How sources work
A source is where AxoSyslog receives log messages. Sources consist of one or more drivers, each defining where and how messages are received.
To define a source, add a source statement to the syslog-ng.conf configuration file using the following syntax:
source <identifier> {
source-driver(params); source-driver(params); ...
};
Example: A simple source statement
The following source statement receives messages on TCP port 1999 of the interface that has the IP address 10.1.2.3.
source s_demo_tcp {
network(ip(10.1.2.3) port(1999));
};
Example: A source statement using two source drivers
The following source statement receives messages on TCP port 1999 and on UDP port 1999 of the interface that has the IP address 10.1.2.3. The two drivers are distinct listeners: network() defaults to TCP, so the UDP one needs transport("udp").
source s_demo_two_drivers {
network(ip(10.1.2.3) port(1999));
network(ip(10.1.2.3) port(1999) transport("udp"));
};
Example: Setting default priority and facility
If the messages received by a source do not carry a proper syslog header (the leading <PRI> field), use the default-facility() and default-priority() options to assign their facility and priority. These defaults are applied only to messages whose header does not set these values; a message with a valid <PRI> field keeps what it sent.
source headerless_messages { network(default-facility(syslog) default-priority(emerg)); };
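The <PRI> field that default-facility() and default-priority() fall back on is a single number, facility * 8 + severity, in angle brackets at the start of a BSD-syslog line. The following Python is an added illustration, not code from the AxoSyslog project: it encodes and decodes that field and shows which messages a fallback of syslog/emerg (the values in the example above) would apply to. The sample lines are constructed, and the choice to treat values above 191 as "no valid header" is this example's assumption, not a statement about how AxoSyslog parses them.

```python
"""Added example (not AxoSyslog code): the <PRI> prefix of a BSD-syslog message
and the facility/severity fallback that default-facility()/default-priority()
provide for messages without one."""
import re

# Facility and severity codes from RFC 3164 / RFC 5424.
FACILITIES = {"kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
              "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11,
              **{f"local{i}": 16 + i for i in range(8)}}
SEVERITIES = {"emerg": 0, "alert": 1, "crit": 2, "err": 3, "warning": 4,
              "notice": 5, "info": 6, "debug": 7}
FACILITY_NAMES = {v: k for k, v in FACILITIES.items()}
SEVERITY_NAMES = {v: k for k, v in SEVERITIES.items()}

PRI_RE = re.compile(r"^<(\d{1,3})>")
MAX_PRI = 23 * 8 + 7  # local7.debug is the largest legal value (191)


def encode_pri(facility, severity):
    """Build the <PRI> prefix a sender puts in front of a message."""
    return f"<{FACILITIES[facility] * 8 + SEVERITIES[severity]}>"


def parse_pri(line):
    """Return (facility, severity) names from a leading <PRI>, or None when the
    line has no usable header. Assumption of this example: PRI > 191 counts as
    no header, since no facility above 23 is defined."""
    m = PRI_RE.match(line)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > MAX_PRI:
        return None
    fac, sev = divmod(pri, 8)
    # Facilities 12-15 have no syslog-ng name in this table; keep the number.
    return FACILITY_NAMES.get(fac, f"facility{fac}"), SEVERITY_NAMES[sev]


def classify(line, default_facility="syslog", default_priority="emerg"):
    """Facility/severity a message ends up with: its own header if valid,
    otherwise the configured defaults. Third value says whether the header was used."""
    parsed = parse_pri(line)
    if parsed is None:
        return default_facility, default_priority, False
    return parsed[0], parsed[1], True


# Constructed sample lines, not captured traffic.
SAMPLES = [
    "<165>Oct 11 22:14:15 host app: login ok",   # local4.notice from the header
    "<13>Oct 11 22:14:16 host app: hello",       # user.notice from the header
    "Oct 11 22:14:17 host app: no PRI at all",   # falls back to syslog.emerg
]

if __name__ == "__main__":
    for line in SAMPLES:
        fac, sev, from_header = classify(line)
        print(f"{fac}.{sev:<8} header={from_header}  {line}")
```

Note what the example configuration above implies: with default-priority(emerg), every headerless line becomes an emergency, which will trip any alerting keyed on severity. Choose the default the source actually warrants (often notice or info) and use a dedicated source for headerless senders so the fallback does not silently apply to well-formed traffic too.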
Define a source only once. The same source can be used in several log paths. Duplicating sources causes AxoSyslog to open the source (TCP/IP port, file, socket, and so on) more than once, which might cause problems. For example, include the /dev/log socket source in only one source statement, and reference that statement from as many log paths as needed.
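A duplicate opened a second time is easy to miss in a configuration that has grown over several files. The following Python lint is an added example, not a tool shipped with AxoSyslog: it extracts the driver calls from every source statement and reports any driver instance (same driver name, same arguments) that appears in more than one statement. The sample configuration is constructed. The check is textual, so two statements that write the same arguments in a different order are not matched, and a `#` inside a quoted string is treated as a comment; it is a first pass, not a parser for the full configuration grammar.

```python
"""Added example (not AxoSyslog code): flag the same source driver instance
being opened in more than one source statement."""
import re
from collections import defaultdict

# A source statement: `source <name> { ... };`  (re.S lets the body span lines)
SOURCE_RE = re.compile(r"source\s+(\S+)\s*\{(.*?)\};", re.S)
# One driver call inside the body, e.g. network(ip(10.1.2.3) port(1999));
# The lazy match stops at the first ")" that is followed by ";".
DRIVER_RE = re.compile(r"([\w-]+)\s*\((.*?)\)\s*;", re.S)


def normalize(args):
    """Collapse whitespace so formatting differences do not hide a duplicate."""
    return re.sub(r"\s+", " ", args.strip())


def find_duplicate_drivers(config_text):
    """Return {driver instance: [source names]} for every instance opened by
    more than one source statement. Comments (# to end of line) are ignored;
    this example assumes '#' never appears inside a quoted argument."""
    config_text = re.sub(r"#[^\n]*", "", config_text)
    opened = defaultdict(list)
    for name, body in SOURCE_RE.findall(config_text):
        for driver, args in DRIVER_RE.findall(body):
            opened[f"{driver}({normalize(args)})"].append(name)
    return {inst: names for inst, names in opened.items() if len(names) > 1}


# Constructed configuration: /dev/log is opened by two statements.
SAMPLE_CONFIG = """
source s_local {
    unix-dgram("/dev/log");
    internal();
};
# The second statement below reopens /dev/log; it should reuse s_local instead.
source s_audit {
    unix-dgram("/dev/log");
};
source s_net {
    network(ip(10.1.2.3) port(1999));
};
"""

if __name__ == "__main__":
    for instance, names in find_duplicate_drivers(SAMPLE_CONFIG).items():
        print(f"{instance} is opened by: {', '.join(names)}")
```

Run it over the concatenation of syslog-ng.conf and every file it includes; the fix for each hit is to keep one source statement and name it in each log path that needs the messages.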
Sources and destinations are initialized only when they are used in a log statement. For example, AxoSyslog starts listening on a port or starts polling a file only if the source is used in a log statement. For details on creating log statements, see log: Filter and route log messages using log paths, flags, and filters.
To collect log messages on a specific platform, it is important to know how the native syslogd communicates on that platform. The following table summarizes the operation methods of syslogd on some of the tested platforms:
Communication methods used between the applications and syslogd
Platform | Method |
---|---|
Linux | A SOCK_DGRAM unix socket named /dev/log. Newer distributions that use systemd collect log messages into a journal file. |
BSD flavors | A SOCK_DGRAM unix socket named /var/run/log. |
Solaris (2.5 or below) | An SVR4 style STREAMS device named /dev/log. |
Solaris (2.6 or above) | In addition to the STREAMS device used in earlier versions, 2.6 uses a new multithreaded IPC method called door. By default the door used by syslogd is /etc/.syslog_door. |
HP-UX 11 or later | HP-UX uses a named pipe called /dev/log that is padded to 2048 bytes, for example, source s_hp-ux { pipe("/dev/log" pad-size(2048)); }; |
AIX 5.2 and 5.3 | A SOCK_STREAM or SOCK_DGRAM unix socket called /dev/log. |
Each possible communication mechanism has a corresponding source driver in syslog-ng. For example, to open a unix socket with SOCK_DGRAM style communication, use the unix-dgram driver. The driver for a unix socket using SOCK_STREAM style communication is unix-stream. Check the table above before choosing: using the wrong socket type for a platform means the listener opens but never receives anything.
Example: Source statement on a Linux based operating system
The following source statement collects these log messages:
- internal(): messages generated by syslog-ng itself.
- network(transport("udp")): messages arriving on UDP port 514 of any interface of the host.
- unix-dgram("/dev/log"): messages arriving on the /dev/log socket.
source s_demo {
internal();
network(transport("udp"));
unix-dgram("/dev/log");
};
Sources list
The following table lists the source drivers available in syslog-ng.
Source drivers available in syslog-ng
Name | Description |
---|---|
file() | Opens the specified file and reads messages. |
internal() | Messages generated internally in syslog-ng. |
kubernetes() | Collects container logs managed by the Kubelet. |
mbox() | Reads email messages from local mbox files and converts them to multiline log messages. |
network() | Receives messages from remote hosts using the BSD-syslog protocol over IPv4 and IPv6. Supports the TCP, UDP, and TLS network protocols. |
nodejs() | Receives JSON messages from nodejs applications. |
osquery() | Runs osquery queries and converts their results into log messages. |
pacct() | Reads messages from the process accounting logs on Linux. |
pipe() | Opens the specified named pipe and reads messages. |
program() | Opens the specified application and reads messages from its standard output. |
python() and python-fetcher() | Receive or fetch messages using a custom source written in Python. |
snmptrap() | Reads and parses the SNMP traps of the Net-SNMP snmptrapd application. |
sun-stream(), sun-streams() | Opens the specified STREAMS device on Solaris systems and reads incoming messages. |
syslog() | Listens for incoming messages using the IETF-standard syslog protocol (RFC 5424). |
system() | Automatically detects which platform AxoSyslog is running on, and collects the native log messages of that platform. |
systemd-journal() | Collects messages directly from the journal of platforms that use systemd. |
systemd-syslog() | Collects messages from the journal using a socket on platforms that use systemd. |
unix-dgram() | Opens the specified unix socket in SOCK_DGRAM mode and listens for incoming messages. |
unix-stream() | Opens the specified unix socket in SOCK_STREAM mode and listens for incoming messages. |
stdin() | Collects messages from the standard input stream. |
wildcard-file() | Reads messages from multiple files and directories. |