Syslog-ng Configuration

The Basic configuration will send your local system logs to Loggly, and offer a foundation to add file and application logs. If you are unable to use our automated configure-syslog script, this guide will help you setup manually with a quick copy & paste. It assumes you have sudo access, you’re on a common linux distribution with syslog-ng 3.2 or higher, it receives local system logs, and port 514 is open to outbound connections. If you have different requirements, please see the Advanced section.

Syslog-ng Configuration Guide

  1. Update syslog-ng.conf
    Open your syslog-ng.conf file, which is usually found in the /etc/syslog-ng/ directory.

    sudo vim /etc/syslog-ng/syslog-ng.conf

    Paste in this configuration:

    ### Syslog-ng Logging Directives for Loggly.com ###
    source s_loggly {
    	system();	# Check which OS & collect system logs
    	internal();	# Collect syslog-ng logs
    };
    
    template LogglyFormat { template("<${PRI}>1 ${ISODATE} ${HOST} ${PROGRAM} ${PID} ${MSGID} [TOKEN@41058 tag=\"TAG\" ] $MSG\n");
    	template_escape(no);
    };
    
    destination d_loggly {
    	tcp("logs-01.loggly.com" port(514) template(LogglyFormat));
    };
    
    log { 
    	source(s_loggly); 
    	destination(d_loggly); 
    };
    ### END Syslog-ng Logging Directives for Loggly.com ###
    

    Replace the above variables:

    • TOKEN: Replace with your customer token
    • TAG: Replace with a tag that describes the syslog source.
  2. Restart syslog-ng

    $ /etc/init.d/syslog-ng restart
    
  3. Verify
    Use Logger to send a test event. Alternatively, use the automatic verification option in configure-syslog.

    $ logger 'Hello World!'

    Verify it shows up in Loggly by doing a search over the past hour (click to expand screenshot). If it doesn’t work, see the troubleshooting section below.
    Syslog-ng Configuration

  4. Send Application Data

Advanced Syslog-ng Configuration Options

Troubleshooting Syslog-ng

If you don’t see any data show up in the verification step, then check for these common problems.

  • Make sure you restarted syslog-ng
  • Check the syslog-ng logs in /var/log/messages
  • Verify syslog-ng is sending data to Loggly by running “logger test” then searching for that event in Loggly
  • Use a “syslog-ng -s” before reloading / restarting syslog-ng to minimize down time after editing the configuration
  • Make sure port 514 is open for regular syslog or 6514 for TLS encrypted
  • SELinux / Apparmor can cause mysterious troubles as both of these technologies limit what syslog-ng can read and write on a system. SELinux can even prevent you sending or receiving longs on other port than 514. Check the content of /var/log/audit if you think that your configuration is correct and you still get permission denied / unable to connect messages or just silent failures.
  • You can start syslog-ng in verbose / debug mode in the foreground to see on the console what syslog-ng is doing. Use: syslog-ng Fevd
  • It is not enough to define sources and destinations, they also need to be connected using a log statement.
  • Search or post your own question in the community forum.
Thanks for the feedback! We'll use it to improve our support documentation.


Top