7.2.2.2.2. Procedure – Create drivers

  1. Click New on the Drivers subwindow on the Sources tab in System logging component.

    The following window appears.

    Figure 7.7. Adding a new source driver for syslog-ng

  2. Select a driver type.

    The rest of the options are based on this selection.

    1. For the unix_dgram, unix_stream, sun_stream and file driver types, set the filename.

      Note

      None of these driver types reads an ordinary text log file. unix_dgram and unix_stream are UNIX domain socket endpoints, sun_stream is a Solaris STREAMS device, and the file driver is meant for special files such as the kernel log device (for example /proc/kmsg). Nevertheless, all of them are identified by a filename.

    2. If a custom system component, for example a daemon, sends its log messages to a dedicated socket and you want syslog-ng to collect them, set up a driver for that socket. Many Linux daemons and other software components log to /dev/log, but this is a convention, not a requirement, and some applications can be told in their own configuration file where to log.

    3. For TCP and UDP source drivers, specify an IP address and a port number.

      The machine running syslog-ng listens for log messages from other hosts on this IP address/port pair. In other words, you do not specify which machines the log entries arrive from; you specify the local address and port on which syslog-ng accepts them. Bind to a specific interface address rather than 0.0.0.0 unless you intend to accept messages from every network syslog-ng can reach.

      The default port for both TCP and UDP is 514.

      For TCP drivers some additional parameters can be supplied.

      Figure 7.8. Configuring TCP source drivers

      Since TCP is a connection-oriented protocol, a session is established between the communicating parties before any message is sent. Building that session costs time and bandwidth (the three-way handshake), so once a session exists between syslog-ng and a sending host it is kept open with keep-alive messages rather than being rebuilt for every message. A large number of simultaneously open TCP sessions, however, degrades the performance of the host running syslog-ng. The Connection limit setting caps the number of open sessions; once the limit is reached, further connection attempts are refused and the messages those senders try to deliver may be lost.

      The Program override parameter enables replacing the ${PROGRAM} part of the message with the provided parameter string. The Flags parameter specifies the log parsing options of the source.

      Another small optimization setting is the Do not close during reload checkbox: it instructs the system not to close open TCP sessions while syslog-ng configuration is reloaded.

      The Connection limit and Do not close during reload settings are available for the unix_stream driver type as well, since it is also a connection-oriented (stream) source.

      Additional parameter configuration options are as follows:

      • Use encryption: If this option is enabled, a TLS-encrypted channel is used.

      • Certificate: It specifies the certificate (with its private key) that this syslog-ng instance presents to the peer. For a source driver this is the server-side certificate shown to the connecting clients, which lets them verify that they are sending logs to the intended collector.

      • CA group: It specifies the CA group to verify peer certificates.

      • Peer verify: This option defines how the certificate of the connecting peer is verified. Only a setting that requires the client to present a certificate chaining to a CA in the selected CA group actually authenticates the senders; settings that make the client certificate optional or accept untrusted certificates still encrypt the channel but let any host inject log messages.
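The following syslog-ng.conf fragment is an added example (not part of the original page or of the GUI's generated configuration) showing what the source drivers described in the steps above look like when written by hand: the socket and file drivers from step 2.1 and 2.2, the TCP/UDP listeners with the Connection limit, Do not close during reload, Program override and Flags options, and the TLS parameters. The socket path /var/run/mydaemon/log, the listener address 192.0.2.10, the port 6514 and the certificate and CA paths are assumptions chosen for illustration; the option names are syslog-ng's own (underscore and hyphen spellings are both accepted).

```conf
# Added example: hand-written equivalent of the source drivers described above.
# All paths, addresses and file names below are assumed for illustration.

source s_local {
    # unix_dgram: the socket most Linux daemons log to by convention
    unix_dgram("/dev/log");

    # file: a special file (kernel log device), not a regular text log
    file("/proc/kmsg" program_override("kernel") flags(kernel));

    # unix_stream: a daemon that logs to its own dedicated socket (assumed path);
    # Connection limit and Do not close during reload apply here too
    unix_stream("/var/run/mydaemon/log" max_connections(10) keep_alive(yes));
};

source s_net {
    # Listen on this local address/port; 514 is the default for both protocols.
    # The address selects where syslog-ng accepts messages, not who may send them.
    udp(ip("192.0.2.10") port(514));

    tcp(ip("192.0.2.10") port(514)
        max_connections(100)          # Connection limit: further clients are refused
        keep_alive(yes)               # Do not close during reload
        program_override("remote")    # replaces ${PROGRAM} in every message
        flags(no_multi_line)          # parsing flags for this source
    );
};

source s_tls {
    # Use encryption + Certificate + CA group + Peer verify.
    # required_trusted: the client MUST present a certificate that chains to a
    # CA in ca_dir, so only known senders can deliver messages on this port.
    tcp(ip("192.0.2.10") port(6514)
        max_connections(100)
        keep_alive(yes)
        tls(key_file("/etc/syslog-ng/cert.d/collector.key")
            cert_file("/etc/syslog-ng/cert.d/collector.crt")
            ca_dir("/etc/syslog-ng/ca.d")
            peer_verify(required_trusted))
    );

    # Weak variant, shown for contrast and commented out: the channel is still
    # encrypted, but no client certificate is required, so any host that can
    # reach the port can inject log messages.
    #
    # tcp(ip("192.0.2.10") port(6514)
    #     tls(key_file("/etc/syslog-ng/cert.d/collector.key")
    #         cert_file("/etc/syslog-ng/cert.d/collector.crt")
    #         peer_verify(optional_untrusted))
    # );
};
```

Two practical checks: ca_dir() expects the CA certificates to be reachable through their OpenSSL hash names (run c_rehash, or `openssl x509 -hash`, in that directory after adding a CA), and `syslog-ng -s` validates the configuration syntax before a reload, which with keep_alive(yes) leaves existing TCP sessions open.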