Your request was heard. In the past couple of months, I published a
tutorial series in blog and video format, which brings you from basic
logging concepts to using syslog-ng to collect, parse, enrich log
messages and store them to Elasticsearch. Of course, these 5-10 minute
videos are not enough to learn anything in depth, but they introduce you
to all major syslog-ng functionalities.
Even if you are a seasoned syslog-ng user, there is a good chance that
you will learn something new from this introductory tutorial series: the
“if” statement, in-line configuration elements, the inlist() filter or
the JSON template function, just to name a few.
If you would rather pick only a few topics from the tutorial series,
here is a table of contents, with short summaries, pointers to the blog
and video versions and the related parts from the documentation.
Unfortunately, the documentation for the latest version is not available
yet, so pointers are included to the web version of the syslog-ng version
Of course, once you have read or watched my syslog-ng tutorials, reading the
blogs and the relevant parts of the documentation is still highly
The introduction gives you an overview of the tutorial series and
defines what syslog-ng is.
In this part, we cover some of the basic concepts behind syslog-ng. We
talk about why central log collection is important, and then discuss the
four major roles of syslog-ng: log collection, processing, filtering and
finally storage. We conclude this part with a short introduction to
various message formats.
In this part we cover the various syslog-ng editions (open source,
commercial and appliance), and where to get them from. The focus of this
tutorial series is the Open Source Edition (OSE), but to avoid
confusion, I also briefly introduce the other two.
In this part we learn about syslog-ng source definitions and how to
check the syslog-ng version and its enabled features. The tutorial shows
you the source syntax and lists some of the more popular source drivers.
The documentation lists all the sources and all their parameters.
In this part we learn about syslog-ng destinations and the log path. At
the end of the session, we will also perform a quick syntax check. As
usual, the tutorial shows you the destination and log path syntax and
lists some of the more popular destination drivers. The documentation
lists all the destinations and all their parameters. The part about the
log path also includes many concepts that we only talk about in later
parts of the tutorial.
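The following configuration is an added example, not taken from the tutorial or from the syslog-ng project itself. It ties the three parts above together: two sources (local system logs and RFC 5424 syslog from other hosts over TCP), two destinations, and the log paths connecting them. The version line, port and file paths are assumptions for the example.

```conf
# Assumed syslog-ng OSE version; use the one reported by "syslog-ng -V"
@version: 3.38
@include "scl.conf"

# Local logs: /dev/log or journald depending on the platform, plus
# syslog-ng's own internal messages
source s_local {
    system();
    internal();
};

# Logs from other hosts, RFC 5424 framing over TCP (assumed port 601)
source s_network {
    syslog(ip("0.0.0.0") port(601) transport("tcp"));
};

# Local messages go to one file
destination d_local {
    file("/var/log/messages");
};

# Remote messages are split per sending host; create-dirs(yes) lets
# syslog-ng create /var/log/remote/ if it does not exist yet
destination d_remote {
    file("/var/log/remote/${HOST}.log" create-dirs(yes));
};

# Log paths: sources on the left, destinations on the right
log {
    source(s_local);
    destination(d_local);
};

log {
    source(s_network);
    destination(d_remote);
};
```

Before reloading, run a syntax-only check against the file with `syslog-ng -s -f /path/to/syslog-ng.conf` (`--syntax-only` and `--cfgfile` are the long forms); `syslog-ng -V` prints the installed version and the compile-time features and modules, which is the check referred to in the sources part above.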
In this part we learn about enriching log messages. Enriching in this
case means that you can create additional name-value pairs based on
message content. There are several ways to enrich log messages
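As an added example (not part of the tutorial or of syslog-ng's own documentation), the configuration below shows three enrichment techniques that each create new name-value pairs: a `kv-parser()` that turns `key=value` pairs in the message text into name-value pairs, `add-contextual-data()` that looks up the sending host in a CSV database and attaches extra fields, and a `set()` rewrite with a condition that derives a classification from the message content. The CSV file, its contents and all paths are constructed for the example.

```conf
@version: 3.38
@include "scl.conf"

source s_local { system(); internal(); };

# 1. Parse "key=value" pairs found in the message text into name-value
#    pairs under the ".kv." prefix, e.g. ".kv.user" and ".kv.src".
parser p_kv {
    kv-parser(prefix(".kv."));
};

# 2. Look up the sending host in a CSV database and attach extra
#    name-value pairs to the message. Assumed file
#    /etc/syslog-ng/hosts.csv, format: selector,name,value
#        web1,site,dc-east
#        web1,owner,platform-team
#        unknown,site,unclassified
#    Hosts not listed fall back to the "unknown" selector.
parser p_hostinfo {
    add-contextual-data(
        selector("${HOST}"),
        database("/etc/syslog-ng/hosts.csv"),
        default-selector("unknown"),
        prefix(".ctx.")
    );
};

# 3. Derive a name-value pair from the message content: tag
#    failed logins so later filters or dashboards can key on it.
rewrite r_auth {
    set("auth_failure", value(".tags.event")
        condition(message("Failed password") or message("authentication failure")));
};

# Write the enriched fields out next to the original message
destination d_enriched {
    file("/var/log/enriched.log"
        template("${ISODATE} ${HOST} ${PROGRAM}: ${MESSAGE} site=${.ctx.site} owner=${.ctx.owner} user=${.kv.user} event=${.tags.event}\n"));
};

log {
    source(s_local);
    parser(p_kv);
    parser(p_hostinfo);
    rewrite(r_auth);
    destination(d_enriched);
};
```

Order matters in the log path: parsers run before the rewrite, so a condition in `set()` could also refer to the freshly created `.kv.` or `.ctx.` values. Name-value pairs whose names start with a dot are treated as internal and are not sent out by drivers that forward all pairs unless you explicitly include them.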
In this part we learn how to send log messages to Elasticsearch.
Note that while I keep referring to the driver as the “Elasticsearch
destination”, you can use it with several other products that implement
the Elasticsearch API, such as OpenSearch, Zinc, Humio and probably more.
This part shows you not only how to send log messages to Elasticsearch,
but also combines many of the previously learned syslog-ng features into
a single configuration.
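The configuration below is an added example and not the tutorial's own final configuration. It combines the features mentioned in the introduction: the `if`/`elif`/`else` statement in a log path, the `inlist()` filter, in-line rewrite elements, and the `format-json` template function feeding the `elasticsearch-http()` destination. The Elasticsearch URL, credentials, CA file, the list file and the index name are assumptions for the example.

```conf
@version: 3.38
@include "scl.conf"

source s_local { system(); internal(); };
source s_network { syslog(ip("0.0.0.0") port(601) transport("tcp")); };

# Assumed list file, one hostname per line, exact match:
#   /etc/syslog-ng/sensitive_hosts.txt

# Bulk API destination; the same driver works against OpenSearch and
# other servers that speak the Elasticsearch API. type("") is for
# Elasticsearch 7+/OpenSearch, which no longer use mapping types.
destination d_elastic {
    elasticsearch-http(
        url("https://elastic.example.com:9200/_bulk")
        index("syslog-${YEAR}.${MONTH}.${DAY}")
        type("")
        user("syslog-ng")
        password("changeme")
        ca-file("/etc/syslog-ng/ca.pem")
        peer-verify(yes)
        # Serialize the RFC 5424 fields and all name-value pairs as JSON;
        # drop the old DATE field and add an ISO 8601 @timestamp instead
        template("$(format-json --scope rfc5424 --scope nv-pairs --exclude DATE --key ISODATE @timestamp=${ISODATE})")
    );
};

log {
    source(s_local);
    source(s_network);

    # Classify each message with an in-line rewrite; the branches are
    # evaluated in order and only the first matching one runs
    if (inlist("/etc/syslog-ng/sensitive_hosts.txt", value("HOST"))) {
        rewrite { set("sensitive", value("classification")); };
    } elif (level(err..emerg)) {
        rewrite { set("error", value("classification")); };
    } else {
        rewrite { set("routine", value("classification")); };
    };

    destination(d_elastic);
};
```

Because `classification` has no leading dot, it is a regular name-value pair and lands in the JSON document produced by `format-json`. With `peer-verify(yes)` and a `ca-file()` the TLS certificate of the Elasticsearch server is actually checked; without them the credentials in `user()`/`password()` would travel to whatever answers on that address.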