Syslog-ng TLS Configuration

Loggly provides the infrastructure to aggregate and normalize log events so they are available to explore interactively, build visualizations, or create threshold-based alerting. In general, any method to send logs from a system or application to an external source can be adapted to send logs to Loggly. The following instructions provide one scenario for sending logs to Loggly.

You can securely send your logs to Loggly using TLS encryption. This guide shows you how to set it up for syslog-ng on Linux.

Syslog-ng TLS Configuration Setup

1. Update Configuration file

Open up the configuration file (syslog-ng.conf) and update the content by replacing the configuration given below.

sudo vim /etc/syslog-ng/syslog-ng.conf

### Syslog-ng Logging Directives for Loggly.com ###
source s_loggly {
  system();	# Check which OS & collect system logs
  internal();	# Collect syslog-ng logs
};

template LogglyFormat { template("<${PRI}>1 ${ISODATE} ${HOST} ${PROGRAM} ${PID} ${MSGID} [TOKEN@41058 tag=\"syslog-ng\"] $MSG\n");
  template_escape(no);
};

destination d_loggly {
  tcp("logs-01.loggly.com" port(6514) 
  tls(peer-verify(required-untrusted)
  template(LogglyFormat));
};

log { 
  source(s_loggly); 
  destination(d_loggly); 
};
### END Syslog-ng Logging Directives for Loggly.com ###

Replace:

• TOKEN: your customer token from the source setup page

Restart the syslog-ng service for the changes to take place.

NOTE: Syslog-ng over TLS uses port 6514, so make sure to update your syslog-ng configuration

2. Verify Events

Search Loggly for events with the logtype as syslog over the past hour. It may take few minutes to index the event. If if doesn’t work, see the troubleshooting section below.

logtype:syslog

Advanced Syslog-ng TLS Configuration Options

• Syslog-ng Manual Configuration

Troubleshooting Your Syslog-ng TLS Configuration

• Wait a few minutes in case indexing needs to catch up
• Make sure you restarted syslog-ng
• Syslog over TLS uses port 6514, so check that you’ve updated your rsyslog configuration
• Make sure port 6514 outbound is open on your firewall and network settings
• Run "sudo tcpdump -i lo -A udp and port 6514″ to verify UDP events are being sent to localhost
• Verify your operating system has support for TLS 1.1 or 1.2. Older OSes like CentOS 5 do not have support, but CentOS 6 and higher do.
• Search or post your own syslog-ng TLS questions in the community forum.

The scripts are not supported under any SolarWinds support program or service. The scripts are provided AS IS without warranty of any kind. SolarWinds further disclaims all warranties including, without limitation, any implied warranties of merchantability or of fitness for a particular purpose. The risk arising out of the use or performance of the scripts and documentation stays with you. In no event shall SolarWinds or anyone else involved in the creation, production, or delivery of the scripts be liable for any damages whatsoever (including, without limitation, damages for loss of business profits, business interruption, loss of business information, or other pecuniary loss) arising out of the use of or inability to use the scripts or documentation.