Installing Syslog-ng logging system on Ubuntu 24.04 LTS


Introduction

Syslog-ng is a logging server that collects logs from the network and from the local system. It is widely used in IT environments for centralized log management, troubleshooting, and compliance reporting. It supports a wide range of protocols and formats (syslog, JSON, and more) and provides filtering, parsing, and storage of messages. It is free and open source, and a commercial edition is also available.

Prerequisites

  • Up and running Ubuntu 24.04 LTS machine.
  • Dual-core processor (2 GHz or higher), 2 GB memory, 30 GB disk space.
  • 1 Gbps network card (this is the minimum requirement).

In this blog, we are going to install the syslog-ng logging server on Ubuntu 24.04 LTS.

Step 1: Run System Update & Upgrade 

First we need to refresh the Ubuntu package index and upgrade the installed packages by executing the given command.

sudo apt-get update && sudo apt-get upgrade -y


Step 2: Installing Syslog-ng 

The syslog-ng package is available in the default Ubuntu 24.04 LTS repositories, so we just need to execute the given command to install it.

sudo apt-get install syslog-ng -y


Step 3: Start the Syslog-ng service 

We need to start the syslog-ng service once the installation process completes; by default the service is in the stopped state. Execute the given command to start it.

sudo systemctl start syslog-ng.service


After executing the command, the syslog-ng service should be up and running.

Step 4: Enable Remote Log Collection

We need to create a configuration file that turns syslog-ng into a network log receiver.

sudo nano /etc/syslog-ng/conf.d/network.conf


and paste the following configuration. 

# Network source: plain TCP on port 514, reachable on every interface.
# The tls() block is commented out; uncomment it after generating the key
# and certificate in the optional step below, and the listener becomes TLS-only.
source s_net {
    tcp(ip("0.0.0.0") port(514)
        #tls( key-file("/etc/syslog-ng/cert.d/syslog-ng.key")
        #     cert-file("/etc/syslog-ng/cert.d/syslog-ng.cert")
        #     peer-verify(optional-untrusted))
    );
};

# Log destination
destination d_logs {
    file("/var/log/logs.txt");
};

# Log path
log {
    source(s_net);
    destination(d_logs);
};



Optional: If you want a TLS-secured syslog-ng server, generate a certificate and key with the following commands, then uncomment the tls() block in network.conf so it points at the generated files. Until TLS is enabled the listener accepts plaintext from any host, so restrict port 514 to your client machines with a firewall.

To create a cert.d directory.

sudo mkdir /etc/syslog-ng/cert.d/


To generate the key.

sudo openssl genrsa -out /etc/syslog-ng/cert.d/syslog-ng.key 2048

To generate the cert.

sudo openssl req -new -x509 -key /etc/syslog-ng/cert.d/syslog-ng.key -out /etc/syslog-ng/cert.d/syslog-ng.cert -days 365 -subj "/CN=<TYPEYOURDNSNAME>"


Verify the configuration file, save it, and exit from the nano text editor.
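The optional TLS step above generates a key and certificate but leaves the tls() block commented out. The following script is an added example, not part of the original post: it renders a TLS-only server source that references the files the openssl commands above produce, refuses to do so if the private key is readable by group or other, and renders the matching client destination that verifies the server's certificate. It uses syslog-ng's network() driver with transport("tls"), which is the current form of the tcp() driver shown in the post. The host name syslog.example.internal, the temporary directory and the empty placeholder key/cert files in the demo are constructed; on a real client the destination name must match the CN you put in the certificate, and the server's certificate has to be copied to the client to serve as the ca-file.

```shell
#!/bin/sh
# Added example, not from the original post. Renders a TLS-only syslog-ng
# receiver and a matching client destination, refusing to proceed when the
# private key is readable by anyone but its owner. Default paths are the
# ones the post's openssl commands write; host names are constructed.
set -u

# Return 0 when FILE exists and has no group/other permission bits at all
# (mode 600 or 400), 1 otherwise. Uses ls(1) so it works on any POSIX sh.
key_is_private() {
    [ -f "$1" ] || return 1
    perms=$(ls -ld "$1" | cut -c5-10)
    [ "$perms" = "------" ]
}

# render_tls_server_conf KEY CERT OUT [PORT]
# Writes a source that only speaks TLS on PORT (default 514, as in the post;
# 6514 is the IANA port for syslog over TLS) plus the post's destination/log.
render_tls_server_conf() {
    key=$1 cert=$2 out=$3 port=${4:-514}
    [ -f "$key" ]  || { echo "missing key: $key" >&2; return 1; }
    [ -f "$cert" ] || { echo "missing certificate: $cert" >&2; return 1; }
    key_is_private "$key" || { echo "$key is readable by group/other; chmod 600 it first" >&2; return 1; }
    cat > "$out" <<EOF
# TLS-only receiver (written by the added helper script)
source s_net_tls {
    network(ip("0.0.0.0") port($port) transport("tls")
        tls(
            key-file("$key")
            cert-file("$cert")
            # clients are not asked for a certificate yet; switch to
            # required-trusted plus ca-file() once client certs are issued
            peer-verify(optional-untrusted)
        )
    );
};

destination d_logs {
    file("/var/log/logs.txt");
};

log {
    source(s_net_tls);
    destination(d_logs);
};
EOF
}

# render_tls_client_conf SERVER CAFILE OUT [PORT]
# SERVER must be the name in the server certificate's CN (syslog-ng checks it);
# CAFILE is the server's self-signed certificate copied to the client.
render_tls_client_conf() {
    server=$1 cafile=$2 out=$3 port=${4:-514}
    case $server in
        ""|remote_syslog_server_ip) echo "replace the placeholder server address" >&2; return 1 ;;
    esac
    cat > "$out" <<EOF
destination d_remote_tls {
    network("$server" port($port) transport("tls")
        tls(
            ca-file("$cafile")
            peer-verify(required-trusted)
        )
    );
};
EOF
}

# Demo: everything lands in a temporary directory with empty placeholder
# key/cert files, so the script runs anywhere. For real use call, as root:
#   render_tls_server_conf /etc/syslog-ng/cert.d/syslog-ng.key \
#       /etc/syslog-ng/cert.d/syslog-ng.cert /etc/syslog-ng/conf.d/network.conf
demo=$(mktemp -d)
touch "$demo/syslog-ng.key" "$demo/syslog-ng.cert"   # constructed placeholders, not real PEM
chmod 600 "$demo/syslog-ng.key"
render_tls_server_conf "$demo/syslog-ng.key" "$demo/syslog-ng.cert" "$demo/network.conf"
render_tls_client_conf syslog.example.internal "$demo/syslog-ng.cert" "$demo/apache-tls.conf"
cat "$demo/network.conf" "$demo/apache-tls.conf"
```

After writing the real files, run sudo syslog-ng -s to check the syntax and then reload the service. With peer-verify(required-trusted) the client drops the connection when the server certificate does not validate, which is the behaviour you want for a pipeline that will carry authentication and web-server events.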


Step 5: Reload Syslog-ng service 

We need to reload the syslog-ng service to get it running with the newly added configuration. Running sudo syslog-ng -s first checks the syntax of the configuration without touching the running service.

sudo systemctl reload syslog-ng.service


Step 6: Verify Syslog-ng Port with IP

We need to use the netstat command-line utility to confirm that syslog-ng is listening on port 514 on the host's local and public IPs. If netstat is not present (it is shipped in the net-tools package), ss -plntu | grep 514 from iproute2 shows the same information.

sudo netstat -plntu | grep 514


Step 7: Check Syslog-ng Logs

Sometimes we need to check the service's own log output to see what the syslog-ng service reports; this also helps us troubleshoot any issue with the configuration of the syslog-ng server. Execute the given command for this.

journalctl -u syslog-ng



Step 8: Configure Syslog-ng client with Apache logs

For this tutorial we are going to use the Apache web server on the syslog-ng client machine and send its logs to the syslog-ng logging server.

To install the Apache web server.

sudo apt-get install apache2 -y




To get Apache service status.

sudo systemctl status apache2.service




To generate some sample logs using the curl utility.

curl -I http://localhost



By default, the Apache web server writes its logs to the following paths; these are the paths we reference in the syslog-ng client configuration to forward the logs to the central syslog-ng logging server.

Access log of the Apache web server.

/var/log/apache2/access.log

Error log of the Apache web server.

/var/log/apache2/error.log

Access log for the other virtual hosts of the Apache web server.

/var/log/apache2/other_vhosts_access.log


Step 9: Install syslog-ng on the Client Side

We need to use the same installation process for syslog-ng on the client, and then add a log forwarder configuration that collects the Apache logs and sends them to the central syslog-ng logging server.

To install syslog-ng on the client Ubuntu machine.

sudo apt-get install syslog-ng -y



To configure syslog-ng to forward Apache's logs from the same machine, we need to use the following configuration.

To create a configuration file.

sudo nano /etc/syslog-ng/conf.d/apache.conf


Paste the following configuration, and if needed, you can modify it as per your need.


source s_apache {
    file("/var/log/apache2/access.log");
    file("/var/log/apache2/error.log");
};

destination d_remote {
    tcp("remote_syslog_server_ip" port(514));
};

log {
    source(s_apache);
    destination(d_remote);
};




Before saving the configuration file, we need to replace "remote_syslog_server_ip" with the address of the syslog-ng server, then save and exit from the text editor.
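A forgotten placeholder or an unreadable log path only shows up after the restart, as a destination that never connects or a source that stays silent. The following pre-flight script is an added example and not part of the original post: it reads the client configuration, rejects the placeholder address (or a loopback address), and checks that every file() source exists and is readable by the user running the check, so run it with sudo against the real file. When called without arguments it demonstrates itself on a constructed copy of the post's apache.conf in a temporary directory; the address 10.0.0.5 in that demo is made up.

```shell
#!/bin/sh
# Added example, not from the original post. Pre-flight checks for the
# client-side syslog-ng forwarder config before the service is restarted:
# the placeholder address must be gone, the destination must not point at
# this host, and every file() source must exist and be readable.
set -u

# Print each path named in a file("...") option of CONF, one per line.
list_file_sources() {
    grep -oE 'file\("[^"]*"\)' "$1" | sed 's/^file("//; s/")$//'
}

# Print the address given to the first tcp("...")/network("...") destination.
destination_host() {
    grep -oE '(tcp|network)\("[^"]*"' "$1" | sed 's/^.*("//; s/"$//' | head -n 1
}

# check_forwarder_conf CONF -> 0 when ready, 1 with the reasons on stderr.
check_forwarder_conf() {
    conf=$1 rc=0
    [ -f "$conf" ] || { echo "no such config: $conf" >&2; return 1; }

    host=$(destination_host "$conf")
    case $host in
        "")                          echo "no tcp()/network() destination in $conf" >&2; rc=1 ;;
        remote_syslog_server_ip)     echo "placeholder destination still present" >&2; rc=1 ;;
        0.0.0.0|127.0.0.1|localhost) echo "destination $host would loop back to this host" >&2; rc=1 ;;
    esac

    for f in $(list_file_sources "$conf"); do
        if [ ! -f "$f" ]; then
            echo "source log missing: $f" >&2; rc=1
        elif [ ! -r "$f" ]; then
            echo "source log not readable by $(id -un): $f" >&2; rc=1
        fi
    done
    return $rc
}

if [ "$#" -ge 1 ]; then
    # Real use: sudo sh preflight.sh /etc/syslog-ng/conf.d/apache.conf
    if check_forwarder_conf "$1"; then echo "OK: $1"; else exit 1; fi
else
    # Demo with a constructed config in a temporary directory: the post's
    # config as pasted (placeholder intact) must fail, the edited one passes.
    demo=$(mktemp -d)
    touch "$demo/access.log" "$demo/error.log"   # stand-ins for Apache's logs
    cat > "$demo/apache.conf" <<EOF
source s_apache {
    file("$demo/access.log");
    file("$demo/error.log");
};
destination d_remote {
    tcp("remote_syslog_server_ip" port(514));
};
log { source(s_apache); destination(d_remote); };
EOF
    if check_forwarder_conf "$demo/apache.conf"; then
        echo "unexpected: placeholder config passed"
    else
        echo "placeholder config rejected, as expected"
    fi
    # 10.0.0.5 is a constructed server address for the demo
    sed 's/remote_syslog_server_ip/10.0.0.5/' "$demo/apache.conf" > "$demo/apache.fixed.conf"
    if check_forwarder_conf "$demo/apache.fixed.conf"; then echo "edited config accepted"; fi
fi
```

The readability check reflects the user running the script; on Ubuntu syslog-ng runs as root, so a clean run under sudo is the meaningful result. Reachability of the server is best confirmed separately from the client (for example with nc -vz against the server address and port 514) once the configuration passes.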

Now that the configuration is in place, we need to restart the client-side syslog-ng service by executing the given command.
 
sudo systemctl restart syslog-ng.service



Step 10: Validate the Apache Logs on the Syslog-ng server


We need to SSH into our syslog-ng server and tail the destination file, where the Apache logs forwarded from the client now arrive on the centralized syslog-ng server.

To view Apache's logs.

tail -f /var/log/logs.txt
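Once the forwarded lines are landing in /var/log/logs.txt, a tail confirms delivery but does not tell you which client is producing errors. The script below is an added example and not part of the original post: it extracts the HTTP status from every forwarded Apache access-log line, counts them per reporting host, and totals the 4xx/5xx responses, so a burst of failures from one client stands out. It assumes the layout "<timestamp> <host> <original Apache line>", with the host in the second field, which is what syslog-ng's default file() template writes; if your template or parsing differs, adjust the field. The sample lines in the demo are constructed, not captured traffic.

```shell
#!/bin/sh
# Added example, not from the original post. Summarises forwarded Apache
# access-log lines in the central log file by reporting host and HTTP status,
# so a burst of 4xx/5xx from one client stands out. Assumed line layout:
# "<timestamp> <host> <original apache line>", i.e. the host is field 2;
# adjust that field if your file() template differs.
set -u

# apache_status_by_host FILE -> lines of "host status count", sorted.
apache_status_by_host() {
    awk '
        # Access-log lines carry a quoted request followed by a 3-digit status;
        # error.log lines and anything else are skipped.
        match($0, /"[A-Z]+ [^"]*" [0-9][0-9][0-9] /) {
            status = substr($0, RSTART + RLENGTH - 4, 3)
            count[$2 " " status]++
        }
        END { for (k in count) print k, count[k] }
    ' "$1" | sort
}

# count_http_errors FILE -> number of forwarded requests with status >= 400.
count_http_errors() {
    apache_status_by_host "$1" | awk '$2 >= 400 { n += $3 } END { print n + 0 }'
}

# Demo on a constructed sample in the assumed layout (not real traffic).
sample=$(mktemp)
cat > "$sample" <<'EOF'
2024-05-10T12:00:00+00:00 webclient01 127.0.0.1 - - [10/May/2024:12:00:00 +0000] "HEAD / HTTP/1.1" 200 3460 "-" "curl/8.5.0"
2024-05-10T12:00:05+00:00 webclient01 10.0.0.9 - - [10/May/2024:12:00:05 +0000] "GET /old-page.html HTTP/1.1" 404 435 "-" "Mozilla/5.0"
2024-05-10T12:00:06+00:00 webclient01 10.0.0.9 - - [10/May/2024:12:00:06 +0000] "GET /missing.css HTTP/1.1" 404 435 "-" "Mozilla/5.0"
2024-05-10T12:00:07+00:00 webclient02 10.0.0.4 - - [10/May/2024:12:00:07 +0000] "GET /api/status HTTP/1.1" 500 1024 "-" "Mozilla/5.0"
2024-05-10T12:00:08+00:00 webclient01 [Fri May 10 12:00:08.000000 2024] [core:notice] [pid 1234] AH00094: Command line: '/usr/sbin/apache2'
EOF
apache_status_by_host "$sample"
echo "requests with status >= 400: $(count_http_errors "$sample")"
# Real use on the server: apache_status_by_host /var/log/logs.txt
```

Running it against the sample prints one line per host and status (webclient01 with one 200 and two 404s, webclient02 with one 500) and an error total of 3; error.log lines are ignored because they carry no quoted request. On the real server point it at /var/log/logs.txt, or at the output of the tail command above piped through the same functions.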


Conclusion 

We have successfully installed and set up the syslog-ng logging server on Ubuntu 24.04 LTS. In case you have any queries, let us know by leaving a comment on this blog. We are happy to serve you better as our reader. Thanks again for checking out our blog.

Aftab Ali

My expertise is in ethical hacking, penetration testing, network security, monitoring and more.
