For the best user experience, we recommend logging into the LogDNA web app and following the account-tailored add a log source instructions. You may also follow the more generic instructions below

TCP+TLS (recommended)

To configure syslog-ng to send logs to LogDNA via TCP secured with TLS, follow the steps below.

1. Download the LogDNA Root CA Certificate to /etc/ld-root-ca.crt

2. Append the contents below to /etc/syslog-ng/syslog-ng.conf on your host machine. Be sure to insert your LogDNA Ingestion Key.

### START syslog-ng LogDNA Logging Directives ###

source s_logdna {
    system();    # Check which OS & collect system logs
    internal();    # Collect syslog-ng logs
};

template LogDNAFormat { template("<%PRI%>1 ${ISODATE} ${HOST} ${PROGRAM} ${PID} ${MSGID} [[email protected] key=\"INSERT-YOUR-INGESTION-KEY-HERE\"] $MSG\n");
    template_escape(no);
};

destination d_logdna {
    tcp("syslog-a.logdna.com" port(6514)
    tls(cert-file("/etc/ld-root-ca.crt"))
    template(LogDNAFormat));
};

log {
    source(s_logdna);
    destination(d_logdna);
};

### END syslog-ng LogDNA logging directives ###

3. Restart syslog: sudo /etc/init.d/syslog-ng restart

TCP

To configure syslog-ng to send logs to LogDNA via TCP, follow the steps below.

1. Append the contents below to /etc/syslog-ng/syslog-ng.conf on your host machine. Be sure to insert your LogDNA Ingestion Key.

### START syslog-ng LogDNA Logging Directives ###

source s_logdna {
    system();    # Check which OS & collect system logs
    internal();    # Collect syslog-ng logs
};

template LogDNAFormat { template("<%PRI%>1 ${ISODATE} ${HOST} ${PROGRAM} ${PID} ${MSGID} [[email protected] key=\"INSERT-YOUR-INGESTION-KEY-HERE\"] $MSG\n");
    template_escape(no);
};

destination d_logdna {
    tcp("syslog-a.logdna.com" port(514)
    template(LogDNAFormat));
};

log {
    source(s_logdna);
    destination(d_logdna);
};

### END syslog-ng LogDNA logging directives ###

2. Restart syslog: sudo /etc/init.d/syslog-ng restart

UDP

Warning: UDP does not guarantee log line order. More information is available in this section of RFC 5426

To configure syslog-ng to send logs to LogDNA via UDP, follow the steps below.

1. Add the contents below to /etc/syslog-ng/syslog-ng.conf on your host machine. Be sure to insert your LogDNA Ingestion Key.

### START syslog-ng LogDNA Logging Directives ###

source s_logdna {
    system();    # Check which OS & collect system logs
    internal();    # Collect syslog-ng logs
};

template LogDNAFormat { template("<%PRI%>1 ${ISODATE} ${HOST} ${PROGRAM} ${PID} ${MSGID} [[email protected] key=\"INSERT-YOUR-INGESTION-KEY-HERE\"] $MSG\n");
    template_escape(no);
};

destination d_logdna {
    udp("syslog-a.logdna.com" port(514)
    template(LogDNAFormat));
};

log {
    source(s_logdna);
    destination(d_logdna);
};

### END syslog-ng LogDNA logging directives ###

2. Restart syslog: sudo /etc/init.d/syslog-ng restart

Custom port

If you are unable to change the message template for syslog-ng, you may provision a custom port by logging into the LogDNA web app and following the account-tailored add a log source instructions

Host tags

Host tags allow you to group hosts automatically without having to explicitly assign a host to a group within the LogDNA web app.

Host tags follow the syslog RFC-defined STRUCTURED-DATA format and requires configuring the template line in /etc/rsyslog.d/22-logdna.conf to include the IANA-approved LogDNA Private Enterprise Number (PEN), 48950. For example:

template LogDNAFormat { template("<%PRI%>1 ${ISODATE} ${HOST} ${PROGRAM} ${PID} ${MSGID} [[email protected] key=\"INSERT-YOUR-INGESTION-KEY-HERE\" tags=\"prod,web\"] $MSG\n");
    template_escape(no);
};

This would send up log lines from with the host tags prod and web, which would add this host to the prod and web tags.

Log Level Parsing

We'll attempt to parse the log level from the log line itself if syslog-ng emits the log line with the log level of "err" or "info". We'll preserve the original syslog-ng level in the _original_level property of a log line and store the parsed log level in the level property.

Additional options

If possible, we highly recommend setting up a keepalive inside your rsyslog forwarding configuration. This ensures that bad connections are properly terminated and re-initiated and increases the reliability of log delivery. You can learn about rsyslog keepalive options here.