Skip to content

Syslog-ng

Syslog-ng is a for of Rsyslog and provides a more modern approach, with more verbose documentation.

Install & Setup Instructions:

# This is example is for Amazon Linux / Wazuh found on AWS Marketplace
sudo amazon-linux-extras install epel -y
sudo yum install syslog-ng
cd /etc/syslog-ng/
# Follow interactactive setup
sudo openssl req -newkey rsa:2048 -nodes -keyout key.pem -out request.csr
sudo openssl x509 -req -days 365 -in request.csr -signkey key.pem -out server-cert.pem
>>> Upload server-cert.pem to SaaS you want to forward syslog form Once syslog-ng has been started . 
sudo touch /var/log/syslog-ng.log
sudo vim syslog-ng.conf

# Keep default config and add the following. 
# TLS Config
source s_network_tls {
    network(
        transport("tls")
        port(514)  # Specify the port to listen on for TLS connections
        tls(
            key-file("/etc/syslog-ng/key.pem")
            cert-file("/etc/syslog-ng/server-cert.pem")
            peer-verify(optional-untrusted) 
        )
    );
};

destination d_tls_logs {
    file("/var/log/syslog-ng.log"); # Path to save the logs received over TLS
};

log { source(s_network_tls); destination(d_tls_logs); };

sudo vim /var/ossec/etc/ossec.conf

<localfile>
    <log_format>syslog</log_format>
    <location>/var/log/syslog-ng.log</location>
</localfile>

sudo systemctl daemon-reload
sudo systemctl enable syslog-ng
sudo systemctl start syslog-ng
sudo systemctl restart wazuh manager

References:

https://www.syslog-ng.com/technical-documents/list/syslog-ng-open-source-edition/3.38