syslog-ng Premium Edition 7.0.18 - Administration Guide


Installing syslog-ng in Docker

This section describes how to install syslog-ng PE in a Docker container. The following operating systems are supported:

  • CentOS 7

  • RedHat EL 7.5

  • Ubuntu 18.04 LTS (Bionic Beaver)

To install syslog-ng PE in a Docker container

  1. Start Docker. Use the command appropriate for your platform:

    • docker run -d -p <network-ports-forwarded-to-docker> -v <directories-to-be-mounted> --name syslog-ng-in-docker centos:7

    • docker run -d -p <network-ports-forwarded-to-docker> -v <directories-to-be-mounted> --name syslog-ng-in-docker registry.access.redhat.com/rhel-7.5-s390x

    • docker run -d -p <network-ports-forwarded-to-docker> -v <directories-to-be-mounted> --name syslog-ng-in-docker ubuntu:18.04

    For example, to forward port 514 and mount the etc and var directories on RedHat, use the following command:

    docker run -d -p 514:514 -v /root/docker/etc/:/opt/syslog-ng/etc -v /root/docker/var:/opt/syslog-ng/var --name syslog-ng-in-docker registry.access.redhat.com/rhel-7.5-s390x

    Note the following points:

    • Forward all ports to Docker that you want to receive messages from in your syslog-ng PE configuration.

    • The previous example mounts the etc and var directories from outside the docker container. That way you can edit the syslog-ng PE configuration file outside the container, and the syslog-ng PE persist file will not be deleted if you delete and recreate the docker container.

    • Do not mount the same var directory for multiple docker containers.

    • Make sure that the syslog-ng PE running in the docker container has permissions to read the configuration file, and read and write permissions for the var directory.

    • If you want to read the logs of the host from /dev/log, mount it into the Docker container. Note that only a single syslog-ng PE instance can read /dev/log at the same time. Do not mount the same /dev/log for multiple syslog-ng PE instances.

  2. Download the syslog-ng PE .run installation package from the Downloads page.

  3. Install syslog-ng PE in the Docker container. (Because there is no service management (systemd) in the Docker container, registering and starting the syslog-ng PE service is disabled with the --no-register option.)

    docker exec -it syslog-ng-in-docker /bin/bash

    syslog-ng-premium-edition-7.0.18-linux-glibc2.11-amd64.run -- --accept-eula --silent --no-register

  4. (Optional step) If you want to use any features of syslog-ng PE that require external packages (for example, Java or Python-based destinations), install the required packages (for example, Java or Python) manually in the Docker container.

  5. Start syslog-ng PE.

    docker exec -i syslog-ng-in-docker /opt/syslog-ng/sbin/syslog-ng <-optional-command-line-parameters-of-syslog-ng>

    For the list of available command-line parameters, see the syslog-ng.8 manual page.
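The following helper script is an added example and is not part of the syslog-ng PE guide or product. It composes the docker run command from step 1 (port forwards, the etc and var mounts, and optionally /dev/log) and checks the host-side directories before you start the container, as the notes in step 1 require. The function names, the host paths used in the usage line, and the yes/no flag for /dev/log are assumptions for illustration.

```shell
#!/bin/sh
# Added helper, not part of the syslog-ng PE guide. Function names and
# host paths are assumptions; container paths follow the guide.

# compose_run_cmd IMAGE HOST_ETC HOST_VAR MOUNT_DEVLOG(yes|no) [PORT[/PROTO]...]
# Prints the docker run command line; it does not execute it.
compose_run_cmd() {
    image=$1; host_etc=$2; host_var=$3; mount_devlog=$4; shift 4
    cmd="docker run -d"
    for p in "$@"; do
        # Accept "514" or "514/udp"; Docker wants HOST:CONTAINER[/PROTO].
        port=${p%%/*}
        case $p in
            */*) cmd="$cmd -p $port:$p" ;;
            *)   cmd="$cmd -p $port:$port" ;;
        esac
    done
    # Keep the configuration and the persist file outside the container.
    cmd="$cmd -v $host_etc:/opt/syslog-ng/etc -v $host_var:/opt/syslog-ng/var"
    # Only one syslog-ng PE instance may read the host's /dev/log.
    if [ "$mount_devlog" = yes ]; then
        cmd="$cmd -v /dev/log:/dev/log"
    fi
    printf '%s --name syslog-ng-in-docker %s\n' "$cmd" "$image"
}

# check_host_dirs HOST_ETC HOST_VAR
# Returns 0 when the configuration is readable and var is writable,
# otherwise prints the first problem found and returns 1.
check_host_dirs() {
    host_etc=$1; host_var=$2
    if [ ! -r "$host_etc/syslog-ng.conf" ]; then
        echo "configuration not readable: $host_etc/syslog-ng.conf"; return 1
    fi
    if [ ! -d "$host_var" ] || [ ! -w "$host_var" ]; then
        echo "var directory missing or not writable: $host_var"; return 1
    fi
    echo "host directories OK"
    return 0
}

# Usage (assumed host paths):
#   check_host_dirs /root/docker/etc /root/docker/var &&
#       compose_run_cmd centos:7 /root/docker/etc /root/docker/var no 514/udp 601
```

Run the printed command, then continue with steps 2 to 5 inside the container it created.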

Start, reload, stop syslog-ng PE in a Docker container

To start syslog-ng PE, issue the following command in the Docker container.

docker exec -i syslog-ng-in-docker /opt/syslog-ng/sbin/syslog-ng <-optional-command-line-parameters-of-syslog-ng>

To reload syslog-ng PE, issue the following command in the Docker container.

docker exec -i syslog-ng-in-docker /opt/syslog-ng/sbin/syslog-ng-ctl reload

To stop syslog-ng PE, issue the following command in the Docker container.

docker exec -i syslog-ng-in-docker /opt/syslog-ng/sbin/syslog-ng-ctl stop

Upgrading syslog-ng PE running in a Docker container

To upgrade a syslog-ng PE instance that is running in a Docker container

  1. Download the new syslog-ng PE .run installation package from the Downloads page.

  2. Upgrade syslog-ng PE in the Docker container.

    docker exec -it syslog-ng-in-docker /bin/bash

    syslog-ng-premium-edition-7.0.18-linux-glibc2.11-amd64.run -- --accept-eula --silent --no-register --upgrade

  3. Start syslog-ng PE.

    docker exec -i syslog-ng-in-docker /opt/syslog-ng/sbin/syslog-ng <-optional-command-line-parameters-of-syslog-ng>

    For the list of available command-line parameters, see the syslog-ng.8 manual page.
