Documentation forLoggly

Syslog-ng Configuration

Loggly provides the infrastructure to aggregate and normalize log events so they are available to explore interactively, build visualizations, or create threshold-based alerting. In general, any method to send logs from a system or application to an external source can be adapted to send logs to Loggly. The following instructions provide one scenario for sending logs to Loggly.

The Basic configuration will send your local system logs to Loggly, and offer a foundation to add file and application logs. If you are unable to use our automated configure-syslog script, this guide will help you setup manually with a quick copy & paste. It assumes you have sudo access, you’re on a common linux distribution with syslog-ng 3.2 or higher, it receives local system logs, and port 514 is open to outbound connections. If you have different requirements, please see the Advanced section.

Syslog-ng Configuration Guide

1. Update syslog-ng.conf

Open your syslog-ng.conf file, which is usually found in the /etc/syslog-ng/ directory.

sudo vim /etc/syslog-ng/syslog-ng.conf 

Paste in this configuration:

### Syslog-ng Logging Directives for Loggly.com ###
source s_loggly {
  system();	# Check which OS & collect system logs
  internal();	# Collect syslog-ng logs
};

template LogglyFormat { template("<${PRI}>1 ${ISODATE} ${HOST} ${PROGRAM} ${PID} ${MSGID} [TOKEN@41058 tag=\"TAG\" ] $MSG\n");  
  template_escape(no);
};

destination d_loggly {
  tcp("logs-01.loggly.com" port(514) template(LogglyFormat));
};

log { 
  source(s_loggly); 
  destination(d_loggly); 
};
### END Syslog-ng Logging Directives for Loggly.com ###

Replace the above variables:

  • TOKEN: Replace with your customer token
  • TAG: Replace with a tag that describes the syslog source.

2. Restart syslog-ng

$ /etc/init.d/syslog-ng restart

3. Verify

Use Logger to send a test event. Alternatively, use the automatic verification option in configure-syslog.

$ logger 'Hello World!' 

Verify it shows up in Loggly by doing a search over the past hour (click to expand screenshot). If it doesn’t work, see the troubleshooting section below.
Syslog-ng Configuration

4. Send Application Data

Advanced Syslog-ng Configuration Options

Troubleshooting Syslog-ng

If you don’t see any data show up in the verification step, then check for these common problems.

  • Make sure you restarted syslog-ng
  • Check the syslog-ng logs in /var/log/messages
  • Verify syslog-ng is sending data to Loggly by running "logger test" then searching for that event in Loggly
  • Use a "syslog-ng -s" before reloading / restarting syslog-ng to minimize down time after editing the configuration
  • Make sure port 514 is open for regular syslog or 6514 for TLS encrypted
  • SELinux / Apparmor can cause mysterious troubles as both of these technologies limit what syslog-ng can read and write on a system. SELinux can even prevent you sending or receiving longs on other port than 514. Check the content of /var/log/audit if you think that your configuration is correct and you still get permission denied / unable to connect messages or just silent failures.
  • You can start syslog-ng in verbose / debug mode in the foreground to see on the console what syslog-ng is doing. Use: syslog-ng Fevd
  • It is not enough to define sources and destinations, they also need to be connected using a log statement.

The scripts are not supported under any SolarWinds support program or service. The scripts are provided AS IS without warranty of any kind. SolarWinds further disclaims all warranties including, without limitation, any implied warranties of merchantability or of fitness for a particular purpose. The risk arising out of the use or performance of the scripts and documentation stays with you. In no event shall SolarWinds or anyone else involved in the creation, production, or delivery of the scripts be liable for any damages whatsoever (including, without limitation, damages for loss of business profits, business interruption, loss of business information, or other pecuniary loss) arising out of the use of or inability to use the scripts or documentation.