As a follow-up to my RPM blog, here are instructions installing syslog-ng Open Source Edition (syslog-ng OSE) on the Debian / Ubuntu version. If you read my previous blog, skip to the installation part at the end, otherwise: read on.
The syslog-ng application is part of all major Linux distributions, and you can usually install syslog-ng from the official repositories. If you use just the core functionality of syslog-ng, use the package in your distribution repository (apt-get install syslog-ng), and you can stop reading here. However, if you want to use the features of newer syslog-ng versions (for example, send log messages to Elasticsearch or Apache Kafka), you have to either compile the syslog-ng from source, or install it from unofficial repositories. This post explains you how to do that.
For information on all platforms that could be relevant to you, check out all my blog posts about installing syslog-ng on major Linux distributions, collected in one place.
In addition, syslog-ng is also available as a Docker image. To learn more, read our tutorial about logging in Docker using syslog-ng.
Why is syslog-ng in my distribution so old?
Most Linux distributions have a number of limitations. Of course these are not limitations in the traditional sense, rather ways of quality control.
- Distribution releases are done on a schedule: after a release candidate is out, software in the distribution cannot be upgraded. This ensures that a known state of the distribution can be tested and polished, and external applications are installed on a stable base. But it also means that distributions include an older version of syslog-ng, which lags behind a few minor or major versions.
- The use of bundled libraries is often prohibited. Some functionality of syslog-ng is only available in bundled libraries, either because it requires a modified version, or requires a version that is not yet available in distributions.
- Distributions may lack certain depencencies (tools, sources) that are required to enable certain features in syslog-ng. This makes compiling Java-based destinations nearly impossible, as most tools and dependencies are missing, or have a different version than required by syslog-ng.
All of this means that syslog-ng in distributions is locked to a given version with a limited feature set from half a year to up to half a decade, depending on the release cycle. Thus, the included syslog-ng version can be five years old.
If you need a feature or fix not available for some reason in the distribution package, you can either compile syslog-ng for yourself or use one of the unofficial syslog-ng DEB repositories. Using the repositories is usually easier
Where to find new DEB packages of syslog-ng?
We, the developers of syslog-ng maintain several unofficial repositories for different distributions. The natural question is: why are these called “unofficial”? The short answer is: these packages are not officially supported by One Identity or a Linux distribution. If you need tested binaries, commercial support with guaranteed response times and other goodies, you either need a commercial Linux distribution, which includes syslog-ng (see possible problems above), or the commercial syslog-ng Premium Edition developed by One Identity. We support the unofficial repositories on a best effort level, which is sometimes quicker than commercial support, but most often is not
Looking for RPM packages? Check my previous blog covering RPM packages.
Which package to install?
You can use many sources and destinations in syslog-ng. The majority of these require additional dependencies to be installed. If all of the features would be packaged into a single package, installing syslog-ng would also install dozens of other smaller and larger dependencies, including such behemoths as Java. This is why the syslog-ng-core package includes only the core functionality, whereas features requiring additional dependencies are available as sub-packages. The most popular sub-package is syslog-ng-mod-http, which allows you to log to Elasticsearch and many cloud services, but there are many others as well. The command “apt-cache search syslog-ng” will list you all the possibilities.
Install syslog-ng on Ubuntu or Debian
The installation steps below are for Ubuntu 20.04, but you can use them with minimal modifications in any other supported distributions, just change the URLs.
1. Download and install the release key:
wget -qO - https://ose-repo.syslog-ng.com/apt/syslog-ng-ose-pub.asc | sudo apt-key add -
2. Add the repository containing the latest stable build of syslog-ng to the APT sources. For example, on Ubuntu 20.04:
echo "deb https://ose-repo.syslog-ng.com/apt/ stable ubuntu-focal" | sudo tee -a /etc/apt/sources.list.d/syslog-ng-ose.list
Run the following command:
3. Install syslog-ng and any of its subpackages:
apt-get install syslog-ng-core
Note: packages in the Open Build Service at https://build.opensuse.org/project/show/home:laszlo_budai:syslog-ng (which were previously recommended here) are no more maintained. If you are using those packages, it is recommended to switch the new repositories. First, follow instructions below to add the new repository, update syslog-ng, then remove the old repository.