syslog-ng.conf listen for remote servers


Okay, in my version of syslog-ng 3.5.6-2 (from standard Debian Jessie vanilla package), you have to do a couple things. First, leave this uncommented:

source s_src {
   system();
   internal();
};

Then change the s_net line to read:

source s_net { tcp(ip(0.0.0.0) port(514) max-connections (5000)); udp(); };

Now you have to modify a line to put remote host syslog logs in a certain place delineated by hostname so you can figure out which host syslog is which like:

destination d_syslog { file("/var/log/remotelogs/$HOST/syslog"); };

Or if you want them all in the same file to analyze a single file just do:

destination d_syslog { file("/var/log/remotelogs/syslog"); };

Then put it all together like:

#log { source(s_src); filter(f_syslog3); destination(d_syslog); };
log { source(s_net); filter(f_syslog3); destination(d_syslog); };

Note that the log entry for syslog now references s_net as a source, rather than s_src. Now you can restart syslog-ng and see if it's listening like:

/etc/init.d/syslog-ng restart
netstat -plunt | grep syslog-ng
tcp        0      0 0.0.0.0:514           0.0.0.0:*               LISTEN      26853/syslog-ng
udp        0      0 0.0.0.0:514             0.0.0.0:*                           26853/syslog-n
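Two things are worth checking before the restart above: whether any log path still names a source that has been commented out (the exact cause of the "config errors" in the question), and which interfaces the new listener binds, since a collector on 0.0.0.0:514 accepts messages from any host that can reach it and is the one to pair with host firewall rules limited to the senders you expect. The following Python script is an added example, not part of this answer or of syslog-ng itself: it parses a constructed syslog-ng.conf fragment, reports log paths that reference undefined sources, filters or destinations, and lists every tcp()/udp() listener with the address and port it binds. The function names, the sample fragments (including the 192.0.2.10 address) and the defaults assumed for the legacy tcp()/udp() drivers when ip()/port() are omitted (0.0.0.0 and 514) are mine.

```python
import re

# Constructed syslog-ng.conf fragment (sample input, not a real file). The
# commented-out s_src block plus the log path that still references it
# reproduce the failed-start situation from the question.
SAMPLE_CONF = """
#source s_src {
#   system();
#   internal();
#};
source s_net { tcp(ip(0.0.0.0) port(514) max-connections(5000)); udp(); };
filter f_debug { level(debug) and not facility(auth, authpriv, news, mail); };
filter f_syslog3 { not facility(auth, authpriv, mail) and not filter(f_debug); };
destination d_syslog { file("/var/log/remotelogs/$HOST/syslog"); };
log { source(s_src); filter(f_syslog3); destination(d_syslog); };
log { source(s_net); filter(f_syslog3); destination(d_syslog); };
"""

# Constructed "fixed" variant: s_src kept, and the network source bound to one
# address (192.0.2.10 is a documentation address used here as a placeholder).
FIXED_CONF = """
source s_src { system(); internal(); };
source s_net { tcp(ip("192.0.2.10") port(514) max-connections(5000)); udp(ip("192.0.2.10")); };
filter f_debug { level(debug) and not facility(auth, authpriv, news, mail); };
filter f_syslog3 { not facility(auth, authpriv, mail) and not filter(f_debug); };
destination d_syslog { file("/var/log/remotelogs/$HOST/syslog"); };
log { source(s_src); filter(f_syslog3); destination(d_syslog); };
log { source(s_net); filter(f_syslog3); destination(d_syslog); };
"""

# Start of a top-level statement: `source s_net {`, `filter f_x {`, `log {` (no name).
HEADER_RE = re.compile(r'\b(source|filter|destination|log)\s+(?:(\w+)\s*)?\{')
# A tcp()/udp() driver whose options may contain one level of nested parentheses.
LISTENER_RE = re.compile(r'\b(tcp|udp)\s*\(([^()]*(?:\([^()]*\)[^()]*)*)\)')


def strip_comments(text):
    """Drop everything after '#' on each line (syslog-ng line comments)."""
    return "\n".join(line.split("#", 1)[0] for line in text.splitlines())


def top_level_blocks(text):
    """Yield (kind, name, body) for each top-level `kind name { body };` statement."""
    pos = 0
    while True:
        m = HEADER_RE.search(text, pos)
        if not m:
            return
        start = m.end()          # position just past the opening brace
        depth, j = 1, start
        while j < len(text) and depth:
            if text[j] == "{":
                depth += 1
            elif text[j] == "}":
                depth -= 1
            j += 1
        yield m.group(1), m.group(2), text[start:j - 1]
        pos = j


def dangling_references(conf):
    """Messages for log paths that reference an undefined source/filter/destination."""
    defined = {"source": set(), "filter": set(), "destination": set()}
    log_paths = []
    for kind, name, body in top_level_blocks(strip_comments(conf)):
        if kind == "log":
            log_paths.append(body)
        else:
            defined[kind].add(name)
    problems = []
    for idx, body in enumerate(log_paths, 1):
        for kind in defined:
            for ref in re.findall(r'\b%s\(\s*(\w+)\s*\)' % kind, body):
                if ref not in defined[kind]:
                    problems.append("log path %d: %s(%s) is not defined" % (idx, kind, ref))
    return problems


def listeners(conf):
    """Return [(source_name, proto, ip, port)] for every tcp()/udp() driver found."""
    found = []
    for kind, name, body in top_level_blocks(strip_comments(conf)):
        if kind != "source":
            continue
        for proto, opts in LISTENER_RE.findall(body):
            ip = re.search(r'\bip\(\s*"?([^")]+)"?\s*\)', opts)
            port = re.search(r'\bport\(\s*(\d+)\s*\)', opts)
            # Assumed defaults for the legacy drivers when ip()/port() are omitted,
            # as with the bare udp() in the answer: all interfaces, port 514.
            found.append((name, proto,
                          ip.group(1) if ip else "0.0.0.0",
                          int(port.group(1)) if port else 514))
    return found


def exposed_listeners(conf):
    """Listeners bound to every interface: restrict these to known senders."""
    return [l for l in listeners(conf) if l[2] in ("0.0.0.0", "::")]


if __name__ == "__main__":
    for label, conf in (("sample", SAMPLE_CONF), ("fixed", FIXED_CONF)):
        print("==", label)
        for p in dangling_references(conf):
            print("ERROR:", p)
        for name, proto, ip, port in listeners(conf):
            print("source %s listens on %s:%d/%s" % (name, ip, port, proto))
```

Run it against a real /etc/syslog-ng/syslog-ng.conf by reading the file into `dangling_references()` and `listeners()`; the parser only understands the flat `kind name { ... };` layout used in this answer and ignores `@include` files, so included definitions must be concatenated first.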
Author: batflaps

Updated on September 18, 2022

Comments

  • batflaps, almost 2 years

    I'm configuring /etc/syslog-ng/syslog-ng.conf on version 3.5.6-2 to listen to remote hosts on port 514 by changing the configuration like

    #source s_src {
    #   system();
    #   internal();
    #};
    # If you wish to get logs from remote machine you should uncomment
    # this and comment the above source line.
    source s_net { tcp(ip(127.0.0.1) port(514)); udp(); };
    

    but when I comment out s_src, as I think it suggests like:

    #source s_src {
    #   system();
    #   internal();
    #};
    

    syslog-ng won't start due to config errors. If I just comment out these:

    source s_src {
    #   system();
    #   internal();
    };
    

    it starts, but won't log standard syslog messages from localhost. Is there some other directive I need to add in source s_src to get it to listen on port 514 for remote hosts?

    (Other possibly relevant lines in config)

    log { source(s_src); filter(f_syslog3); destination(d_syslog); };   
    filter f_syslog3 { not facility(auth, authpriv, mail) and not filter(f_debug); };
    destination d_syslog { file("/var/log/remotelogs/$HOST/syslog"); };
    
  • batflaps, over 5 years
    Okay, that helps, will look into it. Other relevant lines: log { source(s_src); filter(f_syslog3); destination(d_syslog); }; and destination d_syslog { file("/var/log/remotelogs/$HOST/syslog"); }; . The comments in the OP are the defaults in the config file. The version is the latest for Debian Jessie from repositories, though I may be able to upgrade distro to Stretch if needed.