Syslog-NG
Syslog-NG is a flexible, high-performance system logging daemon that processes, parses, and routes log messages with advanced filtering, content-based routing, and structured data support. It offers superior performance and features compared to traditional syslog.
Installation
Ubuntu/Debian
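# Install syslog-ng
sudo apt update
sudo apt install syslog-ng syslog-ng-core
# Install optional modules
sudo apt install syslog-ng-mod-json syslog-ng-mod-python \
syslog-ng-mod-sql syslog-ng-mod-date
# Or from official repository
# apt-key is deprecated, and a key added with it is trusted for EVERY apt
# repository on the machine. Keep the key in its own keyring and bind it to
# this one repo with [signed-by=...]. The keyring file name below is a local
# choice (constructed); any path under /usr/share/keyrings works as long as
# both lines use the same one. Both steps write root-owned files, so they
# need sudo (the original ran apt-key and tee unprivileged).
curl -fsSL https://download.opensuse.org/repositories/syslog-ng/xUbuntu_20.04/Release.key \
  | gpg --dearmor | sudo tee /usr/share/keyrings/syslog-ng-archive-keyring.gpg >/dev/null
echo "deb [signed-by=/usr/share/keyrings/syslog-ng-archive-keyring.gpg] https://download.opensuse.org/repositories/syslog-ng/xUbuntu_20.04 ./" \
  | sudo tee /etc/apt/sources.list.d/syslog-ng.list
# xUbuntu_20.04 is pinned in the URL; use the directory matching your release.
sudo apt update && sudo apt install syslog-ng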
RHEL/CentOS/Fedora
# Install syslog-ng
# NOTE(review): on RHEL/CentOS the package is usually provided by EPEL rather
# than the base repositories -- confirm the repo is enabled for your release.
sudo dnf install syslog-ng
# Optional modules (JSON, Python and SQL support are separate packages here)
sudo dnf install syslog-ng-json-plugin syslog-ng-python \
syslog-ng-sql-plugin
macOS
# Homebrew (packaged build: upgradable and tracked by the package manager)
brew install syslog-ng
# Build from source
# bison and flex are build dependencies.
brew install bison flex
# Clones the default branch, i.e. unreleased code; check out a release tag
# if you need a reproducible, reviewable build.
git clone https://github.com/syslog-ng/syslog-ng.git
cd syslog-ng
./autogen.sh && ./configure
# `sudo make install` writes outside Homebrew's control; the resulting
# binary is not tracked by any package manager and will not be upgraded.
make && sudo make install
Service Management
Control Syslog-NG Daemon
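# Start service
sudo systemctl start syslog-ng
# Stop service
sudo systemctl stop syslog-ng
# Restart service
sudo systemctl restart syslog-ng
# Reload configuration (without restarting)
sudo systemctl reload syslog-ng
# Check status
sudo systemctl status syslog-ng
# Enable on boot
sudo systemctl enable syslog-ng
# Check version
syslog-ng --version
# Syntax check configuration
# -s/--syntax-only parses the file and exits without starting the daemon;
# -f/--cfgfile selects the file. -F alone (as in the original) starts the
# daemon in the foreground rather than validating and exiting.
syslog-ng -s -f /etc/syslog-ng/syslog-ng.conf
# Run in foreground (debug)
# Debug output can include message content; do not leave this running in
# production or capture it into world-readable files.
syslog-ng -F -d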
Configuration Structure
Main Configuration Sections
# /etc/syslog-ng/syslog-ng.conf
# Options (global settings)
options {
# ISO 8601 timestamps with a 6-digit fraction: unambiguous (timezone is
# part of the stamp) and fine-grained enough to order events across hosts.
ts_format(iso);
frac_digits(6);
# Output queue length per destination; when a destination stalls, messages
# beyond this may be dropped, so size it with the expected volume in mind.
log_fifo_size(1000);
};
# Sources (input)
source s_local {
# Local /dev/log socket: any local process can write here, so PROGRAM/PID
# and the facility/level are self-reported by the sender, not verified.
unix-dgram("/dev/log");
# syslog-ng's own messages (startup, config errors, statistics).
internal();
};
# Filters (conditions)
filter f_auth {
facility(auth, authpriv);
};
# Destinations (output)
destination d_auth {
# No perm()/owner() here, so the file gets the global defaults; auth logs
# are sensitive -- set perm(0640) here or tighten the global options.
file("/var/log/auth.log");
};
# Paths (routes)
log {
source(s_local);
filter(f_auth);
destination(d_auth);
};
Sources (Inputs)
System Logging Sources
# Unix domain socket (standard)
source s_local {
unix-dgram("/dev/log");
};
# syslog-ng's own internal messages -- NOT kernel logs: internal() carries
# the daemon's startup/error/statistics messages. On Linux, kernel messages
# come from the system() source (or a file() source on the kernel log
# device); the name s_kernel is misleading.
source s_kernel {
internal();
};
# TCP input
# Listens on every interface on the privileged port 514 with no
# authentication or encryption: anything on the network can inject
# messages. Restrict with ip()/a firewall, or use a TLS source.
# tcp()/udp() are the legacy drivers; network() is the current one.
source s_network_tcp {
tcp(
ip(0.0.0.0)
port(514)
max-connections(256)
);
};
# UDP input (less reliable)
# Also trivially spoofable: the sender address is unauthenticated.
source s_network_udp {
udp(
ip(0.0.0.0)
port(514)
);
};
# UNIX domain stream socket
source s_local_stream {
unix-stream("/dev/log" max-connections(256));
};
# File tail (monitoring files)
# follow-freq(1): poll the file once per second for new lines.
source s_file_tail {
file("/var/log/app.log" follow-freq(1));
};
Advanced Sources
# syslog() source = IETF syslog protocol (RFC 5424 framing), not RFC 3164:
# the labels on this and the next source are reversed relative to what the
# drivers do; the names are kept so existing log paths keep working.
# ip(192.168.1.100) is the LOCAL address to bind, so this listens only on
# that interface -- a good way to stay off public-facing interfaces.
source s_rfc3164 {
syslog(
ip(192.168.1.100)
port(514)
transport(tcp)
);
};
# network() defaults to the legacy BSD/RFC 3164 format (add
# flags(syslog-protocol) for RFC 5424). transport(tls) with only
# cert-file()/key-file() encrypts the connection but, depending on the
# peer-verify() default of your version, may not authenticate the
# senders -- NOTE(review): set peer-verify() and ca-dir() explicitly.
source s_rfc5424 {
network(
ip(0.0.0.0)
port(601)
transport(tls)
tls(
cert-file("/etc/syslog-ng/cert.pem")
key-file("/etc/syslog-ng/key.pem")
)
);
};
# Windows Events
# NOTE(review): windows-eventlog() is not a driver I can confirm in the
# open-source daemon on Linux; Windows collection is normally done by a
# separate agent forwarding to a syslog()/network() source -- verify
# against your build before relying on this.
source s_windows {
windows-eventlog(
log-source("Application")
log-source("System")
log-source("Security")
);
};
Destinations (Outputs)
File-Based Destinations
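# Simple file
destination d_messages {
file("/var/log/messages");
};
# File with explicit ownership and permissions (syslog-ng does not rotate
# files itself; rotate with logrotate and reload the daemon afterwards)
destination d_rotate {
file(
"/var/log/messages"
dir_perm(0750)
perm(0640)
owner(syslog)
group(adm)
);
};
# Per-host directory structure
# The host name is taken from the message and, for network sources, is
# sender-controlled: a value containing "/" or ".." changes where the file
# is written. Use this only with local/authenticated sources, or wrap the
# macro in $(sanitize ...). NOTE(review): the rest of this file uses
# ${HOST}; confirm which macro your version defines for $HOSTNAME.
destination d_hosts {
file("/var/log/hosts/$HOSTNAME/messages.log");
};
# Dated file name
destination d_daily {
file(
"/var/log/messages-$YEAR$MONTH$DAY"
template("${TIMESTAMP} ${HOST} ${MESSAGE}\n")
);
};
# Feed messages to a command's stdin
# pipe() writes to a NAMED PIPE at the given path, so the original
# pipe("/usr/bin/mail -s ...") tried to open a FIFO with that literal name
# and could never work. program() starts the command once (via the shell)
# and writes every message to its stdin; the command line is fixed in the
# config and message content never reaches the shell.
destination d_pipe {
program("/usr/bin/mail -s 'Alert' admin@example.com");
};
# User's terminal
# Writes every routed message to all logged-in terminals; put a narrow
# filter in front of it or it becomes a nuisance for every user.
destination d_usermsg {
usertty("*");
};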
Network Destinations
# TCP to remote syslog server
# Plaintext: reliable delivery but no confidentiality or integrity on the
# wire; prefer the TLS variant below for anything that leaves the host.
destination d_remote_tcp {
syslog(
"logserver.example.com"
port(514)
transport(tcp)
);
};
# TLS encrypted
# peer-verify(required-trusted) rejects a collector whose certificate does
# not chain to a CA in ca-dir(), so the server is authenticated. Add
# cert-file()/key-file() inside tls() for a client certificate if the
# collector requires mutual TLS. (IANA's registered syslog-over-TLS port is
# 6514; 601 works as long as both ends agree.)
destination d_remote_tls {
syslog(
"logserver.example.com"
port(601)
transport(tls)
tls(
peer-verify(required-trusted)
ca-dir("/etc/ssl/certs")
)
);
};
# UDP (faster, lossy)
# No delivery guarantee, no ordering, no encryption -- and the sender cannot
# tell that the collector is down.
destination d_remote_udp {
syslog(
"logserver.example.com"
port(514)
transport(udp)
);
};
# Generic network (non-syslog)
# network() sends the legacy BSD format by default; set template() or
# flags(syslog-protocol) if the receiver expects something else.
destination d_network {
network(
"server.example.com"
port(8514)
transport(tcp)
);
};
Database and Structured Destinations
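# MySQL
# The database password sits in cleartext in this file: keep syslog-ng.conf
# readable only by root (and the syslog user if the daemon drops
# privileges), and give the "syslog" DB user INSERT-only rights on this one
# table. Requires the SQL module (syslog-ng-mod-sql / syslog-ng-sql-plugin).
destination d_mysql {
sql(
type(mysql)
host("dbserver")
port(3306)
user("syslog")
password("password")
database("syslog")
table("messages")
columns(
"timestamp"
"host"
"facility"
"priority"
"program"
"pid"
"message"
)
values(
"${ISODATE}"
"${HOST}"
"${FACILITY}"
"${PRIORITY}"
"${PROGRAM}"
"${PID}"
"${MESSAGE}"
)
);
};
# JSON to file/network
# The original hand-built the object in a template (unquoted keys, no commas
# between members, $MESSAGE pasted in unescaped), which no JSON parser
# accepts and which a message containing a quote could break or extend.
# $(format-json) escapes every value and emits one valid object per line.
destination d_json {
file(
"/var/log/messages.json"
template("$(format-json --pair timestamp=$ISODATE --pair host=$HOST --pair message=$MESSAGE)\n")
);
};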
Filters
Basic Filters
# By facility
filter f_auth {
facility(auth, authpriv);
};
filter f_kern {
facility(kern);
};
filter f_mail {
facility(mail);
};
# By priority/severity
# "a..b" is an inclusive range: warning..emerg covers warning, err, crit,
# alert and emerg.
filter f_warning {
level(warning..emerg);
};
filter f_error {
level(err, crit, alert, emerg);
};
filter f_info {
level(info, notice);
};
# Negation
# Everything except debug. Facility and level come from the message's PRI
# value, which a local sender chooses for itself, so these filters sort
# messages; they do not authenticate them.
filter f_not_debug {
not level(debug);
};
};
Content-Based Filters
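# Match message content
# type("string") is a plain, case-sensitive substring match; the default
# match type is pcre, as used by f_critical below.
filter f_errors {
match("error" value("MESSAGE") type("string"));
};
filter f_critical {
match("CRITICAL|FATAL|PANIC" value("MESSAGE"));
};
# By program/hostname
# Patterns are unanchored unless written so: anchored here so that e.g.
# "apache2ctl" or "notweb1" do not match. This matters when the value is
# set by the sender (network sources) and drives routing.
filter f_apache {
program("^apache2$");
};
filter f_webservers {
host("^web[0-9]+$" type("pcre"));
};
# Complex expressions
# program() takes a single regular expression; the original
# program("sshd", "sudo") list form is not accepted by the grammar, so the
# alternation is written as one anchored regexp.
filter f_high_priority {
level(warning..emerg) and
(facility(auth, authpriv, kern) or
program("^(sshd|sudo)$"));
};
# Exclude patterns
filter f_not_spam {
not match("heartbeat|keepalive" value("MESSAGE"));
};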
};
Parsers
Structured Parsing
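# Key-value parser
# The driver is kv-parser(); "key_value" is not a parser name. Parsed keys
# are stored under the .kv. prefix so sender-supplied names stay in their
# own namespace instead of colliding with built-in fields.
parser p_kv {
kv-parser(prefix(".kv."));
};
# JSON parser
# Without prefix() the parsed keys land directly in the message's
# name-value set; prefix(".json.") keeps them separate (see p_kv).
parser p_json {
json-parser();
};
# CSV parser
# The option is delimiters() and takes a quoted string; the original
# delimiter(,) is neither the right name nor valid syntax.
parser p_csv {
csv-parser(
columns("timestamp", "host", "severity", "message")
delimiters(",")
);
};
# Apache access log parser
# regexp-parser() takes patterns(); each named group becomes a name-value
# pair. Note the fields (IP, USER, REQUEST, ...) are copied verbatim from
# the log line -- treat them as untrusted downstream.
parser p_apache {
regexp-parser(
patterns("^(?<IP>[^ ]*) (?<IDENT>[^ ]*) (?<USER>[^ ]*) \\[(?<TIME>[^\\]]*)] \"(?<REQUEST>[^\"]*)\" (?<STATUS>[^ ]*) (?<SIZE>[^ ]*)")
);
};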
Templates
Log Formats
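# ISO 8601 timestamp
template t_iso {
template("${ISODATE} ${HOST} ${PROGRAM}[${PID}]: ${MESSAGE}\n");
};
# Detailed format
# NOTE(review): ${HOSTNAME} is not the macro the rest of this file uses
# (${HOST}); an unknown macro expands to nothing -- confirm and align.
template t_detailed {
template("${YEAR}-${MONTH}-${DAY} ${HOUR}:${MIN}:${SEC}.${MSEC} [${FACILITY}/${PRIORITY}] ${HOSTNAME} ${PROGRAM}[${PID}]: ${MESSAGE}\n");
};
# JSON format
# Built with $(format-json) instead of a hand-written object: the original
# had no commas between members and pasted ${MESSAGE} in unescaped, so a
# message containing a quote broke the record (or injected fields into
# it). Every value is now escaped; one object per line. (pid is emitted as
# a string here; the original wrote it unquoted.)
template t_json {
template("$(format-json --pair timestamp=$ISODATE --pair host=$HOST --pair program=$PROGRAM --pair pid=$PID --pair facility=$FACILITY --pair severity=$PRIORITY --pair message=$MESSAGE)\n");
};
# Short format
template t_short {
template("${HOST} ${PROGRAM}: ${MESSAGE}\n");
};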
Practical Examples
Multi-Destination Routing
# Route different facilities to different files
source s_local { unix-dgram("/dev/log"); internal(); };
# These files get the global perm/owner defaults; auth.log in particular
# should be restricted with the file() perm()/owner() options.
destination d_auth { file("/var/log/auth.log"); };
destination d_mail { file("/var/log/mail.log"); };
destination d_cron { file("/var/log/cron.log"); };
destination d_kern { file("/var/log/kern.log"); };
destination d_all { file("/var/log/syslog"); };
filter f_auth { facility(auth, authpriv); };
filter f_mail { facility(mail); };
filter f_cron { facility(cron); };
filter f_kern { facility(kern); };
# Each message is matched against every log path independently, so an auth
# message lands in auth.log AND, via the unfiltered last path, in
# /var/log/syslog. Add flags(final) to a path if matching should stop there.
log { source(s_local); filter(f_auth); destination(d_auth); };
log { source(s_local); filter(f_mail); destination(d_mail); };
log { source(s_local); filter(f_cron); destination(d_cron); };
log { source(s_local); filter(f_kern); destination(d_kern); };
log { source(s_local); destination(d_all); };
Centralized Logging with Failover
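# Centralized collection with failover
# The original log path listed both servers as destinations, which
# DUPLICATES every message to both (twice the traffic and storage, and the
# backup is always in use) -- that is mirroring, not failover. The
# failover(servers(...)) option (syslog-ng 3.17+) switches to the backup
# only while the primary is unreachable, and the disk-buffer keeps
# messages on disk while neither answers instead of dropping them.
source s_network {
# Unauthenticated plaintext listener on every interface; see the TLS
# source and destination examples for authenticated collection.
syslog(ip(0.0.0.0) port(514) transport(tcp));
};
destination d_central {
syslog(
"primary-logs.example.com"
port(514)
transport(tcp)
failover(servers("backup-logs.example.com"))
disk-buffer(disk-buf-size(1073741824) reliable(yes))
);
};
# Kept as a standalone destination for paths that address the backup
# directly; the path below no longer needs it.
destination d_backup {
syslog(
"backup-logs.example.com"
port(514)
transport(tcp)
);
};
log {
source(s_network);
destination(d_central);
};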
Content-Based Routing
# Route based on message content
source s_local { unix-dgram("/dev/log"); internal(); };
destination d_alerts { file("/var/log/alerts.log"); };
destination d_security { file("/var/log/security.log"); };
destination d_normal { file("/var/log/normal.log"); };
# Content match on the message text: any local sender can put "ALERT" in a
# message, so this selects for attention; it does not authenticate.
filter f_alert { match("ALERT|CRITICAL" value("MESSAGE")); };
filter f_security { facility(auth, authpriv); };
# Paths are independent: alert and security messages also reach normal.log
# through the unfiltered last path unless flags(final) is added.
log { source(s_local); filter(f_alert); destination(d_alerts); };
log { source(s_local); filter(f_security); destination(d_security); };
log { source(s_local); destination(d_normal); };
Troubleshooting
Common Issues
Issue: Logs not being collected
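# Check if syslog-ng is running
sudo systemctl status syslog-ng
# Syntax validation (-s/--syntax-only parses and exits; -F would start the
# daemon in the foreground instead)
sudo syslog-ng -s -f /etc/syslog-ng/syslog-ng.conf
# Run in debug mode (stop with Ctrl-C; if the service is still running, the
# foreground instance may fail to bind /dev/log, so stop the service first)
sudo syslog-ng -F -d
# Check file permissions
ls -la /dev/log
ls -la /var/log/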
Issue: Configuration doesn’t apply
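# Reload configuration
# Validate first: a reload with a broken config logs an error and (usually)
# keeps the old config running, which is easy to miss.
sudo syslog-ng -s -f /etc/syslog-ng/syslog-ng.conf && sudo systemctl reload syslog-ng
# Or restart
sudo systemctl restart syslog-ng
# Verify new config is loaded
# ps only shows the process is alive, not which config it accepted; the
# daemon's own messages say whether the reload succeeded.
ps aux | grep syslog-ng
sudo journalctl -u syslog-ng -n 50 --no-pager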
Issue: High memory or CPU usage
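# Check process stats
ps aux | grep syslog-ng
# Reduce log volume by filtering
# Add more specific filters to reduce processing
# Check for stuck connections
# (netstat -an prints no process names and "port" is not an address, so the
# original grep could never match; ss -p lists the owning process)
sudo ss -tnp | grep syslog-ng
# Adjust queue sizes in options{}
options {
log_fifo_size(500);
log-iw-size(100);
};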
Issue: Remote logging not working
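# Test network connectivity (telnet is often not installed; nc -z only
# checks that the port accepts connections)
nc -zv logserver.example.com 514
# Check firewall -- on the COLLECTOR. The original rules opened 514/tcp to
# the world; limit it to the networks your senders live in (192.0.2.0/24
# below is a constructed placeholder). A firewall-cmd --permanent rule is
# not live until --reload.
sudo ufw allow from 192.0.2.0/24 to any port 514 proto tcp
sudo firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="192.0.2.0/24" port port="514" protocol="tcp" accept'
sudo firewall-cmd --reload
# Verify destination config
sudo syslog-ng -s -f /etc/syslog-ng/syslog-ng.conf
# Test with logger: the first goes through the local daemon (tests the
# whole path); the second sends straight from logger to the collector over
# TCP (-n/-P/-T), which isolates network problems from config problems.
logger "Test message"
logger -n logserver.example.com -P 514 -T "Test message"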
Best Practices
Configuration
- Use drop-in files in /etc/syslog-ng/conf.d/ for modular config
- Test all configuration changes with the -i flag before reloading
- Comment all custom filters and destinations
- Use meaningful names for sources, filters, and destinations
- Implement log rotation via syslog-ng or logrotate
- Back up working configurations before major changes
- Version control syslog-ng configurations
Security
- Run syslog-ng as unprivileged user (syslog)
- Use TLS for remote syslog collection
- Restrict file permissions (640 or 600 for sensitive logs)
- Implement log file encryption for sensitive data
- Monitor log access with audit trails
- Use authentication for remote destinations
- Separate logs by sensitivity level
- Implement log integrity checks
Performance
- Use appropriate queue sizes based on message volume
- Monitor disk I/O and memory usage
- Filter unnecessary logs at source
- Use disk queues for reliable delivery
- Adjust timestamp precision based on needs
- Implement log sampling for high-volume sources
- Use UDP only for non-critical logs
- Monitor network latency for remote destinations
Operations
- Set up centralized log collection architecture
- Implement log rotation and archival
- Create alerts for critical log patterns
- Document all custom configurations
- Test disaster recovery procedures
- Monitor syslog-ng daemon health
- Implement backup logging paths
- Plan capacity for log growth
Related Tools
- Rsyslog - Alternative syslog daemon
- Elasticsearch - Log indexing and search
- Kibana - Log visualization
- Logrotate - Log file rotation
Last updated: 2026-03-30