Syslog-ng to LZ over HTTP/HTTPS

This section details how to set up LogZilla and Syslog-ng so that syslog-ng log messages are sent to LogZilla (over HTTP/HTTPS) for processing.

LogZilla Setup

Authorization Token

An authorization token must be used so that LogZilla accepts incoming events from the syslog-ng source. If an auth token already exists (viewable via logzilla authtoken list) it can be used; otherwise a new one should be generated, as detailed in the Authentication (Auth Tokens) section of 9.1 Using The LogZilla API.

Syslog-ng configuration

To send syslog logs directly to LogZilla an http destination must be configured:

# Replace lzserver.mydomain.com and lz_https_port with the LogZilla host and HTTPS port,
# and the X-LZ-Access-Key value with your own auth token.
destination d_http {
    http(
        url("https://lzserver.mydomain.com:lz_https_port/incoming")
        method("POST")
        user-agent("syslog-ng User Agent")
        headers(
            "Content-Type: application/x-ndjson",
            "X-LZ-Access-Key: b2d8c210f54ed85511f1867cb6cc4faa8ae85bff42c3dd26"
        )
        # one JSON object per line (NDJSON)
        body-suffix("\n")
        # TS as unixtime.microseconds, PRI as an integer, plus all RFC 5424 fields and structured data
        body('$(format-json
            --pair TS=${S_UNIXTIME}.${S_USEC}
            --pair PRI=int($PRI)
            --scope rfc5424,sdata
        )')
        # batching: flush after 100 lines, 512 KB, or 100 ms, whichever comes first
        batch-lines(100)
        batch-bytes(512Kb)
        batch-timeout(100)
    );
};
# Reference this destination from a log path, e.g. log { source(s_local); destination(d_http); };

The X-LZ-Access-Key header value is the auth token generated as described above. Note: if this token value needs to be changed after initial configuration, the LogZilla httpreceiver docker container must be restarted. This can be done by restarting LogZilla altogether (logzilla restart), or by restarting just the httpreceiver container without restarting LogZilla:

logzilla restart -c httpreceiver

At this point LogZilla will receive events from syslog-ng, and such events will be visible in the LogZilla user interface.
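Before pointing the destination above at a production LogZilla, it is useful to confirm that syslog-ng actually sends a valid X-LZ-Access-Key and well-formed NDJSON batches. The following is an added example, not part of LogZilla or syslog-ng: a minimal stand-in for the /incoming endpoint that rejects requests whose access key does not match (constant-time comparison) and parses each batch line the way the body template shapes it (TS as unixtime.usec, PRI as an integer split into facility and severity). The token, port and field names other than TS and PRI are assumptions.

```python
import hmac
import json
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed placeholder; in practice use the token shown by `logzilla authtoken list`.
EXPECTED_KEY = "REPLACE-WITH-LZ-AUTH-TOKEN"

def check_access_key(headers, expected=EXPECTED_KEY):
    """True only if the X-LZ-Access-Key header matches, compared in constant time."""
    presented = headers.get("X-LZ-Access-Key", "")
    return hmac.compare_digest(presented.encode(), expected.encode())

def parse_batch(body):
    """Parse one NDJSON batch (one JSON object per line, newline suffix).

    Validates the two fields the syslog-ng body template adds explicitly:
    TS as 'unixtime.usec' and PRI as an integer 0..191 (facility*8 + severity).
    Returns (accepted events, number of rejected lines)."""
    events, rejected = [], 0
    for line in body.decode("utf-8", errors="replace").splitlines():
        if not line.strip():
            continue
        try:
            ev = json.loads(line)
            secs, usec = ev["TS"].split(".")
            ev["ts_epoch"] = int(secs) + int(usec) / 1_000_000
            pri = int(ev["PRI"])
            if not 0 <= pri <= 191:
                raise ValueError("PRI out of range")
            ev["facility"], ev["severity"] = divmod(pri, 8)
            events.append(ev)
        except (ValueError, KeyError, TypeError):
            rejected += 1
    return events, rejected

class IncomingHandler(BaseHTTPRequestHandler):
    def do_POST(self):
        # Wrong path or wrong key: answer 401 without reading the body.
        if self.path != "/incoming" or not check_access_key(self.headers):
            self.send_response(401); self.end_headers(); return
        body = self.rfile.read(int(self.headers.get("Content-Length", 0)))
        events, rejected = parse_batch(body)
        print(f"batch: {len(events)} events, {rejected} rejected")
        for ev in events:
            print(ev.get("HOST"), ev["facility"], ev["severity"], ev.get("MESSAGE"))
        self.send_response(200); self.end_headers()

if __name__ == "__main__":
    # Point the url() of d_http at http://127.0.0.1:8080/incoming to exercise it.
    HTTPServer(("127.0.0.1", 8080), IncomingHandler).serve_forever()
```

Lines that are missing TS or PRI, or carry an out-of-range PRI, are counted as rejected rather than crashing the receiver, which is what you want from anything sitting on a log ingest path.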