Installing syslog-ng on Microsoft Linux

Yes, Microsoft has its own Linux distribution, called CBL-Mariner. It is an internal Linux distribution by Microsoft used for cloud infrastructure and edge products and services. And even if it is not installed in the OS by default, CBL-Mariner also includes syslog-ng.

Before you begin

I must admit, I installed CBL-Mariner only out of curiosity. I am not sure how useful it could be in your environment. However, I was happy to see that syslog-ng is included in it, so I wanted to see what version and which features are available. The previous version of CBL-Mariner included a quite old syslog-ng version. I wanted to help upgrading it, but it turned out that there was no installer for that version of the OS. However, version 2.0 was released recently, and an installer ISO is also available for that.

Version 2.0 of CBL-Mariner includes an up-to-date version of syslog-ng. In most cases, the syslog-ng package is modular. However, syslog-ng in CBL-Mariner is a monolithic package, which includes some of the most popular syslog-ng features in a single package. Besides the basic features that do not require external dependencies, JSON, HTTP and Python support are also enabled.

Installation and testing

The installation of CBL-Mariner is not in the scope of this article. However, it was a Next→Next→Finish type of installation in a virtual machine, so nothing really difficult.

Once the OS is installed, you can install syslog-ng:

dnf install syslog-ng

You can enable and start syslog-ng automatically using the regular systemd commands:

systemctl enable syslog-ng
systemctl start syslog-ng

You can check its version and enabled modules with the -V option of syslog-ng:

root [ ~ ]# syslog-ng -V
syslog-ng 3 (3.33.2)
Config version: 3.33
Installer-Version: 3.33.2
Compile-Date: Apr 23 2022 17:23:04
Module-Directory: /usr/lib/syslog-ng
Module-Path: /usr/lib/syslog-ng
Include-Path: /usr/share/syslog-ng/include
Available-Modules: hook-commands,syslogformat,cryptofuncs,pseudofile,map-value-pairs,add-contextual-data,afuser,cef,affile,timestamp,afsocket,secure-logging,afprog,http,disk-buffer,azure-auth-header,appmodel,kvformat,json-plugin,graphite,afstomp,tfgetent,xml,sdjournal,stardate,basicfuncs,confgen,tags-parser,mod-python,linux-kmsg-format,examples,system-source,dbparser,csvparser
Enable-Debug: off
Enable-GProf: off
Enable-Memtrace: off
Enable-IPv6: on
Enable-Spoof-Source: off
Enable-TCP-Wrapper: off
Enable-Linux-Caps: on
Enable-Systemd: on

The bundled configuration is really simple, the default syslog-ng configuration shipped in the syslog-ng sources. It collects all local log messages into a single file: /var/log/messages.

Testing is also really easy:

logger this is a test

The log message will show up in the log file:

root [ ~ ]# logger this is a test
root [ ~ ]# tail -1 /var/log/messages
Jun  9 10:33:04 mariner2 root[1335]: this is a test

What is next?

As I wrote above, I only tested CBL-Mariner out of curiosity upon learning that Microsoft also has a Linux distribution (“What?! Microsoft Linux?”). However, it seems to me that Microsoft is making an effort to make CBL-Mariner actually useful outside of its own infrastructure. There is now an installer, all kinds of virtual machine and container images, and even an up-to-date syslog-ng version in it :-) So, I keep an eye on this, and if you work in a Microsoft-centric environment, you might want to check it out as well.


If you have questions or comments related to syslog-ng, do not hesitate to contact us. You can reach us by email or even chat with us. For a list of possibilities, check our GitHub page under the “Community” section at On Twitter, I am available as @Pczanik.

Related Content