
syslog-ng Premium Edition 7.0.14 - Quick Start Guide

Installing on Windows

The following instructions describe the standalone installation, which is configured locally. For more advanced installation options (for example, configuring through domain group policies or installing by group policy), refer to The syslog-ng Agent for Windows Administrator Guide.

  1. Execute the downloaded binary.

  2. Accept the EULA.

  3. Select the destination folder for syslog-ng Agent for Windows.

  4. Choose Stand alone mode.

  5. The installer generates a simple configuration. Enter the destination IP of the syslog-ng PE server:

    1. Select Destinations

    2. Double-click Add new server

    3. Enter the server's IP address

    4. Change the port number to 601

    5. Click OK

  6. Close the configuration window to finish installation.

  7. Validating the installation

    Test remote logging:

    1. Log out and back in on the Windows client

    2. Verify the server log. On the syslog-ng PE server, enter the following command:

      tail /var/log/messages

    Expected outcome

    The logout and login events are displayed in the log.

Configuring syslog-ng PE

The syslog-ng application reads incoming messages and forwards them to the selected destinations. The syslog-ng application can receive messages from files, remote hosts, and other sources.

Log messages enter syslog-ng in one of the defined sources, and are sent to one or more destinations.

Sources and destinations are independent objects: log paths define what syslog-ng does with a message, connecting the sources to the destinations. A log path consists of one or more sources and one or more destinations; messages arriving from a source are sent to every destination listed in the log path. A log path defined in syslog-ng is called a log statement.

There are many other optional elements, like filters, parsers, etc., but in this guide we focus on a core syslog-ng feature: reliable logging.

Advanced Log Transfer Protocol

The syslog-ng PE application can send and receive log messages in a reliable way over the TCP transport layer using the Advanced Log Transfer Protocol (ALTP). ALTP is a proprietary transport protocol that prevents message loss during connection breaks. The transport is used between syslog-ng PE hosts (for example, a client and a server, or a client-relay-server), and interoperates with the mechanisms of syslog-ng PE's flow-control and the reliable disk-buffer option, thus providing the best way to prevent message loss. The sender detects which messages the receiver has successfully received. If messages are lost during the transfer, the sender resends the missing messages, starting from the last successfully received message. Therefore, messages are not duplicated at the receiving end in case of a connection break (however, in failover mode, this is not completely ensured). ALTP also allows for encrypted and non-encrypted connections to be received on the same port, using a single source driver.

To make ALTP work, you have to enable it on the server and on all participating clients. In the following example, a minimum working configuration is provided. For additional options, including TLS configuration, refer to "Advanced Log Transfer Protocol" in the Administration Guide.

Enabling disk buffer on the syslog-ng PE client on Linux

The Premium Edition of syslog-ng can store messages on the local hard disk if the central log server or the network connection to the server becomes unavailable. This feature is called the disk buffer and needs to be configured only on the client side.

NOTE:

The log messages on Windows come from files – either eventlog containers or custom log files – which are already stored on the hard disk, so the agent does not use additional disk buffering.

To enable disk buffering on the syslog-ng PE client on Linux, modify its configuration:

To enable disk buffering on the syslog-ng PE client on Linux

  1. Open the /opt/syslog-ng/etc/syslog-ng.conf configuration file in a text editor.

  2. Locate the line starting with destination d_logserver.

  3. Modify it to look like the following line:

    destination d_logserver {
        tcp("<PEServerIP>" disk-buffer(disk-buf-size(2000000)));
    };

    Replace <PEServerIP> with the hostname or IP address of the syslog-ng PE server.

    For additional disk buffer options, refer to "network() destination options" in the Administration Guide.

  4. Save the configuration and restart syslog-ng.
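The resend-from-last-acknowledged behaviour described in the ALTP section, together with the client-side queue that the disk buffer provides, as an added toy model (not syslog-ng code, not the real ALTP wire format; the sequence numbers, the message-counted buffer and the reconnect step are this model's own simplifications):

```python
# Added toy model (not syslog-ng code) of acknowledged, resumable delivery in the
# spirit of ALTP; sequence numbers and the bounded client queue standing in for the
# disk-buffer are this model's own simplifications, not the real wire protocol.
class Receiver:
    def __init__(self):
        self.messages, self.last_acked = [], 0   # server log; highest seq safely stored
    def receive(self, seq, msg):
        if seq <= self.last_acked:   # retransmit of a stored message: re-ack, don't store
            return self.last_acked
        self.messages.append(msg)
        self.last_acked = seq
        return seq

class Sender:
    def __init__(self, buf_size):
        self.buf_size = buf_size     # analogue of disk-buf-size, counted in messages
        self.pending = []            # (seq, msg) not yet acknowledged by the server
        self.next_seq, self.dropped = 1, 0
    def log(self, msg):
        if len(self.pending) >= self.buf_size:
            self.dropped += 1        # buffer full: the loss disk-buf-size must be sized against
            return False
        self.pending.append((self.next_seq, msg))
        self.next_seq += 1
        return True
    def transmit(self, rx, deliver_limit=None, ack_limit=None):
        # Link breaks after deliver_limit deliveries; acks beyond ack_limit are lost in transit.
        delivered, acked_upto = 0, 0
        for seq, msg in list(self.pending):
            if deliver_limit is not None and delivered >= deliver_limit:
                break                # connection break: the rest stays buffered
            ack = rx.receive(seq, msg)
            delivered += 1
            if ack_limit is None or delivered <= ack_limit:
                acked_upto = ack     # this ack made it back to the client
        self.pending = [(s, m) for s, m in self.pending if s > acked_upto]
        return acked_upto

    def resume(self, rx):
        # Reconnect: learn what the server already holds, resend only what follows it.
        self.pending = [(s, m) for s, m in self.pending if s > rx.last_acked]
        return self.transmit(rx)

def scenario():
    rx, tx = Receiver(), Sender(buf_size=10)
    for i in range(1, 6):
        tx.log(f"msg{i}")
    tx.transmit(rx, deliver_limit=3, ack_limit=1)  # server stored 1-3, client saw only ack 1
    queued = [s for s, _ in tx.pending]            # 2-5 still buffered on the client
    tx.resume(rx)                                  # resend starts at 4, not at 2
    return rx.messages, queued, tx.dropped
```

The scenario ends with every message stored exactly once on the server even though the client never saw acknowledgements for 2 and 3; a second Sender with a smaller buf_size shows the one loss mode the disk buffer cannot cover, a full buffer.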

Macros in filenames

On servers where logs of many clients are retained for extended periods of time, log files are usually stored under a directory hierarchy. To help sort incoming log messages to such hierarchies, syslog-ng supports the use of macros. Depending on the needs of your organization, date, source host, or combined solutions can be used.

In the following example, the file destination on the server is modified to also write messages into a directory structure under /var/log, where the first level is the year, the second level is the week of the year, followed by a file name based on the sending host.

To configure macros in filenames

  1. Open the /opt/syslog-ng/etc/syslog-ng.conf configuration file in a text editor.

  2. Locate the line starting with destination d_messages.

  3. Modify it to look like the following line:

    destination d_messages {
        file("/var/log/messages");
        file("/var/log/$YEAR/$WEEK/$HOST-messages" create-dirs(yes));
    };

  4. Save the file and restart syslog-ng.

    NOTE:

    Collecting to /var/log/messages is left there for your convenience; it can be safely removed. Even if the related configuration item is removed, the file stays there, but it is not updated anymore.

    For more details on the macros available in syslog-ng, refer to the Administration Guide.
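Where the d_messages file destination above places messages once $YEAR, $WEEK and $HOST are expanded, as an added illustration (not syslog-ng code). It assumes $WEEK behaves like strftime's %W (weeks start on Monday, days before the first Monday of the year are week 00), which is worth checking against the macro reference for your version, and the sample messages are constructed:

```python
# Added illustration (not syslog-ng code): expand the macros of the d_messages
# file() template and group sample messages by the file they would land in.
# Assumption: $WEEK behaves like strftime %W (Monday-based, week 00 before the
# first Monday); verify against the macro reference for your syslog-ng version.
from collections import defaultdict
from datetime import datetime
from pathlib import PurePosixPath

TEMPLATE = "/var/log/$YEAR/$WEEK/$HOST-messages"   # from the d_messages destination

def expand(template, ts, host):
    """Expand the three macros used by the template for one message."""
    # The host name selects the output path, so reject values that would leave
    # the intended directory (this check is the example's own, not syslog-ng's).
    if not host or "/" in host or host in (".", ".."):
        raise ValueError(f"refusing to build a path from host {host!r}")
    return (template.replace("$YEAR", ts.strftime("%Y"))
                    .replace("$WEEK", ts.strftime("%W"))
                    .replace("$HOST", host))

def route(messages, template=TEMPLATE):
    """Group (timestamp, host, text) records by destination file and list the
    directories create-dirs(yes) would have to create for them."""
    files, dirs = defaultdict(list), set()
    for ts, host, text in messages:
        path = expand(template, ts, host)
        files[path].append(text)
        dirs.add(str(PurePosixPath(path).parent))
    return dict(files), sorted(dirs)

# Constructed sample: two hosts logging around a year boundary. 2018-12-31 is a
# Monday in week 53 of 2018; 2019-01-01 falls before the first Monday of 2019
# (January 7), so it lands in week 00.
SAMPLE = [
    (datetime(2018, 12, 31, 23, 59), "web1", "last message of 2018"),
    (datetime(2019, 1, 1, 0, 1), "web1", "first message of 2019"),
    (datetime(2019, 1, 1, 0, 2), "db1", "db1 first message of 2019"),
    (datetime(2019, 1, 7, 8, 0), "web1", "Monday of week 01"),
]

if __name__ == "__main__":
    for path, texts in route(SAMPLE)[0].items():
        print(path, len(texts))
```

The week-00 and week-53 directories are the point to notice: a year can have both, so anything that later walks the hierarchy must not assume weeks 01 to 52 only.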
