7.2.2.2.2. Procedure – Create drivers

  1. Click New in the Drivers subwindow on the Sources tab of the System logging component.

    The following window appears.

    Figure 7.7. Adding a new source driver for syslog-ng

  2. Select a driver type.

    The rest of the options are based on this selection.

    1. For unix_dgram, unix_stream, sun_stream and file driver types, set the filename.

      Note

      None of these driver types refers to an ordinary text file: file is a binary file, while the others are socket endpoints. Nevertheless, all of them are identified by filenames.

    2. If you have a custom system component, for example, a daemon, that sends its log messages to a special socket and you want syslog-ng to collect this component's log messages, set up a driver for it. Many Linux daemons and other software components prefer /dev/log, but this is not a requirement. Some software can even be told through its configuration file where to log.

    3. For TCP and UDP source drivers, specify an IP address and a port number.

      The machine running syslog-ng waits for log messages from other servers on this IP address/port pair. In other words, this setting does not specify which machines the log entries arrive from, but the IP address/port pair on which syslog-ng collects them.

      The default port for both TCP and UDP is 514.

      For TCP drivers, some additional parameters can be supplied.

      Figure 7.8. Configuring tcp source drivers

      Since TCP is a connection-oriented protocol, a virtual session is always established between the communicating parties. Building up this session takes time and bandwidth (three-way handshake), so to save on these resources, once a session is built between syslog-ng and the host sending log entries, it is kept alive with the help of keep-alive messages. However, if the number of active TCP sessions is high, it can have a negative effect on the performance of the host running syslog-ng. On the other hand, if the number of sessions is kept low using the Connection limit setting, some log messages may be lost if the connection limit has already been reached.

      Another small optimization setting is the Do not close during reload checkbox: it instructs the system not to close open TCP sessions while the syslog-ng configuration is reloaded.

      These two settings are available for the unix_stream driver type as well.
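
For orientation, the driver types and settings from this procedure written as hand-edited syslog-ng source statements. This is an added example, not configuration generated by the management GUI or taken from the product; the source names, the socket path /var/run/mydaemon.log, the address 192.0.2.10 and the limit values are assumptions, and it assumes Connection limit and Do not close during reload correspond to the syslog-ng options max-connections() and keep-alive().

```conf
# Added example: hand-written syslog-ng.conf source statements.
# All names, paths, addresses and limit values below are constructed.

# Step 2.2: datagram socket of a custom daemon, identified by its filename
# (driver type shown as unix_dgram in the GUI).
source s_mydaemon {
    unix-dgram("/var/run/mydaemon.log");
};

# The usual local log socket as a stream socket. The two session settings
# described for TCP are available here as well.
source s_local {
    unix-stream("/dev/log"
        max-connections(50)   # assumed equivalent of "Connection limit"
        keep-alive(yes)       # assumed equivalent of "Do not close during reload"
    );
};

# Step 2.3: TCP listener. ip() and port() are the local address/port pair
# syslog-ng binds to, not the addresses of the sending hosts.
# Binding to one interface address limits where the listener is reachable.
source s_net_tcp {
    tcp(
        ip(192.0.2.10)        # constructed address (documentation range)
        port(514)             # default port
        max-connections(100)  # senders beyond this limit are refused,
                              # so their messages may be lost
        keep-alive(yes)       # keep open sessions across a reload
    );
};

# UDP listener on the same address/port pair. UDP has no sessions,
# so the connection settings do not apply.
source s_net_udp {
    udp(ip(192.0.2.10) port(514));
};
```

When sizing the connection limit, count the hosts that are expected to hold a session open at the same time, since the limit applies to concurrent sessions rather than to message volume.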