Welcome to the first part of my syslog-ng tutorial series. In this part, I give you a quick introduction what to expect from this series and try to define what syslog-ng is.
Before introducing you to syslog-ng, let me introduce myself in a few words. I am Peter Czanik from Hungary, syslog-ng user for about two decades. I work as an open-source evangelist at One Identity, the company behind syslog-ng. I do syslog-ng packaging, support and advocacy. Syslog-ng was originally developed by Balabit, which is now part of One Identity.
About this tutorial series
I plan to release parts of my tutorial around every week. Of course, the Christmas holidays and the upcoming conference season may cause some delays. Each part will be released as a blog accompanied by a video. It is up to you, which version you follow. However, even if you go with the video, it is worth visiting the blog: you will be able to copy and paste configuration samples from there.
Basic Linux/UNIX administration knowledge is important, but prior knowledge about logging and syslog-ng is not necessary to be able to follow the tutorials. The examples expect that you use a systemd-based Linux distribution to run syslog-ng, as close to 90% of our users run syslog-ng in such an environment. However, the syslog-ng concepts are the same everywhere and it is easy to adopt examples to FreeBSD or to other operating systems.
Saying that it is syslog-ng from zero to hero would be a bit of an overstatement. We start with some basic concepts, and what you use syslog-ng for. Once you are also familiar with the four major roles of syslog-ng, we talk a bit about syslog-ng editions and installation. With syslog-ng installed, we can start to configure and test syslog-ng. First, we get to know the various parts of the configuration and logging to files. Then, we also learn about network logging. The next steps are filters and parsers. Finally, we store parsed and filtered logs to Elasticsearch.
You need at least syslog-ng 3.23 to follow this tutorial. Some examples will require syslog-ng version 4.0 (or at least 3.37, which you can switch to 4.0 mode). Installing Elasticsearch or Opensearch is optional, but of course helps you to see your logs on a graphical user interface.
What is syslog-ng?
So, what is syslog-ng? Before we define that, we should define what logging is. When it is not about forestry but IT, logging is a recording of events on a computer. The event could be anything: a new IP address through DHCP, a failing HDD, or a user logging in through SSH. Here is an example for the last one:
Jan 14 11:38:48 linux-0jbu sshd: Accepted publickey for root from 127.0.0.1 port 48806 ssh2
Depending on your host, you can find many similar log messages under the /var/log directory in a file called messages, auth or security.
I define syslog-ng as an enhanced logging daemon with a focus on portability and high-performance central log collection. Originally developed in C, but it can also be extended in Python.
(to be continued)
Author: Peter Czanik – an engineer – open source evangelist at One Identity
About DT Asia
DT Asia began in 2007 with a clear mission to build the market entry for various pioneering IT security solutions from the US, Europe and Israel.
Today, DT Asia is a regional, value-added distributor of cybersecurity solutions providing cutting-edge technologies to key government organisations and top private sector clients including global banks and Fortune 500 companies. We have offices and partners around the Asia Pacific to better understand the markets and deliver localised solutions.