Secure sending using syslog-ng
This article describes how to manually configure syslog-ng to send events to Devo using an encrypted and authenticated channel. This is the recommended procedure when you want to forward events over the internet, directly to the Devo Cloud.
Download and save the certificates
The security certificates need to be saved to the local machine in order to reference them in the syslog-ng configuration file later.
Go to Administration → Credentials → X.509 Certificates in the Devo web application.
- Download the Certificate and Private key to /etc/syslog-ng/key.d/.Â
- Download the Chain CAÂ to /etc/syslog-ng/ca.d/.Limit the permissions to the Certificate and Private key files in /etc/syslog-ng/key.d/ using this command:
cd /etc/syslog-ng/key.d/; chmod 600 domain.crt domain.key -rw------- 1 root root 1529 Oct 24 13:18 domain.crt -rw------- 1 root root 1675 Oct 24 13:18 domain.key
Edit the syslog-ng.conf file
In this step we define the Devo Cloud endpoint as a new destination in the syslog-ng configuration.
Open the /etc/syslog-ng/syslog-ng.conf file and configure the new Devo Cloud destination as shown below:
destination d_ssl_devo_unix {
tcp("collector-x.devo.io" port(443)
template("<$PRI>$DATE $HOST box.unix.$PROGRAM: $MESSAGE\n")
tls(
ca_dir("/etc/syslog-ng/chain.crt")
key_file("/etc/syslog-ng/domain.key")
cert_file("/etc/syslog-ng/domain.crt")
peer_verify(required-untrusted)) persist-name("xxUniqueNameInThisConfigForThisDestinationxx")
);
};
In the destination, you will notice that the template assigns box.unix as the first two tag levels for all system log events.
Preventing event loss
To prevent event lost, we recommend you add the following:options {
  mark-freq (30);
};
Restart syslog-ng
Once you have edited the syslog-ng.conf file, restart syslog-ng to activate the new configuration:
/etc/init.d/syslog-ng restart
With the configuration activated, syslog-ng will begin to forward the events to your Devo Cloud.
Test the connection
You can make sure that the events are being forwarded to the Relay by using the logger command to write test messages to the system log.Â
In the Devo web application, go to Data search. Open the box.unix
 data table to confirm that these logger events were forwarded and received correctly.
If the system has SELinux enabled in enforcing mode (run the getenforce command to check the status), it may be necessary to add exceptions to the SELinux policy. See SELinux policy for more information.
File examples
This is an example of syslog-ng.conf configured to securely send operating system logs and internal syslog-ng logs to the Devo Cloud while applying box.unix as the first two tag levels:
/etc/syslog-ng/syslog-ng.conf
This is an example of syslog-ng.conf configured to securely send four different Apache logs to the Devo Cloud: