This is the sixth part of my syslog-ng tutorial. Last time, we learned about syslog-ng source definitions and how to check the syslog-ng version. Today, we learn about syslog-ng destinations and the log path. At the end of the session, we will also perform a quick syntax check.
You can watch the video or read the text below.
YouTube link: https://youtu.be/mqIQqeSm4W4
Destination definition
A destination definition is a collection of one or more destination drivers. It consists of two parts. It starts with the word “destination”, followed by an identifier for the destination which you will use later to refer to the given destination. After that, it lists the destination drivers with their parameters. Here is how its syntax looks like:
And here is a simple file destination:
Destination drivers
You have already seen the file() destination, but there are many more destination drivers available in syslog-ng. Some of the more common destination drivers are the following:
- file(): Writes log messages to a file.
- pipe(), unix-stream() and unix-dgram(): Writes log messages to a pipe or socket.
- network: Sends legacy (RFC 3164) messages over the network.
- syslog(): Sends new (RFC 5424) syslog messages over the network.
- usertty(): Writes to the terminal of the logged in user. Make sure to use this carefully, as it can slow down syslog-ng considerably!
- program(): Writes to a program’s standard input.
- http(): Sends log messages to HTTP, like Elasticsearch, Slack, Sumologic and others.
- python(): Allows you to write your own destination driver in Python.
For the complete list, see the syslog-ng documentation.
Further elements
We have already seen the most basic syslog-ng configuration elements: sources and destinations. So let me show you now some additional elements. We will learn more about these in later tutorials.
- Options: Allows you to set the global behavior of syslog-ng. Many of these settings can be overridden in later parts of the configuration. For example, you do not have to configure each destination separately – instead, you can set a common value in Options and override it only at the destinations necessary.
- Macro: Macros are elements of a parsed log message. They can be used to reconstruct messages.
- Template: Templates are user-defined expressions for reformatting (restructuring) log messages from macros and name-value pairs. For example, adding time zone information or changing to JSON formatting.
- Filter: Filters are expressions for selecting (filtering) messages.
- Parser: Parsers separate a message into smaller parts with a separator. The resulting name-value pairs can be used in templates.
- Rewrite: A sed-like tool that modifies part of the message. This is not meant for falsifying messages of course, but rather for use cases like anonymization to meet various compliance requirements.
The log path
The log path connects the various building blocks of syslog-ng, and thus defines the route of incoming log messages. It can contain sources, destinations, filters, flags and other objects. It refers to the various building blocks by their name (identifier).
Here you can see a log path, which simply connects a source to a destination, without any further processing:
syslog-ng.conf: minimal
Here you can see a minimal syslog-ng configuration. It contains just a version declaration, a source, a destination, and a log path that connects the source with the destination:
syslog-ng.conf: most typical components
The next configuration is still quite simple, but already includes many of the typical configuration elements. We have seen int previously and learned about most of its elements. So the only configuration element we have not yet talked about is the filter.
Syntax check
Before finishing this part of my syslog-ng tutorial, I want to introduce you to a syslog-ng command line option. Using -s you can check if your syslog-ng configuration is syntactically correct. As such, it can only detect syntax problems but not typos, which means your syslog-ng configuration can still blow up on start if you, for example, misspelled a source name. Still, as a rule of thumb, no output for -s means no problem.
Save one of the example configurations, then check how it works by combining -s with -f (the configuration file name):
In a later part, we will check how you can use the -s option during a syslog-ng version upgrade.
Source: https://www.syslog-ng.com/community/b/blog/posts/syslog-ng-101-part-6-destinations-and-log-path
About DT Asia
DT Asia began in 2007 with a clear mission to build the market entry for various pioneering IT security solutions from the US, Europe and Israel.
Today, DT Asia is a regional, value-added distributor of cybersecurity solutions providing cutting-edge technologies to key government organisations and top private sector clients including global banks and Fortune 500 companies. We have offices and partners around the Asia Pacific to better understand the markets and deliver localised solutions.