Syslog-ng to LZ over HTTP/HTTPS
This section details how to set up LogZilla and Syslog-ng so that syslog-ng log messages are sent to LogZilla (over HTTP/HTTPS) for processing.
LogZilla Setup
Authorization Token
An authorization token must be used to direct LogZilla to allow incoming events from the syslog-ng source. If an auth token already exists (viewable via logzilla authtoken list) it can be used; otherwise a new one should be generated, as detailed in the section titled Authentication (Auth Tokens) in 9.1 Using The LogZilla API.
Syslog-ng configuration
To send syslog-ng log messages directly to LogZilla, an http() destination must be configured:
destination d_http {
    http(
        # replace lz_https_port with the port LogZilla listens on for HTTPS
        url("https://lzserver.mydomain.com:lz_https_port/incoming")
        method("POST")
        user-agent("syslog-ng User Agent")
        headers(
            "Content-Type: application/json",
            # the auth token from `logzilla authtoken list`
            "X-LZ-Access-Key: b2d8c210f54ed85511f1867cb6cc4faa8ae85bff42c3dd26"
        )
        # each batch is wrapped as {"events": [ <event>, <event>, ... ]}
        body-prefix("{\"events\": [\n")
        delimiter(",\n")
        body('$(format-json
            ts=double(${R_UNIXTIME}.${R_USEC})
            priority=int($PRI)
            host=$HOST
            program=$PROGRAM
            message=$MESSAGE
            --key extra_fields.*
            extra_fields.HOST_FROM=$HOST_FROM
            extra_fields.SOURCEIP=$SOURCEIP
            extra_fields.SOURCE=$SOURCE
            --scope sdata
            --key PID --rekey PID --add-prefix json.
            --key MSGID --rekey MSGID --add-prefix json.
            --rekey .SDATA.* --add-prefix json
            --key .JSON.* --rekey .JSON.* --replace-prefix .JSON.=json.
        )')
        body-suffix("\n]}")
        # a batch is sent when any of these limits is reached
        batch-lines(5000)
        batch-bytes(512Kb)
        batch-timeout(100)
    );
};
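The local receiver below is an added example and is not LogZilla's httpreceiver or any syslog-ng code: it stands in for the /incoming endpoint so the destination above can be pointed at http://127.0.0.1:8080/incoming (an assumed local address) and exercised before the real URL and token are used. It assumes the request shape that destination produces, a JSON object with an "events" array sent with the X-LZ-Access-Key header; the token value, the list of required fields and the sample batch are constructed for the example, and the checks are a simplified model rather than LogZilla's actual validation.

```python
"""Local stand-in for the LogZilla /incoming endpoint (added example).

Not part of LogZilla or syslog-ng. It models the request the http()
destination produces: a JSON object with an "events" array, authenticated
by the X-LZ-Access-Key header. The checks are a simplified model only.
"""
import hmac
import json
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed token for the local test; a real deployment uses the value
# from `logzilla authtoken list` (or a newly generated token).
EXPECTED_KEY = "0123456789abcdef0123456789abcdef0123456789abcdef"

# Fields every event carries in the destination's format-json template
# (assumed to be the minimum the receiver needs).
REQUIRED_FIELDS = ("ts", "priority", "host", "program", "message")


def validate_request(headers, body, expected_key=EXPECTED_KEY):
    """Return (http_status, accepted_event_count, reason) for one POST."""
    lowered = {k.lower(): v for k, v in headers.items()}
    presented = lowered.get("x-lz-access-key", "")
    # Constant-time comparison: the check must not leak how many leading
    # characters of the presented token were correct.
    if not hmac.compare_digest(presented.encode(), expected_key.encode()):
        return 401, 0, "missing or invalid X-LZ-Access-Key"
    if not lowered.get("content-type", "").startswith("application/json"):
        return 415, 0, "Content-Type must be application/json"
    try:
        doc = json.loads(body)
    except ValueError:
        return 400, 0, "body is not valid JSON"
    events = doc.get("events") if isinstance(doc, dict) else None
    if not isinstance(events, list):
        return 400, 0, 'body must be an object with an "events" array'
    for i, ev in enumerate(events):
        if not isinstance(ev, dict):
            return 400, 0, "event %d is not an object" % i
        missing = [f for f in REQUIRED_FIELDS if f not in ev]
        if missing:
            return 400, 0, "event %d missing %s" % (i, ", ".join(missing))
    return 200, len(events), "ok"


class IncomingHandler(BaseHTTPRequestHandler):
    """Accepts POST /incoming and reports what the batch looked like."""

    def do_POST(self):
        if self.path != "/incoming":
            self.send_error(404)
            return
        length = int(self.headers.get("Content-Length", "0"))
        body = self.rfile.read(length)
        headers = {k: v for k, v in self.headers.items()}
        status, count, reason = validate_request(headers, body)
        self.log_message("%s -> %d (%d events): %s", self.path, status, count, reason)
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.end_headers()
        self.wfile.write(json.dumps({"accepted": count, "reason": reason}).encode())


# Constructed sample batch of two events, laid out the way body-prefix(),
# delimiter() and body-suffix() in the destination assemble it.
SAMPLE_BATCH = (
    b'{"events": [\n'
    b'{"ts":1700000000.123456,"priority":38,"host":"web01","program":"sshd",'
    b'"message":"Accepted publickey for ops from 10.0.0.5 port 51234",'
    b'"extra_fields":{"HOST_FROM":"web01","SOURCEIP":"10.0.0.20","SOURCE":"s_net"}},\n'
    b'{"ts":1700000001.0,"priority":2,"host":"web01","program":"kernel",'
    b'"message":"Out of memory: Killed process 4242","extra_fields":{}}\n'
    b']}'
)

if __name__ == "__main__":
    # Point the destination's url() at http://127.0.0.1:8080/incoming to test.
    HTTPServer(("127.0.0.1", 8080), IncomingHandler).serve_forever()
```

Run it, set url("http://127.0.0.1:8080/incoming") and the constructed token in a copy of the destination, and the server log shows whether each batch authenticated and parsed. Plain HTTP is only for this loopback test; against the real server the https URL keeps the access key and the log content off the wire in clear.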
The X-LZ-Access-Key header carries the auth token generated as mentioned above. Note: if this token value needs to be changed after initial configuration, the LogZilla httpreceiver docker container must be restarted. This can be done by restarting LogZilla altogether (logzilla restart) or can be accomplished selectively, by restarting just the httpreceiver container without restarting LogZilla, by doing:
At this point LogZilla will receive events from syslog-ng, and such events will be visible in the LogZilla user interface.