Syslog-ng

Get set up to start collecting, centralizing, monitoring, and analyzing your syslog-ng log files. Send log data from a variety of sources including syslog, rsyslog, AWS, JavaScript, JSON, Kubernetes, Docker, and more.

For the best user experience, we recommend logging into the LogDNA web app and following the account-tailored "add a log source" instructions. You may also follow the more generic instructions below.

TCP+TLS (recommended)

To configure syslog-ng to send logs to LogDNA via TCP secured with TLS, follow the steps below.

  1. Download the LogDNA Root CA Certificate to /etc/ld-root-ca.crt

  2. Append the contents below to /etc/syslog-ng/syslog-ng.conf on your host machine. Be sure to insert your LogDNA Ingestion Key.

### START syslog-ng LogDNA Logging Directives ###

source s_logdna {
    system();    # Check which OS & collect system logs
    internal();    # Collect syslog-ng logs
};

template LogDNAFormat {
    template("<${PRI}>1 ${ISODATE} ${HOST} ${PROGRAM} ${PID} ${MSGID} [logdna@48950 key=\"INSERT-YOUR-INGESTION-KEY-HERE\"] $MSG\n");
    template_escape(no);
};

destination d_logdna {
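    # ca-file() names the CA used to verify the server; cert-file() would set this host's own client certificate
    tcp("syslog-a.logdna.com" port(6514)
    tls(ca-file("/etc/ld-root-ca.crt"))
    template(LogDNAFormat));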
};

log {
    source(s_logdna);
    destination(d_logdna);
};

### END syslog-ng LogDNA logging directives ###

  3. Restart syslog: sudo /etc/init.d/syslog-ng restart

TCP

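To configure syslog-ng to send logs to LogDNA via TCP, follow the steps below. This transport, like UDP below, is unencrypted, so the ingestion key embedded in each message crosses the network in cleartext; use TCP+TLS where possible.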

  1. Append the contents below to /etc/syslog-ng/syslog-ng.conf on your host machine. Be sure to insert your LogDNA Ingestion Key.
### START syslog-ng LogDNA Logging Directives ###

source s_logdna {
    system();    # Check which OS & collect system logs
    internal();    # Collect syslog-ng logs
};

template LogDNAFormat {
    template("<${PRI}>1 ${ISODATE} ${HOST} ${PROGRAM} ${PID} ${MSGID} [logdna@48950 key=\"INSERT-YOUR-INGESTION-KEY-HERE\"] $MSG\n");
    template_escape(no);
};

destination d_logdna {
    tcp("syslog-a.logdna.com" port(514)
    template(LogDNAFormat));
};

log {
    source(s_logdna);
    destination(d_logdna);
};

### END syslog-ng LogDNA logging directives ###

  2. Restart syslog: sudo /etc/init.d/syslog-ng restart

UDP

Warning: UDP does not guarantee log line order. More information is available in RFC 5426.

To configure syslog-ng to send logs to LogDNA via UDP, follow the steps below.

  1. Add the contents below to /etc/syslog-ng/syslog-ng.conf on your host machine. Be sure to insert your LogDNA Ingestion Key.
### START syslog-ng LogDNA Logging Directives ###

source s_logdna {
    system();    # Check which OS & collect system logs
    internal();    # Collect syslog-ng logs
};

template LogDNAFormat {
    template("<${PRI}>1 ${ISODATE} ${HOST} ${PROGRAM} ${PID} ${MSGID} [logdna@48950 key=\"INSERT-YOUR-INGESTION-KEY-HERE\"] $MSG\n");
    template_escape(no);
};

destination d_logdna {
    udp("syslog-u.logdna.com" port(514)
    template(LogDNAFormat));
};

log {
    source(s_logdna);
    destination(d_logdna);
};

### END syslog-ng LogDNA logging directives ###

  2. Restart syslog: sudo /etc/init.d/syslog-ng restart

Custom port

If you are unable to change the message template for syslog-ng, you may provision a custom port by logging into the LogDNA web app and following the account-tailored add a log source instructions.

Host tags

Host tags allow you to group hosts automatically without having to explicitly assign a host to a group within the LogDNA web app.

Host tags follow the syslog RFC-defined STRUCTURED-DATA format and require configuring the template line in /etc/syslog-ng/syslog-ng.conf to include the IANA-approved LogDNA Private Enterprise Number (PEN), 48950. For example:

template LogDNAFormat {
    template("<${PRI}>1 ${ISODATE} ${HOST} ${PROGRAM} ${PID} ${MSGID} [logdna@48950 key=\"INSERT-YOUR-INGESTION-KEY-HERE\" tags=\"prod,web\"] $MSG\n");
    template_escape(no);
};

This would send log lines with tags prod and web, which would subsequently add these tags to the host.
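
The following is an added example, not LogDNA's code: a Python check of what a host-tag template puts on the wire, which parses the STRUCTURED-DATA element carrying PEN 48950 and redacts the ingestion key before a captured line is pasted into a ticket or debug log. The sample line, the key value, the `logdna` SD-ID name and all function names are assumptions made for illustration.

```python
import re

PEN = "48950"  # LogDNA Private Enterprise Number, as stated on this page

# One SD-ELEMENT whose SD-ID ends in @48950, followed by its SD-PARAMs.
SD_ELEMENT = re.compile(
    r'\[([^\s=\]"]+@' + PEN + r')((?: [^\s=\]"]+="(?:[^"\\\]]|\\.)*")*)\]')
SD_PARAM = re.compile(r' ([^\s=\]"]+)="((?:[^"\\\]]|\\.)*)"')


def unescape(value):
    # RFC 5424 escapes only '"', '\' and ']' inside a PARAM-VALUE.
    return re.sub(r'\\(["\\\]])', r'\1', value)


def parse_sd(line):
    """Return (sd_id, params) for the @48950 element, or None if absent."""
    m = SD_ELEMENT.search(line)
    if m is None:
        return None
    params = {n: unescape(v) for n, v in SD_PARAM.findall(m.group(2))}
    return m.group(1), params


def host_tags(line):
    """Tags the line would add to the host, in order, without blanks."""
    parsed = parse_sd(line)
    if parsed is None:
        return []
    return [t.strip() for t in parsed[1].get("tags", "").split(",") if t.strip()]


def redact_key(line):
    """Blank the key value inside the @48950 element only, not in the message."""
    def scrub(m):
        return re.sub(r'( key=")(?:[^"\\\]]|\\.)*"', r'\1REDACTED"', m.group(0))
    return SD_ELEMENT.sub(scrub, line)


# Constructed sample, shaped like the template's output for one sshd message.
SAMPLE = ('<38>1 2024-01-01T12:00:00+00:00 web01 sshd 4242 - '
          '[logdna@48950 key="0123456789abcdef" tags="prod,web"] '
          'Accepted publickey for deploy key="not-the-ingestion-key"')

if __name__ == "__main__":
    print(parse_sd(SAMPLE))
    print(host_tags(SAMPLE))
    print(redact_key(SAMPLE))
```

Because the template sets template_escape(no), a tag value containing `"`, `\` or `]` has to be escaped by hand in the configuration for the element to parse as shown.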

Additional options

If possible, we highly recommend setting up a keepalive inside your syslog-ng forwarding configuration. This ensures that bad connections are properly terminated and re-initiated and increases the reliability of log delivery. You can learn about syslog-ng keepalive options here.

Note: We accept the Syslog-ng default format, RFC 5424 and RFC 3164 for auto parsing Syslog-ng.