As a follow-up to my RPM blog last week, here are instructions for installing syslog-ng Open Source Edition (syslog-ng OSE) on Debian and Ubuntu. If you read my previous blog, skip to the installation part at the end; otherwise, read on.
The syslog-ng application is part of all major Linux distributions, and you can usually install syslog-ng from the official repositories. If you use just the core functionality of syslog-ng, use the package in your distribution repository (apt-get install syslog-ng), and you can stop reading here. However, if you want to use the features of newer syslog-ng versions (for example, sending log messages to Elasticsearch or Apache Kafka), you have to either compile syslog-ng from source or install it from unofficial repositories. This post explains how to do that.
For information on all platforms that could be relevant to you, check out all my blog posts about installing syslog-ng on major Linux distributions, collected in one place.
In addition, syslog-ng is also available as a Docker image. To learn more, read our tutorial about logging in Docker using syslog-ng.
Why is syslog-ng in my distribution so old?
Most Linux distributions impose a number of limitations. These are not limitations in the traditional sense, but rather forms of quality control.
- Distribution releases are done on a schedule: once a release candidate is out, software in the distribution is frozen at its current version and only receives bug and security fixes. This ensures that a known state of the distribution can be tested and polished, and that external applications are installed on a stable base. But it also means that distributions ship an older version of syslog-ng, which lags behind by a few minor or even major versions.
- Distribution policy often prohibits bundled libraries. Some syslog-ng features are only available with bundled libraries, either because they require a modified version of a library, or a version that is not yet available in the distribution.
- Distributions may lack certain dependencies (tools, sources) that are required to enable certain features in syslog-ng. This makes compiling Java-based destinations nearly impossible, as most of the required tools and dependencies are either missing or available in a different version than syslog-ng requires.
All of this means that the syslog-ng in a distribution is locked to a given version with a limited feature set for anywhere from half a year to half a decade, depending on the release cycle, so the included syslog-ng can be up to five years old.
If you need a feature or fix that is not available in the distribution package, you can either compile syslog-ng yourself or use one of the unofficial syslog-ng DEB repositories. Using the repositories is usually easier.
Where to find new DEB packages of syslog-ng?
We, the developers of syslog-ng, maintain several unofficial repositories for different distributions. The natural question is: why are these called “unofficial”? The short answer is: these packages are not officially supported by Balabit or by a Linux distribution. If you need tested binaries, commercial support with guaranteed response times and other goodies, you need either a commercial Linux distribution that includes syslog-ng (see the possible problems above), or the commercial syslog-ng Premium Edition developed by Balabit. We support the unofficial repositories on a best-effort level, which is sometimes quicker than commercial support, but most often is not.
Looking for RPM packages? Check my previous blog covering RPM packages.
Which package to install?
You can use many sources and destinations in syslog-ng. The majority of these require additional dependencies to be installed. If all features were packaged into a single package, installing syslog-ng would also pull in dozens of other smaller and larger dependencies, including such behemoths as Java. This is why the syslog-ng-core package includes only the core functionality, whereas features requiring additional dependencies are available as sub-packages. The most popular sub-package is syslog-ng-mod-elastic, which installs the Java-based Elasticsearch destination driver, but there are many others as well. The command “apt-cache search syslog-ng” lists all of them.
Install syslog-ng on Ubuntu or Debian
At the time of writing, the latest syslog-ng version is 3.11, and Debian and Ubuntu packages are available on the Open Build Service at https://build.opensuse.org/project/show/home:laszlo_budai:syslog-ng . The installation steps below are for Ubuntu 17.04, but you can use them with minimal modifications on any other supported distribution: just change the distribution part of the URLs. You can see the list of supported distributions at the upper right side of the page when you open the above URL.
1. Download and install the release key:
wget -qO - http://download.opensuse.org/repositories/home:/laszlo_budai:/syslog-ng/xUbuntu_17.04/Release.key | sudo apt-key add -
2. Add the repository containing the latest unofficial build of syslog-ng to the APT sources. Under the /etc/apt/sources.list.d/ directory create a new file, for example syslog-ng-obs.list. Add the following line to this file:
deb http://download.opensuse.org/repositories/home:/laszlo_budai:/syslog-ng/xUbuntu_17.04 ./
Run the following command:
3. Install syslog-ng and any of its sub-packages:
apt-get install syslog-ng-core
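The steps above fetch the repository key over plain http and hand it to apt-key without checking what was downloaded, which means anyone on the path can substitute a key and then serve you trojaned packages; apt-key is also deprecated on current Debian and Ubuntu releases. The script below is an added example (not the original post's procedure and not part of the syslog-ng project) that does the same three steps in a safer way: it downloads the key over https, refuses to trust it unless its fingerprint matches a value you pinned beforehand, stores it as a dedicated keyring, and registers the repository with signed-by so that key can only vouch for this one source. It assumes the OBS mirror is reachable over https, that the distribution string (xUbuntu_17.04, Debian_9.0, and so on) matches a directory listed on the project page, and that you fill in EXPECTED_FPR from the fingerprint published on the OBS project page; the placeholder is empty on purpose so the check fails closed. The apt-get update between adding the source and installing is the refresh any new APT source needs.

```shell
#!/bin/sh
# Added example: safer variant of the three installation steps.
# Not the original post's commands; see the lead-in for assumptions.
set -eu

OBS_PROJECT="home:/laszlo_budai:/syslog-ng"
KEYRING="/usr/share/keyrings/syslog-ng-obs.gpg"
SOURCES_FILE="/etc/apt/sources.list.d/syslog-ng-obs.list"
# Assumed placeholder: set this to the fingerprint shown on the OBS project
# page. An empty value makes fingerprints_match fail, so nothing is trusted.
EXPECTED_FPR="${EXPECTED_FPR:-}"

# Repository URL for a distribution string such as xUbuntu_17.04 or Debian_9.0.
obs_repo_url() {
    printf 'https://download.opensuse.org/repositories/%s/%s' "$OBS_PROJECT" "$1"
}

# Release.key lives at the top of each distribution directory.
obs_key_url() {
    printf '%s/Release.key' "$(obs_repo_url "$1")"
}

# sources.list entry pinned to the repository's own keyring via signed-by.
obs_sources_line() {
    printf 'deb [signed-by=%s] %s ./' "$KEYRING" "$(obs_repo_url "$1")"
}

# Primary key fingerprint of an ASCII-armored key file (gpg >= 2.1.23).
key_fingerprint() {
    gpg --show-keys --with-colons --with-fingerprint "$1" 2>/dev/null \
        | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Compare fingerprints ignoring case and spaces. Fails when the expected
# value is empty: a key nobody pinned must never be trusted.
fingerprints_match() {
    got=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    want=$(printf '%s' "$2" | tr -d ' ' | tr 'a-f' 'A-F')
    [ -n "$want" ] && [ "$got" = "$want" ]
}

# install_repo DISTRO [sub-package ...]  (run as root)
install_repo() {
    distro="$1"
    shift
    tmp=$(mktemp)
    trap 'rm -f "$tmp"' EXIT
    wget -qO "$tmp" "$(obs_key_url "$distro")"
    fpr=$(key_fingerprint "$tmp")
    if ! fingerprints_match "$fpr" "$EXPECTED_FPR"; then
        echo "refusing to trust key $fpr (expected '$EXPECTED_FPR')" >&2
        exit 1
    fi
    gpg --dearmor < "$tmp" > "$KEYRING"
    obs_sources_line "$distro" > "$SOURCES_FILE"
    apt-get update
    apt-get install -y syslog-ng-core "$@"
}

case "${1:-}" in
    install) shift; install_repo "$@" ;;
    "") ;;   # no arguments: only define the functions above
    *) echo "usage: $0 install DISTRO [sub-package ...]" >&2; exit 2 ;;
esac
```

Usage: `EXPECTED_FPR='<fingerprint from the OBS page>' sudo -E sh syslog-ng-obs.sh install xUbuntu_17.04 syslog-ng-mod-elastic`. If the fingerprint of the downloaded key differs from what you pinned, the script stops before touching /usr/share/keyrings or /etc/apt, which is the behaviour you want on a hostile network.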