Syslog-ng (Windows)

Last Updated: Nov 16, 2013 02:04PM PST

Sending logs from the syslog-ng Windows Agent directly

Using the syslog-ng Agent for Windows with Loggly is also easy.  To add a new server, enter “logs-01.loggly.com” as server, set server port to “514” and change to the “messages tab” for further settings. There, set protocol to “Legacy BSD” and copy & paste the template from the “Source Setup” page to the “Template” field. Use only the part between the quotation marks. It should look like this, but with a different Loggly “customer token”:

<${PRI}>1 ${ISODATE} ${HOST} ${PROGRAM} ${PID} ${MSGID} [abcd1234-aaaa-bbbb-1234-1234abcd1234@41058] $MSG\n

Once ready, click “OK”, restart the Agent and your logs will appear in Loggly. A logout / login will definitely generate some logs, that’s what I use for testing.

Sending logs from the syslog-ng Windows Agent through a central server

Using the above setup is easy, but has some shortcomings. Logs are sent directly off-site. If there is a longer networking outage then there is no central log collection at all. Also, using the legacy BSD syslog protocol instead of IETF has the disadvantage that structural data is lost. Both of these problems can be resolved by using a local central log collector, where logs are sent using the IETF protocol. Loggly Gen2 can turn JSON based messages into easy to search name value pairs and syslog-ng can turn SDATA from IETF log messages into JSON.

On the syslog-ng Windows Agent side, setup is even easier than the previous one. Just add a new server in the configuration interface and point it to port 601 of your local central syslog-ng server.

On the syslog-ng side, the following configuration will collect IETF logs and forward it to Loggly in JSON format. Obviously you need to replace the “customer token” with your own. If in doubt, you can check it once you logged in to the Loggly web interface. It can be found under “Source Setup”, and listed under “Customer Tokens”.

source s_windows {
	syslog();
};
template LogglyFormat {
template("<${PRI}>1 ${ISODATE} ${HOST} ${PROGRAM} ${PID}
${MSGID} [abcd1234-aaaa-bbbb-1234-1234abcd1234@41058] $(format_json
--scope sdata --scope selected_macros)\n");};
destination d_loggly {
tcp("logs-01.loggly.com" port(514) template(LogglyFormat));
};
log { source(s_windows);
destination(d_loggly); };

“s_windows” adds an IETF syslog source, “LogglyFormat” is a slightly modified Loggly template, which replaces the message part with JSON data, “d_loggly” is the Loggly destination, and at the end the log statement glues all of these together.

logglyassistly@zoho.com
https://cdn.desk.com/
false
@loggly
Loading
seconds ago
a minute ago
minutes ago
an hour ago
hours ago
a day ago
days ago
about
false
Invalid characters found
/customer/en/portal/articles/autocomplete