Syslog-ng

From Gentoo Wiki

syslog-ng is a powerful, massively configurable monitoring and logging daemon.

Installation

USE flags

USE flags for app-admin/syslog-ng (syslog replacement with advanced filtering features):

Flag          Scope   Description
amqp          local   Enable support for AMQP destinations
caps          global  Use the Linux capabilities library to control privilege
dbi           global  Enable dev-db/libdbi (database-independent abstraction layer) support
geoip         global  Add GeoIP support for country and city lookup based on IPs
ipv6          global  Add support for IP version 6
json          local   Enable support for JSON template formatting via dev-libs/json-c
libressl      global  Use dev-libs/libressl as SSL provider (might need the ssl USE flag); packages should not depend on this USE flag
mongodb       local   Enable support for MongoDB destinations
pacct         local   Enable support for reading process accounting files (EXPERIMENTAL, Linux only)
python        global  Add optional support/bindings for the Python language
redis         local   Enable support for Redis destinations
smtp          local   Enable support for SMTP destinations
spoof-source  local   Enable support for spoofed source addresses
systemd       global  Enable use of systemd-specific libraries and features like socket activation or session tracking
tcpd          global  Add support for TCP wrappers

Emerge

Install app-admin/syslog-ng:

root #emerge --ask app-admin/syslog-ng
Note
It is a bad idea to run more than one system logger on a physical host. Other local loggers should be removed or disabled.

Additional software

When running a system logger such as syslog-ng, install log rotation software so that the logs are trimmed regularly and cannot grow until they fill the disk. Logrotate is a good option:

root #emerge --ask app-admin/logrotate

Configuration

The default configuration provided by the ebuild is quite minimal. For a more comprehensive configuration see the configuration provided for Hardened Gentoo in:

/usr/share/doc/syslog-ng-*/syslog-ng.conf.gentoo.hardened.bz2

Files

The default source for syslog messages is:

FILE /etc/syslog-ng/syslog-ng.conf
source src { unix-stream("/dev/log"); internal(); };

If the system is running systemd, systemd-journald owns /dev/log, so the default source needs to be changed to read from the journal instead[1]:

FILE /etc/syslog-ng/syslog-ng.conf
source src { systemd-journal(); internal(); };
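A fuller configuration built around the source lines above, as an added example that is neither the ebuild's default nor the hardened configuration shipped under /usr/share/doc: it keeps the local source, separates authentication messages into a root-only file, writes every log file with restrictive ownership and mode, and forwards a copy over mutually authenticated TLS to a central collector so that a local root compromise cannot silently erase the only copy. The @version line, the collector name logs.example.org, port 6514 and the certificate paths are assumptions to be adjusted to the installed syslog-ng version (syslog-ng --version) and the site; TLS forwarding assumes syslog-ng was built with OpenSSL support.

```conf
# /etc/syslog-ng/syslog-ng.conf  (added example, not the ebuild default)
# The @version line must match the installed major.minor; 3.38 is assumed here.
@version: 3.38
@include "scl.conf"

options {
    # No network sources are defined below, but disabling DNS lookups avoids
    # stalls and keeps attacker-controlled reverse-DNS data out of the HOST
    # field should a network() source be added later.
    use_dns(no);
    dns_cache(no);
    use_fqdn(no);
    keep_hostname(yes);
    chain_hostnames(no);
    # Every file and directory syslog-ng creates is root-owned and not
    # world-readable.
    create_dirs(yes);
    owner("root");
    group("root");
    perm(0640);
    dir_perm(0750);
    flush_lines(0);
    log_fifo_size(10000);
};

# Local sources. On a systemd host replace unix-stream("/dev/log") with
# systemd-journal(), because journald owns /dev/log there.
source s_local {
    unix-stream("/dev/log");
    internal();
};

# auth/authpriv messages (logins, sudo, sshd) are the most sensitive: keep
# them in a separate file that only root can read.
filter f_auth { facility(auth, authpriv); };
filter f_rest { not facility(auth, authpriv); };

destination d_auth     { file("/var/log/auth.log" perm(0600)); };
destination d_messages { file("/var/log/messages"); };

# Encrypted, client-authenticated forwarding to a central collector.
# logs.example.org, port 6514 and the key/cert paths are assumptions.
# /etc/syslog-ng/ca.d must hold the collector's CA certificate with hashed
# symlinks ("openssl rehash" or c_rehash in that directory).
destination d_remote {
    network("logs.example.org" port(6514)
        transport("tls")
        tls(
            ca-dir("/etc/syslog-ng/ca.d")
            key-file("/etc/syslog-ng/cert.d/client.key")
            cert-file("/etc/syslog-ng/cert.d/client.crt")
            # Refuse to send unless the collector presents a trusted cert.
            peer-verify(required-trusted)
        )
        # Spool to disk while the collector is unreachable instead of dropping.
        disk-buffer(mem-buf-size(10485760) disk-buf-size(104857600) reliable(yes))
    );
};

log { source(s_local); filter(f_auth); destination(d_auth); };
log { source(s_local); filter(f_rest); destination(d_messages); };
log { source(s_local); destination(d_remote); };
```

Check the file with syslog-ng --syntax-only before restarting the daemon, and after the first messages arrive confirm with ls -l /var/log/auth.log that the file really is mode 0600 and root-owned; the global perm() and owner() settings only apply to files syslog-ng creates, so pre-existing log files keep whatever mode they already had.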

Service

OpenRC

Add the syslog-ng daemon to the default runlevel so that logging starts on system boot:

root #rc-update add syslog-ng default

Start the syslog-ng daemon now:

root #rc-service syslog-ng start

systemd

To start the syslog-ng daemon when the system boots enable the service:

root #systemctl enable syslog-ng

To start the daemon now:

root #systemctl start syslog-ng

References