
Receiving Syslog Events

LogZilla’s Syslog-ng Configuration

LogZilla supports customization of its syslog-ng configuration. Customization is available but not recommended, because of its complexity and the complications it may introduce to the LogZilla installation.

To use a custom syslog-ng configuration, the /etc/logzilla/syslog-ng/config.yaml file needs to be modified as appropriate for the desired configuration. Be aware that LogZilla may make changes to this file on its own when certain logzilla config options are changed.

Typically, customization is desired to create new syslog-ng sources, destinations, filters, or rewrite rules. To accomplish this:

  1. Create a xxx.conf file (where xxx is the desired name) in the /etc/logzilla/syslog-ng/conf.d directory. (More than one of these files can be created, as desired, and they can all take effect.)
  2. Add configuration directives appropriate for source, destination, filter, or rewrite rule to the new xxx.conf file. These should follow standard syslog-ng syntax (more information can be found at syslog-ng Open Source Edition 3.22 - Administration Guide).
  3. Important: Do not create or configure custom log entries. The log section must be modified only by LogZilla; otherwise LogZilla may cease receiving events.

If log customization is desired, such as adding new filters or rewrites, then see below for detailed instructions.

For the basic cases, like adding new destinations or sources, adding a file in conf.d is enough. All sources and destinations defined in these files will be implicitly added to the main config. If this is all you need, then restart syslog-ng as described below.

For advanced cases, such as adding extra filters, /etc/logzilla/syslog-ng/config.yaml should be modified. This is a YAML text file.

If extra syslog-ng configuration directives are needed, they should be added to the extra_log_rules entry in this file. Additional log rules placed there will be used by LogZilla.

Custom Configuration Example

In this example, a special source reading from an MQTT broker will be added. In addition, these log messages will be filtered such that the only log messages handled are those from host 1.2.3.4.

First, create the file /etc/logzilla/syslog-ng/conf.d/mqtt.conf with the following content:

source s_mqtt {
    mqtt(
        address("tcp://my-mqtt-server:4444")
        topic("test/abc")
    );
};

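# host() takes a regular expression. The pattern is anchored and the dots are
# escaped so that only the exact host 1.2.3.4 matches; single quotes keep the
# backslashes literal.
filter f_host_1234 {
    host('^1\.2\.3\.4$');
};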

Because we also want to add an extra filter, we need to modify the YAML configuration file /etc/logzilla/syslog-ng/config.yaml.

Find the extra_log_rules setting (it’s an empty string by default) and update it:

extra_log_rules: "filter(f_host_1234);"
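A pre-restart check for the procedure above, as an added example that is not part of LogZilla: it flags any conf.d file that defines its own log statement (which the page reserves for LogZilla) and any object referenced in extra_log_rules that no conf.d file defines. The function names, the regex-based parsing and the sample file contents are assumptions made for illustration.

```python
import re

# Object definitions such as "filter f_host_1234 {" in a conf.d file.
DEFINITION = re.compile(r"\b(source|destination|filter|rewrite|parser)\s+([\w.-]+)\s*\{")
# References such as "filter(f_host_1234);" inside extra_log_rules.
REFERENCE = re.compile(r"\b(source|destination|filter|rewrite|parser)\(\s*([\w.-]+)\s*\)")
# A log statement at the start of a line or right after another statement.
LOG_STATEMENT = re.compile(r"(?:^|[;}])\s*log\s*\{", re.M)
# Either a quoted string (kept) or a '#' comment (dropped).
COMMENT = re.compile(r"""("(?:\\.|[^"\\])*"|'[^']*')|#[^\n]*""")


def strip_comments(text):
    return COMMENT.sub(lambda m: m.group(1) or "", text)


def check(conf_files, extra_log_rules):
    """Return a list of problems; an empty list means both checks passed."""
    problems, defined = [], set()
    for name, text in conf_files.items():
        text = strip_comments(text)
        if LOG_STATEMENT.search(text):
            problems.append(f"{name}: defines a log statement")
        defined.update(DEFINITION.findall(text))
    for kind, ident in REFERENCE.findall(extra_log_rules):
        if (kind, ident) not in defined:
            problems.append(f"extra_log_rules: {kind} '{ident}' is not defined in conf.d")
    return problems


# Constructed sample input: one file modelled on the page's mqtt.conf, one bad file.
MQTT_CONF = '''
source s_mqtt {
    mqtt(address("tcp://my-mqtt-server:4444") topic("test/abc"));
};
filter f_host_1234 { host("1.2.3.4"); };
'''
BAD_CONF = '''
# log { source(s_old); };   commented out, so not reported
destination d_copy { file("/tmp/copy.log"); };
log { source(s_mqtt); destination(d_copy); };
'''

if __name__ == "__main__":
    print(check({"mqtt.conf": MQTT_CONF}, "filter(f_host_1234);"))
    print(check({"mqtt.conf": MQTT_CONF, "bad.conf": BAD_CONF}, "filter(f_host_1243);"))
```

To use it on a real installation, pass the contents of the files in /etc/logzilla/syslog-ng/conf.d and the extra_log_rules value from config.yaml. A reference to an object that LogZilla's own main configuration defines will be reported as missing, since only conf.d is inspected.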

Restarting syslog-ng after changes

After any changes are made to the syslog-ng configuration, LogZilla’s syslog-ng module must be restarted. This can be accomplished via logzilla restart -c syslog. If proper operation is not observed or for more information, the syslog-ng operation logs can