CentOS 7 – Setting up and configuring Syslog-ng


By default, a CentOS 7 installation ships with Rsyslog to store the logs of the system and its applications, so all of our system log files are already stored and organized the way syslog expects. After installing Syslog-ng we will keep using these log files, but have them organized in a more suitable way:

First, before starting the installation, we need to set up the EPEL repository:


$ sudo yum install epel-release

Tip

All of the upcoming repository and package availability checks are optional. We can always proceed directly to the installation of Syslog-ng.

To verify that the EPEL repository has been added, we can use the following command:


$ sudo yum repolist

This command lists the repositories from which the YUM package manager can download and install packages. Now that the EPEL repository is available, we check whether any installed packages have updates available from it, using this command:


$ sudo yum check-update

Note

This command is not required; we include it to show how to check for package updates from the YUM repositories.

Finally, to check the availability of the syslog-ng application in the newly added EPEL repository, we need to type the following:


$ sudo yum list *syslog-ng*

Now, we go back to the installation phase. We use yum, since we have verified that the application package is available:


$ sudo yum install syslog-ng syslog-ng-libdbi

We confirm the installation of these packages when prompted, then wait until it finishes.

To activate syslog-ng and make it the default logging tool, we start by stopping and disabling rsyslog:


$ sudo systemctl stop rsyslog
$ sudo systemctl disable rsyslog

Then we edit the syslog-ng configuration file so that it works the way we want. We open the file with any text editor:


$ sudo nano /etc/syslog-ng/syslog-ng.conf

Next, we make the required changes so that it looks like the following:

@version:3.5
@include "scl.conf"
#----------------------------------------------------------------------------
# /etc/syslog-ng/syslog-ng.conf: configuration file
# $Revision: 0.3-r5 (CentOS Edition by Wakko Warner) $
# $Comment: Any comments please send to wakko@acmelabs.spb.ru $
#----------------------------------------------------------------------------
 
# Note: it also sources additional configuration files (*.conf)
#       located in /etc/syslog-ng/conf.d/
 
# Global Options
options {
  # Enable or disable the chained hostname format
  chain_hostnames (off);
  # The number of lines buffered before being written to file
  flush_lines (0);
  log_fifo_size (1000);
  # The default action of syslog-ng is to log a STATS line
  # to the file every 10 minutes.  That's pretty ugly after a while.
  # Change it to every 12 hours so you get a nice daily update of
  # how many messages syslog-ng missed (0).
  stats_freq (43200);
  time_reopen (10);
  # The default action of syslog-ng is to log a MARK line
  # to the file every 20 minutes.  That seems high for most
  # people so turn it down to once an hour.  Set it to zero
  # if you don't want the functionality at all.
  mark_freq(3600);
  # Enable or disable hostname rewriting
  keep_hostname (yes);
  # Enable or disable directory creation for destination files
  create_dirs (yes);
  # userid/groupid/permission value for files
  owner ("root");
  group ("adm");
  perm (0640);
  # userid/groupid/permission value for directories
  dir_owner ("root");
  dir_group ("adm");
  dir_perm (0750);
  # Enable or disable DNS usage
  use_dns (no);
  # Add Fully Qualified Domain Name instead of short hostname
  use_fqdn (no);
  long_hostnames (off);
};

# Stock source from the EPEL default configuration; it is not referenced
# by any log path below, which all use s_local instead.
source s_sys {
    system();
    internal();
    # udp(ip(0.0.0.0) port(514));
};

# Sources of syslog messages (both local and remote messages on the server)
source s_local {
  system();
  internal();
};
# Accepts TCP syslog from localhost only, one connection at a time
source s_tcp { tcp (ip ("127.0.0.1") port (514) max-connections (1) ); };
# Accepts UDP syslog from any host on every interface. UDP syslog is
# unauthenticated, so restrict port 514 with the firewall to known log clients.
source s_udp { udp (ip ("0.0.0.0") port (514)); };
 
# By default messages are logged to tty12...
#destination d_console_all { file("/dev/tty12"); };
# ...if you intend to use /dev/console for programs like xconsole
# you can comment out the destination line above that references /dev/tty12
# and uncomment the line below.
#destination d_console_all { file("/dev/console"); };
#destination d_console_all { file("/dev/null"); };
destination d_console_all { program("/bin/cat >/dev/null"); };

# Destinations
destination d_usertty { usertty("*"); };
destination d_everything {
  file("/var/log/syslog-$HOST/$YEAR-$MONTH/$FACILITY.$PRIORITY.log"
    template("$FULLDATE $MSGHDR$MSG\n")
    template_escape(no)
  );
};

# Filters
filter f_emergency { level(emerg); };
filter f_fetchmail_warnings {
  not(match("fetchmail" value("PROGRAM"))
  and match("Warning: the connection is insecure, continuing anyways." value("MESSAGE")));
};

log {
  source(s_local);
  filter(f_emergency);
  destination(d_usertty);
};
log {
  source(s_local);
  filter(f_fetchmail_warnings);
  destination(d_everything);
};
log {
  source(s_local);
  filter(f_fetchmail_warnings);
  destination(d_console_all);
};

log {
  source(s_tcp);
  destination(d_everything);
};
log {
  source(s_tcp);
  destination(d_console_all);
};

log {
  source(s_udp);
  destination(d_everything);
};
log {
  source(s_udp);
  destination(d_console_all);
};

# Source additional configuration files (.conf extension only)
@include "/etc/syslog-ng/conf.d/*.conf"

# vim:ft=syslog-ng:ai:si:ts=4:sw=4:et:
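To see how the log paths above route a message, here is an added example (not part of the original page or of syslog-ng) that parses a few constructed BSD-syslog lines as they would arrive on the udp(514) source, applies the f_emergency and f_fetchmail_warnings filters with the same semantics as the configuration, and expands the d_everything file template. The year and month are passed in, since a BSD timestamp carries no year and syslog-ng fills it from the clock.

```python
import re

# Facility and severity names in syslog-ng order (PRI = facility * 8 + severity).
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "security", "console",
              "solaris-cron", "local0", "local1", "local2", "local3", "local4",
              "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# <PRI>Mmm dd hh:mm:ss host program[pid]: message
LINE_RE = re.compile(r"^<(\d{1,3})>(\w{3} [ \d]\d \d\d:\d\d:\d\d) (\S+) "
                     r"([^:\[ ]+)(?:\[\d+\])?: (.*)$")

# Constructed sample lines, not real log data.
SAMPLE = [
    "<20>May  3 10:15:01 mailhost fetchmail[1201]: Warning: the connection is "
    "insecure, continuing anyways. (Better use --sslcertck!)",
    "<0>May  3 10:15:02 mailhost kernel: Emergency: out of memory, halting",
    "<86>May  3 10:15:03 web01 sshd[4210]: Accepted publickey for alice "
    "from 10.0.0.5 port 51222 ssh2",
]

def parse(line):
    """Decode PRI into facility/level and split host, program and message."""
    m = LINE_RE.match(line)
    if not m:
        return None
    facility, severity = divmod(int(m.group(1)), 8)
    return {"facility": FACILITIES[facility], "level": SEVERITIES[severity],
            "host": m.group(3), "program": m.group(4), "message": m.group(5)}

def f_emergency(msg):
    return msg["level"] == "emerg"

def f_fetchmail_warnings(msg):
    # match() is a substring/regex match; the filter drops only fetchmail
    # messages that carry this exact warning and passes everything else.
    return not ("fetchmail" in msg["program"] and
                "Warning: the connection is insecure, continuing anyways." in msg["message"])

def d_everything_path(msg, year, month):
    return "/var/log/syslog-%s/%s-%s/%s.%s.log" % (
        msg["host"], year, month, msg["facility"], msg["level"])

def route(line, year="2024", month="05"):
    """Return the destinations the s_local log paths would deliver the line to."""
    msg = parse(line)
    if msg is None:
        return []
    dests = ["d_usertty"] if f_emergency(msg) else []
    if f_fetchmail_warnings(msg):
        dests += [d_everything_path(msg, year, month), "d_console_all"]
    return dests
```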

At this point, we can start the syslog-ng service and enable it to start at boot:


$ sudo systemctl start syslog-ng.service
$ sudo systemctl enable syslog-ng.service

With this step, we have configured our logging server using syslog-ng to perform well-organized and useful logging.
