syslog-ng Open Source Edition 3.36 - Administration Guide

Preface Introduction to syslog-ng The concepts of syslog-ng Installing syslog-ng The syslog-ng OSE quick-start guide The syslog-ng OSE configuration file source: Read, receive, and collect log messages
How sources work default-network-drivers: Receive and parse common syslog messages internal: Collecting internal messages file: Collecting messages from text files wildcard-file: Collecting messages from multiple text files linux-audit: Collecting messages from Linux audit logs mqtt: receiving messages from an MQTT broker network: Collecting messages using the RFC3164 protocol (network() driver) nodejs: Receiving JSON messages from nodejs applications mbox: Converting local email messages to log messages osquery: Collect and parse osquery result logs pipe: Collecting messages from named pipes pacct: Collecting process accounting logs on Linux program: Receiving messages from external applications python: writing server-style Python sources python-fetcher: writing fetcher-style Python sources snmptrap: Read Net-SNMP traps sun-streams: Collecting messages on Sun Solaris syslog: Collecting messages using the IETF syslog protocol (syslog() driver) system: Collecting the system-specific log messages of a platform systemd-journal: Collecting messages from the systemd-journal system log storage systemd-syslog: Collecting systemd messages using a socket tcp, tcp6, udp, udp6: Collecting messages from remote hosts using the BSD syslog protocol— OBSOLETE unix-stream, unix-dgram: Collecting messages from UNIX domain sockets stdin: Collecting messages from the standard input stream
destination: Forward, send, and store log messages
amqp: Publishing messages using AMQP collectd: sending metrics to collectd discord: Sending alerts and notifications to Discord elasticsearch2: Sending messages directly to Elasticsearch version 2.0 or higher (DEPRECATED) elasticsearch-http: Sending messages to Elasticsearch HTTP Bulk API file: Storing messages in plain-text files graphite: Sending metrics to Graphite Sending logs to Graylog hdfs: Storing messages on the Hadoop Distributed File System (HDFS) Posting messages over HTTP http: Posting messages over HTTP without Java kafka: Publishing messages to Apache Kafka (Java implementation) kafka-c(): Publishing messages to Apache Kafka using the librdkafka client (C implementation) loggly: Using Loggly logmatic: Using Logmatic.io mongodb(): Storing messages in a MongoDB database mqtt() destination: sending messages from a local network to an MQTT broker network: Sending messages to a remote log server using the RFC3164 protocol (network() driver) osquery: Sending log messages to osquery's syslog table pipe: Sending messages to named pipes program: Sending messages to external applications pseudofile() python: writing custom Python destinations redis: Storing name-value pairs in Redis riemann: Monitoring your data with Riemann slack: Sending alerts and notifications to a Slack channel smtp: Generating SMTP messages (email) from logs snmp: Sending SNMP traps Splunk: Sending log messages to Splunk sql: Storing messages in an SQL database stomp: Publishing messages using STOMP Sumo Logic destinations: sumologic-http() and sumologic-syslog() syslog: Sending messages to a remote logserver using the IETF-syslog protocol syslog-ng(): Forward logs to another syslog-ng node tcp, tcp6, udp, udp6: Sending messages to a remote log server using the legacy BSD-syslog protocol (tcp(), udp() drivers) Telegram: Sending messages to Telegram unix-stream, unix-dgram: Sending messages to UNIX domain sockets usertty: Sending messages to a user terminal: usertty() destination Write your own custom destination in Java or Python Client-side failover
log: Filter and route log messages using log paths, flags, and filters Global options of syslog-ng OSE TLS-encrypted message transfer template and rewrite: Format, modify, and manipulate log messages parser: Parse and segment structured messages
Parsing syslog messages Parsing messages with comma-separated and similar values Parsing key=value pairs JSON parser XML parser Parsing dates and timestamps Python parser Parsing tags Apache access log parser Linux audit parser Cisco parser Parsing enterprise-wide message model (EWMM) messages iptables parser Netskope parser panos-parser(): parsing PAN-OS log messages Sudo parser Websense parser Fortigate parser Check Point Log Exporter parser Regular expression (regexp) parser db-parser: Process message content with a pattern database (patterndb)
Correlating log messages Enriching log messages with external data Statistics of syslog-ng Multithreading and scaling in syslog-ng OSE Troubleshooting syslog-ng Best practices and examples The syslog-ng manual pages Creative Commons Attribution Non-commercial No Derivatives (by-nc-nd) License Glossary

sumologic-syslog()

The sumologic-http() and sumologic-syslog() destinations send log messages to Sumo Logic, a cloud-based log management and security analytics service.

Using the sumologic-syslog() destination, you can send data (both in JSON and in non-JSON format) to the Sumo Logic service.

For more information about the sumologic-http() destination, see sumologic-http() .

Sending data using the sumologic-syslog() destination
Example: Sending data using the sumologic-syslog() destination

The following example illustrates how you can use the sumologic-syslog() destination to send data to your Sumo Logic account.

log {
  source { system(); };

  destination{
    sumologic-syslog(token("USER-TOKEN-AS-PROVIDED-BY-sumologic")
      deployment("ENDPOINT")
      tls(peer-verify(required-trusted) ca-dir('/etc/syslog-ng/ca.d'))
    );
};
};
Sending JSON data using the sumologic-syslog destination
Example: Sending data using the sumologic-syslog() destination

The following example illustrates how you can use the sumologic-syslog() destination to send JSON data to your Sumo Logic account.

log {
  source{ system(); };

  destination{
    sumologic-syslog(token("USER-TOKEN-AS-PROVIDED-BY-sumologic")
      deployment("ENDPOINT")
      tls(peer-verify(required-trusted) ca-dir('/etc/syslog-ng/ca.d'))
      template("$(format-json --scope all-nv-pairs)")
    );
  };
};

Was this topic helpful?

[Select Rating]



sumologic-http() and sumologic-syslog() destination options

The sumologic-http() and sumologic-syslog() destinations have the following options.

Topics:

Was this topic helpful?

[Select Rating]



sumologic-http() destination options

The sumologic-http() destination supports all HTTP destination options.

In addition, the sumologic-http() destination also has the following options.

ca-dir()
Accepted values: Directory name
Default: none

Description: The name of a directory that contains a set of trusted CA certificates in PEM format. The CA certificate files have to be named after the 32-bit hash of the subject's name. This naming can be created using the c_rehash utility in openssl. For an example, see Configuring TLS on the syslog-ng clients. The syslog-ng OSE application uses the CA certificates in this directory to validate the certificate of the peer.

This option can be used together with the optional ca-file() option.

ca-file()
Accepted values: File name
Default: empty

Description: Optional. The name of a file that contains a set of trusted CA certificates in PEM format. The syslog-ng OSE application uses the CA certificates in this file to validate the certificate of the peer.

Example format in configuration:

ca-file("/etc/pki/tls/certs/ca-bundle.crt")

NOTE: The ca-file() option can be used together with the ca-dir() option, and it is relevant when peer-verify() is set to other than no or optional-untrusted.

collector()
Type: string
Default: empty

Description: The Cloud Syslog Cloud Token that you received from the Sumo Logic service while configuring your cloud syslog source.

For details on the option in the destination's declaration, see Declaration for the sumologic-http() destination.

deployment()
Type: string
Default: empty string

Description: Required. This option specifies your Sumo Logic deployment.

For details on the deployment() option in the sumologic-http() destination's declaration, see Declaration for the sumologic-http() destination.

For details on the deployment() option in the sumologic-syslog() destination's declaration, see Declaration for the sumologic-syslog() destination.

headers()
Type: string list
Default: empty

Description: Custom HTTP headers to include in the request, for example, headers("HEADER1: header1", "HEADER2: header2"). If not set, only the default headers are included, but no custom headers.

The following headers are included by default:

  • X-Syslog-Host: <host>

  • X-Syslog-Program: <program>

  • X-Syslog-Facility: <facility>

  • X-Syslog-Level: <loglevel/priority>

NOTE: The headers() option is a required option for the sumologic-http() destination.

time-reopen()
Accepted values: number [seconds]
Default: 60

Description: The time to wait in seconds before a dead connection is reestablished.

tls()
Type: tls options
Default: n/a

Description: Required option. This option sets various options related to TLS encryption, for example, key/certificate files and trusted CA locations. TLS can be used only with tcp-based transport protocols. For details, see TLS options.


Was this topic helpful?

[Select Rating]



sumologic-syslog() destination options

The sumologic-syslog() destination supports all network() destination options.

In addition, the sumologic-syslog() destination also has the following options.

ca-dir()
Accepted values: Directory name
Default: none

Description: The name of a directory that contains a set of trusted CA certificates in PEM format. The CA certificate files have to be named after the 32-bit hash of the subject's name. This naming can be created using the c_rehash utility in openssl. For an example, see Configuring TLS on the syslog-ng clients. The syslog-ng OSE application uses the CA certificates in this directory to validate the certificate of the peer.

This option can be used together with the optional ca-file() option.

ca-file()
Accepted values: File name
Default: empty

Description: Optional. The name of a file that contains a set of trusted CA certificates in PEM format. The syslog-ng OSE application uses the CA certificates in this file to validate the certificate of the peer.

Example format in configuration:

ca-file("/etc/pki/tls/certs/ca-bundle.crt")

NOTE: The ca-file() option can be used together with the ca-dir() option, and it is relevant when peer-verify() is set to other than no or optional-untrusted.

deployment()
Type: string
Default: empty string

Description: Required. This option specifies your Sumo Logic deployment.

For details on the deployment() option in the sumologic-http() destination's declaration, see Declaration for the sumologic-http() destination.

For details on the deployment() option in the sumologic-syslog() destination's declaration, see Declaration for the sumologic-syslog() destination.

port()
Type: number
Default: 6514

Description: Optional. This option sets the port number of the Sumo Logic server to connect to.

tag()
Type: string list
Default: "tag"

Description: Optional. This option specifies the list of tags to add as the tags fields of Sumo Logic messages. If not specified, syslog-ng OSE automatically adds the tags already assigned to the message. If you set the tag() option, only the tags you specify will be added to the messages.

tls()
Type: tls options
Default: n/a

Description: Required option. This option sets various options related to TLS encryption, for example, key/certificate files and trusted CA locations. TLS can be used only with tcp-based transport protocols. For details, see TLS options.

token()
Type: string
Default:

Description: Required option. The Cloud Syslog Cloud Token that you received from the Sumo Logic service while configuring your cloud syslog source.


Was this topic helpful?

[Select Rating]



Related Documents