Install syslog-ng in Ubuntu 16.04 LTS

Featured Image
Hasan-Uz-Zaman Ashik

Written by Hasan-Uz-Zaman

January 1, 2021


Table of Contents

Setup Syslog-ng in the server
Configure Syslog-ng to accept logs from sources
Configure remote nodes to send logs to the Ubuntu server
Configure destinations to store logs
Develop web tool/ install database client tool/ data analysis tool to visualize logs


When it comes to managing and troubleshooting computer networks, one of the most important tools available is syslog. Syslog is a protocol that allows network devices to send event messages to a centralized server, which can then be used to monitor, analyze, and troubleshoot network issues. In this blog post, we will explore what Syslog is, how it works, and why we need it.


What is syslog?

Syslog is a standardized protocol used for sending log messages across a network. It was originally developed in the 1980s by Eric Allman for the Sendmail project and has since become a standard part of most network operating systems. It is supported by a wide range of devices, including routers, switches, firewalls, servers, and workstations.

Syslog allows network devices and applications to send log messages to a centralized logging server or service. These messages can include information about system events, errors, warnings, and other important events that occur on the network. The messages are typically stored in log files, which can be used to analyze network performance, troubleshoot issues, and identify security threats.

Syslog messages are sent using the User Datagram Protocol (UDP), which is a lightweight protocol that does not require a connection to be established before data is sent. This makes syslog a very efficient protocol that can be used to send large volumes of data quickly and easily.

Syslog is a client/server protocol. The client, also known as the sender, sends log messages to the Syslog server, which is also known as the receiver. The receiver stores the log messages in a log file or a database, where they can be analyzed and used for various purposes.

Syslog messages contain information about events that occur on a network device or an application. These events can be anything from error messages and security alerts to status updates and system events. Syslog messages are generally categorized by severity, with different levels indicating different types of events. The severity levels are usually defined as follows:


  • Emergency: System is unusable
  • Alert: Action must be taken immediately
  • Critical: Critical conditions
  • Error: Error conditions
  • Warning: Warning conditions
  • Notice: Normal but significant condition
  • Informational: Informational messages
  • Debug: Debugging messages

How does Syslog work?


Syslog operates over UDP or TCP, using port 514 by default. When a device or application generates a log message, it sends the message to the Syslog server using the Syslog protocol. The message contains various pieces of information, such as the facility, severity level, and a timestamp.

The facility is used to identify the type of device or application that generated the message. For example, a router might use the facility “local0,” while a firewall might use the facility “local1.” The severity level indicates the severity of the event, as discussed earlier. The timestamp records the time the event occurred.

Once the message is received by the Syslog server, it is stored in a log file or database, depending on the configuration. The log file or database can then be accessed by administrators or automated tools to analyze the logs and troubleshoot issues.

Why do we need syslog?

There are many reasons why network administrators need to use syslog. Here are a few of the most important:

Troubleshooting network issues – When network issues occur, it is often difficult to determine the cause of the problem. Syslog messages can provide valuable information that can be used to troubleshoot the issue and identify the root cause.

Monitoring network performance – Syslog messages can be used to monitor network performance and identify potential bottlenecks or other issues that may be affecting network performance.

Centralized logging

In a large-scale IT environment, it is not feasible to manage logs from individual systems and applications. Syslog enables centralized logging, where all the logs from various devices and applications are stored in a central location. This makes it easier to monitor, analyze, and troubleshoot issues across the entire infrastructure. Moreover, centralized logging enables efficient compliance management, as it allows auditors to access logs from a single source.

Real-time monitoring

Syslog enables real-time monitoring of the system and application logs, which helps in identifying issues and taking corrective actions promptly. System administrators and security professionals can set up alerts and notifications to detect critical events such as system crashes, network outages, security breaches, and application errors. Real-time monitoring also helps in identifying patterns and trends in the logs, which can be used for performance tuning, capacity planning, and resource optimization.

Forensic analysis

Syslog is critical for forensic analysis, which involves investigating and analyzing logs to identify the root cause of an incident or breach. Syslog records detailed information about system and application activities, including user logins, network traffic, file access, system events, and error messages. Forensic analysts can use this information to reconstruct the sequence of events that led to the incident, identify the point of entry, and determine the extent of the damage. Moreover, syslog enables forensic analysts to correlate logs from different sources, which can reveal hidden patterns and relationships.


Versions used in this article:

Syslog-ng: 3.30

PostgreSQL: 9.5

Server: ubuntu 16.04

We will install syslog-ng 3.30 version using release key instead of using source code.

Step 1: Download and add release key

Before that let’s see what version of syslog-ng is available by using:


syslog-ng install ubuntu server

Here we can see that 3.5.6 is available. But we want to install more latest version of syslog-ng. To do that we need to add a release key that has desired version.

If you cannot find it we can manually add it in /etc/apt/sources.list


manually add sources list in ubuntu server

Step 2: Update available packages and versions

Now we can see syslog-ng 3.30 version is available.

listing available syslog-ng packages

Step 3: Install syslog-ng

Note: You may prompt you to install packages without verification.

install syslog-ng
complete installation of syslog-ng

Lets go to config file.


verify installed syslog-ng version

Congratulations! We have installed syslog-ng successfully. In another article we will try to install it using source code.

You May Also Like…



Network Engineer

Zaman is an aspiring Technical Writer and passionate about software-defined networking (SDN), Network Automation, Ansible, Log data management (Syslog-ng), Python tools, Web Application development (django) etc.

Let's start talking!


Submit a Comment

Your email address will not be published. Required fields are marked *