Explore documentation

Start logging in 5 minutes

Send your system logs to Better Stack using syslog-ng.

1. Setup

Set up syslog-ng using the provided script:

2. Restart

Restart the syslog-ng service to reload configuration:

You should see your logs in Better Stack → Live tail.

Need help?

Please let us know at hello@betterstack.com.
We're happy to help! 🙏

Manual syslog-ng setup

Our Syslog server listens for TCP connections on port 6514, allowing only encrypted traffic. It also listens on port 6517 for unencrypted UDP connections. Please use the Ingesting host from your source settings as the hostname.

To authenticate the incoming logs, we utilize Syslog's structured data. Every Syslog message must include [logtail@11993 source_token="$SOURCE_TOKEN"].

1. Download certificates

Download CA certificates (Let's Encrypt) to enable TLS:

2. Configure syslog-ng

Do you want to log over TCP or UDP?

• Log over encrypted TCP
• Log over unencrypted UDP

Log using TCP

Configure syslog-ng to log over TCP:

destination d_logtail {
 syslog(
   "$INGESTING_HOST_VEC"
   transport("tls")
   port(6514)
   tls(
     peer-verify(required-trusted)
     ca-dir("/etc/syslog-ng/ca.d")
     trusted-dn("CN=*.betterstackdata.com")
     sni(yes)
   )
 );
};

rewrite add_logtail_credentials {
 set("$SOURCE_TOKEN" value(".SDATA.logtail@11993.source_token"));
};

log {
 source(s_src);
 rewrite(add_logtail_credentials);
 destination(d_logtail);
};

Log using UDP

Configure syslog-ng to log over UDP:

destination d_logtail {
 syslog(
   "$INGESTING_HOST_VEC"
   transport("udp")
   port(6517)
 );
};

rewrite add_logtail_credentials {
 set("$SOURCE_TOKEN" value(".SDATA.logtail@11993.source_token"));
};

log {
 source(s_src);
 rewrite(add_logtail_credentials);
 destination(d_logtail);
};

3. Restart

Restart the syslog-ng service:

4. Start logging 🎉

Test the logger:

You should see your logs in Better Stack → Live tail.

Need help?

Please let us know at hello@betterstack.com.
We're happy to help! 🙏