Edit the unit file as needed for your environment.
We recommend using the default mount points:
Purpose
On the host
In the container
Disk-buffer and persist files
/var/lib/syslog-ng
/var/lib/syslog-ng
syslog-ng configuration file
/opt/axosyslog/etc
/etc/syslog-ng
Output log files
/opt/axosyslog/var/log
/var/log
(Optional) Create an override.conf file to set custom environment values. This can be useful if you don’t want to modify /etc/containers/systemd/axosyslog.container. Run:
systemctl edit axosyslog
Later you can edit this file by running the previous command again.
Create the /opt/axosyslog/etc/syslog-ng.conf configuration file based on the following template.
With the following sample configuration file AxoSyslog collects the local system logs and logs received from the network into the /var/log/messages file.
You can customize the configuration file according to your needs. For a few pointers, see Configuring AxoSyslog on server hosts and the rest of this guide.
Run the following commands to reload the systemd configuration and launch the axosyslog service. Though the systemctl commands are run as root, the container will run as the specified user if set appropriately in the unit file.
If there aren’t any errors, these commands don’t have any output.
Run the following command to verify that the service was properly started:
journalctl -b -u axosyslog | tail -100
The output should be similar to:
Feb 12 09:04:40 <your-hostname> systemd[1]: Starting AxoSyslog Container...
Feb 12 09:04:40 <your-hostname> podman[2783]: 2024-02-12 09:04:40.454665314 -0500 EST m=+0.167732500 system refresh
Feb 12 09:04:40 <your-hostname> axosyslog[2783]: Trying to pull ghcr.io/axoflow/axosyslog:latest...
Feb 12 09:04:40 <your-hostname> axosyslog[2783]: Pulling image //ghcr.io/axoflow/axosyslog:latest inside systemd: setting pull timeout to 5m0s
Feb 12 09:04:41 <your-hostname> axosyslog[2783]: Getting image source signatures
Feb 12 09:04:41 <your-hostname> axosyslog[2783]: Copying blob sha256:4f4fb700ef54461cfa02571ae0db9a0dc1e0cdb5577484a6d75e68dc38e8acc1
Feb 12 09:04:41 <your-hostname> axosyslog[2783]: Copying blob sha256:619be1103602d98e1963557998c954c892b3872986c27365e9f651f5bc27cab8
Feb 12 09:04:41 <your-hostname> axosyslog[2783]: Copying blob sha256:b061f41886afb563aff2a5f731f3286ba54ea6f657ed3e282f5339a12a64c5ef
Feb 12 09:04:41 <your-hostname> axosyslog[2783]: Copying blob sha256:1b8d965a650c6a05227bd5c549930c9898071e8e7abb26886d4169a99762de0a
Feb 12 09:04:41 <your-hostname> axosyslog[2783]: Copying blob sha256:b5b0ce6ebef193c4f909379188cfb59443e8a1809816fbb476074908b170b4d1
Feb 12 09:04:50 <your-hostname> axosyslog[2783]: Copying config sha256:c379d94ef2c5ec348dfb3a93eed9a19aed667c396008db85edc354c8f4f8cb6a
Feb 12 09:04:50 <your-hostname> axosyslog[2783]: Writing manifest to image destination
Feb 12 09:04:50 <your-hostname> podman[2783]: 2024-02-12 09:04:50.422390687 -0500 EST m=+10.135457863 container create 477c9f011684f767aae138a0f88602ff30a8c95a46d616bb3b95318ec3a4b79f (image=ghcr.io/axoflow/axosyslog:latest, name=AxoSyslog, org.opencontainers.image.documentation=https://axoflow.com/docs/axosyslog/docs/, org.opencontainers.image.url=https://axoflow.io/, org.opencontainers.image.source=https://github.com/axoflow/axosyslog, org.opencontainers.image.authors=Axoflow, org.opencontainers.image.title=AxoSyslog, org.opencontainers.image.vendor=Axoflow, PODMAN_SYSTEMD_UNIT=axosyslog.service, org.opencontainers.image.description=A cloud-native distribution of syslog-ng by Axoflow, maintainer=axoflow.io, org.opencontainers.image.licenses=GPL-3.0-only)Feb 12 09:04:50 <your-hostname> podman[2783]: 2024-02-12 09:04:50.402626446 -0500 EST m=+10.115693622 image pull c379d94ef2c5ec348dfb3a93eed9a19aed667c396008db85edc354c8f4f8cb6a ghcr.io/axoflow/axosyslog:latest
Feb 12 09:04:50 <your-hostname> podman[2783]: 2024-02-12 09:04:50.489925509 -0500 EST m=+10.202992695 container init 477c9f011684f767aae138a0f88602ff30a8c95a46d616bb3b95318ec3a4b79f (image=ghcr.io/axoflow/axosyslog:latest, name=AxoSyslog, org.opencontainers.image.authors=Axoflow, org.opencontainers.image.licenses=GPL-3.0-only, org.opencontainers.image.vendor=Axoflow, maintainer=axoflow.io, PODMAN_SYSTEMD_UNIT=axosyslog.service, org.opencontainers.image.url=https://axoflow.io/, org.opencontainers.image.documentation=https://axoflow.com/docs/axosyslog/docs/, org.opencontainers.image.title=AxoSyslog, org.opencontainers.image.description=A cloud-native distribution of syslog-ng by Axoflow, org.opencontainers.image.source=https://github.com/axoflow/axosyslog)Feb 12 09:04:50 <your-hostname> systemd[1]: Started AxoSyslog Container.
Feb 12 09:04:50 <your-hostname> podman[2783]: 2024-02-12 09:04:50.500050669 -0500 EST m=+10.213117845 container start 477c9f011684f767aae138a0f88602ff30a8c95a46d616bb3b95318ec3a4b79f (image=ghcr.io/axoflow/axosyslog:latest, name=AxoSyslog, PODMAN_SYSTEMD_UNIT=axosyslog.service, org.opencontainers.image.source=https://github.com/axoflow/axosyslog, org.opencontainers.image.authors=Axoflow, org.opencontainers.image.description=A cloud-native distribution of syslog-ng by Axoflow, org.opencontainers.image.documentation=https://axoflow.com/docs/axosyslog/docs/, org.opencontainers.image.licenses=GPL-3.0-only, org.opencontainers.image.vendor=Axoflow, org.opencontainers.image.title=AxoSyslog, maintainer=axoflow.io, org.opencontainers.image.url=https://axoflow.io/)Feb 12 09:04:50 <your-hostname> axosyslog[2783]: 477c9f011684f767aae138a0f88602ff30a8c95a46d616bb3b95318ec3a4b79f
Feb 12 09:04:50 <your-hostname> AxoSyslog[2821]: [2024-02-12T14:04:50.806054] syslog-ng starting up;version='4.6.0'
Send a test message to the service (requires nc to be installed):
echo'<5> localhost test: this is a test message'| nc localhost 514
Check that the test message has arrived into the log file:
cat /opt/axosyslog/var/log/messages
The output should be similar to:
Feb 19 15:49:12 localhost test: this is a test message
Customize the configuration
To customize the configuration, edit the /opt/axosyslog/etc/syslog-ng.conf file on the host, then reload the service.
Managing the AxoSyslog systemd service
You can reload syslog-ng running in the container via systemctl. The following command reloads the syslog-ng.conf file, without stopping/starting syslog-ng itself.
sudo systemctl reload axosyslog
You can access syslog-ng-ctl from the host, for example by running:
If you use syslog-ng-ctl regularly, you can create the /opt/axosyslog/bin/syslog-ng-ctl file with the following content, make it executable, and add it to your path. That way running syslog-ng-ctl <command> will execute the command in the AxoSyslog container.
The traditional method of starting a service at boot (systemctl enable) is not supported for container services. To automatically start the AxoSyslog service, make sure that the following line is included in the unit file. (It is included in the sample template.)
[Install]WantedBy=default.target
2 - Install AxoSyslog on Debian/Ubuntu
You can install AxoSyslog 4.8 and newer on your Debian-based system from Axoflow’s APT repository. AxoSyslog is a drop in replacement for the syslog-ng Debian package, all the AxoSyslog binaries and configuration files are stored at the same place on your system.
The following x86-64 distributions are supported:
Distribution
sources.list component
Debian 12
debian-bookworm
Debian 11
debian-bullseye
Debian Unstable
debian-sid
Debian Testing
debian-testing
Ubuntu 24.10
ubuntu-oracular
Ubuntu 24.04
ubuntu-noble
Ubuntu 23.10
ubuntu-mantic
Ubuntu 23.04
ubuntu-lunar
Ubuntu 22.04
ubuntu-jammy
Ubuntu 20.04
ubuntu-focal
Which package to install?
AxoSyslog supports many features. Some of these, like specific sources and destinations require additional packages that you need only if you’re actually using the specific destination. Therefore, AxoSyslog has a number of modules that you can install as a separate package if you need the particular feature. For example, to use the gRPC-based destinations (like loki() or opentelemetry()), install the axosyslog-grpc-* package. For HTTP-based destinations like elasticsearch-http() or sumologic-http(), you need the axosyslog-http-* package.
Usually, you install the base package axosyslog, and the packages of specific modules that you want to use. We also provide debuginfo packages for every module, but you only need these in certain troubleshooting scenarios.
Steps
To install AxoSyslog from the APT repository, complete the following steps.
Run the following commands to add the APT repository of your distribution (for example, Ubuntu 24.04) to the APT sources list:
echo"deb [signed-by=/usr/share/keyrings/axoflow-code-signing-pub.gpg] https://pkg.axoflow.io/apt stable ubuntu-noble"| tee --append /etc/apt/sources.list.d/axoflow.list
apt update
Note
Nightly builds are also available:
echo"deb [signed-by=/usr/share/keyrings/axoflow-code-signing-pub.gpg] https://pkg.axoflow.io/apt nightly ubuntu-noble"| tee --append /etc/apt/sources.list.d/axoflow.list
Install the AxoSyslog package.
apt install axosyslog
3 - Install AxoSyslog on RHEL/Fedora/AlmaLinux
You can install AxoSyslog 4.8 and newer on your RPM-based system from Axoflow’s RPM repository. AxoSyslog is a drop in replacement for the syslog-ng RPM package, all the AxoSyslog binaries and configuration files are stored at the same place on your system.
The following x86-64 distributions are supported:
Red Hat Enterprise Linux (RHEL) 9 / AlmaLinux 9
Red Hat Enterprise Linux (RHEL) 8 / AlmaLinux 8
Fedora 41
Fedora 40
Fedora 39
(The packages for AlmaLinux probably work for Rocky Linux as well, but we haven’t tested it.)
Which package to install?
AxoSyslog supports many features. Some of these, like specific sources and destinations require additional packages that you need only if you’re actually using the specific destination. Therefore, AxoSyslog has a number of modules that you can install as a separate package if you need the particular feature. For example, to use the gRPC-based destinations (like loki() or opentelemetry()), install the axosyslog-grpc-* package. For HTTP-based destinations like elasticsearch-http() or sumologic-http(), you need the axosyslog-http-* package.
Usually, you install the base package axosyslog-<version-number>.<distro>.x86_64.rpm, and the packages of specific modules that you want to use. We also provide debuginfo packages for every module, but you only need these in certain troubleshooting scenarios.
Steps
To install AxoSyslog on RedHat Enterprise Linux 9 or AlmaLinux 9, complete the following steps. The instructions for AlmaLinux probably work for Rocky Linux 9 as well, but we haven’t tested it.
Run the following commands to enable the EPEL repositories for your distribution. This is needed to install some dependencies of AxoSyslog. (For RHEL 8 and compatible distributions, use these instructions.)
AxoSyslog 544 B/s |488 B 00:00
AxoSyslog 5.2 kB/s | 3.2 kB 00:00
Importing GPG key 0x5F25E107:
Userid : "Axoflow Code Signing Key <support@axoflow.com>"Fingerprint: 365A 4340 FA76 89B4 78ED 617C 3605 FFAD 5F25 E107
From : https://pkg.axoflow.io/axoflow-code-signing-pub.asc
AxoSyslog 68 kB/s |56 kB 00:00
Extra Packages for Enterprise Linux 9 - x86_64 8.2 MB/s |23 MB 00:02
Extra Packages for Enterprise Linux 9 openh264 (From Cisco) - x86_64 1.1 kB/s | 2.5 kB 00:02
Dependencies resolved.
Nothing to do.
Complete!
Install AxoSyslog.
To install AxoSyslog with every available module, run:
sudo yum install axosyslog-*
To install only the base package, run:
sudo yum install axosyslog
Then install other packages for the modules you want to use as needed. For example, to use the gRPC-based destinations (like loki() or opentelemetry()), install the axosyslog-grpc-* package. For HTTP-based destinations like elasticsearch-http() or sumologic-http(), you need the axosyslog-http-* package.
(Optional) If you don’t want to run other log collectors on the host, you can delete the existing one (which is rsyslog by default):
sudo yum remove rsyslog.x86_64
Using AxoSyslog
After you’ve installed AxoSyslog, you can configure it just like syslog-ng, using the same configurations files (/etc/syslog-ng/syslog-ng.conf by default). For details, see the Quick-start guide.
Getting help
If you run into any issues while installing or configuring AxoSyslog, or you have any questions, you can find us on our Discord server.
The chart provides parameters that make it easy to deploy AxoSyslog for the following use cases:
As a collector, to collect local logs using the kubernetes() source, and forward them to another syslog server, to an opensearch() node, or to another AxoSyslog node.
to receive RFC3164 and RFC5424 formatted syslog messages from any sender, or syslog-ng-otlp messages from another AxoSyslog node, and then
store them locally, or forward them to remote destinations.
These two use cases are independent from each other and can be configured separately. For other use cases, for example, to use other sources and destinations, you can use the config.raw parameter of the collector or the server. For the list of configurable parameters and their default values, see Parameters of the AxoSyslog Helm chart.
Install
To install the axosyslog chart, complete the following steps.
Release "axosyslog-1713953907" has been upgraded. Happy Helming!
...
Tip: You can retrieve the non-default values of a deployment by running helm get values <name-of-your-axosyslog-deployment>
For the collector use case, configure the destination where the logs are forwarded. For example, the following values file sends the logs in JSON format to the localhost:514 address via TCP:
The generated log messages (like 2024-05-02T10:56:31.000000+00:00 localhost prg00000[1234]: seq: 0000000065, thread: 0000, runid: 1714647391, stamp: 2024-05-02T10:56:31 PADDPADDPADDPADD) should show up in the configured destinations, for example, in the file destination:
kubectl exec axosyslog-1714389625-syslog-0 -- less /var/log/syslog
How to use disk-buffers in containers and Kubernetes
When you are running AxoSyslog in a container or in Kubernetes, and you want to use disk-buffers, there are some additional things to configure.
Make sure to mount the disk-buffer files and the persist file (by default, both are stored in /var/lib/syslog-ng) in a way they are not lost when the pod or container is restarted.
In Kubernetes, add a persistent volume to your pod and store the disk buffer files (/var/lib/syslog-ng) there.
In a container, mount the disk-buffer directory from the host, or store it on a local volume.
Use a reliable disk-buffer only if your storage is fast enough. For example, a low-speed persistent volume in Kubernetes can cause a significant performance degradation for AxoSyslog.
Use the latest available version of AxoSyslog, as many related improvements and performance improvements (for example, disk-buffer related metrics) are only supported in recent versions.
If you are using syslog-ng without disk-buffering configured, syslog-ng stores everything in memory, which results in great performance. If you enable disk-buffering, the performance decreases. Make sure to size your observability pipeline appropriately.
Uninstall
Tip: List all installed releases using helm list.
To uninstall a chart release, run:
helm delete <name-of-the-release-to-delete>
4.1 - Parameters of the AxoSyslog Helm chart
The following table lists the configurable parameters of the AxoSyslog collector chart and their default values. For details on installing the chart, see Install AxoSyslog with Helm.
Collector parameters
When you deploy AxoSyslog as a collector (which is a DaemonSet), it collects and forwards local logs to a destination. You can use the following parameters to configure the collector. The parameters for specific destinations are shown in subsequent sections.
Parameter
Description
Default
collector.enabled
Deploy AxoSyslog as a collector to collect and forward local logs
true
collector.config.destinations
The configurations of destinations that can be configured using chart values: syslog, opensearch, and syslogNgOtlp. For destinations and options not available as chart values, you can use the collector.config.raw option.
""
collector.config.raw
A complete syslog-ng configuration. If this parameter is set, all other parameters in the collector.config section are ignored. You can use this to set parameters that are not available as chart values. For details on how to create a configuration for syslog-ng, see the AxoSyslog Core documentation.
""
collector.config.rewrites.set
A list of name-value pairs to set for the collected log messages. Uses the set rewrite rule.
{}
collector.config.sources.kubernetes.enabled
Collect pod logs using the kubernetes() source. If disabled, the chart doesn’t configure any source. For the list of available sources, see the Sources chapter
true
collector.config.sources.kubernetes.prefix
Set JSON prefix for logs collected from the Kubernetes cluster
""
collector.config.sources.kubernetes.keyDelimiter
Set JSON key delimiter for logs collected from the Kubernetes cluster
""
collector.stats.level
Specifies the level of statistics AxoSyslog collects about the processed messages. For details, see (level()).
2
The following example uses the collector.config.raw parameter to configure a custom destination:
A directory containing a set of trusted CA certificates in PEM format. The name of the files must be the 32-bit hash of the subject’s name. AxoSyslog verifies the certificate of the server using these CA certificates.
The CA certificate in PEM format to use when verifying the certificate of the server.
"/path/to/CAFile.pem"
collector.config.destinations.opensearch.tls.Cert
Name of a file containing an X.509 certificate or a certificate chain in PEM format. AxoSyslog authenticates with this certificate on the server, with the private key set in the collector.config.destinations.opensearch.tls.Key field. If the file contains a certificate chain, the file must begin with the certificate of the host, followed by the CA certificate that signed the certificate of the host, and any other signing CAs in order.
"/path/to/Cert.pem"
collector.config.destinations.opensearch.tls.Key
Name of a file containing an unencrypted private key in PEM format. AxoSyslog authenticates with this key and the certificate set in the collector.config.destinations.opensearch.tls.Cert field.
If true, AxoSyslog verifies the certificate of the server with the CA certificates set in collector.config.destinations.opensearch.tls.CAFile and collector.config.destinations.opensearch.tls.CADir.
The maximum number of unavailable pods during a rolling update
1
collector.nodeSelector
Node labels for pod assignment
{}
collector.resources
Resource requests and limits
{}
collector.tolerations
Tolerations for pod assignment
[]
collector.secretMounts
Mount additional secrets as volumes
[]
collector.securityContext
Security context for the pod
{}
Syslog server parameters
When you deploy AxoSyslog as a server (which is a StatefulSet), it receives incoming data from the network and routes it to a local or remote destination. collects and forwards local logs to a destination. You can use the following parameters to configure the syslog server. The parameters for specific destinations are shown in subsequent sections.
Parameter
Description
Default
syslog.enabled
Deploy AxoSyslog as a collector to collect and forward local logs
true
syslog.bufferStorage.enabled
Configures a storage using PersistentVolumes to use as disk-buffer.
false
syslog.bufferStorage.storageClass
The class of the storage to use, for example, standard.
standard
syslog.bufferStorage.size
The maximum size of the storage to use as disk-buffer, for example, 10Gi.
10Gi
syslog.logFileStorage.enabled
Configures a storage using PersistentVolumes to store the log files.
false
syslog.logFileStorage.storageClass
The class of the storage to use, for example, standard.
standard
syslog.logFileStorage.size
The maximum size of the storage to use as for log storage, for example, 10Gi.
500Gi
syslog.config.raw
A complete syslog-ng configuration. If this parameter is set, all other parameters in the syslog.config section are ignored. You can use this to set parameters that are not available as chart values. For details on how to create a configuration for syslog-ng, see the AxoSyslog Core documentation.
""
syslog.config.stats.level
Specifies the detail of statistics AxoSyslog collects about the processed messages. For details, see level().
2
syslog.config.rewrites.set
A list of name-value pairs to set for the collected log messages. Uses the set rewrite rule.
{}
syslog.config.sources
The configurations of the sources that can be configured using chart values: syslog and syslogNgOtlp.
syslog and syslogNgOtlp are enabled by default. See the individual sources for details. For sources not available as chart values, you can use the collector.config.raw option.
The file, syslog, opensearch destinations are enabled by default. For destinations not available as chart values, you can use the collector.config.raw option.
Syslog source
You can use the syslog source to receive RFC3164 or RFC5424 formatted syslog messages on the following ports:
1514: RFC3164-formatted traffic over TCP and UDP (NodePort 30514)
1601: RFC5424-formatted traffic over TCP (NodePort 30601)
6514: RFC5424-formatted traffic over TLS (NodePort 30614)
If needed, you can open additional ports using the service.extraPorts option.
Set to yes to request a certificate from the peers. In this case, you must also set the CA directory or the CA file.
no
syslog.config.sources.syslog.tls.CAFile
A file containing trusted CA certificates. For details, see TLS options.
""
syslog.config.sources.syslog.tls.CADir
The directory for the trusted CA files. For details, see TLS options.
""
syslog.config.sources.syslog.tls.Cert
The certificate file to show to the peer. For details, see TLS options.
""
syslog.config.sources.syslog.tls.Key
The private key file for the certificate. For details, see TLS options.
""
syslogNgOtlp source
Initializes a syslog-ng-otlp() to receive messages from another AxoSyslog node that sends telemetry data using the syslog-ng-otlp() destination driver.
Parameter
Description
Default
syslog.config.sources.syslogNgOtlp.enabled
Enable receiving syslog-ng-otlp() messages.
true
syslog.config.sources.syslogNgOtlp.port
The port where messages are received.
4317
File destination
To write the collected logs into files, configure the syslog.logFileStorage and the syslog.config.destinations.file options.
The template used to format the log messages. Can include macros.
""
syslog.config.destinations.file.extraOptionsRaw
Other options of the file() destination. If the directories used in syslog.destinations.file.path do not exist, set extraOptionsRaw: "create-dirs(yes)"
Name of the OpenSearch index that stores the messages.
"test-axoflow-index"
syslog.config.destinations.opensearch.user
The username to use for authentication on the OpenSearch server, if not authenticating with a certificate.
"admin"
syslog.config.destinations.opensearch.password
The password to use for authentication on the OpenSearch server.
"admin"
syslog.config.destinations.opensearch.template
A template to format the messages.
"$(format-json --scope rfc5424 --exclude DATE --key ISODATE @timestamp=${ISODATE})"
syslog.config.destinations.opensearch.tls.CAFile
The CA certificate in PEM format to use when verifying the certificate of the server.
""
syslog.config.destinations.opensearch.tls.CADir
A directory containing a set of trusted CA certificates in PEM format. The name of the files must be the 32-bit hash of the subject’s name. AxoSyslog verifies the certificate of the server using these CA certificates.
""
syslog.config.destinations.opensearch.tls.Cert
Name of a file containing an X.509 certificate or a certificate chain in PEM format. AxoSyslog authenticates with this certificate on the server, with the private key set in the syslog.config.destinations.opensearch.tls.Key field. If the file contains a certificate chain, the file must begin with the certificate of the host, followed by the CA certificate that signed the certificate of the host, and any other signing CAs in order.
""
syslog.config.destinations.opensearch.tls.Key
Name of a file containing an unencrypted private key in PEM format. AxoSyslog authenticates with this key and the certificate set in the syslog.config.destinations.opensearch.tls.Cert field.
If true, AxoSyslog verifies the certificate of the server with the CA certificates set in syslog.config.destinations.opensearch.tls.CAFile and syslog.config.destinations.opensearch.tls.CADir.
The transport protocol to use. Possible values: tcp, udp
tcp
For example:
syslog:enabled:truebufferStorage:enabled:truestorageClass:standardsize:10Giconfig:sources:syslog:enabled:truedestinations:syslog:enabled:truetransport:tcpaddress:192.168.77.133port:12345# convert incoming data to JSON#template: "$(format-json .*)\n"# use standard syslog logfile#template: "$ISODATE $HOST $MSGHDR$MSG\n"extraOptionsRaw:"time-reopen(10)"
syslogNgOtlp destination
Send data using the syslog-ng-otlp() destination driver to another AxoSyslog node.
You can also use it as a base image in your Dockerfile:
FROM ghcr.io/axoflow/axosyslog:latest
If you want to test a development version, you can use the nightly builds:
podman pull ghcr.io/axoflow/axosyslog:nightly
Note: These named packages are automatically updated when a new package is released. To install a specific version, run podman pull ghcr.io/axoflow/axosyslog:<version-number>, for example:
podman pull ghcr.io/axoflow/axosyslog:4.10.0
Customize the configuration
The AxoSyslog container image stores the configuration file at /etc/syslog-ng/syslog-ng.conf. By default, AxoSyslog collects the local system logs and logs received from the network into the /var/log/messages and /var/log/messages-kv.log files using this configuration file from the syslog-ng repository.
To customize the configuration, create your own configuration file and override the file in the container image with it, for example:
podman run --rm --volume <path-to-your/syslog-ng.conf>:/etc/syslog-ng/syslog-ng.conf ghcr.io/axoflow/axosyslog:latest
How to use disk-buffers in containers and Kubernetes
When you are running AxoSyslog in a container or in Kubernetes, and you want to use disk-buffers, there are some additional things to configure.
Make sure to mount the disk-buffer files and the persist file (by default, both are stored in /var/lib/syslog-ng) in a way they are not lost when the pod or container is restarted.
In Kubernetes, add a persistent volume to your pod and store the disk buffer files (/var/lib/syslog-ng) there.
In a container, mount the disk-buffer directory from the host, or store it on a local volume.
Use a reliable disk-buffer only if your storage is fast enough. For example, a low-speed persistent volume in Kubernetes can cause a significant performance degradation for AxoSyslog.
Use the latest available version of AxoSyslog, as many related improvements and performance improvements (for example, disk-buffer related metrics) are only supported in recent versions.
If you are using syslog-ng without disk-buffering configured, syslog-ng stores everything in memory, which results in great performance. If you enable disk-buffering, the performance decreases. Make sure to size your observability pipeline appropriately.
Expose port to receive incoming traffic
To receive incoming network in a container, you must expose the port from the container where you want to receive the traffic to the host that’s running the container. Typically, this is only needed if you are running AxoSyslog as a relay or a server/aggregator.
By default, the AxoSyslog container images expose the ports commonly used to receive syslog traffic:
514/udp, typically used for RFC3164 (BSD-syslog) formatted traffic.
601/tcp, typically used for RFC5424 (IETF-syslog) formatted traffic.
6514/tcp, typically used for RFC5424 (IETF-syslog) formatted traffic over TLS.
To expose a specific port, use the --expose option when starting the container. Make sure to include the IP address of the host to make the port externally accessible.
For example, if you are receiving OpenTelemetry messages using the opentelemetry() source, expose the 4317 port:
podman run --rm --expose 127.0.0.1:4317:4317/tcp --volume <path-to-your/syslog-ng.conf>:/etc/syslog-ng/syslog-ng.conf ghcr.io/axoflow/axosyslog:latest
6 - Install AxoSyslog with Docker
AxoSyslog provides cloud-ready images. These images differ from the upstream syslog-ng images, because:
They’re based on Alpine Linux, instead of Debian testing for reliability and smaller size (thus smaller attack surface).
They incorporate cloud-native features and settings, such as the Kubernetes source.
They incorporate container-level optimizations for better performance and improved security. For example, they use an alternative malloc library.
They support the ARM architecture.
The AxoSyslog images support the following architectures:
You can also use it as a base image in your Dockerfile:
FROM ghcr.io/axoflow/axosyslog:latest
If you want to test a development version, you can use the nightly builds:
docker pull ghcr.io/axoflow/axosyslog:nightly
Note: These named packages are automatically updated when a new package is released. To install a specific version, run docker pull ghcr.io/axoflow/axosyslog:<version-number>, for example:
docker pull ghcr.io/axoflow/axosyslog:4.10.0
Customize the configuration
The AxoSyslog container image stores the configuration file at /etc/syslog-ng/syslog-ng.conf. By default, AxoSyslog collects the local system logs and logs received from the network into the /var/log/messages and /var/log/messages-kv.log files using this configuration file from the syslog-ng repository.
To customize the configuration, create your own configuration file and override the file in the container image with it, for example:
docker run --rm --volume <path-to-your/syslog-ng.conf>:/etc/syslog-ng/syslog-ng.conf ghcr.io/axoflow/axosyslog:latest
How to use disk-buffers in containers and Kubernetes
When you are running AxoSyslog in a container or in Kubernetes, and you want to use disk-buffers, there are some additional things to configure.
Make sure to mount the disk-buffer files and the persist file (by default, both are stored in /var/lib/syslog-ng) in a way they are not lost when the pod or container is restarted.
In Kubernetes, add a persistent volume to your pod and store the disk buffer files (/var/lib/syslog-ng) there.
In a container, mount the disk-buffer directory from the host, or store it on a local volume.
Use a reliable disk-buffer only if your storage is fast enough. For example, a low-speed persistent volume in Kubernetes can cause a significant performance degradation for AxoSyslog.
Use the latest available version of AxoSyslog, as many related improvements and performance improvements (for example, disk-buffer related metrics) are only supported in recent versions.
If you are using syslog-ng without disk-buffering configured, syslog-ng stores everything in memory, which results in great performance. If you enable disk-buffering, the performance decreases. Make sure to size your observability pipeline appropriately.
Expose port to receive incoming traffic
To receive incoming network in a container, you must expose the port from the container where you want to receive the traffic to the host that’s running the container. Typically, this is only needed if you are running AxoSyslog as a relay or a server/aggregator.
By default, the AxoSyslog container images expose the ports commonly used to receive syslog traffic:
514/udp, typically used for RFC3164 (BSD-syslog) formatted traffic.
601/tcp, typically used for RFC5424 (IETF-syslog) formatted traffic.
6514/tcp, typically used for RFC5424 (IETF-syslog) formatted traffic over TLS.
To expose a specific port, use the --expose option when starting the container. Make sure to include the IP address of the host to make the port externally accessible.
For example, if you are receiving OpenTelemetry messages using the opentelemetry() source, expose the 4317 port:
docker run --rm --expose 127.0.0.1:4317:4317/tcp --volume <path-to-your/syslog-ng.conf>:/etc/syslog-ng/syslog-ng.conf ghcr.io/axoflow/axosyslog:latest