=0 src.facility.16.processed=0 src.facility.17.processed=0 src.facility.18.processed=0 src.facility.19.processed=0 src.facility.2.processed=0 src.facility.20.processed=0 src.facility.21.processed=0 src.facility.22.processed=0 src.facility.23.processed=0 src.facility.3.processed=0 src.facility.4.processed=0 src.facility.5.processed=0 src.facility.6.processed=0 src.facility.7.processed=0 src.facility.8.processed=0 src.facility.9.processed=0 src.facility.other.processed=0 src.monitoring.s_monitoring_welf#0.processed=0 src.monitoring.s_monitoring_welf#0.stamp=0 src.severity.0.processed=0 src.severity.1.processed=0 src.severity.2.processed=0 src.severity.3.processed=0 src.severity.4.processed=0 src.severity.5.processed=0 src.severity.6.processed=0 src.severity.7.processed=0\x0a'
Related Documents