A few weeks ago I wrote about syslog-ng in Microsoft’s own Linux distribution, CBL-Mariner. VMware Photon OS 4.0 is another niche Linux distribution. It not only features syslog-ng, but syslog-ng is also up-to-date. The syslog-ng package in Photon, though, is also the strangest one I have ever encountered.
Before you begin
I must admit that I installed Photon only out of curiosity. It is a minimalist operating system, optimized to run container-based workloads. A real unique feature I could find in it is that it has a VMware-optimized kernel. The other unique feature is that it has an up-to-date syslog-ng package which is not maintained by me :-)
It might also be interesting to know that CBL-Mariner inherited its syslog-ng package from Photon OS. That was years ago, and it was quite an old syslog-ng version. The two distros now maintain syslog-ng separately; Photon seems to be a lot more active. They even opened a number of bug reports and feature requests for syslog-ng.
In most Linux distributions, the syslog-ng package is modular. The one in Photon is monolithic. While most monolithic packages usually only include core syslog-ng features and enable JSON and HTTP support in addition, syslog-ng in Photon enables some rare-to-see syslog-ng features. It has the strangest combination of extra features I have ever seen: Python and MQTT support.
Installation of Photon OS is not the scope of my blog. Luckily, it does not mean that it is difficult: the toughest part was configuring the root password (there are some obscure checks, meaning that the simple passwords I use on test machines did not work).
Once the installation of the operating system is ready, installing syslog-ng is easy:
tdnf install syslog-ng
systemctl enable syslog-ng
systemctl start syslog-ng
Note that the package manager is called tdnf, not dnf.
Check the version of the installed syslog-ng package and the list of available modules:
root@photon4 [ ~ ]# syslog-ng -V
syslog-ng 3 (3.37.1)
Config version: 3.35
Installer-Version: 3.37.1
Revision:
Compile-Date: Jul 6 2022 03:06:15
Module-Directory: /usr/lib/syslog-ng
Module-Path: /usr/lib/syslog-ng
Include-Path: /usr/share/syslog-ng/include
Available-Modules: csvparser,xml,kvformat,linux-kmsg-format,tfgetent,disk-buffer,hook-commands,afsocket,stardate,affile,pseudofile,graphite,secure-logging,appmodel,syslogformat,add-contextual-data,json-plugin,system-source,examples,confgen,basicfuncs,http,regexp-parser,timestamp,cryptofuncs,tags-parser,map-value-pairs,afprog,afstomp,afuser,rate-limit-filter,mqtt,cef,dbparser,azure-auth-header,mod-python,sdjournal
Enable-Debug: off
Enable-GProf: off
Enable-Memtrace: off
Enable-IPv6: on
Enable-Spoof-Source: off
Enable-TCP-Wrapper: off
Enable-Linux-Caps: off
Enable-Systemd: on
Next to the core modules you will see json-plugin, mod-python, http and mqtt.
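When the same configuration is rolled out to several hosts, the module list can be checked automatically before a configuration that depends on a given module is deployed. The shell function below is an added example, not part of the original post or of the Photon package; the name missing_modules and the shortened sample output are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: report which required syslog-ng modules are absent.
# Reads `syslog-ng -V` output on stdin; required module names are arguments.
# Prints the missing names separated by spaces (empty line if none).
missing_modules() {
    # Extract the comma-separated list from the Available-Modules line.
    avail=$(sed -n 's/^Available-Modules:[[:space:]]*//p' | tr -d '[:space:]')
    missing=""
    for mod in "$@"; do
        # Wrap both sides in commas so only whole names match:
        # "json" must not be satisfied by "json-plugin".
        case ",$avail," in
            *",$mod,"*) ;;
            *) missing="${missing:+$missing }$mod" ;;
        esac
    done
    printf '%s\n' "$missing"
}

# Constructed sample: a shortened copy of the Photon OS output shown above.
SAMPLE_V_OUTPUT='syslog-ng 3 (3.37.1)
Config version: 3.35
Available-Modules: affile,afsocket,json-plugin,system-source,http,mqtt,azure-auth-header,mod-python,sdjournal
Enable-Systemd: on'

# Exact module names are required: "json" is reported missing here,
# because the module is listed as "json-plugin".
printf '%s\n' "$SAMPLE_V_OUTPUT" | missing_modules json mqtt

# On a live host:
#   syslog-ng -V | missing_modules json-plugin mod-python http mqtt
```

Module names must be given exactly as they appear in the Available-Modules line, for example mod-python rather than python.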
The bundled configuration is simple. It collects local log messages in /var/log/messages and /var/log/messages-kv.log. Both contain the same log messages, but the second one also includes any parsed data as key-value pairs.
root@photon4 [ ~ ]# logger this is a test
root@photon4 [ ~ ]# tail -1 /var/log/messages
Jul 25 13:37:48 photon4 root: this is a test
root@photon4 [ ~ ]#
As the syslog-ng configuration uses the system() source, some of the log messages are automatically parsed. The messages-kv.log file contains name-value pairs from the journal, and also any name-value pairs created by syslog-ng. You can check it by running a command through sudo and checking logs for name-value pairs starting with .sudo in their names.
What is next?
If you need a minimalist Linux OS to run your containers in a VMware environment and you also happen to like syslog-ng, give Photon OS a try. Its maintainers follow upstream syslog-ng development closely and keep the syslog-ng package nicely updated.
If you have questions or comments related to syslog-ng, do not hesitate to contact us. You can reach us by email or even chat with us. For a list of possibilities, check our GitHub page under the “Community” section at https://github.com/syslog-ng/syslog-ng. On Twitter, I am available as @PCzanik.