Amazon Linux 2 is just one of many Linux distributions and other operating systems running in AWS. As Amazon Linux 2 is a close relative of RHEL 7 / CentOS 7, the user experience is also very close to these operating systems. All you need to learn is an extra command for enabling EPEL (Extra Packages for Enterprise Linux). Best of all: the very same commands work both on x86 and Graviton2 (Arm/Aarch64) instances.
Before you begin
These instructions are valid only for Amazon Linux 2, so before you begin, make sure that you are running Amazon Linux 2, and not one of the many other Linux distributions or FreeBSD also available on AWS.
You also need to decide which syslog-ng version you want to use. There are two possibilities:
EPEL has syslog-ng version 3.5. EPEL is a semi-official repository for RHEL/CentOS users, maintained by Fedora developers. There are many interesting new features missing from this release, but it works and receives occasional fixes without the need to upgrade the version. This version is widely accepted even by companies with strict repository policies.
Latest, unofficial syslog-ng package from a personal repository. It has all the latest features, but it is not officially supported, and if you run into a problem, most of the time it is fixed only in the next syslog-ng release. While not officially supported, tens of thousands of machines run these packages, as it has support for JSON parsing, Elasticsearch, various LaaS (Logging as a Service) providers and many other technologies.
Installing syslog-ng from EPEL
The following command enables the EPEL repository on Amazon Linux 2:
amazon-linux-extras install epel
From here, the process is pretty much the same as on any other RHEL 7 / CentOS 7 system. You install syslog-ng using yum, and then use systemctl to enable and start it. Finally, remove rsyslog (or at least stop and disable it) to avoid confusion, like duplicated log messages.
yum install syslog-ng systemctl enable syslog-ng systemctl start syslog-ng yum erase rsyslog
Installing unofficial syslog-ng packages
Installing the unofficial syslog-ng packages is almost the same process as installing them from EPEL. The reason is that some of the dependencies are actually coming from the EPEL repository. There is just one additional step: enabling the unofficial syslog-ng repository. The current latest syslog-ng version is 3.29, so – once you enable EPEL – you can download the repo file with the following commands:
cd /etc/yum.repos.d/ wget https://copr.fedorainfracloud.org/coprs/czanik/syslog-ng329/repo/epel-7/czanik-syslog-ng329-epel-7.repo
You can check the latest available version by looking at https://copr.fedorainfracloud.org/coprs/czanik/ and read more about the various repositories at https://www.syslog-ng.com/community/b/blog/posts/overview-of-syslog-ng-rpm-repositories Note that not all repositories have Aarch64 support enabled. Let me know either on Twitter or GitHub issues if you need Aarch64, but it is not enabled for the given repository.
Once the unofficial repository is enabled, installing syslog-ng is the same process as with the basic EPEL package.
After installation, you should do at least some minimal testing. The method below works both with EPEL and unofficial packages, as it only tests local log sending using the default configuration.
# systemctl status syslog-ng ● syslog-ng.service - System Logger Daemon Loaded: loaded (/usr/lib/systemd/system/syslog-ng.service; enabled; vendor preset: enabled) Active: active (running) since Mon 2020-11-02 13:44:28 UTC; 5s ago Docs: man:syslog-ng(8) Main PID: 9245 (syslog-ng) CGroup: /system.slice/syslog-ng.service └─9245 /usr/sbin/syslog-ng -F -p /var/run/syslogd.pid
Finally, send a test message to it and check if the message arrived successfully in /var/log/messages:
# logger this is a test # tail -1 /var/log/messages Nov 2 13:44:56 ip-1-2-3-4.us-east-2.compute.internal ec2-user: this is a test
What is next?
Once syslog-ng is up and running in your test environment, you should prepare for the next steps:
The default syslog-ng configuration collects log messages locally, while the main strengths of syslog-ng are central log collection and its many destination drivers. Centralize your logs using syslog-ng, and after careful processing and filtering, forward them for further analysis.
The steps above detailed how to install syslog-ng manually, while in a production environment, syslog-ng should be installed and configured using your favorite configuration management system.
If you have questions or comments related to syslog-ng, do not hesitate to contact us. You can reach us by email or even chat with us. For a list of possibilities, check our GitHub page under the “Community” section at https://github.com/syslog-ng/syslog-ng. On Twitter, I am available as @PCzanik.