Receiving Syslog Events
LogZilla’s Syslog-ng Configuration
LogZilla supports customization of its syslog-ng configuration. Although customization is available, it is not recommended because of its complexity and the complications it may introduce to the LogZilla installation.
To use a custom syslog-ng configuration, the /etc/logzilla/syslog-ng/config.yaml file needs to be modified as appropriate for the desired configuration. Be aware that LogZilla may make changes to this file on its own when certain logzilla config options are changed.
Typically, customization is desired to create new syslog-ng sources, destinations, filters, or rewrite rules. To accomplish this:
- Create a xxx.conf file (where xxx is the desired name) in the /etc/logzilla/syslog-ng/conf.d directory. (More than one of these files can be created, as desired, and they can all take effect.)
- Add configuration directives appropriate for source, destination, filter, or rewrite rule to the new xxx.conf file. These should follow standard syslog-ng syntax (more information can be found at syslog-ng Open Source Edition 3.22 - Administration Guide).
- Important: Custom log entries should not be created or configured. It is required that the log section be modified only by LogZilla, or LogZilla may cease receiving events. If log customization is desired, such as adding new filters or rewrites, then see below for detailed instructions.
For the basic cases, like adding new destinations or sources, adding a file in conf.d is enough. All sources and destinations defined in these files will be implicitly added to the main config. If this is all you need, then restart syslog-ng as described below.
For some advanced cases, like when you want to add some extra filters, then /etc/logzilla/syslog-ng/config.yaml should be modified. This is a YAML text file.
If extra syslog-ng configuration directives are needed, they should be added to the extra_log_rules entry in this file. Additional log rules placed there will be used by LogZilla.
Custom Configuration Example
In this example, a special source reading from an MQTT broker will be added. In addition, these log messages will be filtered such that the only log messages handled are those from host 1.2.3.4.
First, create the file /etc/logzilla/syslog-ng/conf.d/mqtt.conf with the following content:
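    # Source that reads messages from a topic on the MQTT broker
    source s_mqtt {
        mqtt(
            address("tcp://my-mqtt-server:4444")
            topic("test/abc")
        );
    };
    # Filter that matches only messages from host 1.2.3.4
    filter f_host_1234 {
        host("1.2.3.4");
    };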
As we want to also add some extra filters, we need to modify the YAML configuration file /etc/logzilla/syslog-ng/config.yaml.
Find the extra_log_rules setting (it’s an empty string by default) and update it:
    extra_log_rules: "filter(f_host_1234);"
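A check to run before restarting, enforcing the rule above that conf.d files must not contain their own log entries. This is an added example, not LogZilla's own tooling: the function name find_custom_log_blocks and the sample files are constructed for illustration, and the match is a line-based heuristic rather than a full syslog-ng parser.

```shell
#!/bin/sh
# Added example: flag "log" statements in syslog-ng conf.d drop-in files.
# Prints "file:line: text" for each hit and returns 1 if any were found.
find_custom_log_blocks() {
    dir=$1
    found=0
    for f in "$dir"/*.conf; do
        [ -f "$f" ] || continue
        # Drop '#' comments, then look for a statement that begins with the
        # keyword "log" (at line start, or after a closing ';' or '}').
        hits=$(awk '{
            line = $0
            sub(/#.*/, "", line)
            t = ";" line
            if (t ~ /[;}][ \t]*log[ \t]*[{]/ || t ~ /[;}][ \t]*log[ \t]*$/)
                printf "%s:%d: %s\n", FILENAME, FNR, $0
        }' "$f")
        if [ -n "$hits" ]; then
            printf '%s\n' "$hits"
            found=1
        fi
    done
    return "$found"
}

# Constructed sample drop-ins (not real LogZilla files) for a dry run.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
cat > "$demo_dir/mqtt.conf" <<'EOF'
source s_mqtt { mqtt(address("tcp://my-mqtt-server:4444") topic("test/abc")); };
filter f_host_1234 { host("1.2.3.4"); };
# log { source(s_mqtt); };  commented out, must not be flagged
EOF
cat > "$demo_dir/bad.conf" <<'EOF'
destination d_copy { file("/tmp/copy.log"); };
log { source(s_mqtt); destination(d_copy); };
EOF

if find_custom_log_blocks "$demo_dir"; then
    echo "OK: no custom log statements in conf.d"
else
    echo "Remove the log statements above; use extra_log_rules in config.yaml"
fi
```

On a real installation the function would be pointed at /etc/logzilla/syslog-ng/conf.d instead of the temporary directory.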
Restarting syslog-ng after changes
After any changes are made to the syslog-ng configuration, LogZilla’s syslog-ng module must be restarted. This can be accomplished via logzilla restart -c syslog. If proper operation is not observed or for more information, the syslog-ng operation logs can