
Syslog-ng Configuration

The basic configuration sends your local system logs to Loggly and provides a foundation for adding file and application logs. If you are unable to use our automated configure-syslog script, this guide will help you set up manually with a quick copy and paste. It assumes you have sudo access, you are on a common Linux distribution with syslog-ng 3.2 or higher, syslog-ng receives the local system logs, and port 514 is open for outbound connections. If you have different requirements, please see the Advanced section.

Syslog-ng Configuration Guide

1. Update syslog-ng.conf

Open your syslog-ng.conf file, which is usually found in the /etc/syslog-ng/ directory.

sudo vim /etc/syslog-ng/syslog-ng.conf

Paste in this configuration:

### Syslog-ng Logging Directives for ###
source s_loggly {
    system();      # Check which OS & collect system logs
    internal();    # Collect syslog-ng's own log messages
};

# RFC 5424 layout with the Loggly token and tag carried in the structured-data block
template LogglyFormat {
    template("<${PRI}>1 ${ISODATE} ${HOST} ${PROGRAM} ${PID} ${MSGID} [TOKEN@41058 tag=\"TAG\" ] $MSG\n");
};

destination d_loggly {
    tcp("" port(514) template(LogglyFormat));    # Plain TCP on port 514
};

# Sources and destinations only take effect once a log statement connects them
log {
    source(s_loggly);
    destination(d_loggly);
};
### END Syslog-ng Logging Directives for ###

Replace the above variables:

  • TOKEN: Replace with your customer token
  • TAG: Replace with a tag that describes the syslog source.

2. Restart syslog-ng

$ /etc/init.d/syslog-ng restart

3. Verify

Use logger to send a test event. Alternatively, use the automatic verification option in configure-syslog.

$ logger 'Hello World!'

Verify it shows up in Loggly by doing a search over the past hour. If it doesn't work, see the troubleshooting section below.
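As an added check for this step (example code written for this page, not part of Loggly's documentation or of the syslog-ng project), the following Python script parses a line in the exact shape the LogglyFormat template above produces and reports the mistakes that most often make the Loggly search come back empty: the TOKEN or TAG placeholder left in place, a token that is not in UUID form (an assumption about how Loggly customer tokens look), a missing structured-data block, or a block carrying an enterprise ID other than 41058. Feed it a captured line, for example from a temporary file() destination using the same template or from a packet capture, before blaming the network. The sample lines inside are constructed for the example, and the parser assumes each of the seven header fields is non-empty.

```python
"""RFC 5424 check for lines in the LogglyFormat shape (added example, not Loggly's code).

Expected line shape, as emitted by the template in the guide:
  <PRI>1 ISODATE HOST PROGRAM PID MSGID [TOKEN@41058 tag="TAG" ] MSG
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

LOGGLY_ENTERPRISE_ID = "41058"   # enterprise number from the template in the guide

# Seven header fields of an RFC 5424 message, then whatever follows.
_HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>\d+) (?P<ts>\S+) (?P<host>\S+) "
    r"(?P<app>\S+) (?P<pid>\S+) (?P<msgid>\S+) ?(?P<rest>.*)$",
    re.DOTALL,
)
# One structured-data element: [SD-ID PARAM="value" ... ]
_SD_ELEMENT = re.compile(r'\[(?P<sdid>[^\s=\]"]+)(?P<params>(?: [^\s=\]"]+="[^"]*")*) ?\]')
_SD_PARAM = re.compile(r'([^\s=\]"]+)="([^"]*)"')
# Assumption: Loggly customer tokens have the 8-4-4-4-12 hex UUID form.
_UUID = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I)


@dataclass
class ParsedLine:
    pri: int
    timestamp: str
    host: str
    program: str
    pid: str
    msgid: str
    token: Optional[str]
    tags: List[str]
    message: str
    problems: List[str] = field(default_factory=list)

    @property
    def facility(self) -> int:
        return self.pri // 8      # PRI = facility * 8 + severity

    @property
    def severity(self) -> int:
        return self.pri % 8


def parse_loggly_line(line: str) -> ParsedLine:
    """Parse one line; raise ValueError if it is not an RFC 5424 message at all."""
    m = _HEADER.match(line.rstrip("\r\n"))
    if m is None:
        raise ValueError("not an RFC 5424 header: %r" % line[:60])
    rest = m.group("rest")
    token: Optional[str] = None
    tags: List[str] = []
    problems: List[str] = []
    if m.group("version") != "1":
        problems.append("version %s is not 1" % m.group("version"))

    if rest.startswith("["):
        sd = _SD_ELEMENT.match(rest)
        if sd is None:
            problems.append("malformed structured-data block")
            message = rest
        else:
            sdid = sd.group("sdid")
            if "@" in sdid:
                token, enterprise = sdid.split("@", 1)
                if enterprise != LOGGLY_ENTERPRISE_ID:
                    problems.append("enterprise id %s is not %s" % (enterprise, LOGGLY_ENTERPRISE_ID))
            else:
                problems.append("SD-ID %r carries no @enterprise suffix" % sdid)
            tags = [v for k, v in _SD_PARAM.findall(sd.group("params")) if k == "tag"]
            message = rest[sd.end():].lstrip(" ")
    else:
        problems.append("no structured-data block, so no token: Loggly cannot attribute the event")
        message = rest

    if token == "TOKEN":
        problems.append("placeholder TOKEN was not replaced")
    elif token is not None and not _UUID.match(token):
        problems.append("token %r is not in UUID form" % token)
    if "TAG" in tags:
        problems.append("placeholder TAG was not replaced")

    return ParsedLine(int(m.group("pri")), m.group("ts"), m.group("host"), m.group("app"),
                      m.group("pid"), m.group("msgid"), token, tags, message, problems)


def check_lines(lines) -> List[Tuple[int, List[str]]]:
    """Return (line number, problems) for every non-blank line that has problems."""
    report = []
    for n, line in enumerate(lines, 1):
        if not line.strip():
            continue
        try:
            problems = parse_loggly_line(line).problems
        except ValueError as exc:
            problems = [str(exc)]
        if problems:
            report.append((n, problems))
    return report


# Constructed sample lines (not captured from a real system).
SAMPLE_LINES = [
    '<13>1 2024-05-01T12:00:00+00:00 web01 logger 4242 - [123e4567-e89b-12d3-a456-426614174000@41058 tag="nginx" ] Hello World!',
    '<13>1 2024-05-01T12:00:01+00:00 web01 logger 4243 - [TOKEN@41058 tag="TAG" ] Hello World!',
    '<13>1 2024-05-01T12:00:02+00:00 web01 logger 4244 - Hello World!',
]

if __name__ == "__main__":
    for n, problems in check_lines(SAMPLE_LINES):
        print("line %d: %s" % (n, "; ".join(problems)))
```

Run it with a file of captured lines on stdin or imported as a module; only the first sample passes, the second is flagged for both placeholders, and the third for the missing structured-data block.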

4. Send Application Data

Advanced Syslog-ng Configuration Options

Troubleshooting Syslog-ng

If you don’t see any data show up in the verification step, then check for these common problems.

  • Make sure you restarted syslog-ng after editing the configuration.
  • Check the syslog-ng logs in /var/log/messages.
  • Verify syslog-ng is sending data to Loggly by running "logger test" and then searching for that event in Loggly.
  • Run "syslog-ng -s" (syntax check only) before reloading or restarting syslog-ng, so a typo in the configuration does not take logging down.
  • Make sure port 514 is open for regular syslog, or 6514 for TLS-encrypted syslog.
  • SELinux / AppArmor can cause mysterious trouble, as both limit what syslog-ng can read and write on a system. SELinux can even prevent you from sending or receiving logs on a port other than 514. Check the contents of /var/log/audit if you believe your configuration is correct but still get "permission denied" / "unable to connect" messages, or just silent failures.
  • You can start syslog-ng in verbose / debug mode in the foreground to see on the console what syslog-ng is doing. Use: syslog-ng -Fevd
  • It is not enough to define sources and destinations; they also need to be connected using a log statement.
  • Search or post your own question in the community forum.