This chapter collects the manual pages of syslog-ng PE and other related applications that are usually distributed and packaged together with the syslog-ng Premium Edition application.
Preface
Introduction to syslog-ng
What syslog-ng is
What syslog-ng is not
Why is syslog-ng needed?
What is new in syslog-ng Premium Edition 7?
Who uses syslog-ng?
Supported platforms
The concepts of syslog-ng
The philosophy of syslog-ng
Logging with syslog-ng
Modes of operation
Global objects
Timezones and daylight saving
Versions and releases of syslog-ng Premium Edition
Licensing
GPL and LGPL licenses
High availability support
The structure of a log message
Message representation in syslog-ng PE
Structuring macros, metadata, and other value-pairs
Things to consider when forwarding messages between syslog-ng PE hosts
Using syslog-ng PE with NFS or CIFS (or SMB) file system for log files
Installing syslog-ng PE
Prerequisites to installing syslog-ng PE
Security-enhanced Linux: grsecurity, SELinux
Installing syslog-ng PE on RPM-based platforms (Red Hat, SUSE, AIX)
Using syslog-ng PE on SELinux
Installing syslog-ng PE on Debian-based platforms
Installing syslog-ng in Docker
Installing syslog-ng using the .run installer
The syslog-ng PE quick-start guide
Installing syslog-ng PE in client or relay mode
Installing syslog-ng PE in server mode
Installing syslog-ng PE without user-interaction
Upgrading syslog-ng PE
Upgrading from syslog-ng PE 7.0.x to version 7
Upgrading from syslog-ng PE 6.0.x to version 7
Upgrading syslog-ng PE to other package versions
Upgrading from syslog-ng PE to syslog-ng OSE
Upgrade from syslog-ng OSE to syslog-ng PE
Upgrading from complete syslog-ng PE to client setup version of syslog-ng PE
Upgrading the sql() source of syslog-ng PE
Uninstalling syslog-ng PE
Configuring Microsoft SQL Server to accept logs from syslog-ng
Configuring syslog-ng on client hosts
Configuring syslog-ng on server hosts
Configuring syslog-ng relays
Managing and checking syslog-ng PE service on Linux
The syslog-ng PE configuration file
Location of the syslog-ng configuration file
The configuration syntax in detail
Notes about the configuration syntax
Defining configuration objects inline
Using channels in configuration objects
Global and environmental variables
Logging configuration changes
Modules in syslog-ng Premium Edition (syslog-ng PE)
Managing complex syslog-ng configurations
Collecting log messages — sources and source drivers
Including configuration files
Reusing configuration blocks
Generating configuration blocks from a script
Python code in external files
Logging from your Python code
How sources work
default-network-drivers: Receive and parse common syslog messages
internal: Collecting internal messages
file: Collecting messages from text files
google-pubsub: collecting messages from the Google Pub/Sub messaging service
Sending and storing log messages — destinations and destination drivers
Prerequisites
Limitations
Supported platforms
Declaration
The Google Pub/Sub message format in syslog-ng PE
wildcard-file: Collecting messages from multiple text files
linux-audit: Collecting messages from Linux audit logs
mssql, oracle, sql: collecting messages from an SQL database
The contents of the Google Pub/Sub Message body on the syslog-ng Premium Edition (syslog-ng PE) side
The contents of the Google Pub/Sub Message attributes on the syslog-ng PE (syslog-ng PE) side
Processing incoming message contents in raw message format and in .JSON format
google-pubsub() source options
Preventing message duplication resulting from the At-Least-Once delivery behavior
Error messages you may encounter while using the google-pubsub() source
mssql(), oracle(), and sql() source options
Customizing mssql() queries
Configuring TLS encryption for MSSQL servers
Possible connection errors between the MSSQL server (2019) and syslog-ng PE 7 LTS
network: Collecting messages using the RFC3164 protocol (network() driver)
office365: Fetching logs from Office 365
Configuring Office 365 to permit fetching logs
office365() source options
Troubleshooting audit logging in Office 365
osquery: Collect and parse osquery result logs
pipe: Collecting messages from named pipes
program: Receiving messages from external applications
python: writing server-style Python sources
python-fetcher: writing fetcher-style Python sources
snmptrap: Read Net-SNMP traps
syslog: Collecting messages using the IETF syslog protocol (syslog() driver)
system: Collecting the system-specific log messages of a platform
systemd-journal: Collecting messages from the systemd-journal system log storage
systemd-syslog: Collecting systemd messages using a socket
tcp, tcp6,udp, udp6: Collecting messages from remote hosts using the BSD syslog protocol
udp-balancer: Receiving UDP messages at very high rate
unix-stream, unix-dgram: Collecting messages from UNIX domain sockets
windowsevent: Collecting Windows event logs
elasticsearch2>: Sending messages directly to Elasticsearch version 2.0 or higher (DEPRECATED)
Routing messages: log paths, flags, and filters
Prerequisites
How syslog-ng PE interacts with Elasticsearch
Client modes
Elasticsearch2 destination options (DEPRECATED)
elasticsearch-http: Sending messages to Elasticsearch HTTP Event Collector
file: Storing messages in plain-text files
google_pubsub(): Sending logs to the Google Cloud Pub/Sub messaging service
Limitations
Configuring the google_pubsub() destination
google_pubsub() destination options
Available endpoints for the google_pubsub() destination
Error messages you may encounter while using the google_pubsub() destination
google_pubsub-managedaccount(): Sending logs to the Google Cloud Pub/Sub messaging service authenticated by Google Cloud managed service account
Limitations
Configuring the google_pubsub_managedaccount() destination
google_pubsub_managedaccount() destination options
Available endpoints for the google_pubsub_managedaccount() destination
Error messages you can encounter while using the google_pubsub_managedaccount() destination
hdfs: Storing messages on the Hadoop Distributed File System (HDFS)
Prerequisites
How syslog-ng PE interacts with HDFS
Storing messages with MapR-FS
Kerberos authentication with syslog-ng hdfs() destination
HDFS destination options
http: Posting messages over HTTP
kafka(): Publishing messages to Apache Kafka (Java implementation) (DEPRECATED)
kafka-c(): Publishing messages to Apache Kafka using the librdkafka client (C implementation)
kafka-c(): Prerequisites and limitations
kafka-c(): Shifting from the Java implementation to the C implementation
kafka-c(): Flow control in syslog-ng PE and the Kafka client
Options of the kafka-c() destination
logstore: Storing messages in encrypted files
mongodb: Storing messages in a MongoDB database
network: Sending messages to a remote log server using the RFC3164 protocol (network() driver)
pipe: Sending messages to named pipes
program: Sending messages to external applications
python: writing custom Python destinations
sentinel(): Sending logs to the Microsoft Azure Sentinel cloud
Configuring the sentinel() destination to send logs to the Microsoft Azure Sentinel cloud
snmp: Sending SNMP traps
smtp: Generating SMTP messages (email) from logs
splunk-hec: Sending messages to Splunk HTTP Event Collector
sql(): Storing messages in an SQL database
Getting the required credentials to configure syslog-ng PE as a Data Connector for Microsoft Azure Sentinel
Log types
sentinel() destination options
Using the sql() driver with an Oracle database
Using the sql() driver with a Microsoft SQL database
The way syslog-ng PE interacts with the database
sql() destination options
stackdriver: Sending logs to the Google Stackdriver cloud
syslog: Sending messages to a remote logserver using the IETF-syslog protocol
syslog-ng(): Forward logs to another syslog-ng node
tcp, tcp6, udp, udp6: Sending messages to a remote log server using the legacy BSD-syslog protocol (tcp(), udp() drivers)
unix-stream, unix-dgram: Sending messages to UNIX domain sockets
usertty: Sending messages to a user terminal — usertty() destination
Client-side failover
Log paths
Managing incoming and outgoing messages with flow-control
Using the disk-buffer option and memory buffering
Global options of syslog-ng PE
TLS-encrypted message transfer
Enabling the reliable disk-buffer option
Enabling the normal disk-buffer option
How to get information about disk-buffer files
Filters
Information about disk-buffer files
Getting the list of disk-buffer files
Getting the status information of disk-buffer files
Printing the content of disk-buffer files
Orphan disk-buffer files
How to process messages from an orphan disk-buffer file using a separate syslog-ng PE instance
How to empty disk-buffer files
Enabling memory buffering
About disk queue files
Using filters
Combining filters with boolean operators
Comparing macro values in filters
Using wildcards, special characters, and regular expressions in filters
Tagging messages
Filter functions
Dropping messages
Secure logging using TLS
Encrypting log messages with TLS
Mutual authentication using TLS
Password-protected keys
TLS options
Advanced Log Transport Protocol
Reliability and minimizing the loss of log messages
Introduction
Flow control, no disk-buffer option, no ALTP
Flow control, normal disk-buffer option, no ALTP
Flow control, reliable disk-buffer option, no ALTP
Flow control, reliable disk-buffer option, ALTP
Deciding which loss prevention mechanism to apply
Manipulating messages
Customizing message format using macros and templates
parser: Parse and segment structured messages
Formatting messages, filenames, directories, and tablenames
Templates and macros
Date-related macros
Hard versus soft macros
Macros of syslog-ng PE
Using template functions
Template functions of syslog-ng PE
Modifying the on-the-wire message format
Modifying messages using rewrite rules
Replacing message parts
Setting message fields to specific values
Unsetting message fields
Creating custom SDATA fields
Setting multiple message fields to specific values
Conditional rewrites
Anonymizing credit card numbers
Regular expressions
Parsing syslog messages
Parsing messages with comma-separated and similar values
Parsing key=value pairs
JSON parser
XML parser
Parsing dates and timestamps
Cisco Parser
Linux audit parser
Python parser
Parsing enterprise-wide message model (EWMM) messages
Sudo parser
iptables parser
Processing message content with a pattern database
Classifying log messages
Using pattern databases
Correlating log messages using pattern databases
Triggering actions for identified messages
Creating pattern databases
Correlating log messages
Enriching log messages with external data
Monitoring statistics and metrics of syslog-ng
Metrics and counters of syslog-ng PE
Log statistics from the internal() source
The monitoring() source
Multithreading and scaling in syslog-ng PE
Multithreading concepts of syslog-ng PE
Configuring multithreading
Optimizing multithreaded performance
Troubleshooting syslog-ng
Possible causes of losing log messages
Creating syslog-ng core files
Collecting debugging information with strace, truss, or tusc
Running a failure script
Stopping syslog-ng
Reporting bugs and finding help
Error messages
Best practices and examples
General recommendations
Handling large message load
Using name resolution in syslog-ng
Collecting logs from chroot
Configuring log rotation
Load balancing logs between multiple destinations
The syslog-ng manual pages
Glossary
The syslog-ng manual pages
The syslog-ng manual pages
The syslog-ng manual pages
The syslog-ng manual pages
This chapter collects the manual pages of syslog-ng PE and other related applications that are usually distributed and packaged together with the syslog-ng Premium Edition application.
dqtool.1
Name
dqtool — Display the contents of a disk-buffer file created with syslog-ng PE.
Synopsis
dqtool [command] [options]
Description
NOTE: The dqtool application is distributed with the syslog-ng PE system logging application, and is usually part of the syslog-ng PE package.
This manual page is only an abstract, for the complete documentation of syslog-ng PE, see the
The dqtool application is a utility that can be used to display and format the messages stored in a disk-buffer file.
The cat command
cat [options] [file]
Use the cat command to display the log messages stored in the disk-buffer (also called disk-queue) file, and also information from the header of the disk queue file. The messages are printed to the standard output (stdout), so it is possible to use grep and other tools to find particular log messages, for example, dqtool cat /var/log/messages.qf |grep 192.168.1.1.
The cat command has the following options:
-
--debug or -d
Print diagnostic and debugging messages to stderr.
-
--help or -h
Display a brief help message.
-
--template=<template> or -t
Format the messages using the specified template.
-
--verbose or -v
Print verbose messages to stderr.
-
--version or -V
Display version information.
Example: The cat command
./dqtool cat ../var/syslog-ng-00000.qf
The output looks like:
Disk-buffer state loaded; filename='../var/syslog-ng-00000.qf', qout_length='65', qbacklog_length='0', qoverflow_length='9205', qdisk_length='0' Mar 3 10:52:05 tristram localprg[1234]: seq: 0000011630, runid: 1267609923, stamp: 2010-03-03T10:52:05 PADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADD Mar 3 10:52:05 tristram localprg[1234]: seq: 0000011631, runid: 1267609923, stamp: 2010-03-03T10:52:05 PADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADD
Files
/opt/syslog-ng/bin/dqtool
See also
The syslog-ng.conf manual page
NOTE: For the detailed documentation of syslog-ng PE see
If you experience any problems or need help with syslog-ng PE, visit the syslog-ng mailing list.
For news and notifications about syslog-ng PE, visit the syslog-ng blogs.
lgstool.1
Synopsis
lgstool [command] [options]
Description
NOTE: The lgstool application is distributed with the syslog-ng PE system logging application, and is usually part of the syslog-ng PE package.
This manual page is only an abstract, for the complete documentation of syslog-ng PE, see the
The lgstool application is a utility that can be used to:
-
Display and format the messages stored in logstore files
-
Display the record structure of logstore files
-
Process log messages from orphaned journal files and write them into logstore files
-
Follow (tail) messages arriving to a logstore file real-time
-
Validate the digital signature and timestamp of encrypted logstore files
The cat command
cat [options] [file]
Use the cat command to display the log messages stored in the logstore file. Log messages available in the journal file of the logstore (but not yet written to the logstore file itself) are displayed as well. The messages are printed to the standard output (stdout), so it is possible to use grep and other tools to find particular log messages, for example, lgstool cat /var/log/messages.lgs |grep 192.168.1.1. Note that syslog-ng PE can also follow logstore files — for details on this feature, see The tail command.
The cat command has the following options:
- --debug or -d
Print diagnostic and debugging messages to stderr.
- --filter<expression> or -i
Only print messages matching the specified syslog-ng PE filter. All possible macros regular expressions and logical expressions can be specified in a filter.
Example: lgstool cat filter
lgstool cat -t 'host: ${HOST} program: ${PROGRAM} msg: ${MSG}\n' --filter='program("prg0000[0]")' /tmp/logstore-serialized.lgs - --help or -h
Display a brief help message.
- --key=<keyfile> or -k
Use the specified private key to decrypt encrypted logstore files.
Example: lgstool cat key
lgstool cat --key=mykey.pem mylogstore.lgs
- --seek=<ID> or -s
Display only messages newer than the message specified.
- --template=<template> or -t
Format the messages using the specified template.
- --verbose or -v
Print verbose messages to stderr.
- --version or -V
Display version information.
The inspect command
inspect [options] [file]
Use the inspect command to display structure of the logstore file. The following information is displayed:
-
cipher: The cipher algorithm used to encrypt the logstore file.
-
digest: The digest (hash) algorithm used.
-
encrypt: TRUE if the logstore file is encrypted.
-
compress: TRUE if the logstore file is compressed.
-
hmac: TRUE if the logstore file includes HMAC (Hash-based Message Authentication Code) information for the chunks.
-
chunk_mac: The MAC (Message Authentication Code) of the chunk.
-
file_mac: The MAC (Message Authentication Code) of the chunk.
For timestamped logstore files, the following information is also displayed:
-
chunk_id: The ID of the chunk.
-
Version: The version of the logstore file format used.
-
Policy OID: The OID of the timestamping policy used in the timestamping request.
-
Hash Algorithm: The digest (hash) algorithm used to create the hash of the chunk.
-
Serial number: The serial number of the timestamp.
-
Timestamp: The date when the Timestamping Authority timestamped the chunk.
-
Accuracy: The accuracy of the timestamp.
-
Ordering: Indicates the status of the ordering field in the timestamping request.
-
Nonce: The nonce (a large random number with a high probability that it is generated by the client only once) included in the timestamping request (if any).
-
TSA: The Distinguished Name (DN) of the Timestamping Authority.
The inspect command has the following options:
-
--debug or -d
Print diagnostic and debugging messages to stderr.
-
--help or -h
Display a brief help message.
-
--key=<keyfile> or -k
Use the specified private key to decrypt encrypted logstore files.
Example: lgstool inspect key
lgstool inspect --key=mykey.pem mylogstore.lgs
A sample output looks like this:
XFRM_INFO @941 cipher: aes-128-cbc digest: sha1 CHUNK 0@1079: [1 - 1000]: encrypt: TRUE compress: TRUE hmac: TRUE chunk_mac: e4d5d813979cf865d5ae4624f7aa98047123cd52 file_mac: 6600600ca5befb002a73b15be8f0ac04973d5936 TIMESTAMP @36481: chunk_id: 0 Status info: Status: Granted. Status description: unspecified Failure info: unspecified TST info: Version: 1 Policy OID: 1.2.3.4 Hash Algorithm: sha1 Message data: 0000 - 66 00 60 0c a5 be fb 00-2a 73 b1 5b e8 f0 ac 04 f.`.....*s.[.... 0010 - 97 3d 59 36 .=Y6 Serial number: 0x029A Time stamp: Mar 19 13:48:57 2010 GMT Accuracy: 0x01 seconds, 0x01F4 millis, 0x64 micros Ordering: no Nonce: 0xB613F55AEFFA6DC0 TSA: unspecified Extensions:
-
--verbose or -v
Print verbose messages to stderr.
-
--version or -V
Display version information.
The recover command
recover [options] [file]
|
|
CAUTION: Hazard of data loss! Always stop syslog-ng PE first. Do NOT use the lgstool recover command on logstore files that are actively used by syslog-ng PE. It might lead to data loss. |
The recover command can process and correct broken logstore files. It can also process orphaned journal files and move their contents to the respective logstore file. Encrypted, compressed, and timestamped logstore files can be recovered as well — the private key of the logstore is not needed to recover encrypted logstore files (recovering the encrypted file does not give access to its contents). Note that the recover option is not available in the Windows-version of lgstoole.
NOTE:The lgstool application cannot fetch timestamps to the chunks (message blocks), so chunks recovered with lgstool are not timestamped (the internal timestamp of the syslog messages is included in the messages).
The recover command has the following options:
-
--compress-level or -c
Set the level of compression when processing a journal file into a compressed logstore. Default value: 3
-
--debug or -d
Print diagnostic and debugging messages to stderr.
-
--help or-h
Display a brief help message.
-
--verbose or -v
Print verbose messages to stderr.
-
--version or -V
Display version information.
Example: lgstool recover
lgstool recover mylogstore.lgs
The tail command
tail [options] [file]
Use the tail -f command to follow the contents of a logstore file like the traditional tail command does on Linux/UNIX systems. The messages are printed to the standard output (stdout). Contents of the journal file related to the logstore file are displayed as well.
The tail command has the following options.
-
--debug or -d
Print diagnostic and debugging messages to stderr.
-
--help or -h
Display a brief help message.
-
--filter=<expression> or -i
Only print messages matching the specified syslog-ng PE filter. All possible macros, regular expressions and logical expressions can be specified in a filter.
Example: lgstool tail filter
lgstool tail -t 'host: ${HOST} program: ${PROGRAM} msg: ${MSG}\n' --filter='program("prg0000[0]")' /tmp/logstore-serialized.lgs -
--follow or -f
Follow mode: display messages as they arrive into the logstore.
-
--key=<keyfile> or -k
Use the specified private key to decrypt encrypted logstore files.
-
--lines=<N> or -n
Display the last N lines of the logstore file instead of the last 10. Alternatively, use +N to display lines starting with Nth.
-
--sleep_interval=<seconds> or -s
Number of seconds to wait before displaying new messages in follow mode.
-
--template=<template> or -t
Format the messages using the specified template.
-
--verbose or -v
Print verbose messages to stderr.
-
--version or -V
Display version information.
Example:
lgstool tail -f -n=20 --key=mykey.pem mylogstore.lgs
The validate command
validate [options] [file]
Use the validate command to validate the signatures and timestamps of a logstore file. The validate command has the following options:
-
--ca-dir=<directory> or -C
The directory that stores the certificates of the trusted Certificate Authorities. Use this option if the timestamps of your logstore files were signed with certificates belonging to different Certificate Authorities.
-
--ca-dir-layout=<md5|sha1>
The type of the hash used for the CA certificates. The default value (md5) is expected to change to sha1 in subsequent releases of syslog-ng PE.
-
--ca-file=<file> or -P
A file that stores the certificate of the trusted Certificate Authority. Use this option if the timestamps of your logstore files were signed with a single certificate, or if every such certificate belongs to the same Certificate Authority.
-
--crl-dir=<directory> or -R
The directory that stores the Certificate Revocation Lists of the trusted Certificate Authorities.
-
--debug or -d
Print diagnostic and debugging messages to stderr.
-
--help or -h
Display a brief help message.
-
--key=<keyfile> or -k
Use the specified private key to decrypt encrypted logstore files.
-
--require-ts or -T
Consider the logstore file invalid unless the entire file is protected by a valid timestamp.
-
--seed or -S
Use the ~/.rnd file or the file specified in the $RANDFILE environmental variable as seed. This is needed only on platforms that do not have a /dev/random device (for example, Solaris) and the entropy gathering daemon egd application is not installed on the system.
-
--ts-name=<name> or -D
Consider the logstore file invalid unless the timestamps are signed by the specified Timestamping Authority. Specify the Distinguished Name (DN) of the Timestamping Authority.
-
--verbose or -v
Print verbose messages to stderr.
-
--version or -V
Display version information.
By default, the lgstool validate command checks only the checksum of the file. Use the --require-ts option to validate the timestamps as well. The digital signature of the timestamps is checked only if the --ca-dir or the --ca-file parameter is set.
Example: lgstool validate key
lgstool validate --key=mykey.pem --ca-file=mycacert.pem --ts-name=MYTSA mylogstore.lgs
The reindex command
reindex [options] [file]
The reindex command is an experimental, currently unsupported tool. Do not attempt to use it unless your syslog-ng PE support team explicitly instructs you to do so.
Files
/opt/syslog-ng/bin/lgstool
See also
The syslog-ng.conf manual page
NOTE: For the detailed documentation of syslog-ng PE see
If you experience any problems or need help with syslog-ng PE, visit the syslog-ng mailing list.
For news and notifications about syslog-ng PE, visit the syslog-ng blogs.