
                    Syslog-ng Configuration

                    The basic configuration sends your local system logs to Loggly and offers a foundation for adding file and application logs. If you are unable to use our automated configure-syslog script, this guide will help you set up manually with a quick copy & paste. It assumes you have sudo access, you’re on a common Linux distribution with syslog-ng 3.2 or higher, syslog-ng receives local system logs, and port 514 is open to outbound connections. If you have different requirements, please see the Advanced section.

                    Syslog-ng Configuration Guide

                    1. Update syslog-ng.conf

                    Open your syslog-ng.conf file, which is usually found in the /etc/syslog-ng/ directory.

                    sudo vim /etc/syslog-ng/syslog-ng.conf

                    Paste in this configuration:

                    ### Syslog-ng Logging Directives for ###
                    source s_loggly {
                    	system();	# Check which OS & collect system logs
                    	internal();	# Collect syslog-ng logs
                    };
                    template LogglyFormat { template("<${PRI}>1 ${ISODATE} ${HOST} ${PROGRAM} ${PID} ${MSGID} [TOKEN@41058 tag=\"TAG\" ] $MSG\n"); };
                    destination d_loggly {
                    	tcp("" port(514) template(LogglyFormat));	# Loggly endpoint hostname goes inside the quotes
                    };
                    log {
                    	source(s_loggly);	# Connect the source defined above...
                    	destination(d_loggly);	# ...to the Loggly destination
                    };
                    ### END Syslog-ng Logging Directives for ###

                    Replace the above variables:

                    • TOKEN: Replace with your customer token
                    • TAG: Replace with a tag that describes the syslog source.

                    2. Restart syslog-ng

                    $ /etc/init.d/syslog-ng restart

                    3. Verify

                    Use logger to send a test event. Alternatively, use the automatic verification option in configure-syslog.

                    $ logger 'Hello World!'

                    Verify it shows up in Loggly by doing a search over the past hour. If it doesn’t work, see the troubleshooting section below.

                    4. Send Application Data

                    Advanced Syslog-ng Configuration Options

                    Troubleshooting Syslog-ng

                    If you don’t see any data show up in the verification step, then check for these common problems.

                    • Make sure you restarted syslog-ng
                    • Check the syslog-ng logs in /var/log/messages
                    • Verify syslog-ng is sending data to Loggly by running “logger test” then searching for that event in Loggly
                    • Run “syslog-ng -s” (syntax check only) before reloading / restarting syslog-ng to minimize downtime after editing the configuration
                    • Make sure port 514 is open for regular syslog or 6514 for TLS-encrypted syslog
                    • SELinux / AppArmor can cause mysterious trouble, as both of these technologies limit what syslog-ng can read and write on a system. SELinux can even prevent you from sending or receiving logs on ports other than 514. Check the contents of /var/log/audit if you think that your configuration is correct and you still get permission denied / unable to connect messages or just silent failures.
                    • You can start syslog-ng in verbose / debug mode in the foreground to see on the console what syslog-ng is doing. Use: syslog-ng -Fevd
                    • It is not enough to define sources and destinations, they also need to be connected using a log statement.
                    • Search or post your own question in the community forum.
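
A pre-restart check for the configuration mistakes listed above, as an added example that is not part of Loggly's documentation or its configure-syslog script. The function name check_loggly_conf and the sample file are constructed for illustration; s_loggly, d_loggly and the TOKEN / TAG placeholders are the names used in the configuration on this page.

```shell
#!/bin/sh
# Added example, not Loggly's tooling: static checks on the Loggly block of a
# syslog-ng.conf before restarting. s_loggly / d_loggly are the page's names.

_fail() { echo "ERROR: $1"; errors=$((errors + 1)); }

check_loggly_conf() {
    conf=$1
    errors=0
    if [ ! -r "$conf" ]; then echo "ERROR: cannot read $conf"; return 2; fi

    # Drop comments and join lines so multi-line statements match as one string.
    flat=$(sed 's/#.*$//' "$conf" | tr '\n' ' ')

    # Placeholders from the pasted template must have been replaced.
    case $flat in *'[TOKEN@41058'*) _fail "TOKEN placeholder not replaced" ;; esac
    case $flat in *'tag=\"TAG\"'*) _fail "TAG placeholder not replaced" ;; esac

    # The destination needs a host: tcp("") has nowhere to connect.
    if printf '%s' "$flat" | grep -Eq 'tcp\([[:space:]]*""'; then
        _fail "destination has an empty host"
    fi

    # Source and destination do nothing until a log statement connects them.
    if ! printf '%s' "$flat" | grep -Eq \
        'log[[:space:]]*\{[^}]*source\(s_loggly\)[^}]*destination\(d_loggly\)'; then
        _fail "no log statement connects s_loggly to d_loggly"
    fi

    # Port 514 is plaintext, so the customer token in each message is readable
    # in transit; the page lists 6514 as the TLS port.
    if printf '%s' "$flat" | grep -Eq \
        'destination[[:space:]]+d_loggly[[:space:]]*\{[^}]*port\(514\)'; then
        echo "WARN: d_loggly uses plaintext port 514 (6514 is the TLS port)"
    fi
    return "$errors"
}

# Constructed sample: the template pasted without edits and no log statement.
sample=$(mktemp)
cat > "$sample" <<'EOF'
source s_loggly { system(); internal(); };
template LogglyFormat { template("[TOKEN@41058 tag=\"TAG\" ] $MSG\n"); };
destination d_loggly { tcp("" port(514) template(LogglyFormat)); };
EOF
check_loggly_conf "$sample" || echo "problems found: $?"
rm -f "$sample"
```

The return status is the number of errors found, so the function can gate a restart; it complements “syslog-ng -s”, which checks syntax but not whether the placeholders were filled in.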