The syslog-ng 3.0 Administrator Guide
Table of Contents
- Preface
- 1. Summary of contents
- 2. Target audience and prerequisites
- 3. Products covered in this guide
- 4. Typographical conventions
- 5. Contact and support information
- 5.1. Sales contact
- 5.2. Support contact
- 5.3. Training
- 6. About this document
- 6.1. What is new in this main edition of The syslog-ng Administrator Guide?
- 6.2. Feedback
- 6.3. Acknowledgments
- 1. Introduction to syslog-ng
- 1.1. What syslog-ng is
- 1.2. What syslog-ng is not
- 1.3. Why is syslog-ng needed?
- 1.4. What is new in syslog-ng 3.0?
- 1.5. Who uses syslog-ng?
- 1.6. Supported platforms
- 2. The concepts of syslog-ng
- 2.1. The philosophy of syslog-ng
- 2.2. Logging with syslog-ng
- 2.2.1. Embedded log statements
- 2.3. Modes of operation
- 2.3.1. Client mode
- 2.3.2. Relay mode
- 2.3.3. Server mode
- 2.4. Global objects
- 2.5. Timezone handling
- 2.6. Daylight saving changes
- 2.7. Secure logging using TLS
- 2.8. Secure storage of log messages
- 2.9. Formatting messages, filenames, directories, and tablenames
- 2.10. Segmenting messages
- 2.11. Modifying messages
- 2.12. Classifying log messages
- 2.12.1. The structure of the pattern database
- 2.12.2. How pattern matching works
- 2.12.3. Artificial ignorance
- 2.13. Managing incoming and outgoing messages with flow-control
- 2.13.1. Flow-control and multiple destinations
- 2.14. Using disk-based buffering
- 2.15. Licensing
- 2.16. High availability support
- 2.17. Possible causes of losing log messages
- 2.18. The structure of a log message
- 2.18.1. BSD-syslog or legacy-syslog messages
- 2.18.2. IETF-syslog messages
- 3. Configuring syslog-ng
- 3.1. The syslog-ng configuration file
- 3.1.1. Including configuration files
- 3.1.2. Logging configuration changes
- 3.2. Defining global objects
- 3.2.1. Notes about the configuration syntax
- 3.3. Sources and source drivers
- 3.3.1. Collecting internal messages
- 3.3.2. Collecting messages from text files
- 3.3.3. Collecting messages from named pipes
- 3.3.4. Collecting messages on Sun Solaris
- 3.3.5. Collecting messages using the IETF syslog protocol
- 3.3.6. Collecting messages from remote hosts using the BSD syslog protocol
- 3.3.7. Collecting messages from UNIX domain sockets
- 3.4. Destinations and destination drivers
- 3.4.1. Storing messages in plain-text files
- 3.4.2. Storing messages in encrypted files
- 3.4.3. Sending messages to named pipes
- 3.4.4. Sending messages to external applications
- 3.4.5. Storing messages in an SQL database
- 3.4.6. Sending messages to a remote logserver using the IETF-syslog protocol
- 3.4.7. Sending messages to a remote logserver using the legacy BSD-syslog protocol
- 3.4.8. Sending messages to UNIX domain sockets
- 3.4.9. usertty()
- 3.5. Log paths
- 3.5.1. Using embedded log statements
- 3.5.2. Configuring flow-control
- 3.6. Filters
- 3.6.1. Optimizing regular expressions in filters
- 3.7. Templates and macros
- 3.8. Parsing messages
- 3.9. Classifying messages
- 3.9.1. Using parser results in filters and templates
- 3.10. Rewriting messages
- 3.11. Configuring global syslog-ng options
- 3.12. Enabling disk-based buffering
- 3.13. Encrypting log messages with TLS
- 3.14. Mutual authentication using TLS
- 3.15. Configuring syslog-ng clients
- 3.16. Configuring syslog-ng relays
- 3.17. Configuring syslog-ng servers
- 3.18. Installing and upgrading the license
- 3.19. Troubleshooting syslog-ng
- 3.19.1. Creating syslog-ng core files
- 3.19.2. Running a failure script
- 3.19.3. Stopping syslog-ng
- 4. Installing syslog-ng
- 4.1. Installing syslog-ng using the .run installer
- 4.1.1. Installing syslog-ng in client or relay mode
- 4.1.2. Installing syslog-ng in server mode
- 4.1.3. Installing syslog-ng without user-interaction
- 4.2. Installing syslog-ng on RPM-based platforms (Red Hat, SUSE, AIX)
- 4.3. Installing syslog-ng on Debian-based platforms
- 4.4. Compiling syslog-ng from source
- 4.5. Uninstalling syslog-ng
- 4.6. Configuring Microsoft SQL Server to accept logs from syslog-ng
- 5. Collecting logs from Windows hosts
- 5.1. Installing the syslog-ng agent
- 5.1.1. Installing the syslog-ng agent in standalone mode
- 5.1.2. Installing the syslog-ng agent on the domain controller and the hosts of a domain
- 5.1.3. Upgrading syslog-ng Agent for Windows to the latest version
- 5.1.4. Upgrading syslog-ng Agent for Windows 2.x to 3.0.x
- 5.1.5. Upgrading syslog-ng Agent for Windows 3.0.1 to version 3.0.2
- 5.1.6. Upgrading syslog-ng Agent for Windows 3.0.2 to version 3.0.3
- 5.1.7. Upgrading syslog-ng Agent for Windows to version 3.0.4
- 5.2. Configuring destinations
- 5.2.1. Limiting the rate of messages
- 5.3. Configuring message sources
- 5.3.1. Eventlog sources
- 5.3.2. File sources and logrotation
- 5.3.3. Global settings of the syslog-ng agent
- 5.4. Using SSL-encrypted connections with the syslog-ng agent
- 5.4.1. Using mutual authentication with syslog-ng agent
- 5.4.2. Importing certificates with the Microsoft Management Console
- 5.5. Filtering messages
- 5.6. Customizing the message format
- 5.6.1. Customizing the timestamp used by the syslog-ng Agent
- 5.6.2. Macros available in the syslog-ng Agent
- 5.7. Using an XML-based configuration file
- 5.7.1. Sample configuration files for the syslog-ng Agent
- 5.8. Controlling the syslog-ng agent services
- 5.8.1. Command-line options
- 5.9. Domain versus local settings
- 5.10. Troubleshooting syslog-ng Agent for Windows
- 5.10.1. Sending messages and CPU load
- 5.10.2. Creating core and memory dumps
- 5.10.3. Logging domain update errors
- 5.11. Configuring the auditing policy on Windows
- 5.11.1. Turning on security logging on Windows XP
- 5.11.2. Turning on security logging for domain controllers
- 5.11.3. Turning on auditing on Windows 2003 Server
- 6. Collecting logs from IBM System i
- 6.1. Supported sources
- 6.2. Supported output formats
- 6.3. Filtering log entries
- 6.4. Installing the syslog-ng Agent for IBM System i
- 6.4.1. Installing from an Internet download
- 6.4.2. Installing from a product CD
- 6.4.3. Upgrading the syslog-ng Agent for IBM System i
- 6.5. Configuring System i security auditing
- 6.5.1. Enabling security auditing manually
- 6.5.2. Enabling user auditing
- 6.5.3. Enabling object auditing
- 6.5.4. Configuring syslog-ng Agent for IBM System i
- 6.5.5. Configuring Alliance Syslog for System i
- 6.5.6. Configuring communication between the syslog-ng Agent and the server
- 6.5.7. Work with security types
- 6.6. Controlling the syslog-ng Agent for IBM System i
- 6.6.1. Starting the Alliance subsystem
- 6.6.2. Automating the start of the Alliance subsystem ALLSYL100
- 6.7. Application maintenance
- 6.8. View application logs
- 6.9. Configuring IBM System i Servers
- 6.9.1. Configuring Apache server logs
- 6.9.2. OpenSSH server logs
- 6.9.3. Other server logs
- 6.10. Troubleshooting the syslog-ng Agent for IBM System i
- 6.10.1. System operator messages
- 6.10.2. Application logging
- 6.10.3. Cannot install the product from CD
- 6.10.4. Logs are not being transferred to my log server
- 6.10.5. I get a license error when trying to use configuration options
- 6.10.6. The product no longer works after a system upgrade
- 6.10.7. Security events are not being captured
- 6.10.8. I am not capturing information about our security administrators
- 6.10.9. I am not capturing information about programs and files
- 6.10.10. I am not capturing QSYSOPR messages
- 6.10.11. I would like to turn off some audit journal events
- 6.10.12. Where do I find error messages?
- 7. Best practices and examples
- 7.1. General recommendations
- 7.2. Handling lots of parallel connections
- 7.3. Handling large message load
- 7.4. Using name resolution in syslog-ng
- 7.4.1. Resolving hostnames locally
- 7.5. Collecting logs from chroot
- 7.6. Replacing klogd on Linux
- 7.7. A note on timezones and timestamps
- 7.8. Dropping messages
- 8. Reference
- 8.1. Source drivers
- 8.1.1. internal()
- 8.1.2. file()
- 8.1.3. pipe()
- 8.1.4. program()
- 8.1.5. sun-streams() driver
- 8.1.6. syslog()
- 8.1.7. tcp(), tcp6(), udp() and udp6()
- 8.1.8. unix-stream() and unix-dgram()
- 8.2. Destination drivers
- 8.2.1. file()
- 8.2.2. logstore()
- 8.2.3. pipe()
- 8.2.4. program()
- 8.2.5. sql()
- 8.2.6. syslog()
- 8.2.7. tcp(), tcp6(), udp(), and udp6()
- 8.2.8. unix-stream() and unix-dgram()
- 8.2.9. usertty()
- 8.3. Log path flags
- 8.4. Filter functions
- 8.5. Macros
- 8.6. Message parsers
- 8.6.1. CSV parsers
- 8.6.2. Pattern databases
- 8.7. Rewriting messages
- 8.8. Regular expressions
- 8.9. Global options
- 8.10. TLS options
- 1. The syslog-ng manual pages
- syslog-ng — syslog-ng system logger application
- syslog-ng.conf — syslog-ng configuration file
- loggen — Generate syslog messages at a specified rate
- 2. BalaBit syslog-ng Premium Edition License contract
- 2.1. SUBJECT OF THE License CONTRACT
- 2.2. DEFINITIONS
- 2.3. Words and expressions
- 2.4. LICENSE GRANTS AND RESTRICTIONS
- 2.5. SUBSIDIARIES
- 2.6. INTELLECTUAL PROPERTY RIGHTS
- 2.7. TRADE MARKS
- 2.8. NEGLIGENT INFRINGEMENT
- 2.9. INTELLECTUAL PROPERTY INDEMNIFICATION
- 2.10. LICENSE FEE
- 2.11. WARRANTIES
- 2.12. DISCLAIMER OF WARRANTIES
- 2.13. LIMITATION OF LIABILITY
- 2.14. DURATION AND TERMINATION
- 2.15. AMENDMENTS
- 2.16. WAIVER
- 2.17. SEVERABILITY
- 2.18. NOTICES
- 2.19. MISCELLANEOUS
- 3. GNU General Public License
- 3.1. Preamble
- 3.2. TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
- 3.2.1. Section 0
- 3.2.2. Section 1
- 3.2.3. Section 2
- 3.2.4. Section 3
- 3.2.5. Section 4
- 3.2.6. Section 5
- 3.2.7. Section 6
- 3.2.8. Section 7
- 3.2.9. Section 8
- 3.2.10. Section 9
- 3.2.11. Section 10
- 3.2.12. NO WARRANTY Section 11
- 3.2.13. Section 12
- 3.3. How to Apply These Terms to Your New Programs
- 4. Creative Commons Attribution Non-commercial No Derivatives (by-nc-nd) License
- Glossary
- Index
© 2007-2008 BalaBit IT Security
Please send your comments or documentation bugs to: documentation@balabit.com