Sending logs to Logtail with syslog-ng

You can send your system logs directly to our servers over an encrypted TCP connection. Our syslog server listens for TCP connections on in.logtail.com:6514 and accepts only TLS-encrypted traffic. We also listen on in.logtail.com:6517 for unencrypted UDP datagrams.

To authenticate incoming logs, we use syslog's structured-data mechanism (RFC 5424). Every syslog message you send to our server must include [[email protected] source_token="YOUR_LOGTAIL_SOURCE_TOKEN"].

Setup

We provide a simple script that configures syslog-ng for you (replace YOUR_SOURCE_TOKEN in the URL with your Logtail source token):

# To configure syslog-ng to run over secured TCP
wget -qO- https://logtail.com/syslog-ng/YOUR_SOURCE_TOKEN | sh

# To configure syslog-ng to run over UDP
wget -qO- https://logtail.com/syslog-ng/udp/YOUR_SOURCE_TOKEN | sh

The script detects whether syslog-ng is installed on your system and, if it is, creates the correct configuration for your Logtail source. The script downloads the Let's Encrypt root certificates into the syslog-ng configuration directory, but does not install them into the system-wide trust store.

After the script finishes successfully, you might need to restart the syslog-ng service so that the new configuration is loaded:

systemctl restart syslog-ng

Info: We suggest you go through the setup script before you run it and make sure it doesn't do anything malicious. You should never run scripts copied from the internet in your terminal.

Manual syslog-ng setup

1. Download the Let's Encrypt CA certificates to enable TLS (the symlinks named after the subject hash let syslog-ng's ca-dir() look them up):

mkdir -p /etc/syslog-ng/ca.d
cd /etc/syslog-ng/ca.d

# TrustID X3 Root from IdenTrust
wget https://letsencrypt.org/certs/trustid-x3-root.pem
ln -s trustid-x3-root.pem $(openssl x509 -in trustid-x3-root.pem -hash -noout).0

# ISRG Root X1
wget https://letsencrypt.org/certs/isrgrootx1.pem
ln -s isrgrootx1.pem $(openssl x509 -in isrgrootx1.pem -hash -noout).0

2a. To configure syslog-ng to send logs over TLS-encrypted TCP, create a config file with the following content:

destination d_logtail {
 syslog(
   "in.logtail.com"
   transport("tls")
   port(6514)
   tls(
     peer-verify(required-trusted)
     ca-dir("/etc/syslog-ng/ca.d")
     trusted-dn("CN=*.logtail.com")
     sni(yes)
   )
 );
};

rewrite add_logtail_credentials {
 set("YOUR_LOGTAIL_SOURCE_TOKEN" value("[email protected]_token"));
};

log {
 source(s_src);
 rewrite(add_logtail_credentials);
 destination(d_logtail);
};

2b. To configure syslog-ng to send logs over unencrypted UDP, create a config file with the following content:

destination d_logtail {
 syslog(
   "in.logtail.com"
   transport("udp")
   port(6517)
 );
};

rewrite add_logtail_credentials {
 set("YOUR_LOGTAIL_SOURCE_TOKEN" value("[email protected]_token"));
};

log {
 source(s_src);
 rewrite(add_logtail_credentials);
 destination(d_logtail);
};

3. Restart the syslog-ng service so the new configuration is loaded:

systemctl restart syslog-ng

4. To test your configuration, send a sample log message:

logger "Hello from Logtail!"

Make sure to replace YOUR_LOGTAIL_SOURCE_TOKEN (and YOUR_SOURCE_TOKEN in the script URL) with your own source token from Logtail.com.
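Before restarting the service it is worth confirming that the destination block really carries the server-verification settings from step 2a, since a destination that drops peer-verify() or falls back to UDP ships the source token without any protection. The following check is an added example (not Logtail's or syslog-ng's own code): it is a lightweight textual scan rather than a real syslog-ng parser, and the sample destinations it inspects are constructed copies of the blocks above.

```python
"""Scan syslog-ng destination blocks for the TLS settings used in step 2a above."""
import re

# Settings from the TLS example; a tls() block missing any of them is reported.
# syslog-ng accepts peer-verify(yes) as an alias for required-trusted.
REQUIRED_TLS = {
    "peer-verify": r'peer-verify\(\s*(?:required-trusted|yes)\s*\)',
    "ca-dir": r'ca-dir\(\s*"[^"]+"\s*\)',
    "trusted-dn": r'trusted-dn\(\s*"[^"]+"\s*\)',
}


def audit_destinations(config):
    """Return one finding string per problem found; an empty list means OK."""
    findings = []
    # Match each `destination <name> { ... };` block (body is non-greedy).
    for m in re.finditer(r'destination\s+(\S+)\s*\{(.*?)\};', config, re.S):
        name, body = m.group(1), m.group(2)
        transport = re.search(r'transport\(\s*"([^"]+)"\s*\)', body)
        kind = transport.group(1) if transport else "tcp"  # syslog() default
        if kind != "tls":
            findings.append(f"{name}: transport {kind!r} carries the source token in cleartext")
            continue
        for key, pattern in REQUIRED_TLS.items():
            if not re.search(pattern, body):
                findings.append(f"{name}: tls() lacks {key}; server identity is not verified")
    return findings


# Constructed samples: the TLS and UDP blocks from the steps above, plus a
# hypothetical weakened TLS block that skips certificate verification.
TLS_DESTINATION = """
destination d_logtail {
 syslog("in.logtail.com" transport("tls") port(6514)
   tls(peer-verify(required-trusted) ca-dir("/etc/syslog-ng/ca.d")
       trusted-dn("CN=*.logtail.com") sni(yes)));
};
"""
UDP_DESTINATION = """
destination d_logtail { syslog("in.logtail.com" transport("udp") port(6517)); };
"""
WEAK_TLS_DESTINATION = """
destination d_weak {
 syslog("in.logtail.com" transport("tls") port(6514)
   tls(peer-verify(optional-untrusted) sni(yes)));
};
"""

if __name__ == "__main__":
    for sample in (TLS_DESTINATION, UDP_DESTINATION, WEAK_TLS_DESTINATION):
        print(audit_destinations(sample) or ["OK"])
```

Run it against your own configuration file contents (for example `audit_destinations(open("/etc/syslog-ng/conf.d/logtail.conf").read())`) and fix any finding before step 3.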