Syslog-ng
Syslog-ng is a free and open-source implementation of the Syslog protocol, an enhanced log daemon, supporting a wide range of input and output methods: Syslog, unstructured text, queueing, SQL & NoSQL
Installation of Syslog-ng
To install Syslog-ng on your system, please refer to the official git repo given below
Configuration of Syslog-ng
Apica Ascent supports data ingestion from Syslog-ng. The following instructions describe the steps for configuring log forwarding from Syslog-ng to Apica Ascent by modifying the Syslog-ng configuration file.
Syslog-ng supports both TCP and UDP protocols, Apica Ascent only supports ingestion of logs over TCP protocol to ensure packets are not lost or dropped. TCP relies on acknowledgments from the receiver to make sure the packet is delivered.
Apica Ascent hosts the syslog protocol at port 514. The ports are configurable and can be changed if needed. Additional port for TLS is available at 7514
INPUT
The below configuration typically sends all system and internal logs, such as sshd, systemd, NetworkManager
The below configuration accepts system logs from /dev/log (from applications or forwarded by systemd) and writes everything to a single file.
OUTPUT
Apica Ascent supports multiple way to ingest data via standard interfaces. With syslog-ng you can use the built-in syslog, http output destinations to push data to Apica Ascent. We however recommend using Apica Ascent's python destination for syslog-ng driver as it provides most capabilities and control over pushing you data at scale.
Python syslog-ng destination for Apica Ascent
The syslog-ng python destination driver for Apica Ascent is avalable as a python package and can be installed via pip. To enable the python destination support, first install the python destination support for syslog-ng. Below is an example of how to do this on an ubuntu system.
You can refer to the syslog-ng website for other operating systems. You can now proceed to install the Apica Ascent driver next. This assumes you have python3 installed. More details on the Apica Ascent driver can be found at https://pypi.org/project/logiqaidstsyslogng/
or
Checking Python2/3 linkage for syslog-ng
Note you may need to use pip3 vs pip to install depending on what the syslog-ng python linkage is. A quick way to test your python linkage is to create a dummy syslog-ng config file with a python destination. See below
Run syslog-ng with the above dummy config, and you should see the version of python that it loads
Creating a logiq.conf for the driver
A logiq.conf is required that provides details of the LOGIA.AI instance and how to connect to it. Please note down the path where you save the config as we will need it to configure the destination in syslog-ng.conf. We recommend you store it in /etc/syslog-ng/logiq.conf along with rest of the syslog-ng configruation files.
Creating a syslog-ng destination for Apica Ascent
You are now ready to update your syslog-ng conf to add a Apica Ascent python destination
Apica Ascent only works with RFC3339/ISO8601 time stamps so the python destination must add the ISODATE key which will be sent as timestamp.
The scope for value-pairs also needs to contain rfc5424 so we can pull out all the standard syslog fields such as host, application, pid, sdata etc.
The python destination provides some useful options as described below
batch-timeout
e.g. 500 (milliseconds)
NA
Refer to syslog-ng documentation. This allows for batching logs
batch-lines
e.g. 400
NA
Refer to syslog-ng documentation. This limits the max batch size allowed before python plugin calls a flush
class
NA
Specifies the Apica Ascent python driver class to load
The Apica Ascent driver provides various options as described below
config
e.g. /etc/syslog-ng/logiq.conf
None
Location of logiq.conf file
workers-batch
e.g. 8/16
1
Number of workers, more workers allow more parallelism when pushing to a loadbalanced LOGIQ.AI endpoint
worker-batch-lines
e.g. 25
25
How many maximum log events are batched per worker
loglevel
e.g. INFO/WARN/ERROR/DEBUG
INFO
Debug level. Logs are sent to /var/log/logiqaidstsyslogns
debug
true/false
false
Prints additional debug including log event to the log file
namespace-key
e.g. HOST
Not set
Which key from log event maps to namespace
application-key
e.g. PROGRAM
Not set
Which key from log event maps to application
cluster-key
e.g. HOST
Not set
Which key from log event maps to cluster/group identifier
Organizing data in Apica Ascent
Data in the Apica Ascent gets organized as flows. A flow consists of a Namespace, an application name and one or more subflows or ProcId's. This allows mapping most legacy and cloud native environments in Apica with minimal configuration
Please set namespace, application and cluster_id mappings in syslogn-ng.conf. If this is not configured, default mappings will be used.
Additional output methods
Additional methods to push data via syslog-ng are documented below but are not recommended for production and scale use.
OUTPUT (non-TLS)
The below configuration describes how logs are sent to Apica Ascent over non-TLS protocol using syslog() driver
OUTPUT (TLS)
The below configuration forwards logs over TLS to Apica Ascent over non-TLS protocol using syslog() driver
Example (non-TLS)
The below configuration shows the full configuration of how Syslog-ng forwards logs over non-TLS protocol using syslog() driver
OUTPUT http/https
NOTE: The payload in ${MSG} and other fields that come from syslog-ng variable need to be escaped properly, otherwise they will be rejeced with a 400 error.
Below example shows how to construct a body
With http/https publish, the following are mandatory
Ingest token
namespace
@timestamp
application_name
cluster_id
hostname
In addition to the fields above, arbitrary json attributes can be provided. Nested JSON will automatically get flattened.
Example config below. Please modify relevant fields such as cluster_id, namespace, application_name before sending data
For more information please refer Syslog-ng documentation
Last updated