Explore documentation
  1. Welcome to Logs ๐Ÿ‘‹
  2. Quick start guide
  3. Better Stack sources
    1. Programming languages
    2. Cloud platforms
    3. Web servers
    4. Operating systems
    5. Databases
    6. Containers & Clusters
    7. HTTP REST API
  4. Integrations
    1. Slack
  5. Log Forwarding
    1. Vector (Recommended)
    2. Fluent Bit
    3. Logstash
    4. Fluentd
    5. Syslog
      1. Syslog-ng
      2. RSyslog
  6. API
    1. Get started with Logs API
    2. Sources API
    3. Query API
  7. Using Logs
    1. AWS S3-compatible archive
    2. String + JSON format
    3. Live Tail Query Language
    4. Querying data in Better Stack
    5. GeoIP map visualization

Send logs to Better Stack with syslog-ng

Start logging in 5 minutes

Send your system logs to Better Stack using syslog-ng.

1. Setup

Set up syslog-ng using the provided script:

TCP (recommended) UDP 
wget -qO- https://logs.betterstack.com/syslog-ng/$SOURCE_TOKEN | sh
wget -qO- https://logs.betterstack.com/syslog-ng/udp/$SOURCE_TOKEN | sh
info

Curious about what the script does?

  • Detects whether syslog-ng is installed on your system.
  • Creates configuration for your Better Stack source.
  • Downloads Let's Encrypt root certificates, but it doesn't install them globally.

2. Restart

Restart the syslog-ng service to reload configuration:

Restart the service
systemctl restart syslog-ng

You should see your logs in Better Stack -> Live tail.

Need help?

Please let us know at hello@betterstack.com.
We're happy to help! ๐Ÿ™

Manual syslog-ng setup

Our Syslog server listens for TCP connections on in.logs.betterstack.com:6514, allowing only encrypted traffic. It also listens on in.logs.betterstack.com:6517 for unencrypted UDP connections.

To authenticate the incoming logs, we utilize Syslog's structured data. Every Syslog message must include [logtail@11993 source_token="$SOURCE_TOKEN"].

1. Download certificates

Download CA certificates (Let's Encrypt) to enable TLS:

Set up certificates
mkdir -p /etc/syslog-ng/ca.d
cd /etc/syslog-ng/ca.d

# TrustID X3 Root from IdenTrust
wget https://letsencrypt.org/certs/trustid-x3-root.pem
ln -s trustid-x3-root.pem $(openssl x509 -in trustid-x3-root.pem -hash -noout).0

# ISRG Root X1
wget https://letsencrypt.org/certs/isrgrootx1.pem
ln -s isrgrootx1.pem $(openssl x509 -in isrgrootx1.pem -hash -noout).0

2. Configure syslog-ng

Do you want to log over TCP or UDP?

Log using TCP

Configure syslog-ng to log over TCP:

Syslog config
destination d_logtail {
 syslog(
   "in.logs.betterstack.com"
   transport("tls")
   port(6514)
   tls(
     peer-verify(required-trusted)
     ca-dir("/etc/syslog-ng/ca.d")
     trusted-dn("CN=*.logs.betterstack.com")
     sni(yes)
   )
 );
};

rewrite add_logtail_credentials {
 set("$SOURCE_TOKEN" value(".SDATA.logtail@11993.source_token"));
};

log {
 source(s_src);
 rewrite(add_logtail_credentials);
 destination(d_logtail);
};

Log using UDP

Configure syslog-ng to log over UDP:

Syslog config
destination d_logtail {
 syslog(
   "in.logs.betterstack.com"
   transport("udp")
   port(6517)
 );
};

rewrite add_logtail_credentials {
 set("$SOURCE_TOKEN" value(".SDATA.logtail@11993.source_token"));
};

log {
 source(s_src);
 rewrite(add_logtail_credentials);
 destination(d_logtail);
};

3. Restart

Restart the syslog-ng service:

Restart the service
systemctl restart syslog-ng

4. Start logging ๐ŸŽ‰

Test the logger:

Send test log
logger "Hello from Better Stack!"

You should see your logs in Better Stack -> Live tail.

Need help?

Please let us know at hello@betterstack.com.
We're happy to help! ๐Ÿ™

Previous article

Send logs to Better Stack using Fluentd

Next article

Send logs to Better Stack with RSyslog