Chat now with support
Chat with Support

syslog-ng Premium Edition 7.0.19 - Administration Guide

Preface Introduction to syslog-ng The concepts of syslog-ng Installing syslog-ng The syslog-ng PE quick-start guide The syslog-ng PE configuration file Collecting log messages — sources and source drivers
How sources work default-network-drivers: Receive and parse common syslog messages internal: Collecting internal messages file: Collecting messages from text files wildcard-file: Collecting messages from multiple text files linux-audit: Collecting messages from Linux audit logs network: Collecting messages using the RFC3164 protocol (network() driver) office365: Fetching logs from Office 365 osquery: Collect and parse osquery result logs pipe: Collecting messages from named pipes program: Receiving messages from external applications python: writing server-style Python sources python-fetcher: writing fetcher-style Python sources snmptrap: Read Net-SNMP traps syslog: Collecting messages using the IETF syslog protocol (syslog() driver) system: Collecting the system-specific log messages of a platform systemd-journal: Collecting messages from the systemd-journal system log storage systemd-syslog: Collecting systemd messages using a socket tcp, tcp6, udp, udp6: Collecting messages from remote hosts using the BSD syslog protocol udp-balancer: Receiving UDP messages at very high rate unix-stream, unix-dgram: Collecting messages from UNIX domain sockets windowsevent: Collecting Windows event logs
Sending and storing log messages — destinations and destination drivers
elasticsearch2: Sending messages directly to Elasticsearch version 2.0 or higher (DEPRECATED) elasticsearch-http: Sending messages to Elasticsearch HTTP Event Collector file: Storing messages in plain-text files hdfs: Storing messages on the Hadoop Distributed File System (HDFS) http: Posting messages over HTTP kafka: Publishing messages to Apache Kafka logstore: Storing messages in encrypted files mongodb: Storing messages in a MongoDB database network: Sending messages to a remote log server using the RFC3164 protocol (network() driver) pipe: Sending messages to named pipes program: Sending messages to external applications python: writing custom Python destinations sentinel: Sending logs to the Microsoft Azure Sentinel cloud smtp: Generating SMTP messages (email) from logs splunk-hec: Sending messages to Splunk HTTP Event Collector sql: Storing messages in an SQL database stackdriver: Sending logs to the Google Stackdriver cloud syslog: Sending messages to a remote logserver using the IETF-syslog protocol syslog-ng(): Forward logs to another syslog-ng node tcp, tcp6, udp, udp6: Sending messages to a remote log server using the legacy BSD-syslog protocol (tcp(), udp() drivers) unix-stream, unix-dgram: Sending messages to UNIX domain sockets usertty: Sending messages to a user terminal — usertty() destination Client-side failover
Routing messages: log paths, flags, and filters Global options of syslog-ng PE TLS-encrypted message transfer Advanced Log Transfer Protocol Reliability and minimizing the loss of log messages Manipulating messages parser: Parse and segment structured messages Processing message content with a pattern database Correlating log messages Enriching log messages with external data Monitoring statistics and metrics of syslog-ng Multithreading and scaling in syslog-ng PE Troubleshooting syslog-ng Best practices and examples The syslog-ng manual pages Glossary

persist-tool.1

Name

persist-tool — Display the content of the persist file

Synopsis

persist-tool [command] [options]

Description

NOTE: The persist-tool application is distributed with the system logging application, and is usually part of the syslog-ng package. The latest version of the syslog-ng application is available at https://syslog-ng.com..

This manual page is only an abstract, for the complete documentation of syslog-ng, see https://syslog-ng.com..

The persist-tool application is a utility that can be used to dump the content of the persist file, and manipulate its content.

Warning

Persist-tool is a special tool for syslog-ng experts. Do use the tool unless you know exactly what you are doing. Misconfiguring it will result in irrecoverable damage to the persist file, without any warning.

Note

Limitations:

  • The persist-state functions can be used only with syslog-ng PE 5 LTS style persist file (SLP4). Older persist files are not supported.

  • Wildcard characters are not supported in file/directory names.

The dump command

dump [options] [persist_file]

Use the dump command to print the current content of the persist file in JSON format to the console.

The dump command has the following options:

--help or -?

Display a brief help message.

Example:

persist-tool dump /opt/syslog-ng/var/syslog-ng.persist

The output looks like:

run_id = { "value": "00 00 00 00 0C 00 00 00 " }
host_id = { "value": "00 00 00 00 5F 49 2F 01 " }
The add command

add [options] [input_file]

Use the add command to add or modify a specified state-entry in the persist file. The state-entry should be in the same format as the dump command displays it. If the given state-entry already exists, it will be updated. Otherwise, a new value will be added. If the given persist state is invalid, it will be skipped.

To use the add command: use persist-tool dump to print the content of the current persist file, and redirect it to a file. Edit the content of this file. Use persist-tool add with this file to modify the persist.

The add command has the following options:

--help or -?

Display a brief help message.

--output-dir=<directory> or -o

Required parameter. The directory where the persist file is located at. The name of the persist file stored in this directory must be syslog-ng.persist.

--persist-name=<filename> or -p

Optional parameter. The name of the persist file to generate. Default value: syslog-ng.persist.

Example:

/opt/syslog-ng/bin/persist-tool add dump_persist -o .

The valid output looks like:

log_reader_curpos(Application)      OK
affile_sd_curpos(/var/aaa.txt)        OK

The invalid output looks like:

log_reader_curpos(Application)      OK
wrong
        FAILED (error: Invalid entry syntax)
affile_sd_curpos(/var/aaa.txt)        OK
Files

/opt/syslog-ng/bin/persist-tool

See also

syslog-ng.conf(5)

syslog-ng(8)

Note

For the detailed documentation of syslog-ng PE see The syslog-ng PE 7 Administrator Guide

If you experience any problems or need help with syslog-ng, visit the syslog-ng mailing list.

For news and notifications about of syslog-ng, visit the syslog-ng blogs.

Author

This manual page was written by the One Identity Documentation Team.

Copyright

Copyright 2000-2019 One Identity. Published under the Creative Commons Attribution-Noncommercial-No Derivative Works (by-nc-nd) 3.0 license. For details, see https://creativecommons.org//. The latest version is always available at https://www.syslog-ng.com.

syslog-debun.1


Table of Contents

syslog-debun— syslog-ng DEBUg buNdle generator
Name

syslog-debun — syslog-ng DEBUg buNdle generator

Synopsis

syslog-debun [options]

Description

NOTE: The syslog-debun application is distributed with the syslog-ng PE system logging application, and is usually part of the syslog-ng PE package. The latest version of the syslog-ng PE application is available at the syslog-ng page.

This manual page is only an abstract, for the complete documentation of syslog-ng, see the syslog-ng Documentation page.

The syslog-debun tool collects and saves information about your syslog-ng PE installation, making troubleshooting easier, especially if you ask help about your syslog-ng PE related problem.

General Options
-h

Display the help page.

-l

Do not collect privacy-sensitive data, for example, process tree, fstab, and so on. If you use with -d, then the following parameters will be used for debug mode:-Fev

-R <directory>

The directory where syslog-ng PE is installed instead of /opt/syslog-ng.

-W <directory>

Set the working directory, where the debug bundle will be saved. Default value: /tmp. The name of the created file is syslog.debun.${host}.${date}.${3-random-characters-or-pid}.tgz

Debug mode options
-d

Start syslog-ng PE in debug mode, using the -Fedv --enable-core options.

Warning! Using this option under high message load may increase disk I/O during the debug, and the resulting debug bundle can be huge. To exit debug mode, press Enter.

-D <options>

Start syslog-ng PE in debug mode, using the specified command-line options. To exit debug mode, press Enter. For details on the available options, see ???.

-t <seconds>

Run syslog-ng PE in noninteractive debug mode for <seconds>, and automatically exit debug mode after the specified number of seconds.

-w <seconds>

Wait <seconds> seconds before starting debug mode.

System call tracing
-s

Enable syscall tracing (strace -f or truss -f). Note that using -s itself does not enable debug mode, only traces the system calls of an already running syslog-ng PE process. To trace system calls in debug mode, use both the -s and -d options.

Packet capture options

Capturing packets requires a packet capture tool on the host. The syslog-debun tool attempts to use tcpdump on most platforms, except for Solaris, where it uses snoop.

-i <interface>

Capture packets only on the specified interface, for example, eth0.

-p

Capture incoming packets using the following filter: port 514 or port 601 or port 53

-P <options>

Capture incoming packets using the specified filter.

-t <seconds>

Run syslog-ng PE in noninteractive debug mode for <seconds>, and automatically exit debug mode after the specified number of seconds.

Examples
syslog-debun

Create a simple debug bundle, collecting information about your environment, for example, list packages containing the word: syslog, ldd of your syslog-binary, and so on.

syslog-debun -l

Similar to syslog-debun, but without privacy-sensitive information. For example, the following is NOT collected: fstab, df output, mount info, ip / network interface configuration, DNS resolv info, and process tree.

syslog-debun -d

Similar to syslog-debun, but it also stops syslog-ng, then restarts it in debug mode (-Fedv --enable-core). To stop debug mode, press Enter. The output of the debug mode collected into a separate file, and also added to the debug bundle.

syslog-debun -s

Trace the system calls (using strace or truss) of an already running syslog-ng PE process.

syslog-debun -d -s

Restart syslog-ng PE in debug mode, and also trace the system calls (using strace or truss) of the syslog-ng PE process.

syslog-debun -p

Run packet capture (pcap) with the filter: port 514 or port 601 or port 53 Also waits for pressing Enter, like debug mode.

syslog-debun -p -t 10

Noninteractive debug mode: Similar to syslog-debun -p, but automatically exit after 10 seconds.

        syslog-debun -P "host 1.2.3.4"  -D "-Fev --enable-core"

Change the packet-capturing filter from the default to host 1.2.3.4. Also change debugging parameters from the default to -Fev --enable-core. Since a timeout (-t) is not given, waits for pressing Enter.

syslog-debun -p -d -w 5 -t 10

Collect pcap and debug mode output following this scenario:

  • Start packet capture with default parameters (-p)

  • Wait 5 seconds (-w 5)

  • Stop syslog-ng

  • Start syslog-ng in debug mode with default parameters (-d)

  • Wait 10 seconds (-t 10)

  • Stop syslog-ng debuging

  • Start syslog-ng

  • Stop packet capturing

Files

/opt/syslog-ng/bin/loggen

See also

syslog-ng.conf(5)

Note

For the detailed documentation of syslog-ng PE see The syslog-ng PE 7 Administrator Guide

If you experience any problems or need help with syslog-ng, visit the syslog-ng mailing list.

For news and notifications about of syslog-ng, visit the syslog-ng blogs.

Author

This manual page was written by the One Identity Documentation Team.

Copyright

Copyright 2000-2019One Identity. Published under the Creative Commons Attribution-Noncommercial-No Derivative Works (by-nc-nd) 3.0 license. For details, see https://creativecommons.org//. The latest version is always available at https://www.syslog-ng.com.

syslog-ng-ctl.1


Table of Contents

syslog-ng-ctl— Display message statistics and enable verbose, debug and trace modes in syslog-ng Premium Edition
Name

syslog-ng-ctl — Display message statistics and enable verbose, debug and trace modes in syslog-ng Premium Edition

Synopsis

syslog-ng-ctl [command] [options]

Description

NOTE: The syslog-ng-ctl application is distributed with the syslog-ng Premium Edition system logging application, and is usually part of the syslog-ng package. The latest version of the syslog-ng application is available at syslog-ng page.

This manual page is only an abstract, for the complete documentation of syslog-ng, see the syslog-ng Documentation page.

The syslog-ng-ctl application is a utility that can be used to:

  • enable/disable various syslog-ng messages for troubleshooting

  • display statistics about the processed messages

  • handling password-protected private keys

  • display the currently running configuration of syslog-ng PE

  • reload the configuration of syslog-ng PE.

  • stop syslog-ng PE.

Enabling troubleshooting messages

command [options]

Use the syslog-ng-ctl <command> --set=on command to display verbose, trace, or debug messages. If you are trying to solve configuration problems, the verbose (and occasionally trace) messages are usually sufficient. Debug messages are needed mostly for finding software errors. After solving the problem, do not forget to turn these messages off using the syslog-ng-ctl <command> --set=off. Note that enabling debug messages does not enable verbose and trace messages.

Use syslog-ng-ctl <command> without any parameters to display whether the particular type of messages are enabled or not.

If you need to use a non-standard control socket to access syslog-ng, use the syslog-ng-ctl <command> --set=on --control=<socket> command to specify the socket to use.

verbose

Print verbose messages. If syslog-ng was started with the --stderr or -e option, the messages will be sent to stderr. If not specified, syslog-ng will log such messages to its internal source.

trace

Print trace messages of how messages are processed. If syslog-ng was started with the --stderr or -e option, the messages will be sent to stderr. If not specified, syslog-ng will log such messages to its internal source.

debug

Print debug messages. If syslog-ng was started with the --stderr or -e option, the messages will be sent to stderr. If not specified, syslog-ng will log such messages to its internal source.

Example:

syslog-ng-ctl verbose --set=on
syslog-ng-ctl query

The syslog-ng PE application stores various data, metrics, and statistics in a hash table. Every property has a name and a value. For example:

[syslog-ng]
|
|_[destinations]-[network]-[tcp]->[stats]->{received=12;dropped=2}
|
|_[sources]-[sql]-[stats]->{received=501;dropped=0}

You can query the nodes of this tree, and also use filters to select the information you need. A query is actually a path in the tree. You can also use the ? and * wildcards. For example:

  • Select every property: *

  • Select all dropped value from every stats node: *.stats.dropped

The nodes and properties available in the tree depend on your syslog-ng PE configuration (that is, the sources, destinations, and other objects you have configured), and also on your stats-level() settings.

The list command

syslog-ng-ctl query list

Use the syslog-ng-ctl query list command to display the list of metrics that syslog-ng PE collects about the processed messages. For details about the displayed metrics, see The syslog-ng Administrator Guide???.

An example output:

center.received.stats.processed
center.queued.stats.processed
destination.java.d_elastic#0.java_dst(ElasticSearch,elasticsearch-syslog-ng-test,t7cde889529c034aea9ec_micek).stats.dropped
destination.java.d_elastic#0.java_dst(ElasticSearch,elasticsearch-syslog-ng-test,t7cde889529c034aea9ec_micek).stats.processed
destination.java.d_elastic#0.java_dst(ElasticSearch,elasticsearch-syslog-ng-test,t7cde889529c034aea9ec_micek).stats.queued
destination.d_elastic.stats.processed
source.s_tcp.stats.processed
source.severity.7.stats.processed
source.severity.0.stats.processed
source.severity.1.stats.processed
source.severity.2.stats.processed
source.severity.3.stats.processed
source.severity.4.stats.processed
source.severity.5.stats.processed
source.severity.6.stats.processed
source.facility.7.stats.processed
source.facility.16.stats.processed
source.facility.8.stats.processed
source.facility.17.stats.processed
source.facility.9.stats.processed
source.facility.18.stats.processed
source.facility.19.stats.processed
source.facility.20.stats.processed
source.facility.0.stats.processed
source.facility.21.stats.processed
source.facility.1.stats.processed
source.facility.10.stats.processed
source.facility.22.stats.processed
source.facility.2.stats.processed
source.facility.11.stats.processed
source.facility.23.stats.processed
source.facility.3.stats.processed
source.facility.12.stats.processed
source.facility.4.stats.processed
source.facility.13.stats.processed
source.facility.5.stats.processed
source.facility.14.stats.processed
source.facility.6.stats.processed
source.facility.15.stats.processed
source.facility.other.stats.processed
global.payload_reallocs.stats.processed
global.msg_clones.stats.processed
global.sdata_updates.stats.processed
tag..source.s_tcp.stats.processed

The syslog-ng-ctl query list command has the following options:

--reset

Use --reset to set the selected counters to 0 after executing the query.

Displaying metrics and statistics

syslog-ng-ctl query get [options]

The syslog-ng-ctl query get <query> command lists the nodes that match the query, and their values.

For example, the "destination*" query lists the configured destinations, and the metrics related to each destination. An example output:

          destination.java.d_elastic#0.java_dst(ElasticSearch,elasticsearch-syslog-ng-test,t7cde889529c034aea9ec_micek).stats.dropped=0
destination.java.d_elastic#0.java_dst(ElasticSearch,elasticsearch-syslog-ng-test,t7cde889529c034aea9ec_micek).stats.processed=0
destination.java.d_elastic#0.java_dst(ElasticSearch,elasticsearch-syslog-ng-test,t7cde889529c034aea9ec_micek).stats.queued=0
destination.d_elastic.stats.processed=0

The syslog-ng-ctl query get command has the following options:

--sum

Add up the result of each matching node and return only a single number.

For example, the syslog-ng-ctl query get --sum "destination*.dropped" command displays the number of messages dropped by the syslog-ng PE instance.

--reset

Use --reset to set the selected counters to 0 after executing the query.

The stats command

stats [options]

Use the stats command to display statistics about the processed messages. For details about the displayed statistics, see The syslog-ng Administrator Guide???. The stats command has the following options:

--control=<socket> or -c

Specify the socket to use to access syslog-ng. Only needed when using a non-standard socket.

--reset=<socket> or -r

Reset all statistics to zero, except for the queued counters. (The queued counters show the number of messages in the message queue of the destination driver, waiting to be sent to the destination.)

Example:

syslog-ng-ctl stats

An example output:

        src.internal;s_all#0;;a;processed;6445
src.internal;s_all#0;;a;stamp;1268989330
destination;df_auth;;a;processed;404
destination;df_news_dot_notice;;a;processed;0
destination;df_news_dot_err;;a;processed;0
destination;d_ssb;;a;processed;7128
destination;df_uucp;;a;processed;0
source;s_all;;a;processed;7128
destination;df_mail;;a;processed;0
destination;df_user;;a;processed;1
destination;df_daemon;;a;processed;1
destination;df_debug;;a;processed;15
destination;df_messages;;a;processed;54
destination;dp_xconsole;;a;processed;671
dst.tcp;d_network#0;10.50.0.111:514;a;dropped;5080
dst.tcp;d_network#0;10.50.0.111:514;a;processed;7128
dst.tcp;d_network#0;10.50.0.111:514;a;queued;2048
destination;df_syslog;;a;processed;6724
destination;df_facility_dot_warn;;a;processed;0
destination;df_news_dot_crit;;a;processed;0
destination;df_lpr;;a;processed;0
destination;du_all;;a;processed;0
destination;df_facility_dot_info;;a;processed;0
center;;received;a;processed;0
destination;df_kern;;a;processed;70
center;;queued;a;processed;0
destination;df_facility_dot_err;;a;processed;0
Displaying license-related information

syslog-ng-ctl show-license-info [options]

The syslog-ng PE application uses a license in server mode to determine the maximum number of hosts that are allowed to connect. Use the syslog-ng-ctl show-license-info command to display license-related information the number of hosts currently logging to your server. This helps you to plan your capacity, to check your license usage, and to detect client misconfiguration that can result in a license miscount anomaly. Note that in client or relay mode, syslog-ng PE does not require a license.

The syslog-ng-ctl show-license-info command displays the following information. In case of an unlimited license, or in client or relay mode, only the license type is displayed:

  • License Type: none, limited, unlimited

  • Host Limit: the maximum number of hosts that are allowed to connect.

  • Currently Used Slots: the number of currently used host slots

  • Usage: the percent of used host slots

  • Licensed Clients: the list of hostnames that are stored in the license module

The syslog-ng-ctl show-license-info command has the following options:

--json or -J

Print license-related information in JSON format.

Example:

syslog-ng-ctl show-license-info

An example output:

License-Type: limited
Host-Limit: 10
Currently-Used-Slots: 7
Usage: 70%
Licensed-Clients:
    192.168.0.1
    192.168.0.2
    192.168.0.3
    192.168.1.4
    192.168.1.5

Example:

        syslog-ng-ctl show-license-info --json

An example output:

{
    "license_type": "limited",
    "host_limit": 10,
    "currently_used_slots": 7,
    "usage": "70%",
    "licensed_clients": [
        "xy.testdomain",
        "testhost",
        "192.168.0.3",
        "test_host",
        "192.168.1.5"
    ]
}

Example:

syslog-ng-ctl show-license-info

in case of an unlimited license

An example output:

$ syslog-ng-ctl show-license-info
License-Type: unlimited

Example:

syslog-ng-ctl show-license-info

if syslog-ng PE is in client or relay mode

An example output:

$ syslog-ng-ctl show-license-info
License-Type: none
Handling password-protected private keys

syslog-ng-ctl credentials [options]

The syslog-ng-ctl credentials status command allows you to query the status of the private keys that syslog-ng PE uses in the network() and syslog() drivers. You can also provide the passphrase for password-protected private keys using the syslog-ng-ctl credentials add command. For details on using password-protected keys, see The syslog-ng Administrator Guide???.

Displaying the status of private keys

syslog-ng-ctl credentials status [options]

The syslog-ng-ctl credentials status command allows you to query the status of the private keys that syslog-ng PE uses in the network() and syslog() drivers. The command returns the list of private keys used, and their status. For example:

syslog-ng-ctl credentials status
Secret store status:
/home/user/ssl_test/client-1/client-encrypted.key SUCCESS

If the status of a key is PENDING, you must provide the passphrase for the key, otherwise syslog-ng PE cannot use it. The sources and destinations that use these keys will not work until you provide the passwords. Other parts of the syslog-ng PE configuration will be unaffected. You must provide the passphrase of the password-protected keys every time syslog-ng PE is restarted.

The following log message also notifies you of PENDING passphrases:

          Waiting for password; keyfile='private.key'
--control=<socket> or -c

Specify the socket to use to access syslog-ng. Only needed when using a non-standard socket.

Opening password-protected private keys

syslog-ng-ctl credentials add [options]

You can add the passphrase to a password-protected private key file using the following command. syslog-ng PE will display a prompt for you to enter the passphrase. We recommend that you use this method.

          syslog-ng-ctl credentials add --id=<path-to-the-key>

Alternatively, you can include the passphrase in the --secret parameter:

          syslog-ng-ctl credentials add --id=<path-to-the-key> --secret=<passphrase-of-the-key>

Or you can pipe the passphrase to the syslog-ng-ctl command, for example:

          echo "<passphrase-of-the-key>" | syslog-ng-ctl credentials add --id=<path-to-the-key>
--control=<socket> or -c

Specify the socket to use to access syslog-ng. Only needed when using a non-standard socket.

--id=<path-to-the-key> or -i

The path to the password-protected private key file. This is the same path that you use in the key-file() option of the syslog-ng PE configuration file.

--secret=<passphrase-of-the-key> or -s

The password or passphrase of the private key.

Displaying the configuration

syslog-ng-ctl config [options]

Use the syslog-ng-ctl config command to display the configuration that syslog-ng PE is currently running. Note by default, only the content of the main configuration file are displayed, included files are not resolved. To resolve included files and display the entire configuration, use the syslog-ng-ctl config --preprocessed command.

Reloading the configuration

syslog-ng-ctl reload [options]

Use the syslog-ng-ctl reload command to reload the configuration file of syslog-ng PE without having to restart the syslog-ng PE application. The syslog-ng-ctl reload works like a SIGHUP (-1). On Microsoft Windows, this is the only way to reload the configuration of syslog-ng PE.

The syslog-ng-ctl reload command returns 0 if the operation was successful, 1 otherwise.

Stopping syslog-ng PE

syslog-ng-ctl stop [options]

Use the syslog-ng-ctl stop command to stop the syslog-ng PE application. The syslog-ng-ctl stop works like a SIGHUP (-15) on Linux and Unix systems. On Microsoft Windows, this is the only way to gracefully stop syslog-ng PE if it is running in the foreground.

Files

/opt/syslog-ng/sbin/syslog-ng-ctl

See also

The syslog-ng Documentation page

syslog-ng.conf(5)

syslog-ng(8)

Note

For the detailed documentation of syslog-ng PE see The syslog-ng PE 7 Administrator Guide

If you experience any problems or need help with syslog-ng, visit the syslog-ng mailing list.

For news and notifications about of syslog-ng, visit the syslog-ng blogs.

Author

This manual page was written by the One Identity Documentation Team.

Copyright

Copyright 2000-2019One Identity. Published under the Creative Commons Attribution-Noncommercial-No Derivative Works (by-nc-nd) 3.0 license. For details, see https://creativecommons.org//. The latest version is always available at https://syslog-ng.com.

syslog-ng.8


Table of Contents

syslog-ng— syslog-ng system logger application
Name

syslog-ng — syslog-ng system logger application

Synopsis

syslog-ng [options]

Description

This manual page is only an abstract, for the complete documentation of syslog-ng, see The syslog-ng Premium Edition Administrator Guide or the syslog-ng Documentation page.

The syslog-ng PE application is a flexible and highly scalable system logging application. Typically, syslog-ng is used to manage log messages and implement centralized logging, where the aim is to collect the log messages of several devices on a single, central log server. The different devices - called syslog-ng clients - all run syslog-ng, and collect the log messages from the various applications, files, and other sources. The clients send all important log messages to the remote syslog-ng server, where the server sorts and stores them.

Options
--caps

Run syslog-ng PE process with the specified POSIX capability flags.

  • If the --no-caps option is not set, and the host supports CAP_SYSLOG, syslog-ng PE uses the following capabilities: "cap_net_bind_service, cap_net_broadcast, cap_net_raw, cap_dac_read_search, cap_dac_override, cap_chown, cap_fowner=p cap_syslog=ep"

  • If the --no-caps option is not set, and the host does not support CAP_SYSLOG, syslog-ng PE uses the following capabilities: "cap_net_bind_service, cap_net_broadcast, cap_net_raw,cap_dac_read_search, cap_dac_override, cap_chown, cap_fowner=p cap_sys_admin=ep"

For example:

              /opt/syslog-ng/sbin/syslog-ng -Fv --caps cap_sys_admin,cap_chown,cap_dac_override,cap_net_bind_service,cap_fowner=pi

Note that the capabilities are not case sensitive, the following command is also good: /opt/syslog-ng/sbin/syslog-ng -Fv --caps CAP_SYS_ADMIN,CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_NET_BIND_SERVICE,CAP_FOWNER=pi

For details on the capability flags, see the following man pages: cap_from_text(3) and capabilities(7)

--cfgfile <file> or -f <file>

Use the specified configuration file.

--chroot <dir> or -C <dir>

Change root to the specified directory. The configuration file is read after chrooting so, the configuration file must be available within the chroot. That way it is also possible to reload the syslog-ng configuration after chrooting. However, note that the --user and --group options are resolved before chrooting.

--control <file> or -c <file>

Set the location of the syslog-ng control socket. Default value: /var/run/syslog-ng.ctl

--debug or -d

Start syslog-ng in debug mode.

--default-modules

A comma-separated list of the modules that are loaded automatically. Modules not loaded automatically can be loaded by including the @module <modulename> statement in the syslog-ng PE configuration file. Available only in syslog-ng Premium Edition 4.1 and later.

--enable-core

Enable syslog-ng to write core files in case of a crash to help support and debugging.

--fd-limit <number>

Set the minimal number of required file descriptors (fd-s). This sets how many files syslog-ng can keep open simultaneously. Default value: 4096. Note that this does not override the global ulimit setting of the host.

--foreground or -F

Do not daemonize, run in the foreground. When running in the foreground, syslog-ng PE starts from the current directory ($CWD) so it can create core files (normally, syslog-ng PE starts from $PREFIX/var).

--group <group> or -g <group>

Switch to the specified group after initializing the configuration file.

--help or -h

Display a brief help message.

--module-registry

Display the list and description of the available modules. Note that not all of these modules are loaded automatically, only the ones specified in the --default-modules option. Available only in syslog-ng Premium Edition 4 F1 and later.

--no-caps

Run syslog-ng as root, without capability-support. This is the default behavior. On Linux, it is possible to run syslog-ng as non-root with capability-support if syslog-ng was compiled with the --enable-linux-caps option enabled. (Execute syslog-ng --version to display the list of enabled build parameters.)

To run syslog-ng PE with specific capabilities, use the --caps option.

--persist-file <persist-file> or -R <persist-file>

Set the path and name of the syslog-ng.persist file where the persistent options and data are stored.

--pidfile <pidfile> or -p <pidfile>

Set path to the PID file where the pid of the main process is stored.

--preprocess-into <output-file>

After processing the configuration file and resolving included files and variables, write the resulting configuration into the specified output file. Available only in syslog-ng Premium Edition 4 F1 and later.

--process-mode <mode>

Sets how to run syslog-ng: in the foreground (mainly used for debugging), in the background as a daemon, or in safe-background mode. By default, syslog-ng runs in safe-background mode. This mode creates a supervisor process called supervising syslog-ng , that restarts syslog-ng if it crashes.

--stderr or -e

Log internal messages of syslog-ng to stderr. Mainly used for debugging purposes in conjunction with the --foreground option. If not specified, syslog-ng will log such messages to its internal source.

--syntax-only or -s

Verify that the configuration file is syntactically correct and exit.

--user <user> or -u <user>

Switch to the specified user after initializing the configuration file (and optionally chrooting). Note that it is not possible to reload the syslog-ng configuration if the specified user has no privilege to create the /dev/log file.

--verbose or -v

Enable verbose logging used to troubleshoot syslog-ng.

--version or -V

Display version number and compilation information, and also the list and short description of the available modules. For detailed description of the available modules, see the --module-registry option. Note that not all of these modules are loaded automatically, only the ones specified in the --default-modules option.

--worker-threads

Sets the number of worker threads syslog-ng PE can use, including the main syslog-ng PE thread. Note that certain operations in syslog-ng PE can use threads that are not limited by this option. This setting has effect only when syslog-ng PE is running in multithreaded mode. Available only in syslog-ng Premium Edition 4 F1 and later. See The syslog-ng Premium Edition 7 Administrator Guide for details.

Setting default command-line options

You can set default settings for syslog-ng PEsyslog-ng PE will always run with these default command-line parameters. You can specify your default settings in the following files:

  • /etc/default/syslog-ng

  • /etc/sysconfig/syslog-ng (only for RedHat platforms)

  • $SYSLOGNG_PREFIX/etc/default/syslog-ng, where $SYSLOGNG_PREFIX is the installation directory of syslog-ng PE. For version 4.0, this is /opt/syslog-ng

During startup, syslog-ng PE will automatically use the settings from these files if they exist. You can set the following options:

MAXWAIT

The number of seconds the init script will wait for syslog-ng PE to shut down properly. If the syslog-ng PE process does not shut down during this period, it is terminated with a SIGKILL signal. Increase this value if you have lots of separate disk-buffer files (for example, to 60 seconds).

SYSLOGNG_OPTIONS

A string of additional command-line options for the syslog-ng daemon.

Files

/opt/syslog-ng/

/opt/syslog-ng/etc/syslog-ng.conf

See also

syslog-ng.conf(5)

Note

For the detailed documentation of syslog-ng PE see The syslog-ng PE 7 Administrator Guide

If you experience any problems or need help with syslog-ng, visit the syslog-ng mailing list.

For news and notifications about of syslog-ng, visit the syslog-ng blogs.

Author

This manual page was written by the One Identity Documentation Team.

Copyright

Copyright 2000-2019One Identity. Published under the Creative Commons Attribution-Noncommercial-No Derivative Works (by-nc-nd) 3.0 license. For details, see https://creativecommons.org//. The latest version is always available at https://www.syslog-ng.com.

Related Documents