Linux HOWTOs



HOWTO: syslog-ng
Description: Replacement for syslog
Click here for ChangeLog
NOTE: I use GNU tar >= 1.13.25, so it's -j for .tar.bz2 files.
It's safe to assume that make, gcc, binutils, fileutils/coreutils, gawk, sed, and grep are prerequisites for almost everything.


# syslog-ng 3.19.1
# ================
# This HOWTO covers the "Open Source Edition".  If you're interested in the
# "Premium Edition" go here:
# http://www.balabit.com/network-security/syslog-ng/central-syslog-server/

# syslog-ng 1.x used libol, syslog-ng 2.x used GLib and EventLog
# syslog-ng now includes EventLog in the source (lib/eventlog)
# I no longer use ~/src/syslog-ng/ or ~/installed/syslog-ng/ because there
# is now only the syslog-ng tarball, so ~/src/ and ~/installed/ are used
# below.
#
# If you have libol or libevent installed system-wide, try 'make uninstall'
# as root from the source.  As long as it has been ./configure'd that
# should work, look for ginstall in the output of 'make -n install' if not.

# Nearly every time I look for an upgrade, or at least when I update this
# HOWTO, I find that some or all of the old URLs no longer work.  The
# site has significant changes, regularly, not necessarily including
# redirects or links.  Also, you may find that several of the links in
# README.md no longer exist and just redirect you to the main page of a
# site, not the page you requested.  If you can't find something, try
# one of these, then look around for syslog-ng OSE:
#
# www.balabit.com
# www.syslog-ng.com
# Wikipedia: syslog-ng
# www.oneidentity.com
#
# The release announcement posts in the mailing list will include URLs
# that are valid at that time.

# syslog-ng Community
# syslog-ng mailing list
# GitHub: syslog-ng Releases

# 3.19.1 release announcement
# 3.19 Release Notes
# 3.19 Administration Guide

# Prerequisites:
# bison
# flex
# pkg-config
# Python (optional)
# tcp wrappers (optional)
# libdbi (optional; for database support --enable-sql)
# GLib >= 2.10.1
# Maxmind GeoIP
# PCRE
# OpenSSL (optional)
# libnet (optional; used for spoof-source support)
# Criterion (optional)
# libjson (optional; for JSON support)
# MongoDB (optional)
# libESMTP (optional)
# libcurl
# Hiredis >= 0.11.0
# librabbitmq-c (optional)
# riemann-client (optional)
# Java (optional)
# libcap (optional)
# AMQP (optional)
# Valgrind (optional)

# Get it.  A tarball saved by an earlier run lives in ~/installed/; pull it
# back into ~ so it isn't downloaded a second time.
cd
if test -f installed/syslog-ng-3.19.1.tar.gz; then
  mv installed/syslog-ng-3.19.1.tar.gz .
fi
if test ! -f syslog-ng-3.19.1.tar.gz; then
  wget https://github.com/balabit/syslog-ng/releases/download/\
syslog-ng-3.19.1/syslog-ng-3.19.1.tar.gz
fi

# Verify the tarball with sha256sum.  This checksum comes from me, not from
# the syslog-ng developers, so a match only proves your copy is identical
# to mine -- it is not an authenticity check.  Compare it with whatever
# checksum or signature upstream publishes for the release (the release
# announcement is the place to look), and don't continue if this prints
# "FAILED".
sum=5cf931a9d7bead0e6d9a2c65eee8f6005a005878f59aa280f3c4294257ed5178
printf '%s  %s\n' "$sum" syslog-ng-3.19.1.tar.gz | sha256sum -c

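# Extract the source.  Any earlier syslog-ng source tree is removed first;
# -prune stops find from trying to descend into a directory it has just
# deleted, which otherwise produces "No such file or directory" noise.
mkdir -p -m 0700 ~/src
find ~/src -type d -name "syslog-ng-*" -prune -exec rm -r -- {} +
cd ~/src
tar xzvf ~/syslog-ng-3.19.1.tar.gz
cd syslog-ng-3.19.1
# Only root can chown; as a normal user the extracted files stay yours.
test "$UID" = 0 && chown -R root:root .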

# Read ./README.md and if upgrading, read ./NEWS.md

# --enable-dynamic-linking is for when you don't have the GLib static
# library (.a) but only have the shared (.so) one.  If you have both
# and leave that off, syslog-ng will use the static library for
# GLib and EventLog ...meaning, if GLib is upgraded, you would have to
# re-compile and re-install syslog-ng to use the new GLib with it, rather
# than just restarting it.

# If you do need IPv6 support, you'll want to leave off --disable-ipv6 below

# I tried --enable-tcp-wrapper with 3.3.4 and 3.3.11, but it failed with
# undefined symbol: sock_host
# I didn't particularly care at the time and just stopped there.
# Either I didn't bother to try again until 3.19.1, or never noted any
# releases in between, but it did compile successfully with 3.19.1

# To build-in support for SQL destinations, pass --enable-sql
# That will use libdbi to then use MySQL/MariaDB, PostgreSQL, SQLite

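# If you're building-in OpenSSL support and your OpenSSL is installed in the
# usual < 1.1.0 source-installed place, point the build at it (use lib64
# instead of lib if 64-bit).  The variables have to be exported (or put on
# the ./configure command line itself): a plain assignment on a line of its
# own only sets shell variables, which a child process such as ./configure
# never sees.  Guarded so it's a no-op when OpenSSL isn't installed there.
test -d /usr/local/ssl/include &&
 export LDFLAGS=-L/usr/local/ssl/lib CPPFLAGS=-I/usr/local/ssl/include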

# Configure the build.  On x86_64 the libraries and modules go under
# lib64; anything else takes the defaults.
case "$(uname -m)" in
  x86_64)
    ./configure --libdir=/usr/local/lib64 --mandir=/usr/local/man \
      --enable-dynamic-linking --with-module-dir=/usr/local/lib64/syslog-ng \
      --enable-tcp-wrapper --enable-sql --disable-ipv6
    ;;
  *)
    ./configure --mandir=/usr/local/man --enable-dynamic-linking \
      --enable-tcp-wrapper --enable-sql --disable-ipv6
    ;;
esac

# Build it
make

# Become root to install and configure it.  Plain 'su' (no '-') is
# deliberate: it leaves you in the source directory, which 'make install'
# below relies on.
su

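# If you have klogd and syslogd installed from the Slackware 'sysklogd'
# package and want to get rid of them.  Try a clean stop first (rc script,
# then the pid files, then a plain TERM) and only fall back to SIGKILL for
# anything still running.
test -x /etc/rc.d/rc.syslog && /etc/rc.d/rc.syslog stop
sleep 2
test -f /var/run/klogd.pid && kill "$(cat /var/run/klogd.pid)"
test -f /var/run/syslogd.pid && kill "$(cat /var/run/syslogd.pid)"
sleep 2
killall klogd syslogd > /dev/null 2>&1
sleep 2
killall -9 klogd syslogd > /dev/null 2>&1
# Keep the old configuration.  You're root now, so ~/backup is root's;
# create it or the mv below fails.
mkdir -p -m 0700 ~/backup
test -f /etc/syslog.conf &&
 mv -f /etc/syslog.conf ~/backup/syslog.conf-"$(date +%Y%m%d)"
test -x /sbin/removepkg && /sbin/removepkg sysklogd
rm -f /etc/rc.d/rc.syslog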
# You may also want to zap logs in /var/log that you won't be using with
# syslog-ng (if there are any)

# If you have a config file from an old version in /etc/syslog-ng or
# /usr/local/etc/syslog-ng, move it to /usr/local/etc
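# Relocate a config left by an old version, but never clobber one that's
# already in /usr/local/etc (the first one found wins).
if test ! -f /usr/local/etc/syslog-ng.conf; then
  for old in /etc/syslog-ng/syslog-ng.conf \
             /usr/local/etc/syslog-ng/syslog-ng.conf; do
    if test -f "$old" && test ! -f /usr/local/etc/syslog-ng.conf; then
      mv -f -- "$old" /usr/local/etc/
    fi
  done
fi
# rmdir only succeeds if the old directories are now empty
test -d /etc/syslog-ng && rmdir /etc/syslog-ng
test -d /usr/local/etc/syslog-ng && rmdir /usr/local/etc/syslog-ng

# Backup your existing configuration, if you have one.  The backup
# directory has to exist or the cp fails; keep it root-only, the config
# may contain credentials (e.g. for SQL destinations).
mkdir -p -m 0700 ~/backup
test -f /usr/local/etc/syslog-ng.conf &&
 cp -a /usr/local/etc/syslog-ng.conf ~/backup/syslog-ng.conf-"$(date +%Y%m%d)"

# Remove old shared library files and symlinks to avoid issues
find /usr/local/lib*/ \( -type f -o -type l \) -name "libsyslog-ng*" \
 -exec rm -- {} +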

# Install it, then refresh the dynamic linker cache so the freshly
# installed libsyslog-ng is found at runtime.
make install
ldconfig

# Look in here for old files from previous versions, look for a date that
# is not today:
# /usr/local/lib64/syslog-ng/
# /usr/local/include/syslog-ng/

## If you don't have a config file, you can use this sample for RedHat
## you'll have to fix it up though...
## (it may not be updated for 3.x either)
# cp -i contrib/syslog-ng.conf.RedHat /usr/local/etc/syslog-ng.conf
#
# Unless one is already there, a sample syslog-ng.conf and scl.conf will
# be installed to /usr/local/etc/  That handles plugins by including files
# in /usr/local/share/syslog-ng/include/scl/

# Fix permissions on the configuration file, if there is one.  Nobody but
# root needs to read it, and with --enable-sql it may well contain
# database credentials.
if test -f /usr/local/etc/syslog-ng.conf; then
  chown root:root /usr/local/etc/syslog-ng.conf
  chmod 640 /usr/local/etc/syslog-ng.conf
fi

# If you use Slackware >= 8.1 (or if you want to set an rc script to run it)
# you can grab this /etc/rc.d/rc.syslog replacement that'll handle
# syslog-ng.  If you don't use klogd, open up the script and set USE_KLOG
# to 0.  If you use Slackware < 8.1, add something to rc.local to run
# '/etc/rc.d/rc.syslog start'.
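# Fetch the replacement into a staging file first.  This script runs as
# root at every boot and arrives over plain HTTP with no signature, so
# anything that can tamper with the connection can hand you a different
# script: read it before installing it, and use https if the server
# offers it.  The subshells keep your current directory in the source
# tree, which the clean-up step at the end expects.
( cd /etc/rc.d && wget -O rc.syslog.new http://englanders.us/pub/linux/misc/rc.syslog )

# Read /etc/rc.d/rc.syslog.new now.  Once you're happy with it, keep the
# old script (root-only, it may embed local settings) and install the new
# one:
( cd /etc/rc.d || exit
  if test -f rc.syslog; then
    mv -f rc.syslog rc.syslog.old
    chmod 600 rc.syslog.old
  fi
  mv -f rc.syslog.new rc.syslog
  chmod 755 rc.syslog )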

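# Set up logrotate to rotate the common log files.  Same care as with the
# rc script: logrotate runs as root and its config files can carry
# prerotate/postrotate commands, so fetch this one to a staging file and
# read it before putting it in place.
test -d /etc/logrotate.d &&
 ( cd /etc/logrotate.d &&
   wget -O syslog.new http://englanders.us/pub/linux/misc/logrotate-syslog-ng )

# Read /etc/logrotate.d/syslog.new, then:
test -f /etc/logrotate.d/syslog.new &&
 ( cd /etc/logrotate.d || exit
   test -f syslog && mv -f syslog syslog.old
   mv -f syslog.new syslog )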

# If you've configured it and have the init-script in place, fire it up
if test -x /etc/rc.d/rc.syslog; then
  /etc/rc.d/rc.syslog start
fi

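# Make sure your non-root user can remove the source later.  Return to the
# source tree explicitly before doing anything recursive: earlier steps may
# have changed directory (e.g. into /etc/rc.d), and a 'chown -R' run from
# there would hand every boot script on the box to an unprivileged account.
# You're root at this point, so ~ is root's home -- resolve the user's home
# from the passwd database instead.  Nothing happens if the tree isn't
# where expected.
user=$(logname)
cd "$(getent passwd "$user" | cut -d: -f6)/src/syslog-ng-3.19.1" &&
 chown -R -- "$user" . &&
 chmod -R u+w .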

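# Become yourself again
exit

# Save the tarball for later.  It goes straight into ~/installed/, which is
# where the "Get it" step looks for it next time; the old
# ~/installed/syslog-ng/ subdirectory is no longer used, so don't create it.
cd
mkdir -p -m 0700 installed
rm -f installed/syslog-ng*.tar.*
mv syslog-ng-3.19.1.tar.gz installed/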

# If you're setting up a central logging server, check out the stunnel howto
# for an encrypted log connection with remote machines, or read through
# the following section in the documentation:
# Mutual authentication using TLS



Last updated: Wed, 29 Apr 2020 22:04:50 -0400
Jason Englander <jason at englanders dot us>