The syslog-ng Administrator Guide

Table of Contents

Preface
1. Summary of contents
2. Target audience and prerequisites
3. Products covered in this guide
4. Typographical conventions
5. Contact and support information
5.1. Sales contact
5.2. Support contact
5.3. Training
6. About this document
6.1. Version information
6.2. Feedback
6.3. Acknowledgments
1. Introduction to syslog-ng
1.1. What syslog-ng is
1.2. What syslog-ng is not
1.3. Why is syslog-ng needed?
1.4. Who uses syslog-ng?
1.5. Supported platforms
2. The concepts of syslog-ng
2.1. The philosophy of syslog-ng
2.2. Logging with syslog-ng
2.3. Modes of operation
2.3.1. Client mode
2.3.2. Relay mode
2.3.3. Server mode
2.4. Global objects
2.5. Timezone handling
2.6. Daylight saving changes
2.7. Secure logging using TLS
2.8. Licensing
2.9. High availability support
2.10. The structure of a log message
2.10.1. The PRI message part
2.10.2. The HEADER message part
2.10.3. The MSG message part
3. Configuring syslog-ng
3.1. The syslog-ng configuration file
3.2. Defining global objects
3.3. Sources and source drivers
3.4. Destinations and destination drivers
3.5. Log paths
3.6. Filters
3.7. Template objects
3.8. Configuring syslog-ng options
3.9. Encrypting log messages with TLS
3.10. Mutual authentication using TLS
3.11. Configuring syslog-ng clients
3.12. Configuring syslog-ng relays
3.13. Configuring syslog-ng servers
3.14. Installing and upgrading the license
4. Installing syslog-ng
4.1. Installing syslog-ng on RPM-based platforms (Red Hat, SUSE, AIX)
4.2. Installing syslog-ng on Debian-based platforms
4.3. Installing syslog-ng on FreeBSD
4.4. Installing syslog-ng on HP-UX systems
4.5. Installing syslog-ng on Sun Solaris 8 and 9
4.6. Installing syslog-ng on Sun Solaris 10
4.7. Compiling syslog-ng from source
4.8. Configuring Microsoft SQL Server to accept logs from syslog-ng
5. Collecting logs from Windows hosts
5.1. Installing and configuring the syslog-ng agent
5.2. File sources and logrotation
5.3. Using SSL-encrypted connections with the syslog-ng agent
5.3.1. Using mutual authentication with syslog-ng agent
5.4. Customizing the message format
5.5. Controlling the syslog-ng agent services
5.6. Sending messages and CPU load
5.7. Configuring the auditing policy on Windows
5.7.1. Turning on security logging on Windows XP and Windows 2000
5.7.2. Turning on security logging for domain controllers
5.7.3. Turning on auditing on Windows 2003 Server
6. Collecting logs from IBM System i
6.1. Supported sources
6.2. Supported output formats
6.3. Filtering log entries
6.4. Installing the syslog-ng Agent for IBM System i
6.4.1. Installing from an Internet download
6.4.2. Installing from a product CD
6.4.3. Upgrading the syslog-ng Agent for IBM System i
6.5. Configuring System i security auditing
6.5.1. Enabling security auditing manually
6.5.2. Enabling user auditing
6.5.3. Enabling object auditing
6.5.4. Configuring syslog-ng Agent for IBM System i
6.5.5. Configuring Alliance Syslog for System i
6.5.6. Configuring communication between the syslog-ng Agent and the server
6.5.7. Work with security types
6.6. Controlling the syslog-ng Agent for IBM System i
6.6.1. Starting the Alliance subsystem
6.6.2. Automating the start of the Alliance subsystem ALLSYL100
6.7. Application maintenance
6.8. View application logs
6.9. Configuring IBM System i Servers
6.9.1. Configuring Apache server logs
6.9.2. OpenSSH server logs
6.9.3. Other server logs
6.10. Troubleshooting the syslog-ng Agent for IBM System i
6.10.1. System operator messages
6.10.2. Application logging
6.10.3. Cannot install the product from CD
6.10.4. Logs are not being transferred to my log server
6.10.5. I get a license error when trying to use configuration options
6.10.6. The product no longer works after a system upgrade
6.10.7. Security events are not being captured
6.10.8. I am not capturing information about our security administrators
6.10.9. I am not capturing information about programs and files
6.10.10. I am not capturing QSYSOPR messages
6.10.11. I would like to turn off some audit journal events
6.10.12. Where do I find error messages?
7. Best practices and examples
7.1. General recommendations
7.2. Using name resolution in syslog-ng
7.2.1. Resolving hostnames locally
7.3. Collecting logs from chroot
7.4. Replacing klogd on Linux
7.5. A note on timezones and timestamps
7.6. Dropping messages
8. Troubleshooting and performance tuning
8.1. Handling lots of parallel connections
8.2. Handling large message load
8.3. Managing incoming and outgoing messages with flow-control
8.4. Using disk-based buffering
8.5. The sync() parameter
8.6. Optimizing regular expressions in filters
8.7. Possible causes of losing log messages
9. Reference
9.1. Source drivers
9.1.1. Options common for every source
9.1.2. file()
9.1.3. internal()
9.1.4. pipe()
9.1.5. sun-streams() driver
9.1.6. tcp(), tcp6(), udp() and udp6()
9.1.7. unix-stream() and unix-dgram()
9.2. Destination drivers
9.2.1. Options common for every destination
9.2.2. file()
9.2.3. pipe()
9.2.4. program()
9.2.5. sql()
9.2.6. tcp(), tcp6(), udp(), and udp6()
9.2.7. unix-stream() and unix-dgram()
9.2.8. usertty()
9.3. Log path flags
9.4. Filter functions
9.5. Macros
9.6. Options
9.7. TLS options
1. The syslog-ng manual pages
syslog-ng — syslog-ng system logger application
syslog-ng.conf — syslog-ng configuration file
2. BalaBit syslog-ng Premium Edition License contract
2.1. SUBJECT OF THE LICENSE CONTRACT
2.2. DEFINITIONS
2.3. Words and expressions
2.4. LICENSE GRANTS AND RESTRICTIONS
2.5. SUBSIDIARIES
2.6. INTELLECTUAL PROPERTY RIGHTS
2.7. TRADE MARKS
2.8. NEGLIGENT INFRINGEMENT
2.9. INTELLECTUAL PROPERTY INDEMNIFICATION
2.10. LICENSE FEE
2.11. WARRANTIES
2.12. DISCLAIMER OF WARRANTIES
2.13. LIMITATION OF LIABILITY
2.14. DURATION AND TERMINATION
2.15. AMENDMENTS
2.16. WAIVER
2.17. SEVERABILITY
2.18. NOTICES
2.19. MISCELLANEOUS
3. GNU General Public License
3.1. Preamble
3.2. TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
3.2.1. Section 0
3.2.2. Section 1
3.2.3. Section 2
3.2.4. Section 3
3.2.5. Section 4
3.2.6. Section 5
3.2.7. Section 6
3.2.8. Section 7
3.2.9. Section 8
3.2.10. Section 9
3.2.11. Section 10
3.2.12. NO WARRANTY Section 11
3.2.13. Section 12
3.3. How to Apply These Terms to Your New Programs
Glossary
Index
List of Examples
List of Procedures

© 2007 BalaBit IT Security
Please send your comments or documentation bugs to: documentation@balabit.com