syslog-ng documentation
syslog-ng Open Source Edition Administration Guides
Creating pattern databases