Curious about what the script does?
- Detects whether syslog-ng is installed on your system.
- Creates configuration for your Better Stack source.
- Downloads Let's Encrypt root certificates, but it doesn't install them globally.
Send your system logs to Better Stack using syslog-ng.
Set up syslog-ng using the provided script:
wget -qO- https://telemetry.betterstack.com/syslog-ng/$SOURCE_TOKEN | sh
wget -qO- https://telemetry.betterstack.com/syslog-ng/udp/$SOURCE_TOKEN | sh
Restart the syslog-ng service to reload configuration:
systemctl restart syslog-ng
You should see your logs in Better Stack → Live tail.
Please let us know at hello@betterstack.com.
We're happy to help! 🙏
Our Syslog server listens for TCP connections on port 6514, allowing only encrypted traffic. It also listens on port 6517 for unencrypted UDP connections.
Please use the Ingesting host from your source settings as the hostname.
To authenticate the incoming logs, we utilize Syslog's structured data. Every Syslog message must include [logtail@11993 source_token="$SOURCE_TOKEN"].
Download CA certificates (Let's Encrypt) to enable TLS:
mkdir -p /etc/syslog-ng/ca.d
cd /etc/syslog-ng/ca.d
# TrustID X3 Root from IdenTrust (DST Root CA X3, expired 30 September 2021)
wget https://letsencrypt.org/certs/trustid-x3-root.pem
ln -s trustid-x3-root.pem $(openssl x509 -in trustid-x3-root.pem -hash -noout).0
# ISRG Root X1
wget https://letsencrypt.org/certs/isrgrootx1.pem
ln -s isrgrootx1.pem $(openssl x509 -in isrgrootx1.pem -hash -noout).0
The certificate links are taken from the Let's Encrypt website.
Read more about the setup in the syslog-ng documentation.
Do you want to log over TCP or UDP?
Configure syslog-ng to log over TCP:
destination d_logtail {
    syslog(
        "$INGESTING_HOST_VEC"
        transport("tls")
        port(6514)
        tls(
            peer-verify(required-trusted)
            ca-dir("/etc/syslog-ng/ca.d")
            trusted-dn("CN=*.betterstackdata.com")
            sni(yes)
        )
    );
};
rewrite add_logtail_credentials {
    set("$SOURCE_TOKEN" value(".SDATA.logtail@11993.source_token"));
};
log {
    source(s_src);
    rewrite(add_logtail_credentials);
    destination(d_logtail);
};
Configure syslog-ng to log over UDP:
destination d_logtail {
    syslog(
        "$INGESTING_HOST_VEC"
        transport("udp")
        port(6517)
    );
};
rewrite add_logtail_credentials {
    set("$SOURCE_TOKEN" value(".SDATA.logtail@11993.source_token"));
};
log {
    source(s_src);
    rewrite(add_logtail_credentials);
    destination(d_logtail);
};
Restart the syslog-ng service:
systemctl restart syslog-ng
Test the logger:
logger "Hello from Better Stack!"
You should see your logs in Better Stack → Live tail.
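To check the TLS endpoint, the CA directory and the structured-data token independently of syslog-ng, the following added example (not part of Better Stack's script or documentation) builds one RFC 5424 message carrying the required structured data, frames it with the RFC 5425 octet count used for syslog over TLS, and sends it over verified TLS. The host name demo-host, the app name sdtest and all function names are assumptions made for this example.

```python
import socket
import ssl
import sys
from datetime import datetime, timezone

SD_ID = "logtail@11993"  # structured-data ID required in every message


def escape_sd_value(value):
    """RFC 5424 section 6.3.3: escape backslash, double quote and ']' in a PARAM-VALUE."""
    return value.replace("\\", "\\\\").replace('"', '\\"').replace("]", "\\]")


def build_message(token, text, host="demo-host", app="sdtest", when=None):
    """Return one RFC 5424 message that carries the source_token structured data."""
    when = when or datetime.now(timezone.utc)
    stamp = when.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3] + "Z"
    sd = f'[{SD_ID} source_token="{escape_sd_value(token)}"]'
    # <14> = facility user (1) * 8 + severity info (6); "-" marks unused PROCID and MSGID.
    return f"<14>1 {stamp} {host} {app} - - {sd} {text}".encode("utf-8")


def frame(message):
    """RFC 5425 octet-counting frame: message length in bytes, a space, the message."""
    return str(len(message)).encode("ascii") + b" " + message


def send_tls(ingesting_host, token, text, capath="/etc/syslog-ng/ca.d", port=6514):
    """Send one framed message over TLS, trusting only the CAs found in capath."""
    # capath plays the role of ca-dir(); the default context verifies chain and host name.
    context = ssl.create_default_context(capath=capath)
    with socket.create_connection((ingesting_host, port), timeout=10) as raw:
        with context.wrap_socket(raw, server_hostname=ingesting_host) as tls:
            tls.sendall(frame(build_message(token, text)))
            return tls.version()


if __name__ == "__main__":
    # Usage: python3 send_test.py <ingesting-host> <source-token>
    print(send_tls(sys.argv[1], sys.argv[2], "Hello from Better Stack!"))
```

A certificate verification error here points at the CA directory or host name rather than at the syslog-ng configuration.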