How to receive logs from a remote host using syslog-ng

In this post, I would like to show you how you can configure syslog-ng to receive logs from a remote host.

Search for syslog-ng package

I will install syslog-ng on an Ubuntu machine.

To search for the syslog-ng package, run the command below:

petru@ubuntu-dev:~$ apt-cache search syslog | grep 'syslog-ng '
syslog-ng - Enhanced system logging daemon (metapackage)
petru@ubuntu-dev:~$ 
Search for syslog-ng package

Install syslog-ng on Ubuntu

After you have found the package for syslog-ng, you need to install it.

Run the following command and, when prompted, press the 'Y' key.

petru@ubuntu-dev:~$ sudo apt-get install syslog-ng
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following packages were automatically installed and are no longer required:
  libestr0 libfastjson4
Use 'sudo apt autoremove' to remove them.
The following additional packages will be installed:
  libbson-1.0-0 libdbi1 libesmtp6 libhiredis0.14 libivykis0 libmongoc-1.0-0
  libmongocrypt0 libnet1 libprotobuf-c1 librabbitmq4 librdkafka1
  libriemann-client0 libsnappy1v5 syslog-ng-core
  syslog-ng-mod-add-contextual-data syslog-ng-mod-amqp syslog-ng-mod-examples
  syslog-ng-mod-extra syslog-ng-mod-geoip2 syslog-ng-mod-getent
  syslog-ng-mod-graphite syslog-ng-mod-http syslog-ng-mod-map-value-pairs
  syslog-ng-mod-mongodb syslog-ng-mod-python syslog-ng-mod-rdkafka
  syslog-ng-mod-redis syslog-ng-mod-riemann syslog-ng-mod-slog
  syslog-ng-mod-smtp syslog-ng-mod-snmp syslog-ng-mod-sql
  syslog-ng-mod-stardate syslog-ng-mod-stomp syslog-ng-mod-xml-parser
Suggested packages:
  rabbitmq-server graphite-web mongodb-server libdbd-mysql libdbd-pgsql
  libdbd-sqlite3 activemq
The following packages will be REMOVED:
  rsyslog
The following NEW packages will be installed:
  libbson-1.0-0 libdbi1 libesmtp6 libhiredis0.14 libivykis0 libmongoc-1.0-0
  libmongocrypt0 libnet1 libprotobuf-c1 librabbitmq4 librdkafka1
  libriemann-client0 libsnappy1v5 syslog-ng syslog-ng-core
  syslog-ng-mod-add-contextual-data syslog-ng-mod-amqp syslog-ng-mod-examples
  syslog-ng-mod-extra syslog-ng-mod-geoip2 syslog-ng-mod-getent
  syslog-ng-mod-graphite syslog-ng-mod-http syslog-ng-mod-map-value-pairs
  syslog-ng-mod-mongodb syslog-ng-mod-python syslog-ng-mod-rdkafka
  syslog-ng-mod-redis syslog-ng-mod-riemann syslog-ng-mod-slog
  syslog-ng-mod-smtp syslog-ng-mod-snmp syslog-ng-mod-sql
  syslog-ng-mod-stardate syslog-ng-mod-stomp syslog-ng-mod-xml-parser
0 upgraded, 36 newly installed, 1 to remove and 6 not upgraded.
Need to get 2,604 kB of archives.
After this operation, 8,003 kB of additional disk space will be used.
Do you want to continue? [Y/n] 
Install syslog-ng

Check if syslog-ng is up and running

After the installation process finishes, check that syslog-ng is up and running. Note that apt removed rsyslog in the step above (the two packages conflict), so from now on syslog-ng is also the local system logger for this machine.

petru@ubuntu-dev:~$ systemctl status syslog-ng.service 
● syslog-ng.service - System Logger Daemon
     Loaded: loaded (/lib/systemd/system/syslog-ng.service; enabled; vendor pre>
     Active: active (running) since Thu 2023-06-29 18:08:13 BST; 1min 49s ago
       Docs: man:syslog-ng(8)
   Main PID: 9773 (syslog-ng)
      Tasks: 2 (limit: 4573)
     Memory: 151.8M
        CPU: 6.658s
     CGroup: /system.slice/syslog-ng.service
             └─9773 /usr/sbin/syslog-ng -F

Jun 29 18:08:13 ubuntu-dev systemd[1]: Starting System Logger Daemon...
Jun 29 18:08:13 ubuntu-dev syslog-ng[9773]: [2023-06-29T18:08:13.642828] WARNIN>
Jun 29 18:08:13 ubuntu-dev syslog-ng[9773]: DIGEST-MD5 common mech free
Jun 29 18:08:13 ubuntu-dev syslog-ng[9773]: [2023-06-29T18:08:13.726643] WARNIN>
Jun 29 18:08:13 ubuntu-dev systemd[1]: Started System Logger Daemon.
petru@ubuntu-dev:~$ 
Check the status of syslog-ng service

Change the default configuration

Now, you need to change the default configuration for syslog-ng according to your needs. You can find the default configuration files in the directory /etc/syslog-ng. Before editing the main configuration file, make a backup in case you need it later.

petru@ubuntu-dev:~$ cd /etc/syslog-ng/
petru@ubuntu-dev:/etc/syslog-ng$ ls
conf.d  patterndb.d  scl.conf  syslog-ng.conf
petru@ubuntu-dev:/etc/syslog-ng$ sudo cp syslog-ng.conf syslog-ng.conf.bk
[sudo] password for petru: 
petru@ubuntu-dev:/etc/syslog-ng$ ls
conf.d  patterndb.d  scl.conf  syslog-ng.conf  syslog-ng.conf.bk
petru@ubuntu-dev:/etc/syslog-ng$
Make a backup for the default syslog-ng configuration file

In order to receive the logs from remote hosts, you need to make some changes to the default configuration file. I added the following lines to the default configuration file:

petru@ubuntu-dev:/etc/syslog-ng$ grep 'Lines added by Petru' -A 2 syslog-ng.conf
# Lines added by Petru

source s_network { udp(ip(172.16.10.150) port(514)); };
--
# Lines added by Petru
destination d_$HOST { file("/var/log/remote/$HOST.log"); };

--
# Lines added by Petru
log { source(s_network); destination(d_$HOST); };

petru@ubuntu-dev:/etc/syslog-ng$ 
Change the default configuration according to your needs

source s_network { udp(ip(172.16.10.150) port(514)); }; -> Here you specify the IP address and UDP port on which syslog-ng listens for incoming syslog datagrams (UDP has no connections, so there is nothing to accept; every datagram that arrives is treated as a message). Binding to one address instead of 0.0.0.0 limits the listener to that interface, and 514/udp is the conventional syslog port. Keep in mind that UDP syslog is neither authenticated nor encrypted: any host that can reach this port can inject log lines, so restrict the port with a host firewall to the senders you expect, and for anything sensitive prefer a TCP or TLS transport.

As you can see from the screenshot below, my Ubuntu machine is listening for UDP datagrams on IP address 172.16.10.150 and port 514.

Check for UDP listening ports

destination d_$HOST { file("/var/log/remote/$HOST.log"); }; -> Here you specify where the logs will be stored. The $HOST inside file() is a syslog-ng macro that is expanded for every message, so each sending host gets its own file under /var/log/remote (the $HOST in the destination name is just part of the identifier and has no effect; a plainer name such as d_remote is easier to read). Two caveats: the directory /var/log/remote must already exist, because syslog-ng does not create missing directories unless the file destination has create_dirs(yes); and by default $HOST is taken from the hostname field of the received message, which the sender controls, so a remote host can choose which file its lines land in. If you want the collector to decide, set keep_hostname(no) on the source or name the file by $SOURCEIP.

log { source(s_network); destination(d_$HOST); }; -> This line glues the two statements above together: every message read from s_network is written to the destination. The default log paths for local logging stay in place, since these lines are only appended to the configuration.

Location where the new logs will be stored

Restart the syslog-ng service

After you finish changing the configuration according to your environment, you need to restart the syslog-ng service for the new changes to take effect. syslog-ng can check a configuration for syntax errors without starting (syslog-ng --syntax-only), which is worth doing first: a restart with a broken configuration stops local logging as well as remote logging.

petru@ubuntu-dev:/etc/syslog-ng$ sudo systemctl restart syslog-ng
petru@ubuntu-dev:/etc/syslog-ng$ sudo systemctl status syslog-ng
● syslog-ng.service - System Logger Daemon
     Loaded: loaded (/lib/systemd/system/syslog-ng.service; enabled; vendor preset: enabled)
     Active: active (running) since Thu 2023-06-29 19:03:38 BST; 5s ago
       Docs: man:syslog-ng(8)
   Main PID: 11652 (syslog-ng)
      Tasks: 4 (limit: 4573)
     Memory: 3.4M
        CPU: 36ms
     CGroup: /system.slice/syslog-ng.service
             └─11652 /usr/sbin/syslog-ng -F

Jun 29 19:03:38 ubuntu-dev systemd[1]: Starting System Logger Daemon...
Jun 29 19:03:38 ubuntu-dev syslog-ng[11652]: [2023-06-29T19:03:38.666396] WARNING: Configuration>
Jun 29 19:03:38 ubuntu-dev syslog-ng[11652]: DIGEST-MD5 common mech free
Jun 29 19:03:38 ubuntu-dev syslog-ng[11652]: [2023-06-29T19:03:38.697903] WARNING: The internal_>
Jun 29 19:03:38 ubuntu-dev systemd[1]: Started System Logger Daemon.
petru@ubuntu-dev:/etc/syslog-ng$ 
Restart the syslog-ng service

Check the logs for syslog-ng service

If you make a mistake in the configuration file, the syslog-ng service will not start. When you check the status of the syslog-ng service you will see something similar to the screenshot below.

syslog-ng service failed

You can check the journal for more details about why the syslog-ng service failed; the parse error, with the file name and line number, is printed a few lines before the failure messages shown here.

To check the logs, run this command:

petru@ubuntu-dev:/etc/syslog-ng$ journalctl -u syslog-ng -f
Jun 29 19:07:18 ubuntu-dev syslog-ng[11709]: syslog-ng documentation: https://www.syslog-ng.com/technical-documents/list/syslog-ng-open-source-edition
Jun 29 19:07:18 ubuntu-dev syslog-ng[11709]: contact: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Jun 29 19:07:18 ubuntu-dev systemd[1]: syslog-ng.service: Main process exited, code=exited, status=1/FAILURE
Jun 29 19:07:18 ubuntu-dev systemd[1]: syslog-ng.service: Failed with result 'exit-code'.
Jun 29 19:07:18 ubuntu-dev systemd[1]: Failed to start System Logger Daemon.
Jun 29 19:07:18 ubuntu-dev systemd[1]: syslog-ng.service: Scheduled restart job, restart counter is at 5.
Jun 29 19:07:18 ubuntu-dev systemd[1]: Stopped System Logger Daemon.
Jun 29 19:07:18 ubuntu-dev systemd[1]: syslog-ng.service: Start request repeated too quickly.
Jun 29 19:07:18 ubuntu-dev systemd[1]: syslog-ng.service: Failed with result 'exit-code'.
Jun 29 19:07:18 ubuntu-dev systemd[1]: Failed to start System Logger Daemon.
Check syslog-ng logs

In my case the service failed because I forgot to add the ; at the end of the line. Every source, destination, filter and log statement in syslog-ng.conf is terminated by a semicolon, including the one after the closing brace of the block (};).

It should be like this:

After adding the missing ;, syslog-ng is running as it should.

Confirm that you receive the logs from the remote hosts

Now that the syslog-ng service is up and running, you need to confirm that the logs from the remote hosts are received by your machine. I configured a Cisco switch to send the logs to this Ubuntu machine.

Confirm that the logs from remote hosts are received successfully

As you can see, the logs are present. Everything is working fine.
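Bringing the steps above together (the lines from "Change the default configuration" and the delivery check from this section), here is an added example script that is not part of the original post. It writes a drop-in under /etc/syslog-ng/conf.d (which the Ubuntu package's syslog-ng.conf includes), syntax-checks it before restarting, confirms the UDP listener is bound, and sends itself a test datagram. The listen address 172.16.10.150 and port 514 are the post's values; the drop-in file name, the hardened source and destination options, the syslog-ng-test tag and the apply argument are my assumptions. The drop-in tightens the post's three lines: keep_hostname(no) and use_dns(no) make syslog-ng fill $HOST from the sender's address instead of the hostname field inside the message, files are named by ${SOURCEIP} and created with restrictive permissions, and create_dirs(yes) saves creating /var/log/remote by hand.

```shell
#!/bin/bash
# Added example (not from the original post): deploy a hardened drop-in for
# receiving remote syslog over UDP with syslog-ng and verify it end to end.
# Assumptions (mine, not the post's): the drop-in path, the hardened options,
# the "syslog-ng-test" tag and the "apply" argument.
set -eu

LISTEN_IP="${LISTEN_IP:-172.16.10.150}"   # the post's collector address
LISTEN_PORT="${LISTEN_PORT:-514}"
DROPIN="/etc/syslog-ng/conf.d/remote.conf"
LOGDIR="/var/log/remote"

# PRI = facility * 8 + severity (RFC 3164); e.g. local7 (23) . info (6) -> 190.
syslog_pri() {
    echo $(( $1 * 8 + $2 ))
}

# Build a BSD-syslog line: <PRI>TIMESTAMP HOSTNAME TAG: MSG
# The HOSTNAME field is whatever the sender puts there, which is why a
# collector should not use it to pick file names or make access decisions.
build_syslog_msg() {
    local facility=$1 severity=$2 host=$3 tag=$4 stamp=$5 text=$6
    printf '<%s>%s %s %s: %s' "$(syslog_pri "$facility" "$severity")" \
        "$stamp" "$host" "$tag" "$text"
}

# Render the drop-in for a given listen address and port. Compared with the
# post's three lines: keep_hostname(no)/use_dns(no) set $HOST from the sender
# address, files are named by $SOURCEIP under a root:adm 0750 directory with
# 0640 files, and create_dirs(yes) lets syslog-ng create /var/log/remote.
render_remote_conf() {
    sed -e "s/__IP__/$1/" -e "s/__PORT__/$2/" <<'EOF'
# Remote syslog collector (drop-in for /etc/syslog-ng/conf.d)
source s_network {
    network(
        ip(__IP__) port(__PORT__) transport("udp")
        keep_hostname(no) use_dns(no)
    );
};

destination d_remote {
    file("/var/log/remote/${SOURCEIP}.log"
        create_dirs(yes) dir_perm(0750) perm(0640)
        owner("root") group("adm")
    );
};

log { source(s_network); destination(d_remote); };
EOF
}

deploy_and_verify() {
    # 1. Write the drop-in and pre-create the log directory with tight perms.
    render_remote_conf "$LISTEN_IP" "$LISTEN_PORT" > "$DROPIN"
    install -d -m 0750 -o root -g adm "$LOGDIR"

    # 2. Syntax-check before restarting, so a missing ';' cannot take the
    #    system logger down (the failure the post ran into).
    syslog-ng --syntax-only
    systemctl restart syslog-ng

    # 3. Confirm the UDP listener is bound where we expect.
    ss -ulnp | grep -qF "$LISTEN_IP:$LISTEN_PORT " \
        || { echo "no UDP listener on $LISTEN_IP:$LISTEN_PORT" >&2; exit 1; }

    # 4. Send a test datagram whose header claims to come from "spoofed-host".
    #    With keep_hostname(no) it must land in the file named after the real
    #    sender address, not in spoofed-host.log. (/dev/udp is a bash feature.)
    local token="collector self-test $$"
    local msg
    msg=$(build_syslog_msg 23 6 spoofed-host syslog-ng-test \
          "$(date '+%b %e %H:%M:%S')" "$token")
    printf '%s\n' "$msg" > "/dev/udp/$LISTEN_IP/$LISTEN_PORT"
    sleep 1
    grep -rl "$token" "$LOGDIR" \
        || { echo "test message did not reach $LOGDIR" >&2; exit 1; }
    [ ! -e "$LOGDIR/spoofed-host.log" ] \
        || echo "WARNING: the sender chose the file name; check keep_hostname(no)" >&2
}

# Run the deployment only when invoked as root with "apply";
# sourcing the file just defines the functions.
if [ "${1:-}" = "apply" ]; then
    deploy_and_verify
fi
```

Run it on the collector as root with sudo bash remote-syslog.sh apply; without the argument it only defines the functions. The final check is the security-relevant one: the datagram's header claims the hostname spoofed-host, and with keep_hostname(no) the line is still written to the file named after the real sender address, so a spoofed-host.log appearing tells you the source option was not applied. For senders that reach the collector over an untrusted network, change transport("udp") to transport("tls") with a tls() block, because UDP syslog is neither authenticated nor encrypted.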

For more information regarding syslog-ng, check the official documentation.

For more Linux posts, check this page.

In the next post, I will show you how to configure the Cisco switch or router to send logs to a remote syslog server.

I hope you find this post useful. Share it on your social media channels so that other people can read it too.
