Recently I have found that the number of syslog-ng users on OpenBSD is growing, even with an ancient syslog-ng version in OpenBSD ports that is unable to collect local log messages. Then I remembered that Todd Miller – maintainer of sudo, and my colleague at One Identity – is also an OpenBSD user and developer. I asked him for a little help, which turned out to be quite a lot in the end, but syslog-ng is now updated to the latest version in OpenBSD ports!
Before you begin
Note: the OpenBSD project recommends installing the ready-to-use packages built from ports instead of building from ports directly. Version 6.9 of OpenBSD ships syslog-ng version 3.12. Version 3.32 of syslog-ng is now in the -CURRENT branch of OpenBSD ports, so the next OpenBSD release will feature an up-to-date syslog-ng package.
In the previous paragraph I tried to discourage you from compiling the latest syslog-ng from ports. If you just want a basic syslog server collecting remote logs, you can safely stay with the old version; you will get the latest version once a new release of OpenBSD is available. Instructions for installing the syslog-ng package are available at: https://www.syslog-ng.com/community/b/blog/posts/syslog-ng-on-bsds
If you would like to know what changed in syslog-ng and in the syslog-ng OpenBSD port and what is still expected to come, read on.
This was not simply a version update from 3.12 to 3.32. Many things have changed in syslog-ng and in the port as well:
The new openbsd() source collects local OpenBSD log messages that programs submit through the sendsyslog(2) system call, which is how OpenBSD's libc delivers syslog(3) messages. Older syslog-ng versions could not receive these, which is why they could only act as a remote log collector; with this source, syslog-ng can replace syslogd from the base system.
Syslog-ng needed many patches to compile on OpenBSD. They are now merged upstream and a few additional problems are fixed.
Many bugs were fixed in syslog-ng, performance was improved, and many new parsers, source and destination drivers were added to syslog-ng.
The port now includes the syslog-ng configuration library (SCL), a growing collection of configuration snippets for finding and masking credit card numbers in logs, sending logs to Elasticsearch, Splunk and various cloud services, and parsing logs coming from sudo and various networking devices.
Many syslog-ng destinations require syslog-ng to be linked with various client libraries. Trying to keep a careful balance, the most popular ones are now enabled in ports, including http() support through curl.
What is expected to come?
The current state has been a huge step forward already, but there is even more to come:
SCL is now available, but it is not enabled in syslog-ng.conf. You can enable it yourself: copy scl.conf from /usr/local/share/examples/syslog-ng/ to /etc/syslog-ng/ and add @include "scl.conf" close to the beginning of syslog-ng.conf (after the @version line, which must stay first).
once SCL is enabled, replacing the openbsd() source with system() turns on automatic message parsing for sudo and other known log formats
at least semi-regular syslog-ng updates in ports
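To show the two steps above in one place, here is an added example configuration (not taken from the post or from the syslog-ng project) for a small OpenBSD host that both replaces the base syslogd and collects remote logs. It assumes syslog-ng 3.32 from ports, scl.conf already copied into /etc/syslog-ng/, and a log directory layout under /var/log/syslog-ng/ that is my own choice; the ownership and permission settings are an assumed policy, not something the port configures.

```conf
@version: 3.32
# Added example, not from the post or the syslog-ng project.
# Assumes scl.conf was copied from /usr/local/share/examples/syslog-ng/
# to /etc/syslog-ng/ (the @include must come after the @version line).
@include "scl.conf"

options {
    # Do not resolve client addresses: blocking DNS lookups slow the
    # receiving path, and a forged PTR record would end up in the log name.
    use_dns(no);
    keep_hostname(yes);
    # Assumed policy: log files readable by root and the wheel group only.
    create_dirs(yes);
    owner("root");
    group("wheel");
    perm(0640);
    dir_perm(0750);
};

# Local messages. With SCL enabled, system() selects the platform driver,
# which on OpenBSD is openbsd(), and adds automatic parsing of known
# formats such as sudo. Without SCL, use "openbsd();" here instead.
source s_local {
    system();
    internal();
};

# Remote logs: legacy BSD syslog on UDP/514 and RFC 5424 on TCP/601.
# syslog-ng does no access control here; restrict these ports with pf.
source s_remote {
    network(ip("0.0.0.0") port(514) transport("udp"));
    syslog(ip("0.0.0.0") port(601) transport("tcp"));
};

# Plain local log, one file per remote host, and sudo events as JSON.
# all-nv-pairs includes the dotted name-value pairs the sudo parser adds,
# so each record carries the parsed fields, not only the raw message.
destination d_local { file("/var/log/syslog-ng/local.log"); };
destination d_remote { file("/var/log/syslog-ng/remote/${HOST}.log"); };
destination d_sudo {
    file("/var/log/syslog-ng/sudo.json"
         template("$(format-json --scope rfc5424 --scope all-nv-pairs)\n"));
};

filter f_sudo { program("sudo"); };

log { source(s_local); destination(d_local); };
log { source(s_local); filter(f_sudo); destination(d_sudo); };
log { source(s_remote); destination(d_remote); };
```

Check the file with syslog-ng --syntax-only before activating it, and make sure the base system's syslogd is stopped and disabled (rcctl) before starting syslog-ng, since only one of them should receive the local messages.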
Compiling syslog-ng from ports
According to the OpenBSD documentation, it is not recommended unless you know what you are doing. I was able to do this after booting OpenBSD for the second time; however, I only had syslog-ng and its dependencies on the test machine, so your mileage may vary.
First of all, you have to update ports to the latest snapshot of the -CURRENT branch. It is described on the OpenBSD AnonCVS page at https://www.openbsd.org/anoncvs.html
The syslog-ng port itself resides in the /usr/ports/sysutils/syslog-ng directory. In an ideal case, a single make install in that directory is enough to compile and install syslog-ng and its dependencies. In practice, the build complained about version problems. I had to delete all pre-built packages and recompile all dependencies. Along the way the build failed a couple of times, missing various build-time dependencies. Once I had built and installed them, I could successfully build syslog-ng as well.
Using an OpenBSD snapshot
Another option is to use an OpenBSD snapshot, built between official releases. Snapshots are not for production use, but for development and testing. However, they also include packages built from the latest ports, so you can skip building syslog-ng on your own and install the prebuilt package. You can learn more about following -CURRENT, including moving an installation to the latest snapshot with sysupgrade -s, at https://www.openbsd.org/faq/current.html
What is next?
Congratulations! You are now ready to use the latest syslog-ng on OpenBSD. You can help us by reporting any problems you encounter while using the syslog-ng port at https://github.com/syslog-ng/syslog-ng/issues
If you have questions or comments related to syslog-ng, do not hesitate to contact us. You can reach us by email or even chat with us. For a list of possibilities, check our GitHub page under the “Community” section at https://github.com/syslog-ng/syslog-ng. On Twitter, I am available as @Pczanik.