The syslog-ng Administrator Guide

Document version: 1.1.4
Release date: July 23, 2008
Latest version available at the BalaBit Documentation Page

9.1. Source drivers

The following drivers may be used in source statements, as described in Section 3.3, “Sources and source drivers”. The option log_msg_size() is available in each source: it specifies the maximum length of incoming log messages in bytes. If not specified, the value of the global option is used (see Section 9.6, “Options”).

9.1.1. Options common for every source

Some parameters affecting message parsing are common for all sources:

Name Type Default Description
flags() set of [no-parse,kernel] empty set Specifies log parsing flags. no-parse completely disables syslog message parsing and processes the complete line as the message part of a syslog message. Other information (timestamp, host, etc.) is added automatically. This flag is useful for parsing files not complying to the syslog format. kernel makes the source default to the LOG_KERN | LOG_CRIT priority if not specified otherwise.
follow_freq() number -1 Indicates that the source should be checked periodically instead of being polled. This is useful for files which always indicate readability, even though no new lines were appended. If this value is higher than zero, syslog-ng will not attempt to use poll() on the file, but checks whether the file changed every time the follow_freq() interval (in seconds) has elapsed.
keep_timestamp() yes or no yes Specifies whether syslog-ng should accept the timestamp received from the peer. If disabled, the time of reception will be used instead.
log_fetch_limit() number The value specified by the global log_fetch_limit() option, which defaults to 10. The maximum number of messages fetched from a source during a single poll loop. The destination queues might fill up before flow-control could stop reading if log_fetch_limit() is too high.
log_iw_size() number 100 The size of the initial window, this value is used during flow control.
log_msg_size() number The value specified by the global log_msg_size() option, which defaults to 8192. Specifies the maximum length of incoming log messages. Uses the value of the global option if not specified.
log_prefix() string   A string added to the beginning of every log message. It can be used to add an arbitrary string to any log source, though it is most commonly used for adding kernel: to the kernel messages on Linux.
optional() yes or no   Instruct syslog-ng to ignore the error if a specific source cannot be initialized. No other attempts to initialize the source will be made until the configuration is reloaded. This option currently applies to the pipe(), unix-dgram, and unix-stream drivers.
pad_size() number 0 Specifies input padding. Some operating systems (such as HP-UX) pad all 0 messages to block boundary. This option can be used to specify the block size. (HP-UX uses 2048 bytes). Syslog-ng will pad reads from the associated device to the number of bytes set in pad_size(). Mostly used on HP-UX where /dev/log is a named pipe and every write is padded to 2048 bytes.
time_zone() timezone in the form +/-HH:MM   The default timezone for messages read from the source. Applies only if no timezone is specified within the message itself.

Table 9.1. Common options for source drivers


9.1.2. file()

The kernel usually sends log messages to a special file (/dev/kmsg on BSDs, /proc/kmsg on Linux). The file() driver reads log messages from such files. The syslog-ng application can periodically check the file for new log messages if the follow_freq() option is set.

The syslog-ng application notices if a file is renamed or replaced with a new file, so it can correctly follow the file even if logrotation is used. When syslog-ng is restarted, it records the position of the last sent log message, and continues to send messages from this position after the restart.

The file driver has a single required parameter specifying the file to open, and has only the common source specific options as specified in Table 9.1, “Common options for source drivers”. 

Declaration:
file(filename);
[Example] Example 9.1. Using the file() driver 
source s_file { file("/proc/kmsg" log_prefix("kernel: ")); };
[Note] Note

On Linux, the klogd daemon can be used in addition to syslog-ng to read kernel messages and forward them to syslog-ng. klogd used to preprocess kernel messages to resolve symbols etc., but as this is deprecated by ksymoops there is really no point in running both klogd and syslog-ng in parallel. Also note that running two processes reading /proc/kmsg at the same time might result in dead-locks.

[Example] Example 9.2. Tailing files

The following source checks the access.log file every second for new messages.

source s_tail { file("/var/log/apache/access.log" 
follow_freq(1) flags(no-parse)); };

9.1.3. internal()

All internally generated messages "come" from this special source. To collect warnings, errors and notices from syslog-ng itself, include this source in one of your source statements. 

internal()

The syslog-ng application will issue a warning upon startup if this driver is not referenced.

[Example] Example 9.3. Using the internal() driver 
source s_local { internal(); };

9.1.3.1. Log statistics

Periodically, syslog-ng sends a message containing statistics about the received messages, and about any lost messages since the last such message. It includes a processed entry for every source and destination, listing the number of messages received or sent, and a dropped entry including the IP address of the server for every destination where syslog-ng has lost messages. The center(received) entry shows the total number of messages received from every configured sources.

The following is a sample log statistics message for a configuration that has a single source (s_local) and a network and a local file destination (d_network and d_local, respectively). All incoming messages are sent to both destinations.

Log statistics;
dropped='tcp(AF_INET(192.168.10.1:514))=6439',
processed='center(received)=234413',
processed='destination(d_tcp)=234413',
processed='destination(d_local)=234413',
processed='source(s_local)=234413'

9.1.4. pipe()

The pipe driver opens a named pipe with the specified name and listens for messages. It is used as the native message delivery protocol on HP-UX.

The pipe driver has a single required parameter, specifying the filename of the pipe to open. It has only the common source specific options as specified in Table 9.1, “Common options for source drivers”.

Pipe is very similar to the file() driver, but there are a few differences, for example pipe() opens its argument in read-write mode, therefore it is not recommended to be used on special files like /proc/kmsg.

[Warning] Warning

It is not recommended to use pipe() on anything else than real pipes. 

Declaration:
pipe(filename);
[Note] Note

You have to create this pipe using mkfifo(1).

[Example] Example 9.4. Using the pipe() driver 
source s_pipe { pipe("/dev/log" pad_size(2048)); };

9.1.5. sun-streams() driver

Solaris uses its STREAMS framework to send messages to the syslogd process.

Newer versions of Solaris (2.5.1 and above), use a new IPC in addition to STREAMS, called door to confirm the delivery of a message. The syslog-ng application supports this new IPC mechanism via the door() option (see below).

[Note] Note

The sun-streams() driver must be enabled when the syslog-ng application is compiled (see ./configure --help).

The sun-streams() driver has a single required argument specifying the STREAMS device to open, and the door() option.

[Example] Example 9.5. Using the sun-streams() driver 
source s_stream { sun-streams("/dev/log" door("/etc/.syslog_door"); };
Name Type Default Description
door() string none Specifies the filename of a door to open, needed on Solaris above 2.5.1.

Table 9.2. Options for sun-streams


9.1.6. tcp(), tcp6(), udp() and udp6()

These drivers enable to receive messages from the network. As the name of the drivers implies, both UDP and TCP can be used to transport messages. The tcp6() and udp6() use the IPv6 network protocol.

UDP is a simple datagram oriented protocol, which provides "best effort service" to transfer messages between hosts. It may lose messages, and no attempt is made at the protocol level to retransmit such lost messages. The syslog protocol traditionally uses UDP.

TCP provides connection-oriented service, which basically means a flow-controlled message pipeline. In this pipeline each message is acknowledged, and retransmission is done for lost packets. Generally it is safer to use TCP, because lost connections can be detected, and no messages get lost, assuming that the TCP connection does not break. When a TCP connection is broken the 'in-transit' messages that were sent by syslog-ng but not yet received on the other side are lost. (Basically these messages are still sitting in the socket buffer of the sending host and syslog-ng has no information about the fate of these messages).

The tcp() and udp() drivers do not require any positional parameters. By default they bind to 0.0.0.0:514, which means that syslog-ng will listen on all available interfaces, port 514. To limit accepted connections to only one interface, use the localip() parameter as described below.

[Note] Note

The tcp port 514 is reserved for use with rshell, so select a different port if syslog-ng and rshell is used at the same time.

If you specify a multicast bind address to udp() and udp6(), syslog-ng will automatically join the necessary multicast group. TCP does not support multicasting.

The syslog-ng Premium Edition application supports TLS (Transport Layer Security, also known as SSL) for the tcp() and tcp6() drivers. See the TLS-specific options below and Section 3.9, “Encrypting log messages with TLS” for details.

Declaration:
  tcp([options]);
  udp([options]);

The following options are valid for tcp(), tcp6(), udp(), and udp6()

Name Type Default Description
ip() or localip() string 0.0.0.0 The IP address to bind to. Note that this is not the address where messages are accepted from.
ip_tos number 0 Specifies the Type-of-Service value of outgoing packets.
ip_ttl number 0 Specifies the Time-To-Live value of outgoing packets.
keep-alive() yes or no yes Available for tcp() only; specifies whether connections should be closed upon the receipt of a SIGHUP signal. Note that this applies to the source side of the syslog-ng connections, destination connections are always reopened after receiving a HUP signal.
max-connections() number 10 Specifies the maximum number of simultaneous connections.
port() or localport() number 514 The port number to bind to.
so_broadcast yes or no no This option controls the SO_BROADCAST socket option required to make syslog-ng send messages to a broadcast address. See the socket(7) manual page for details.
so_rcvbuf number 0 Specifies the size of the socket receive buffer in bytes.
so_sndbuf number 0 Specifies the size of the socket send buffer in bytes.
tcp-keep-alive() yes or no no Available for tcp() only; specifies whether TCP keep alive messages using the SO_KEEPALIVE socket option should be enabled.
tls tls options n/a This option sets various TLS specific options like key/certificate files and trusted CA locations and can only be used with the tcp/tcp6 transport protocols. See Section 9.7, “TLS options” for more information.

Table 9.3. Options for tcp(), tcp6(), udp(), and udp6()


[Example] Example 9.6. Using the udp() and tcp() drivers 
# TCP source with the maximum number of simultaneous connections limited.
source s_tcp { tcp(ip(127.0.0.1) port(1999) max-connections(10)); };

# TCP source with TLS enabled
source s_tcp { tcp(ip(127.0.0.1) port(1999) 
                   tls(peer-verify('required-trusted' 
                       key_file('/etc/syslog-ng/syslog-ng.key') 
                   cert_file('/etc/syslog-ng/syslog-ng.crt')))); 
};

# UDP source with defaults.
source s_udp { udp(); };

9.1.7. unix-stream() and unix-dgram()

These two drivers behave similarly: they open the given AF_UNIX socket and start listening on it for messages. unix-stream() is primarily used on Linux and uses SOCK_STREAM semantics (connection oriented, no messages are lost); while unix-dgram() is used on BSDs and uses SOCK_DGRAM semantics: this may result in lost local messages if the system is overloaded.

To avoid denial of service attacks when using connection-oriented protocols, the number of simultaneously accepted connections should be limited. This can be achieved using the max-connections() parameter. The default value of this parameter is quite strict, you might have to increase it on a busy system.

Both unix-stream and unix-dgram have a single required positional argument, specifying the filename of the socket to create, and several optional parameters.

[Note] Note

syslogd on Linux originally used SOCK_STREAM sockets, but some distributions switched to SOCK_DGRAM around 1999 to fix a possible DoS problem. On Linux you can choose to use whichever driver you like as syslog clients automatically detect the socket type being used.

The difference between the unix-stream and unix-dgram drivers is similar to the difference between the TCP and UDP network protocols. Use the following guidelines to select which driver to use in a particular situation:

Choose unix-stream if you would choose TCP (stream) instead of UDP (datagram). The unix-stream driver offers the following features:

  • Increased reliability

  • Ordered delivery of messages

  • Client-side notification of failures

Choose unix-dgram if you would choose TCP (stream) over UDP (datagram). The unix-dgram driver offers the following features:

  • Decreased possibility of Dos by opening too many connections (a local vulnerability)

  • Less overhead

However, the client does not notice if a message is lost when using the unix-dgram driver.

Declaration: 
unix-stream(filename [options]);
unix-dgram(filename [options]);

The following options can be specified for these divers:

Name Type Default Description
group() string root Set the gid of the socket.
keep-alive() yes or no yes Selects whether to keep connections open when syslog-ng is restarted; cannot be used with unix-dgram().
max-connections() number 256 Limits the number of simultaneously open connections. Cannot be used with unix-dgram().
owner() string root Set the uid of the socket.
perm() number 0666 Set the permission mask. For octal numbers prefix the number with '0', e.g.: use 0755 for rwxr-xr-x.
so_broadcast yes or no no This option controls the SO_BROADCAST socket option required to make syslog-ng send messages to a broadcast address. See the socket(7) manual page for details.
so_keepalive yes or no 0 Enables keep-alive messages, keeping the socket open.
so_rcvbuf number 0 Specifies the size of the socket receive buffer in bytes.
so_sndbuf number 0 Specifies the size of the socket send buffer in bytes.

Table 9.4. Options for unix-stream() and unix-dgram()


[Example] Example 9.7. Using the unix-stream() and unix-dgram() drivers 
# source declaration on Linux
source s_stream { unix-stream("/dev/log" max-connections(10)); };
                    
# source declaration on BSD
source s_dgram { unix-dgram("/var/run/log"); };

© 2007-2008 BalaBit IT Security
Please send your comments or documentation bugs to: documentation@balabit.com

Prev  Up  Next
Chapter 9. Reference  Home | Contents  9.2. Destination drivers