The syslog-ng application reads incoming messages and forwards them to the selected destinations. The syslog-ng application can receive messages from files, remote hosts, and other sources.
Log messages enter syslog-ng in one of the defined sources, and are sent to one or more destinations.
Sources and destinations are independent objects; log paths define what syslog-ng does with a message, connecting the sources to the destinations. A log path consists of one or more sources and one or more destinations; messages arriving at a source are sent to every destination listed in the log path. A log path defined in syslog-ng is called a log statement.
Optionally, log paths can include filters. Filters are rules that select only certain messages, for example, selecting only messages sent by a specific application. If a log path includes filters, syslog-ng sends only the messages satisfying the filter rules to the destinations set in the log path.
The following procedure illustrates the route of a log message from its source on the syslog-ng client to its final destination on the central syslog-ng server.
Procedure 2.1. The route of a log message in syslog-ng
1. A device or application sends a log message to a source on the syslog-ng client. For example, an Apache web server running on Linux enters a message into the /var/log/apache file.
2. The syslog-ng client running on the web server reads the message from its /var/log/apache source.
3. The syslog-ng client processes the first log statement that includes the /var/log/apache source.
4. The syslog-ng client compares the message to the filters of the log statement (if any). If the message complies with all filter rules, syslog-ng sends the message to the destinations set in the log statement, for example, to the remote syslog-ng server.

   Note: The syslog-ng client sends a message to all matching destinations by default. As a result, a message may be sent to a destination more than once, if the destination is used in multiple log statements. To prevent such situations, use the

5. The syslog-ng client processes the next log statement that includes the /var/log/apache source, repeating Steps 3-4.
6. The message sent by the syslog-ng client arrives at a source set in the syslog-ng server.
7. The syslog-ng server reads the message from its source and processes the first log statement that includes that source.
8. The syslog-ng server compares the message to the filters of the log statement (if any). If the message complies with all filter rules, syslog-ng sends the message to the destinations set in the log statement.
9. The syslog-ng server processes the next log statement, repeating Steps 7-9.

Note: The syslog-ng application can stop reading messages from its sources if the destinations cannot process the sent messages. This feature is called flow-control and is detailed in Section 8.3, “Managing incoming and outgoing messages with flow-control”.
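The following configuration is an added example, not part of this guide, that puts the objects introduced above (sources, filters, destinations, log statements) and the client-to-server route of Procedure 2.1 into syslog-ng configuration syntax. The host name logserver.example.com, the host name webserver01, the error-level filter, and the local file names are assumptions chosen for illustration; the tcp() driver is the syslog-ng 2.x name (newer releases call it network()). The second client log statement also shows the situation the first note describes, a destination listed in more than one log statement, and the flags(final) option that stops further statements from processing a message.

```conf
#
# syslog-ng client running on the web server (constructed example)
#

# Source: the Apache log file the procedure starts from (Step 1-2).
source s_apache {
    file("/var/log/apache");
};

# Filter (assumed rule): keep only messages of level err and above.
filter f_errors {
    level(err..emerg);
};

# Destination: the central syslog-ng server (assumed host name and port).
destination d_central {
    tcp("logserver.example.com" port(514));
};

# Destination: a local file for error messages only (assumed path).
destination d_errors {
    file("/var/log/apache-errors.log");
};

# Log statement 1 (Steps 3-4): error messages go to the local error file
# and to the central server. flags(final) means a message that matched
# here is not offered to later log statements.
log {
    source(s_apache);
    filter(f_errors);
    destination(d_errors);
    destination(d_central);
    flags(final);
};

# Log statement 2 (Step 5): every message from s_apache goes to the server.
# Without flags(final) on statement 1, an error message would match both
# statements and d_central would receive it twice.
log {
    source(s_apache);
    destination(d_central);
};

#
# syslog-ng server (constructed example, separate host and config file)
#

# Source (Step 6): accept the messages the client sends on TCP port 514.
source s_net {
    tcp(ip(0.0.0.0) port(514));
};

# Filter (assumed rule): only messages whose HOST field is the web server.
filter f_webserver {
    host("webserver01");
};

# Destination: one file per sending host, directories created as needed.
destination d_remote {
    file("/var/log/remote/$HOST/apache.log" create_dirs(yes));
};

# Log statement (Steps 7-9). flags(flow-control) enables the behaviour the
# second note describes: reading from s_net pauses while d_remote is full.
log {
    source(s_net);
    filter(f_webserver);
    destination(d_remote);
    flags(flow-control);
};
```

To check which path a message takes, send a test line with a known priority (for example with the logger utility) and confirm that an error-level line appears once in d_central and once in d_errors, while an info-level line appears only in d_central; the client and server fragments above belong in the respective hosts' syslog-ng.conf files.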
© 2007 BalaBit IT Security