The syslog-ng application is included in all major Linux distributions, and you can usually install syslog-ng from the official repositories. If the core functionality of syslog-ng meets your needs, use the package in your distribution repository (yum install syslog-ng), and you can stop reading here. However, if you want to use the features of newer syslog-ng versions (for example, sending log messages to Elasticsearch or Apache Kafka), you have to either compile syslog-ng from source, or install it from unofficial repositories. This post explains how to do that.

Why is syslog-ng in my distro so old?

Most Linux distributions have a number of limitations. Of course, these are not limitations in the traditional sense, but rather means of quality control.

  • Distribution releases are done on a schedule: after a release candidate is out, software in the distribution cannot be upgraded. This ensures that a known state of the distribution can be tested and polished, and external applications are installed on a stable base. But it also means that distributions include an older version of syslog-ng, which lags behind a few minor or major versions.
  • The use of bundled libraries is often prohibited. Some functionality of syslog-ng is only available in bundled libraries, either because it needs a modified version, or needs a version which is not yet available in distributions.
  • Distributions may lack certain dependencies (tools, sources) necessary to enable certain features in syslog-ng. This makes compiling Java-based destinations nearly impossible as most tools and dependencies are missing or have a different version than required by syslog-ng.

All of this means that syslog-ng in Linux distributions is locked to a given version with a limited feature set for anywhere from half a year to up to a decade, depending on the release cycle. Thus, the syslog-ng version included in old Linux versions can also be a decade old.

If you need a feature or fix not available for some reason in the distribution package, you can either compile syslog-ng for yourself or use one of the unofficial syslog-ng RPM repositories. Using the repositories is usually easier 🙂

Where to find new rpm packages of syslog-ng?

We, the developers of syslog-ng, maintain several unofficial repositories for different distributions. The natural question is: why are these called “unofficial”? The short answer is: these packages are not officially supported by Balabit or a Linux distribution. If you need tested binaries, commercial support with guaranteed response times and other goodies, you either need a commercial Linux distribution, which includes syslog-ng (see possible problems above), or the commercial syslog-ng Premium Edition developed by Balabit. We support the unofficial repositories on a best-effort basis, which is sometimes quicker than commercial support, but most often is not.

For deb-based distributions, we also maintain unofficial repositories; see https://syslog-ng.org/3rd-party-binaries/

Which package to install?

You can use many log sources and destinations in syslog-ng. The majority of these require additional dependencies to be installed. If all of the features were included in a single package, installing syslog-ng would also install dozens of smaller and larger dependencies, including such behemoths as Java. This is why the syslog-ng package includes only the core functionality, and features requiring additional dependencies are available as sub-packages. The most popular sub-package is syslog-ng-java, which installs the Java-based big data destination drivers, like Elasticsearch, Kafka, and HDFS, but there are many others as well. Depending on your distribution, “yum search syslog-ng” or a similar command will list all the possibilities.

Installing syslog-ng on RHEL and CentOS 7

1. Depending on whether you have RHEL or CentOS 7, do the following:

  • On RHEL: Enable the so-called “optional” repository, which contains a number of packages that are required to start syslog-ng:
    subscription-manager repos --enable rhel-7-server-optional-rpms
  • On CentOS: The content of this repo is included in CentOS, so you do not have to enable it there separately.

2. The Extra Packages for Enterprise Linux (EPEL) repository contains many useful packages, which are not included in RHEL. A few dependencies of syslog-ng are available in this repo. You can enable it by downloading and installing an RPM package:

wget https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
rpm -Uvh epel-release-latest-7.noarch.rpm

3. Add the repo containing the latest unofficial build of syslog-ng. At the time of writing, it is syslog-ng 3.9, and it is available on the Copr build service. Download the repo file to /etc/yum.repos.d/, so you can install and enable syslog-ng:

cd /etc/yum.repos.d/
wget https://copr.fedorainfracloud.org/coprs/czanik/syslog-ng39/repo/epel-7/czanik-syslog-ng39-epel-7.repo
yum install syslog-ng
systemctl enable syslog-ng
systemctl start syslog-ng

Add any further sub-packages you need.

4. It is not strictly required, but you can avoid some confusion if you also delete rsyslog at the same time:

yum erase rsyslog
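
Because step 3 adds a third-party repo file, it is worth checking, between the wget and the yum install, that the file enforces package signature verification and HTTPS; the same check applies to the repo file downloaded in the Fedora section. The following is an added example, not part of the original post or of syslog-ng: the function name audit_repo_file and the sample repo files (with hypothetical example.invalid hosts) are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a yum/dnf .repo file before running "yum install".
# Every enabled section must verify package signatures (gpgcheck=1) and use
# HTTPS for the packages and HTTPS or a local file for the signing key.
# Prints one finding per line; returns 0 when clean, 1 otherwise.
audit_repo_file() {
    awk -F= '
        function report() {
            if (sec == "" || enabled == "0") return
            if (gpgcheck != "1") { print sec ": gpgcheck is not 1"; bad = 1 }
            if (gpgkey == "") { print sec ": no gpgkey set"; bad = 1 }
            else if (gpgkey !~ /^(https|file):\/\//) { print sec ": gpgkey is not https or file"; bad = 1 }
            if (baseurl != "" && baseurl !~ /^https:\/\//) { print sec ": baseurl is not https"; bad = 1 }
        }
        /^[ \t]*[#;]/ || /^[ \t]*$/ { next }
        /^\[.*\]/ {
            report(); sec = $0; sub(/^\[/, "", sec); sub(/\].*$/, "", sec)
            gpgcheck = ""; gpgkey = ""; baseurl = ""; enabled = "1"; next
        }
        {
            key = $1; val = substr($0, index($0, "=") + 1)
            gsub(/[ \t]/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (key == "gpgcheck") gpgcheck = val
            else if (key == "gpgkey") gpgkey = val
            else if (key == "baseurl") baseurl = val
            else if (key == "enabled") enabled = val
        }
        END { report(); exit (bad ? 1 : 0) }
    ' "$1"
}

# Constructed sample input (hypothetical hosts, not the real Copr repo file).
demo_dir=$(mktemp -d)
cat > "$demo_dir/good.repo" <<'EOF'
[example-syslog-ng]
name=Constructed example repo
baseurl=https://repo.example.invalid/syslog-ng/epel-7-$basearch/
gpgcheck=1
gpgkey=https://repo.example.invalid/syslog-ng/pubkey.gpg
enabled=1
EOF
cat > "$demo_dir/weak.repo" <<'EOF'
[example-weak]
baseurl=http://repo.example.invalid/syslog-ng/epel-7-$basearch/
gpgcheck=0
EOF
audit_repo_file "$demo_dir/good.repo" && echo "good.repo: OK"
audit_repo_file "$demo_dir/weak.repo" || echo "weak.repo: do not install from this repo as-is"
```

On a real system, point the function at the file you just downloaded into /etc/yum.repos.d/ and continue with the installation only if it prints nothing.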

Installing syslog-ng on Fedora

Installation on Fedora is a lot simpler.

1. Download the repo file according to your distribution version from https://copr.fedorainfracloud.org/coprs/czanik/syslog-ng39/ and save it to the /etc/yum.repos.d/ directory. For example, on Fedora 24:

cd /etc/yum.repos.d/
wget https://copr.fedorainfracloud.org/coprs/czanik/syslog-ng39/repo/fedora-24/czanik-syslog-ng39-fedora-24.repo

2. Next install and enable syslog-ng:

dnf install syslog-ng
systemctl enable syslog-ng
systemctl start syslog-ng

Add any further sub-packages you need.

3. It is not strictly required, but you can avoid some confusion if you also delete rsyslog at the same time:

dnf erase rsyslog

Installing syslog-ng on openSUSE or SLES

1. First, you need to add the repository containing syslog-ng and its dependencies. Open https://build.opensuse.org/project/show/home:czanik:syslog-ng39 and you will find repository URLs on the right-hand side behind the links named after distributions. For example, on SLES 12, you can use the following command to add the repository:

zypper ar https://build.opensuse.org/project/repository_state/home:czanik:syslog-ng39/SLE_12 syslog-ng39

2. Next you can install syslog-ng:

zypper in syslog-ng

Add any further sub-packages you need.

Are you stuck?

If you have questions or comments related to syslog-ng, do not hesitate to contact us. You can reach us by email or you can even chat with us. For a long list of possibilities, check our contact page at https://syslog-ng.org/contact-us/. On Twitter I am available as @PCzanik.