
Secure sending using syslog-ng

This article describes how to manually configure syslog-ng to send events to Devo using an encrypted and authenticated channel. This is the recommended procedure when you want to forward events over the internet, directly to the Devo Cloud.

Download and save the certificates

The security certificates need to be saved to the local machine in order to reference them in the syslog-ng configuration file later.

  1. Go to Administration → Credentials → X.509 Certificates in the Devo web application.
    - Download the Certificate and Private key to /etc/syslog-ng/key.d/. 
    - Download the Chain CA to /etc/syslog-ng/ca.d/.

  2. Restrict the permissions on the Certificate and Private key files in /etc/syslog-ng/key.d/ using this command:

    cd /etc/syslog-ng/key.d/; chmod 600 domain.crt domain.key
    -rw------- 1 root root 1529 Oct 24 13:18 domain.crt
    -rw------- 1 root root 1675 Oct 24 13:18 domain.key

Edit the syslog-ng.conf file

In this step we define the Devo Cloud endpoint as a new destination in the syslog-ng configuration.

Open the /etc/syslog-ng/syslog-ng.conf file and configure the new Devo Cloud destination as shown below:

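destination d_ssl_devo_unix {
    tcp("collector-x.devo.io" port(443)
        template("<$PRI>$DATE $HOST box.unix.$PROGRAM: $MESSAGE\n")
        tls(
            # ca_dir() takes a directory: the one where the Chain CA was saved
            ca_dir("/etc/syslog-ng/ca.d")
            # Private key and Certificate saved to key.d/ in the download step
            key_file("/etc/syslog-ng/key.d/domain.key")
            cert_file("/etc/syslog-ng/key.d/domain.crt")
            # The collector must present a certificate; one that fails
            # validation is still accepted with this setting
            peer_verify(required-untrusted)
        )
        persist-name("xxUniqueNameInThisConfigForThisDestinationxx")
    );
};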

In the destination, you will notice that the template assigns box.unix as the first two tag levels for all system log events.

Preventing event loss

To prevent event loss, we recommend you add the following:

options {
    mark-freq (30);
};

Restart syslog-ng

Once you have edited the syslog-ng.conf file, restart syslog-ng to activate the new configuration:

/etc/init.d/syslog-ng restart

With the configuration activated, syslog-ng will begin to forward the events to your Devo Cloud.

Test the connection

You can make sure that the events are being forwarded to the Relay by using the logger command to write test messages to the system log. 

In the Devo web application, go to Data search. Open the box.unix data table to confirm that these logger events were forwarded and received correctly.

If the system has SELinux enabled in enforcing mode (run the getenforce command to check the status), it may be necessary to add exceptions to the SELinux policy. See SELinux policy for more information.
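
The checks below can be run before restarting syslog-ng to catch the usual causes of a failed TLS handshake. This is an added example, not part of the original Devo procedure; it assumes GNU stat and the openssl command-line tool are installed, and the --run switch and the devo-preflight tag are hypothetical names chosen for this script.

```shell
#!/bin/sh
# Added example: pre-flight checks for the key material and configuration
# described in this article. Paths follow the article's download step.
KEY_DIR=${KEY_DIR:-/etc/syslog-ng/key.d}
CONF=${CONF:-/etc/syslog-ng/syslog-ng.conf}

# Succeeds only if FILE exists and its mode is exactly 600 (GNU stat assumed).
mode_is_600() {
    [ -f "$1" ] && [ "$(stat -c '%a' "$1")" = "600" ]
}

# Succeeds only if the certificate's public key is the one derived from the
# private key, i.e. the two downloaded files belong together.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Runs every check on DIR, prints one line per failure and returns the
# number of failed checks (0 means everything passed).
preflight() {
    dir=$1
    fails=0
    for f in "$dir/domain.crt" "$dir/domain.key"; do
        mode_is_600 "$f" ||
            { echo "FAIL: $f is missing or its mode is not 600"; fails=$((fails + 1)); }
    done
    cert_matches_key "$dir/domain.crt" "$dir/domain.key" ||
        { echo "FAIL: domain.crt does not match domain.key"; fails=$((fails + 1)); }
    return "$fails"
}

# Executed only when the script is called with --run (hypothetical switch).
if [ "${1:-}" = "--run" ]; then
    preflight "$KEY_DIR" || exit 1
    # Parse the configuration without starting the daemon.
    syslog-ng --syntax-only --cfgfile "$CONF" || exit 1
    # After the restart, this event should show up in the box.unix table.
    logger -t devo-preflight "test event $(date +%s)"
fi
```
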

File examples

This is an example of syslog-ng.conf configured to securely send operating system logs and internal syslog-ng logs to the Devo Cloud while applying box.unix as the first two tag levels:

/etc/syslog-ng/syslog-ng.conf

This is an example of syslog-ng.conf configured to securely send four different Apache logs to the Devo Cloud:

File /etc/rsyslog.d/45-apache.conf monitoring example


