The syslog-ng application is configured by editing the
syslog-ng.conf file. Use any regular text editor application to
modify the file. The precompiled syslog-ng packages include sample configuration files
as well.
Every syslog-ng configuration file must begin with a line containing the version information of syslog-ng. For syslog-ng version 3.0, this line looks like:
@version:3.0
If the configuration file does not contain the version information, syslog-ng assumes that the file is for syslog-ng version 2.x. In this case it interprets the configuration and sends warnings about the parts of the configuration that should be updated. Version 3.0 of syslog-ng will correctly operate with configuration files of version 2.x, but the default values of certain parameters are different in 3.0.
All identifiers, option names and attributes, and any other strings used in the syslog-ng configuration file are case sensitive. Objects must be defined before they are referenced in another statement.
Example 3.1. A simple configuration file
The following is a very simple configuration file for syslog-ng: it collects the internal messages of syslog-ng and the messages from
@version:3.0
# Local messages from /dev/log plus the internal messages of syslog-ng
source s_local { unix-stream("/dev/log"); internal(); };
destination d_file_normal { file("/var/log/messages_syslog-ng.log"); };
# The destination name must match the object defined above
log { source(s_local); destination(d_file_normal); };
Tip: Before activating a new configuration, check that your configuration file is syntactically correct using the syslog-ng --syntax-only command. To activate the configuration, reload the configuration of syslog-ng using the /etc/init.d/syslog-ng reload command.
The syslog-ng.conf and license.txt files are
located under the /opt/syslog-ng/etc/ directory.
Note: Earlier versions of syslog-ng PE stored the configuration and license files under different directories, depending on the platform; typically under
On Microsoft Windows platforms the syslog-ng agent stores its configuration in the system registry, and can be configured from a graphical interface. See Chapter 5, Collecting logs from Windows hosts for details.
The syslog-ng application supports including external files in its configuration file, so parts of its configuration can be managed separately. To include the contents of a file in the syslog-ng configuration, use the following syntax:
include "filename";
This imports the entire file into the configuration of syslog-ng, at the location of the include statement. If you specify a directory, syslog-ng will try to include every file in alphabetic order. When including configuration files, consider the following points:
If an object is defined twice (e.g., the original syslog-ng configuration file and the file imported into this configuration file both define the same option, source, or other object), then the object that is defined later in the configuration file will be effective. For example, if you set a global option at the beginning of the configuration file, and later include a file that defines the same option with a different value, then the option defined in the imported file will be used.
Files can be embedded into each other: the included files can contain include statements as well, up to a maximum depth of 15 levels.
Include statements can only be used at top level of the configuration file. For example, the following is correct:
@version:3.0
include "example.conf";
But the following is not:
source s_example {
include "example.conf"
};
Warning: The syslog-ng application will not start if it cannot find a file that is to be included in its configuration. Always double-check the filenames, paths, and access rights when including configuration files, and use the --syntax-only command-line option to check your configuration.
Every time syslog-ng is started, or its configuration is reloaded, it
automatically logs the SHA-1 fingerprint of its configuration file using the
internal message source. That way any modification of the
configuration of your syslog-ng clients is visible in the central logs. Note that
the log message does not contain the exact change, nor can the configuration file be
retrieved from the fingerprint. Only the fact of the configuration change can be
detected.
The fingerprint can be examined with the logchksign command-line application, which detects that the fingerprint was indeed generated by a syslog-ng application. Just paste the hashes from the log message after the logchksign command like in the following example:
bin/logchksign "cfg-fingerprint='832ef664ff79df8afc66cd955c0c8aaa3c343f31', cfg-nonce-ndx='0', cfg-signature='785223cfa19ad52b855550be141b00306347b0a9' "
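On the central log server, the fingerprint messages can be compared per host to flag a client whose configuration changed between two starts or reloads. The following Python code is an added example, not part of the original syslog-ng documentation: the layout of the log line around the cfg-fingerprint triple, the host names and the constructed fingerprints are assumptions, and it does not verify cfg-signature, which remains the job of logchksign.

```python
import re

# The key/value triple exactly as shown in the logchksign example above.
CFG_RE = re.compile(
    r"cfg-fingerprint='(?P<fp>[0-9a-f]{40})',\s*"
    r"cfg-nonce-ndx='\d+',\s*cfg-signature='[0-9a-f]{40}'"
)
# Assumption: central log lines look like "Mmm dd hh:mm:ss host program[pid]: msg".
LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s(?P<host>\S+)\s")

def config_changes(lines, baseline=None):
    """Return (timestamp, host, old_fp, new_fp) for each fingerprint change.

    baseline is an optional {host: approved_fingerprint} mapping; without it,
    the first fingerprint seen for a host is recorded and not reported.
    """
    last = dict(baseline or {})
    events = []
    for line in lines:
        head, cfg = LINE_RE.match(line), CFG_RE.search(line)
        if not (head and cfg):
            continue  # not a configuration-fingerprint message
        host, fp = head["host"], cfg["fp"]
        if host in last and last[host] != fp:
            events.append((head["ts"], host, last[host], fp))
        last[host] = fp
    return events

FP_PAGE = "832ef664ff79df8afc66cd955c0c8aaa3c343f31"  # value quoted on this page
FP_NEW = "a" * 40    # constructed
FP_OTHER = "b" * 40  # constructed
SIG = "785223cfa19ad52b855550be141b00306347b0a9"  # from the page; not verified here

def _line(ts, host, fp):
    # Constructed sample line; real signatures differ per fingerprint.
    return (f"{ts} {host} syslog-ng[811]: cfg-fingerprint='{fp}', "
            f"cfg-nonce-ndx='0', cfg-signature='{SIG}'")

SAMPLE = [
    _line("Jan 12 09:00:01", "client1", FP_PAGE),
    _line("Jan 12 09:05:00", "client2", FP_OTHER),
    _line("Jan 12 18:30:12", "client1", FP_PAGE),   # reload, same configuration
    "Jan 12 23:59:59 client1 sshd[4242]: unrelated message",
    _line("Jan 13 02:14:37", "client1", FP_NEW),    # configuration was modified
]

if __name__ == "__main__":
    for ts, host, old, new in config_changes(SAMPLE):
        print(f"{ts} {host}: configuration changed {old[:8]} -> {new[:8]}")
```

Passing a baseline of approved fingerprints per host also reports a client whose very first logged fingerprint differs from the approved one.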
© 2007-2008 BalaBit IT Security