Packetwatch.net

Compile Syslog-ng in Red Hat Enterprise Linux



Last modified: Feb. 14, 2009

Contents
1 - Summary
2 - Dependencies
3 - Syslog-ng installation
4 - Service configuration
5 - Service check


1 - Summary

This guide will show how to compile and install syslog-ng from source in Red
Hat Enterprise Linux. Syslog-ng is a system logging application. This has been
tested in Red Hat Enterprise Linux 4 and 5.


2 - Dependencies

You will need the following packages installed to compile syslog-ng from
source.
  gcc
  flex
  bison
  glib2-devel
# rpm -qa | grep '^gcc-'
# rpm -qa | grep '^flex-'
# rpm -qa | grep '^bison-'
# rpm -qa | grep '^glib2-devel-'

Libnet is another dependency that is needed. Libnet packages for Red Hat
Enterprise Linux can be downloaded from http://apt.sw.be/. Substitute $rel,
$lang and $arch in the URL below with your release, language and architecture.
# cd ~
# wget http://apt.sw.be/redhat/$rel/$lang/$arch/dag/RPMS/libnet-*.rpm
# sudo rpm -ivh libnet-*.rpm

Eventlog is the last dependency that is needed. It can be downloaded at
http://www.balabit.com/. This will be downloaded, compiled and installed
from source.
# cd ~
# wget http://www.balabit.com/downloads/files/syslog-ng/sources/stable/src/eventlog-*.tar.gz
# tar -zxvf eventlog-*.tar.gz
# cd eventlog-*
# ./configure
# make
# sudo make install
# sudo make clean


3 - Syslog-ng installation

Syslog-ng can be downloaded at http://www.balabit.com/. This will be
downloaded, compiled and installed from source.
# cd ~
# wget http://www.balabit.com/downloads/files/syslog-ng/sources/stable/src/syslog-ng-*.tar.gz
# tar -zxvf syslog-ng-*.tar.gz
# cd syslog-ng-*
# export PKG_CONFIG_PATH=$PKG_CONFIG_PATH:/usr/local/lib/pkgconfig
# ./configure
# make
# sudo make install
# sudo make clean


4 - Service configuration

Find where the syslog-ng daemon was installed.
# sudo /sbin/ldconfig
# sudo whereis syslog-ng
syslog-ng: /usr/local/sbin/syslog-ng

Copy the init.d script to the correct location, make it executable, and edit
it so that it contains the following line.

  binary="/usr/local/sbin/syslog-ng"

# cd ~
# cd syslog-ng-*/contrib/rhel-packaging
# sudo cp syslog-ng.init /etc/rc.d/init.d/syslog-ng
# sudo chmod +x /etc/rc.d/init.d/syslog-ng
# sudo vi /etc/rc.d/init.d/syslog-ng

Enable the syslog-ng service so that it will start when the system starts
and disable syslog so it won't start when the system starts up.
# sudo /sbin/chkconfig --list | grep syslog
syslog          0:off   1:off   2:on    3:on    4:on    5:on    6:off
# sudo /sbin/chkconfig syslog off
# sudo /sbin/chkconfig --add syslog-ng
# sudo /sbin/chkconfig --list | grep syslog
syslog          0:off   1:off   2:off   3:off   4:off   5:off   6:off
syslog-ng       0:off   1:off   2:on    3:on    4:on    5:on    6:off

Find where the configuration file should be put.
# grep syslog-ng.conf /etc/rc.d/init.d/syslog-ng
# strings /usr/local/sbin/syslog-ng | grep syslog-ng.conf
  -f , --cfgfile=    Set config file name, default=/usr/local/etc/syslog-ng.conf
/usr/local/etc/syslog-ng.conf

You can now create your own syslog-ng.conf file. The following can be used as
the source definition.

  source local { internal(); file("/proc/kmsg" log_prefix("kernel: "));  unix-stream("/dev/log"); };

# sudo cp syslog-ng.conf /usr/local/etc/syslog-ng.conf
# sudo cp /usr/local/etc/syslog-ng.conf /usr/local/etc/syslog-ng.conf.example
# sudo vi /usr/local/etc/syslog-ng.conf
# sudo /usr/local/sbin/syslog-ng -s -f /usr/local/etc/syslog-ng.conf
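A complete minimal syslog-ng.conf built around that source line, added here as an example and not taken from this page or from the syslog-ng project, so that the syntax check above has something to validate. It assumes the standard Red Hat log file paths /var/log/messages and /var/log/secure and the syslog-ng 2.x/3.x configuration syntax of the stable sources the guide downloads.

```conf
# Local log sources: syslog-ng's own messages, the kernel ring buffer
# and the /dev/log socket used by the libc syslog() call (the source
# definition given in the guide).
source local { internal(); file("/proc/kmsg" log_prefix("kernel: ")); unix-stream("/dev/log"); };

# Authentication messages go to their own file, readable by root only,
# so login failures and sudo use are not exposed to every local user.
destination d_auth { file("/var/log/secure" perm(0600)); };

# Everything else goes to the general message log.
destination d_messages { file("/var/log/messages" perm(0600)); };

# Split the stream on facility: auth/authpriv versus the rest.
filter f_auth { facility(auth, authpriv); };
filter f_default { not facility(auth, authpriv); };

# Log paths tie a source, a filter and a destination together.
log { source(local); filter(f_auth); destination(d_auth); };
log { source(local); filter(f_default); destination(d_messages); };
```

Save it as /usr/local/etc/syslog-ng.conf and run the syslog-ng -s syntax check shown above before starting the service; a syntax error there is reported on the console rather than at boot.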

Copy the sample logrotate file and edit if necessary.
# sudo cp syslog-ng.logrotate /etc/logrotate.d/syslog-ng

You will need to configure SELinux appropriately for the new daemon. The
SELinux status can be checked by running sestatus.
# sudo sestatus | grep status:
SELinux status:                 enabled

Stop the syslog service and start the syslog-ng service.
# sudo /sbin/service syslog stop
Shutting down kernel logger: [  OK  ]
Shutting down system logger: [  OK  ]
# sudo ps aux | grep syslog
# sudo /sbin/service syslog-ng start
Starting syslog-ng: [  OK  ]
# sudo cat /var/run/syslog-ng.pid
11426


5 - Service check

Reboot your computer. Log in as normal and check that the syslog service
isn't running and that the syslog-ng service is running. That's it; you now
have syslog-ng running in Red Hat Enterprise Linux.
# sudo /sbin/shutdown -r now
# sudo /sbin/service syslog status
syslogd is stopped
klogd is stopped
# sudo /sbin/service syslog-ng status
syslog-ng (pid 4224) is running...


Packetwatch Research 2002-2017.