
The syslog-ng Open Source Edition 3.11 Administrator Guide

Publication date June 19, 2018

Abstract

This manual is the primary documentation of the syslog-ng Open Source Edition 3.11 application.

Most popular topics:
■ The syslog-ng OSE quick-start guide
■ How syslog-ng OSE works
■ Filter functions
■ Sending and storing log messages — destinations and destination drivers
■ Collecting log messages — sources and source drivers

Copyright © 1996-2018 One Identity LLC

This guide is published under the Creative Commons Attribution-Noncommercial-No Derivative Works (by-nc-nd) 3.0 license. See Appendix C, Creative Commons Attribution Non-commercial No Derivatives (by-nc-nd) License (p. 545) for details. The latest version is always available at the syslog-ng Documentation page.

Some rights reserved. This documentation and the product it describes are considered protected by copyright according to the applicable laws.

AIX™, AIX 5L™, AS/400™, BladeCenter™, eServer™, IBM™, the IBM™ logo, IBM System i™, IBM System i5™, IBM System x™, iSeries™, i5/OS™, Netfinity™, NetServer™, OpenPower™, OS/400™, PartnerWorld™, POWER™, ServerGuide™, ServerProven™, and xSeries™ are trademarks or registered trademarks of International Business Machines. Alliance Log Agent for System i™ is a registered trademark of Patrick Townsend & Associates, Inc. The Balabit™ name and the Balabit™ logo are registered trademarks of Balabit SA. Debian™ is a registered trademark of Software in the Public Interest Inc. Hadoop™ and the Hadoop elephant logo are trademarks of the Apache Software Foundation. Linux™ is a registered trademark of Linus Torvalds. MapR™ is a trademark of MapR Technologies, Inc. Elasticsearch™ and Kibana™ are trademarks of Elasticsearch BV, registered in the U.S. and in other countries. Apache Kafka and the Apache Kafka Logo are trademarks of the Apache Software Foundation. MySQL™ is a registered trademark of Oracle and/or its affiliates.
Oracle™, JD Edwards™, PeopleSoft™, and Siebel™ are registered trademarks of Oracle Corporation and/or its affiliates. Red Hat™, Inc., Red Hat™ Enterprise Linux™ and Red Hat™ Linux™ are trademarks of Red Hat, Inc. SUSE™ is a trademark of SUSE AG, a Novell business. Solaris™ is a registered trademark of Oracle and/or its affiliates. Splunk>, Listen to Your Data, The Engine for Machine Data, Splunk Cloud, Splunk Light and SPL are trademarks and registered trademarks of Splunk Inc. in the United States and other countries. The syslog-ng™ name and the syslog-ng™ logo are registered trademarks of Balabit. Windows™ 95, 98, ME, 2000, XP, Server 2003, Vista, Server 2008, 7, 8, and Server 2012 are registered trademarks of Microsoft Corporation. All other product names mentioned herein are the trademarks of their respective owners.

DISCLAIMER. One Identity is not responsible for any third-party websites mentioned in this document. One Identity does not endorse and is not responsible or liable for any content, advertising, products, or other material on or available from such sites or resources. One Identity will not be responsible or liable for any damage or loss caused or alleged to be caused by or in connection with use of or reliance on any such content, goods, or services that are available on or through any such sites or resources.

This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (https://www.openssl.org/). This product includes cryptographic software written by Eric Young ([email protected]). This product includes open source software components. For details on the licenses and availability of these software components, see Appendix B, Open source licenses (p. 530).

Table of Contents

Preface
    1. Summary of contents
    2. Target audience and prerequisites
    3. Products covered in this guide
    4. Typographical conventions
    5. Contact and support information
        5.1. Sales contact
        5.2. Support contact
        5.3. Training
    6. About this document
        6.1. Summary of changes
        6.2. Feedback
        6.3. Acknowledgments
1. Introduction to syslog-ng
    1.1. What syslog-ng is
    1.2. What syslog-ng is not
    1.3. Why is syslog-ng needed?
    1.4. What is new in syslog-ng Open Source Edition 3.11?
    1.5. Who uses syslog-ng?
    1.6. Supported platforms
2. The concepts of syslog-ng
    2.1. The philosophy of syslog-ng
    2.2. Logging with syslog-ng
        2.2.1. The route of a log message in syslog-ng
    2.3. Modes of operation
        2.3.1. Client mode
        2.3.2. Relay mode
        2.3.3. Server mode
    2.4. Global objects
    2.5. Timezones and daylight saving
        2.5.1. How syslog-ng OSE assigns timezone to the message
        2.5.2. A note on timezones and timestamps
    2.6. The license of syslog-ng OSE
    2.7. High availability support
    2.8. The structure of a log message
        2.8.1. BSD-syslog or legacy-syslog messages
        2.8.2. IETF-syslog messages
    2.9. Message representation in syslog-ng OSE
    2.10. Structuring macros, metadata, and other value-pairs
        2.10.1. Specifying data types in value-pairs
    2.11. Things to consider when forwarding messages between syslog-ng OSE hosts
3. Installing syslog-ng
    3.1. Compiling syslog-ng from source
    3.2. Compiling options of syslog-ng OSE
    3.3. Uninstalling syslog-ng OSE