# Send logs to Better Stack with syslog-ng

## Start logging in 5 minutes

Send your system logs to Better Stack using syslog-ng.

### 1. Setup
  
Set up `syslog-ng` using the provided script:

[code-tabs]
```bash
[label TCP (recommended)]
wget -qO- https://telemetry.betterstack.com/syslog-ng/$SOURCE_TOKEN | sh
```
```bash
[label UDP]
wget -qO- https://telemetry.betterstack.com/syslog-ng/udp/$SOURCE_TOKEN | sh
```
[/code-tabs]

[info]
**Curious about what the script does?**

<ul style="margin-left: calc(var(--spacing) * -7);">
<li>Detects whether <code class="prettyprint">syslog-ng</code> is installed on your system.</li>
<li>Creates configuration for your Better Stack source.</li>
<li>Downloads Let's Encrypt root certificates, but it doesn't install them globally.</li>
</ul>
[/info]

### 2. Restart

Restart the syslog-ng service to reload configuration:

```bash
[label Restart the service]
systemctl restart syslog-ng
```

You should see your logs in [Better Stack → Live tail](https://telemetry.betterstack.com/team/0/tail ";_blank").

## Need help?

Please let us know at hello@betterstack.com.  
We're happy to help! 🙏


## Manual syslog-ng setup

Our Syslog server listens for TCP connections on port `6514`, allowing only encrypted traffic. It also listens on port `6517` for unencrypted UDP connections.
Please use the **Ingesting host** from your source settings as the hostname.

To authenticate the incoming logs, we utilize Syslog's structured data. Every Syslog message must include `[logtail@11993 source_token="$SOURCE_TOKEN"]`.

### 1. Download certificates

Download CA certificates (Let's Encrypt) to enable TLS:

```shell
[label Set up certificates]
mkdir -p /etc/syslog-ng/ca.d
cd /etc/syslog-ng/ca.d

# TrustID X3 Root from IdenTrust
wget https://letsencrypt.org/certs/trustid-x3-root.pem
ln -s trustid-x3-root.pem $(openssl x509 -in trustid-x3-root.pem -hash -noout).0

# ISRG Root X1
wget https://letsencrypt.org/certs/isrgrootx1.pem
ln -s isrgrootx1.pem $(openssl x509 -in isrgrootx1.pem -hash -noout).0
```

[info]
The certificate links are taken from the [Let's Encrypt website](https://letsencrypt.org/certificates/).  
Read more about the setup in the [syslog-ng documentation](https://www.syslog-ng.com/technical-documents/doc/syslog-ng-open-source-edition/3.30/administration-guide/63#TOPIC-1595094).
[/info]


### 2. Configure syslog-ng 

Do you want to log over TCP or UDP?

- [Log over encrypted TCP](#log-using-tcp)
- [Log over unencrypted UDP](#log-using-udp) 

#### Log using TCP

Configure `syslog-ng` to log over TCP:

```text
[label Syslog config]
destination d_logtail {
 syslog(
   "$INGESTING_HOST_VEC"
   transport("tls")
   port(6514)
   tls(
     peer-verify(required-trusted)
     ca-dir("/etc/syslog-ng/ca.d")
     trusted-dn("CN=*.betterstackdata.com")
     sni(yes)
   )
 );
};

rewrite add_logtail_credentials {
 set("$SOURCE_TOKEN" value(".SDATA.logtail@11993.source_token"));
};

log {
 source(s_src);
 rewrite(add_logtail_credentials);
 destination(d_logtail);
};
```

#### Log using UDP

Configure `syslog-ng` to log over UDP:

```text
[label Syslog config]
destination d_logtail {
 syslog(
   "$INGESTING_HOST_VEC"
   transport("udp")
   port(6517)
 );
};

rewrite add_logtail_credentials {
 set("$SOURCE_TOKEN" value(".SDATA.logtail@11993.source_token"));
};

log {
 source(s_src);
 rewrite(add_logtail_credentials);
 destination(d_logtail);
};
```

### 3. Restart

Restart the `syslog-ng` service:

```bash
[label Restart the service]
systemctl restart syslog-ng
```

### 4. Start logging 🎉

Test the logger:

```bash
[label Send test log]
logger "Hello from Better Stack!"
```

You should see your logs in [Better Stack → Live tail](https://telemetry.betterstack.com/team/0/tail ";_blank").

### Need help?

Please let us know at hello@betterstack.com.  
We're happy to help! 🙏