Questions tagged [syslog-ng]
The syslog-ng application is a flexible and highly scalable system logging application that is ideal for creating centralized and trusted logging solutions.
208 questions
2 votes
0 answers
99 views
syslog-ng spamming logs with HTTP header info since 4.8.2 update
I'm running syslog-ng OSE on Ubuntu 24.04, using the official syslog-ng.com repo. I'm feeding logs to the OpenObserve HTTP destination. destination d_openobserve_http { openobserve-log( ...
0 votes
0 answers
96 views
syslog-ng not recognising unix-dgram destination
version info: rful011@secmgrprd01:/usr/local/etc/syslog-ng/conf.d$ sudo /usr/local/sbin/syslog-ng --version syslog-ng 3 (3.35.1) Config version: 3.35 Installer-Version: 3.35.1 Revision: Compile-Date: ...
0 votes
1 answer
208 views
Why does my syslog-ng Docker container restart every ~1 minute?
I have a Docker Swarm with various services running. I've added a syslog-ng OSE service using https://github.com/linuxserver/docker-syslog-ng. The syslog-ng stack has the following docker-compose.yml: ...
0 votes
0 answers
61 views
Exclusions and Inclusion in syslog-ng
I have 2 syslog-ng filters that I want to merge together, but I am not getting the right syntax: {netmask(192.168.0.1/32) or netmask(192.16.0.5/32);}; and {not(match("sso_login") or match("fake-...
0 votes
2 answers
254 views
syslog-ng not logging info level logs
I have the following syslog-ng config @version: 4.6 # # Syslog-ng default configuration file for Gentoo Linux # https://bugs.gentoo.org/426814 @include "scl.conf" options { threaded(...
1 vote
2 answers
756 views
syslog-ng adds a prefix to syslog messages
I have a squid proxy logging access logs to a file and syslog-ng reading those logs and based on squid's action it sets a severity - either info or notice - and forwards that as a syslog message to a ...
0 votes
2 answers
657 views
Syslog-ng, sending logs to elasticsearch with basic auth using https
Right now I'm running syslog-ng 3 (3.35.1) on Ubuntu 22.04.1 LTS. The goal is to use the https secured protocol to send data and to use basic authentication. Syslog-ng is properly sending logs to ...
2 votes
2 answers
624 views
How to tell syslog-ng to ignore source files if they are absent
I'm trying to deploy a standard configuration file for syslog-ng on multiple linux servers. My infrastructure includes many services (apache, confluence, ...) with log file located at various places. ...
0 votes
1 answer
572 views
Postgrey logging options
I am running Debian 12, Postfix with Postgrey. I cannot seem to get Postgrey to log to mail.log. I am using syslog-ng; I was using rsyslog. I have mail pointing to the mail.log file and inside /etc/...
1 vote
2 answers
2k views
Syslog-ng multiple filters
I am fairly new to syslog-ng and I have the following issue. I have a Checkpoint firewall that sends the logs to a Splunk server. Due to the huge amount of data sent by the firewall, I tried to filter ...
1 vote
1 answer
1k views
Syslog-NG TLS configuration issue (peer did not return a certificate)
Configuring a syslog-ng server to receive syslog messages from a cloud service over TLS. The syslog-ng server is on an Ubuntu instance on Azure and the latest version (4.5). This is a basic ...
0 votes
1 answer
1k views
Syslog-ng syslog format to JSON format: are there prerequisites?
My first time posting to Stack Overflow. I apologize if I am re-asking a question. I tried to search but nothing is really clear about what I'm trying to understand. Do I need to configure additional ...
0 votes
1 answer
758 views
How to forward logs from syslog-ng to journald?
journald does everything I need except listen on the UDP port. I want to use syslog-ng as a forwarder from the UDP port to journald. There's a simple program called 'udp514-journal' that can handle ...
0 votes
1 answer
136 views
Can't exclude a specific message from a remote logging
I manage logs on FreeBSD 13.2 via syslog-ng. The current syslog-ng config has some lines to send data to a remote server (Debian 10 - 192.168.0.2:3000). destination lc_net { tcp("192.168.0.2" ...
0 votes
1 answer
561 views
Syslog-ng to Azure Event Hub
I'm looking to send specific logs from my syslog-ng cluster to Azure event hub so it can utilize ADX instead of Log Analytics workspace. Per the documentation found on syslog-ng's website (here), the ...
-1 votes
1 answer
683 views
Sending rotated files with syslog-ng
Hello, I am currently sending the Suricata logs from a probe to a syslog-ng server (172.16.238.15): @version: 3.25 options { keep-timestamp (no); chain_hostnames (off); keep_hostname (no); };...
1 vote
1 answer
1k views
syslog-ng: Timezone change and $HOUR macro
Here's a log line from an appliance coming in as UTC: <166>2023-06-13T16:03:44Z .................. We store this as in files, in Europe/London timezone: destination d_all { file("/srv/...
1 vote
2 answers
402 views
syslog-ng filter log by frequency to destination file
I have a syslog-ng that receives too many logs and I am trying a way to 'sample' them using some filter. I assume editing the /etc/syslog-ng/syslog-ng.conf with something like log { source(s_udp514); ...
0 votes
1 answer
559 views
Syslog-ng enable TCP framing
I'm trying to send file entries as messages via TCP, where syslog-ng is in a container and it is sending to another container. I've had two different attempts both with problematic behavior. The first ...
1 vote
2 answers
1k views
Find process that makes outbound HTTP calls, trying auditd with syslog-ng
Some application (it's unknown which) makes sporadic, irregular, rare, short outbound HTTP(S) requests to a known host/port/url (this is a WAF honeypot; host/url/port is known) using the HTTPS protocol. ...
1 vote
2 answers
1k views
Why would you want to change the log_msg_size from syslog-ng's default of 64k?
Per the syslog-ng admin guide, the log_msg_size defaults to 64k (65536 bytes) However, I have seen some sample syslog-ng config files (like this one) that drop this to <18k (18192 bytes) Why would ...
0 votes
1 answer
1k views
Traefik doesn't keep the real IP
I have a problem with Traefik: I want to log from a server with syslog-ng (Docker). I have logs, but they contain the reverse_proxy name and I want the source IP, not the name of Traefik. I wish to keep the source IP ...
1 vote
1 answer
293 views
syslog-ng freezes when reloading config changes in log msg size
I'm having a weird case of syslog-ng freezing on some reloads and under some conditions. syslog-ng version is ubuntu 20.04's default 3.25.1. It has to be something related to log_msg_size as this ...
0 votes
0 answers
1k views
syslog-ng duplicate log message
Not duplicate of this question because that one uses rsyslog on client whereas I use syslog-ng on both sides. I have a syslog-ng instance on both the client and the server and for whatever reason the ...
0 votes
1 answer
6k views
syslog-ng: how to configure sending RFC5424 messages with octet-counting framing
Please don't bother reading this question. syslog-ng is already set up to send RFC5424 messages with octet-counting framing by default. I was confused by the behaviour of another component. This ...
0 votes
1 answer
1k views
syslog-ng / telegraf : EOF occurred when idle - incompatible?
This is a follow-on question from this previous question, created because I found out more information and it's cleaner to pose this as a new question. I'm using syslog-ng OSE v3.31.2 to receive ...
0 votes
2 answers
2k views
syslog-ng: How to reduce high latency when forwarding logs to a syslog tcp consumer?
UPDATE 2: I've answered this via my new question at the link below. The root cause is behaviour by telegraf where, by default, it disconnects the TCP connection 5 seconds after the last received message....
0 votes
0 answers
506 views
RSyslogd is sending multiple CEF messages in the same syslog message
There is a Python script sending multiple events to a remote host with Rsyslogd: CEF:0|Test|SIEMintegration|1|1|Normal|0| fileId=767000670128771115 CEF:0|Test|SIEMintegration|1|1|Normal|0| fileId=...
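The three framing questions above (enabling TCP framing, octet-counting being what syslog-ng already emits for RFC 5424 by default, and several CEF records arriving inside one syslog message) all come down to the two framings RFC 6587 defines for syslog over TCP. The following is an added example, not code from syslog-ng, rsyslog or any of the posts: a Python splitter that turns a raw TCP byte stream into individual messages under either framing, an encoder for the octet-counted form, and a check that flags a delivered message carrying more than one CEF record. The sample messages are constructed for this example.

```python
"""RFC 6587 framing for syslog over TCP: split a raw byte stream into messages.

Added example; not code from syslog-ng, rsyslog or any of the posts above.
Two framings exist:
  * octet-counting:   "MSG-LEN SP MSG"         (RFC 6587 section 3.4.1)
  * non-transparent:  messages terminated by LF (RFC 6587 section 3.4.2)
If a sender loses its LF terminator, two records land in one message; the
splitter below shows that, and count_cef_records() makes it detectable.
"""
import re

# Octet-counting header: decimal byte length followed by one space.
_OCTET_HDR = re.compile(rb"(\d{1,10}) ")


def frame_octet_counted(msg: bytes) -> bytes:
    """Encode one message with octet-counting framing: b'<len> <msg>'."""
    return b"%d %s" % (len(msg), msg)


def split_frames(stream: bytes):
    """Split a TCP byte stream into (messages, remainder).

    remainder holds an incomplete trailing frame that needs more bytes; feed it
    back in front of the next chunk read from the socket.
    """
    msgs = []
    pos, n = 0, len(stream)
    while pos < n:
        m = _OCTET_HDR.match(stream, pos)  # anchored at pos
        if m:
            start = m.end()
            if start >= n:
                break  # header only; cannot yet tell what follows
            # A counted payload is a syslog message, so it starts with "<PRI>".
            # Anything else means this is an LF-framed message that happens to
            # begin with digits, and we fall through to non-transparent handling.
            if stream[start:start + 1] == b"<":
                end = start + int(m.group(1))
                if end > n:
                    break  # partial octet-counted frame
                msgs.append(stream[start:end])
                pos = end
                continue
        nl = stream.find(b"\n", pos)
        if nl == -1:
            break  # partial LF-framed message
        msgs.append(stream[pos:nl].rstrip(b"\r"))
        pos = nl + 1
    return msgs, stream[pos:]


def count_cef_records(msg: bytes) -> int:
    """Number of CEF records in one delivered message; more than one means the
    sender fused records because its frame boundary was lost."""
    return msg.count(b"CEF:0|")


# Constructed sample messages (RFC 5424 header + CEF body), not real traffic.
MSG_A = b"<134>1 2024-01-01T00:00:00Z probe app - - - CEF:0|Test|SIEMintegration|1|1|Normal|0| fileId=1"
MSG_B = b"<134>1 2024-01-01T00:00:01Z probe app - - - CEF:0|Test|SIEMintegration|1|1|Normal|0| fileId=2"

if __name__ == "__main__":
    ok, _ = split_frames(frame_octet_counted(MSG_A) + frame_octet_counted(MSG_B))
    fused, _ = split_frames(MSG_A + b" " + MSG_B + b"\n")  # sender dropped the LF
    print(len(ok), "octet-counted messages;", len(fused), "LF-framed message carrying",
          count_cef_records(fused[0]), "CEF records")
```

The design point is that octet-counting carries the message length in-band, so a receiver can never mistake two concatenated records for one, and a record containing a newline survives; LF framing depends entirely on the sender emitting the terminator, which is exactly what goes wrong when several CEF records show up in a single syslog message.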
2 votes
1 answer
2k views
Syslog-NG Error processing log message using IETF format
We've just changed our logging application on our AS/400 partitions and are now using a product called PowerTech SIEM agent for IBM i. The tool used to format messages using the old syslog convention ...
1 vote
1 answer
5k views
running syslog-ng in verbose mode
EDIT1: syslog-ng launch command : /usr/sbin/syslog-ng -u syslog -g syslog -R /tmp/syslog-ng.persist -F commands used: syslog-ng-ctl verbose --set=on and syslog-ng-ctl verbose I am trying to run syslog-...
0 votes
1 answer
2k views
"EOF occurred while idle" when using network directive in syslog-ng
I want to forward logs from a local machine to a distant server. Thanks to an SSH tunnel, the distant server is reachable through localhost:5514. I wrote the following conf: # Filters filter f_local0 {...
0 votes
1 answer
56 views
Save incoming log with suffix to its logfile-suffix.log using syslog-ng
I've been searching on the internet for answers relating to syslog-ng and how I can configure syslog-ng to save incoming log files with a specific suffix to a file and also carry over the suffix ...
0 votes
1 answer
536 views
using syslog-ng to parse snmptrapd - not keeping up
(CentOS 7.x) I have syslog-ng set up to parse snmptrapd messages so I can format them for later digestion. The issue is that syslog-ng only outputs the n-1 message, i.e. if there are 10 lines in ...
0 votes
1 answer
479 views
How can I set up syslog-ng to send only invalid JSON logs to a destination
I've set up syslog-ng 3.25.1 to read log messages from a file, parse them as JSON, and forward them to an ElasticSearch cluster. This works well when the messages are formatted correctly as JSON, ...
0 votes
1 answer
2k views
syslog-ng set loglevel/priority to warning or more to be less verbose
How to run/configure syslog-ng to log only above the security loglevel/priority WARNING? I would like to discard NOTICES like: Destination timeout has elapsed, closing connection; fd='36' From the ...
-3 votes
1 answer
472 views
How to hack proof my syslog-ng server
I recently built a Ubuntu syslog-ng server that is behind a firewall. I have opened TCP ports 514, 515, and 516. I have noticed that hackers are writing to my syslog-ng server, they are from China. ...
0 votes
1 answer
756 views
Separate JSON part of incoming log with syslog-ng by config
I'm receiving my log without any parsing: source s_network { network( transport(tcp) port(601) flags(no-parse)); }; My saved log has two parts: receiver information and the JSON part of the log (like below)...
0 votes
1 answer
2k views
Set a Macro before sending log over network with syslog-ng
I have created a syslog server and client. I want to set client serial number in SOURCE macro in all logs being sent to server so that on server side I can retrieve the macro and can create the log ...
0 votes
1 answer
334 views
How to set-up Syslog-NG with MonitorWare schema?
We are setting up a centralized logging server which receives logs from many devices and servers and stores them in a database. The syslog on the central server is syslog-ng. It is chosen because ...
1 vote
1 answer
1k views
syslog-ng configuration works in debug mode, but not without
I am trying to run syslog-ng as an OCF resource in an HA cluster. I am encountering some terribly strange behavior - when I start a single instance in debug mode, the filters match and it forwards ...
0 votes
1 answer
1k views
Disable process ID showing in syslog-ng logs
I configured syslog-ng (version 3.21.1) on a CentOS7 server and found that logs are in following format. Aug 26 12:59:28 xyz74hd.com radiusd[20142]: 92djvd4654654164nadskj795234dc Reason: pldap: ...
1 vote
1 answer
608 views
syslog-ng freezes/doesn't log when it encounters log messages with an older timestamp
We are seeing an issue with syslog-ng 3.8.1 dropping logs with an older timestamp. Our system has an issue persisting the hardware clock after a reboot; however, it might be an issue even with NTP jitter as ...
1 vote
2 answers
3k views
syslog-ng execute script on syslog pattern
I have a simple requirement. I want to receive all syslog messages coming from user facility and store them in a file. If the syslog message contains a specific pattern, I want to execute a script. ...
1 vote
2 answers
892 views
Syslog-ng: Hostnames with slashes
We have a problem where we have a device type logging with hostnames like slot1/devicename. Unfortunately, when the logs are written to disk, only the slot1 is written; since we have a number of ...
1 vote
2 answers
21k views
syslog-ng.conf listen for remote servers
I'm configuring /etc/syslog-ng/syslog-ng.conf on version 3.5.6-2 to listen to remote hosts on port 514 by changing the configuration like #source s_src { # system(); # internal(); #}; # If you ...
-1 votes
2 answers
2k views
Extract values from MESSAGE in Syslog-NG
I receive syslog messages as follows: [[email protected] net_id="325" station="431" fault="16384"] [NotificationHandler] NMS error: STCRC/NOTTS Net: Enas Station: CED Elmas serial-...
1 vote
2 answers
2k views
How can I extract a tag from a syslog message and use it as a path variable?
I have several servers logging to the central syslog server, which collects the logs using syslog-ng. I send logs with a tag using the logger command: $ logger -n 01.02.03.04 "Hello from $HOST at $(...
0 votes
1 answer
469 views
using mysql to send a database of log messages to syslog-ng?
I want to create a database of my proxy-server log messages, then modify and change them, then finally send them to syslog-ng!! Is it possible?
1 vote
1 answer
702 views
rsyslog/syslog-ng pattern to log ssh and related sftp session for a user
I'd like to log a user-specific ssh and following sftp session into a file which would have the username in the filename. I have this: Jan 8 13:43:38 mx1 sshd[84622]: Connection from 17x.xx.xx.xx port ...
-1 votes
1 answer
2k views
syslog-ng | How to separate logs from different applications from one client without using different ports?
I have some Samba domain controllers and one central syslog server. All of them are running the latest syslog-ng and SUSE Leap 15. Every log from Samba, Winbind and Bind/Named should go to the central ...