Packetwatch.net

Syslog-ng in OpenBSD



Last modified: Oct. 20, 2008

Contents
1 - Summary
2 - Syslog-ng installation
3 - Service configuration
4 - Service check


1 - Summary

This guide will show you how to install syslog-ng in OpenBSD. This has been
tested in OpenBSD 4.3.


2 - Syslog-ng installation

Install the syslog-ng package from an OpenBSD FTP mirror server.
# export PKG_PATH=ftp://ftp.openbsd.org/pub/OpenBSD/4.3/packages/i386/
# sudo pkg_add syslog-ng-1.6.8.tgz


3 - Service configuration

Find where the syslog-ng daemon was installed to.
# pkg_info -L syslog-ng-1.6.8 | grep sbin
/usr/local/sbin/syslog-ng

Edit the /etc/rc startup script so that syslog-ng starts at boot instead of
syslogd. Comment out the following lines.

  syslogd_flags="${syslogd_flags} -a /var/named/dev/log"
  syslogd_flags="${syslogd_flags} -a /var/empty/dev/log"
  syslogd ${syslogd_flags}

Add the following right below the lines you just commented out.

  syslog_ng_flags="-p /var/run/syslog-ng.pid"
  /usr/local/sbin/syslog-ng ${syslog_ng_flags}

# sudo vi /etc/rc

Configure /etc/rc.conf so that the syslog-ng service will start at boot time.
Modify it to contain the following.

  #syslogd_flags=
  syslog_ng_flags=

# sudo vi /etc/rc.conf

Find where the configuration file should be put.
# strings /usr/local/sbin/syslog-ng | grep syslog-ng.conf
  -f , --cfgfile=    Set config file name, default=/etc/syslog-ng/syslog-ng.conf
/etc/syslog-ng/syslog-ng.conf

You can now create your own syslog-ng.conf file if you like. You can use the
following for your source.

  source local { internal(); pipe("/dev/klog" log_prefix("kernel: ")); unix-dgram("/dev/log"); };

# pkg_info -L syslog-ng | grep syslog-ng.conf
/usr/local/man/man5/syslog-ng.conf.5
/usr/local/share/examples/syslog-ng/syslog-ng.conf.sample
# sudo cp /usr/local/share/examples/syslog-ng/syslog-ng.conf.sample /etc/syslog-ng/syslog-ng.conf
# sudo cp /etc/syslog-ng/syslog-ng.conf /etc/syslog-ng/syslog-ng.conf.example
# sudo vi /etc/syslog-ng/syslog-ng.conf
# sudo /usr/local/sbin/syslog-ng -s -f /etc/syslog-ng/syslog-ng.conf

Stop the syslog service and start the syslog-ng service.
# sudo kill -9 `cat /var/run/syslog.pid`
# sudo rm -fP /var/run/syslog.pid
# sudo ps aux | grep syslog
_syslogd 18567  0.0  0.1   480   736 ??  I     12:58PM    0:00.01 syslogd -a /var/empty/dev/log
# sudo kill -9 18567
# sudo ps aux | grep syslog
# sudo /usr/local/sbin/syslog-ng -p /var/run/syslog-ng.pid
# sudo cat /var/run/syslog-ng.pid
31296


4 - Service check

Reboot your computer. Log in as usual and check that the syslog service isn't
running and that the syslog-ng service is running. That's it, now you have
syslog-ng running in OpenBSD.
# sudo shutdown -r now
# sudo ls -1 /var/run/syslog*
/var/run/syslog-ng.pid
# sudo cat /var/run/syslog-ng.pid
9069
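
The pid-file listing above shows only that a file exists. It does not prove
that syslog-ng is alive or that no syslogd process survived, as the _syslogd
child did in section 3. The script below is an added example, not part of the
original guide, that checks both against `ps aux` output. Its function names,
the live/demo arguments and the "syslogd:" process-title match are assumptions
made for this example, and it assumes COMMAND is field 11 of `ps aux`.

```sh
#!/bin/sh
# Added example (not from the original guide): confirm the switch from the
# process table, not only from pid files. Field 11 of `ps aux` is COMMAND.

# Print PIDs of leftover syslogd processes (the unprivileged _syslogd child
# included). Returns 0 if any are found.
stale_syslogd() {
    awk '$11 == "syslogd" || $11 == "syslogd:" || $11 ~ /\/syslogd$/ {
             print $2; found = 1 }
         END { exit !found }' "$1"
}

# Return 0 only if the PID in pid file $2 is a syslog-ng process listed in $1.
ng_alive() {
    [ -r "$2" ] || return 1
    pid=$(cat "$2")
    case "$pid" in ''|*[!0-9]*) return 1 ;; esac
    awk -v pid="$pid" '$2 == pid && ($11 == "syslog-ng" || $11 ~ /\/syslog-ng$/) {
             ok = 1 }
         END { exit !ok }' "$1"
}

# check_switch PS_SNAPSHOT PIDFILE: returns 0 for a clean switch, 1 otherwise.
check_switch() {
    rc=0
    if left=$(stale_syslogd "$1"); then
        echo "FAIL: syslogd still running, pid(s):" $left; rc=1
    fi
    if ! ng_alive "$1" "$2"; then
        echo "FAIL: $2 does not point at a live syslog-ng"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: syslog-ng is the only logger running"
    return "$rc"
}

# demo: constructed sample, the leftover child section 3 shows after kill -9.
demo() {
    d=$(mktemp -d /tmp/swchk.XXXXXX) || return 1
    echo '_syslogd 18567 0.0 0.1 480 736 ?? I 12:58PM 0:00.01 syslogd -a /var/empty/dev/log' > "$d/ps"
    echo 31296 > "$d/pid"
    check_switch "$d/ps" "$d/pid"; rc=$?
    rm -rf "$d"; return "$rc"
}

# Usage: sh check_switch.sh live   (on the host)   |   sh check_switch.sh demo
case "${1:-}" in
    live) snap=$(mktemp /tmp/ps.XXXXXX) || exit 1; ps aux > "$snap"
          check_switch "$snap" /var/run/syslog-ng.pid; rc=$?; rm -f "$snap"; exit "$rc" ;;
    demo) demo; exit $? ;;
esac
```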


Packetwatch Research 2002-2008.