syslog

Syslog is a protocol for sending log messages over an IP network. It has been standardized by the IETF (documents here).

Originally developed as part of Sendmail, syslog became the de facto standard for Unix and Linux systems.

A “syslog server” or “syslog daemon” is typically the recipient of syslog messages.

SourceLabs includes the ability to capture, sort, search and correlate Syslog messages with millions of records as part of its Self-Support Suite for Linux and Open Source Java.

Content Tagged syslog

An Enhanced and More Powerful Syslog App - syslog-ng

We recently purchased a new network application/appliance.

As part of my normal practice, I wanted to configure the
appliance to duplicate its logs to our centralized syslog server.
With standard syslogd, you add one line to your configuration
file (syslog.conf) and restart the daemon.

But this appliance uses syslog-ng, an enhanced and more
powerful syslog application.

The syslog-ng configuration file (syslog-ng.conf) includes
four main components: source, filter, destination, and log.

1. source (required) - This tells syslog-ng the source of
the log data. This could be a network port, streams,
a file (/proc/kmsg).

2. filter (optional) - If you want to throw all your log
data into one file, you don't need a filter.

3. destination (required) - Syslog-ng needs to know what
to do with the data it reads from "source". Destination
can be a file, a remote server IP, a pipe, usertty, etc.

4. log (required) - This is the line that makes it all
happen by bringing the above items together.

This line basically says:
"look at all the logs coming from $source, pull
this $filter and save it in $destination."

NOTE: You can include multiple source, filter and
destination on this line.

For example:
I want to configure syslog-ng to send all logs to a
local file and to my Centralized Log Server (IP 1.2.3.4)

-----------------
# Solaris Configuration:

# SOURCE
# This source entry allows locally generated logs to be captured

source local { sun-streams("/dev/log" door("/etc/.syslog_door")); internal(); };

# FILTER (optional)
# I'm not defining any filter since I want everything.

# DESTINATION
# I want to send the logs via the standard syslog UDP port to IP 1.2.3.4
# and to a local file, /var/log/everything.log.

destination logserver { udp("1.2.3.4"); };
destination localfile { file("/var/log/everything.log"); };

# LOG

log { source(local); destination(logserver); destination(localfile); };

---------------

After you edit your configuration file, you can verify the syntax using this command:

$ syslog-ng -s

If you don't have any errors, restart your syslog-ng daemon.
You should now be logging everything to the file /var/log/everything.log as well as to the remote log server.

Post provided by Mary M. Chaddock

Unix: My SysAd Blog

Using Syslog information with SourceLabs Linux Self-Support

Below is documentation for using SourceLabs Self-Support Suite for Linux and Open Source Java to gather, organize, and search Syslog messages.

You can set up syslog to connect to the relay. In this release, we only support syslog over UDP. To set this up, you need to modify your syslogd config file. Often this is in /etc/syslog.conf.

To get started, you can add

*.* @relayMachineName:4657

This will send all your syslog messages to a machine named relayMachineName over port 4657. Port 4657 is the default port the relay listens to for Syslog UDP messages. You can change this in the relay’s property file. This properties file is located in the ‘conf’ directory of your relay installation (e.g. /opt/sourcelabs/relay/conf).

To filter the syslog messages sent to the relay, please read the syslog documentation or man pages for more information.

Syslog-ng:

You can also set up syslog-ng to use the relay. For the current version of the relay, you will need to use UDP logging to the relay instead of TCP. To set this up, you need to modify your syslog-ng config file. Often this is in /etc/syslog-ng.conf.

To get started, you can add

destination d_relay { udp("relayMachineName" port(4657)); };
log { source(s_sys); destination(d_relay); };

Assuming that you are using a default syslog-ng configuration where source ‘s_sys’ represents all syslog messages (modify source as necessary for your configuration), this will send all your syslog messages to a machine named relayMachineName over port 4657. Port 4657 is the default port the relay listens to for Syslog UDP messages. You can change this in the relay’s property file. This properties file is located in the ‘conf’ directory of your relay installation (e.g. /opt/sourcelabs/relay/conf).

To filter the syslog messages sent to the relay, please read the syslog documentation or man pages for more information.

Find more information about SourceLabs Self-Support Suite for Linux and Open Source Java
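
Both syslog-ng setups above only forward logs if the remote destination is named in a log statement and every name that statement references is defined. The following is an added example, not code from either post or from syslog-ng: a small regex-based wiring check for flat configurations (no nested log paths or braces inside bodies). The names lint, POST_CONF, BROKEN_CONF and RELAY_SNIPPET are assumptions, and the sample configurations are constructed from the snippets on this page.

```python
import re

# "source|destination|filter NAME { body };" definitions.
DEF_RE = re.compile(r'\b(source|destination|filter)\s+([\w.-]+)\s*\{(.*?)\}\s*;', re.S)
# "log { ... };" statements and the source(x)/filter(x)/destination(x) references inside.
LOG_RE = re.compile(r'\blog\s*\{(.*?)\}\s*;', re.S)
REF_RE = re.compile(r'\b(source|destination|filter)\s*\(\s*([\w.-]+)\s*\)')

def lint(conf):
    """Return (findings, remote): wiring problems, and network destinations in use."""
    text = re.sub(r'#.*', '', conf)  # drop comments before matching
    defs = {(kind, name): body for kind, name, body in DEF_RE.findall(text)}
    used, findings = set(), []
    for body in LOG_RE.findall(text):
        for ref in REF_RE.findall(body):
            used.add(ref)
            if ref not in defs:
                findings.append("log path references undefined %s '%s'" % ref)
    for kind, name in sorted(set(defs) - used):
        findings.append("%s '%s' is defined but not in any log path" % (kind, name))
    # A destination only ships logs off-host if it is both network-based and wired in.
    remote = sorted(name for (kind, name), body in defs.items()
                    if kind == 'destination' and (kind, name) in used
                    and re.search(r'\b(udp|tcp)\s*\(', body))
    return findings, remote

# Constructed sample: the Solaris configuration from the first post.
POST_CONF = '''
source local { sun-streams("/dev/log" door("/etc/.syslog_door")); internal(); };
destination logserver { udp("1.2.3.4"); };
destination localfile { file("/var/log/everything.log"); };
log { source(local); destination(logserver); destination(localfile); };
'''
# Constructed sample: same file, but the remote destination was left out of the log path.
BROKEN_CONF = POST_CONF.replace(' destination(logserver);', '')
# Constructed sample: the relay snippet on its own, without a definition of s_sys.
RELAY_SNIPPET = '''
destination d_relay { udp("relayMachineName" port(4657)); };
log { source(s_sys); destination(d_relay); };
'''

if __name__ == "__main__":
    for label, conf in (("post", POST_CONF), ("broken", BROKEN_CONF),
                        ("relay", RELAY_SNIPPET)):
        print(label, lint(conf))
```

Run it against the full configuration file rather than a pasted fragment; the relay snippet is flagged here only because s_sys is defined elsewhere in a default configuration.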

syslogd supporting MySQL and TCP :: rsyslog

Rsyslog is an enhanced multi-threaded syslogd supporting, among others, MySQL, syslog/tcp, RFC 3195, permitted sender lists, filtering on any message part, and fine-grained output format control.

User:daveg: del.icio.us/daveg
