Installing the SyslogNG software

Patching the package ebuild

If you are using the Hacking Networked Solutions patch-set for Gentoo Linux then the installation files for the app-admin/syslog-ng package will have been modified automatically to perform some of the configuration actions mentioned in this guide such as creating users and groups. To this end the ebuild for the app-admin/syslog-ng package will have been modified as shown below.

src_configure() {
--disable-dependency-tracking \
--sysconfdir=/etc/syslog-ng \
--with-pidfile-dir=/var/run \
--with-pidfile-dir=/var/run/syslog-ng \
$(use_enable caps linux-caps) \


pkg_preinst() {
enewgroup syslog 514
enewuser syslog 514 -1 -1 "syslog,tty"
gpasswd -a root syslog
keepdir /var/run/syslog-ng
fperms 0770 /var/run/syslog-ng
fowners syslog:syslog /var/run/syslog-ng

pkg_postinst() {

Installing the package

Before we install any packages we should ensure that the correct use-flags are specified so that all required functionality is made available and unnecessary functionality is not included. The app-admin/syslog-ng package has only two use-flags of interest to us during the installation, and only then if we are installing a log server to receive log messages from other hosts over the network or we intend to log to a database server. The tcpd use-flag adds support for TCP wrappers which can be used to control remote access to the log service while the sql use-flag adds support for sending log messages to a variety of SQL databases. If you intend to use the functionality provided by either of these use-flags you should add a package specific entry to /etc/portage/package.use before performing the installation.

lisa emerge -pv syslog-ng
These are the packages that would be merged, in order:

Calculating dependencies... done!
[ebuild      ] dev-libs/eventlog-0.2.10
[ebuild      ] dev-libs/libgamin-0.1.10-r2  USE="python -debug"
[ebuild      ] app-admin/gamin-0.1.10
[ebuild      ] dev-libs/glib-2.22.5  USE="fam -debug -doc -hardened -xattr"
[ebuild      ] app-admin/gam-server-0.1.10  USE="-debug"
[ebuild      ] app-admin/syslog-ng-3.1.1  USE="caps ipv6 pcre sql ssl tcpd -hardened -spoof-source -static"
It is entirely up to you whether you choose to enable the use of TCP wrappers or not. This guide will, however, assume that you have enabled this use-flag, and give instructions for adding entries to the /etc/hosts.allow file as required, when installing a log server and disabled this use-flag when installing a local log daemon.

Once you are confident that the correct use-flags are set for the app-admin/syslog-ng, package and any dependencies it may require, you can proceed with the installation by issuing the emerge command shown below.

lisa emerge syslog-ng

Creating a group and user

As we may wish to provide access to the log files to users other than root or run automated log analysis software, it would be a good idea to configure the logger to create files using an appropriate user and group with permissions suited to this end.

If you are using the patched version of the app-admin/syslog-ng package described above then the syslog group and user will have already been created for you. If you are using the vanilla app-admin/syslog-ng package you will need to create the syslog group and user yourself.

The commands below will create a new user called syslog and a new group, also called syslog, with a group-id and a user-id of 514. The new user will not have any home directory or shell access.

lisa groupadd -g 514 logs
lisa useradd -g 514 -u 514 -d /dev/null -s /bin/false syslog
If you already have a user with the uid 514 or a group with the gid 514, the groupadd and useradd commands will return an error. If this is the case you will have to substitute a different value here.

As we are going to configure the syslog-ng daemon to create files and directories which can only be written to by the syslog user and read from by any member of the syslog group it is probably a good idea to give the root user read access to the logs by making them a member of the syslog group. This can be achieved with the following command.

lisa gpasswd -a root syslog

Configuring the daemon

If you are using the patched version of the app-admin/syslog-ng package described above then the init script will have already been modified for you to use the new configuration file format which we will be describing below. If you are using the vanilla app-admin/syslog-ng package you will need to make the following modifications to the /etc/init.d/syslog-ng script.

checkconfig() {
# Ensure that /proc/kmsg is owned by syslog user
[[ $(stat -c %U /proc/kmsg) == ${SYSLOG_NG_USER} ]] || chown ${SYSLOG_NG_USER} /proc/kmsg
[ $? -eq 0 ] || eend $? "Unable to change ownership of /proc/kmsg"

start() {
checkconfig || return 1
ebegin "Starting syslog-ng"
start-stop-daemon --start --pidfile /var/run/ --exec /usr/sbin/syslog-ng ${SYSLOG_NG_OPTS}
start-stop-daemon --start --pidfile /var/run/syslog-ng/ --exec /usr/sbin/syslog-ng -- -u ${SYSLOG_NG_USER} -g ${SYSLOG_NG_GROUP} ${SYSLOG_NG_OPTS}
eend $? "Failed to start syslog-ng"

You can now modify the /etc/conf.d/syslog-ng configuration file which will be read by the init script during startup. The following code will cause the syslog-ng daemon to switch to the syslog user and the syslog group.

# User and group settings


# Put any additional options for syslog-ng here.
# See syslog-ng(8) for more information.

Unless you are running a kernel of at least version 2.6.20 the above configuration will render the syslog-ng daemon unable to read from the /proc/kmsg file and, therefore, unable to log messages generated by the kernel. Users of such kernels will have to run syslog-ng as the root user and change the options in the example configuration accordingly.

The installation of the syslog-ng daemon is now complete. In the next section we shall cover the configuration of log sources, filters, destinations, and the mappings between them which make it all work.