Send logs to Better Stack with syslog-ng

Start logging in 5 minutes

Send your system logs to Better Stack using syslog-ng.

1. Setup

Set up syslog-ng using the provided script:

TCP (recommended) UDP
wget -qO- https://logs.betterstack.com/syslog-ng/$SOURCE_TOKEN | sh
wget -qO- https://logs.betterstack.com/syslog-ng/udp/$SOURCE_TOKEN | sh

Curious about what the script does?

  • Detects whether syslog-ng is installed on your system.
  • Creates configuration for your Better Stack source.
  • Downloads Let's Encrypt root certificates, but it doesn't install them globally.

2. Restart

Restart the syslog-ng service to reload configuration:

Restart the service
systemctl restart syslog-ng

You should see your logs in Better Stack β†’ Live tail .

Need help?

Please let us know at hello@betterstack.com.
We're happy to help! πŸ™

Manual syslog-ng setup

Our Syslog server listens for TCP connections on in.logs.betterstack.com:6514, allowing only encrypted traffic. It also listens on in.logs.betterstack.com:6517 for unencrypted UDP connections.

To authenticate the incoming logs, we utilize Syslog's structured data. Every Syslog message must include [logtail@11993 source_token="$SOURCE_TOKEN"].

1. Download certificates

Download CA certificates (Let's Encrypt) to enable TLS:

Set up certificates
mkdir -p /etc/syslog-ng/ca.d
cd /etc/syslog-ng/ca.d

# TrustID X3 Root from IdenTrust
wget https://letsencrypt.org/certs/trustid-x3-root.pem
ln -s trustid-x3-root.pem $(openssl x509 -in trustid-x3-root.pem -hash -noout).0

# ISRG Root X1
wget https://letsencrypt.org/certs/isrgrootx1.pem
ln -s isrgrootx1.pem $(openssl x509 -in isrgrootx1.pem -hash -noout).0

2. Configure syslog-ng

Do you want to log over TCP or UDP?

Log using TCP

Configure syslog-ng to log over TCP:

Syslog config
destination d_logtail {
 syslog(
   "in.logs.betterstack.com"
   transport("tls")
   port(6514)
   tls(
     peer-verify(required-trusted)
     ca-dir("/etc/syslog-ng/ca.d")
     trusted-dn("CN=*.logs.betterstack.com")
     sni(yes)
   )
 );
};

rewrite add_logtail_credentials {
 set("$SOURCE_TOKEN" value(".SDATA.logtail@11993.source_token"));
};

log {
 source(s_src);
 rewrite(add_logtail_credentials);
 destination(d_logtail);
};

Log using UDP

Configure syslog-ng to log over UDP:

Syslog config
destination d_logtail {
 syslog(
   "in.logs.betterstack.com"
   transport("udp")
   port(6517)
 );
};

rewrite add_logtail_credentials {
 set("$SOURCE_TOKEN" value(".SDATA.logtail@11993.source_token"));
};

log {
 source(s_src);
 rewrite(add_logtail_credentials);
 destination(d_logtail);
};

3. Restart

Restart the syslog-ng service:

Restart the service
systemctl restart syslog-ng

4. Start logging πŸŽ‰

Test the logger:

Send test log
logger "Hello from Better Stack!"

You should see your logs in Better Stack β†’ Live tail .

Need help?

Please let us know at hello@betterstack.com.
We're happy to help! πŸ™