
Local Log Collector using Syslog-NG

A local syslog collector deployed as a VM on customer premises: it receives syslog from remote network devices and forwards it to the VPC over SSL/TLS.

Deploy a “vanilla” Debian 12 VM

VM Details:

VIRTUAL MACHINES:

Tool: Syslog-ng
Number of VMs: 1
CPU: 4
Memory: 8GB
Disk Space (OS): 160GB
OS: Debian 12

Install syslog-ng and related packages

Update OS and install latest patches

apt-get update && apt-get upgrade


Install syslog-ng

apt-get install syslog-ng


Digital Certificates

Upload “rootCA.crt” to “/usr/local/share/ca-certificates”

Update the list of trusted root CAs:

update-ca-certificates


Upload “syslog_client.pem” and “syslog_client.key” to “/etc/syslog-ng”

Create Configuration Files

Syslog receiver for network devices (one config file per technology vendor):

Create file “/etc/syslog-ng/conf.d/vendor1.conf”:

# UDP listener that receives syslog from this vendor's network devices
source vendor1_udp {
    network(
        ip(0.0.0.0)
        port(udp_port)
        transport("udp")
    );
};

# TLS destination in the VPC; the client certificate identifies this collector
destination SIEM_Stack_Collector_For_Vendor1 {
    network(
        "firehose.yourdomain.com"
        port(tcp_port)
        transport("tls")
        tls(
            key-file("/etc/syslog-ng/syslog_client.key")
            cert-file("/etc/syslog-ng/syslog_client.pem")
            ca-file("/etc/syslog-ng/rootCA.crt")
            # peer-verify(no): the server certificate is not checked against ca-file()
            peer-verify(no)
        )
    );
};

# Route everything received on the vendor listener to the VPC destination
log {
    source(vendor1_udp);
    destination(SIEM_Stack_Collector_For_Vendor1);
};

Replace the following fields:

  • vendor1
  • udp_port
  • yourdomain.com
  • tcp_port

Every network device vendor requires a different UDP port (syslog-ng input) and a different TCP port (syslog-ng output/destination using TLS).

Restart syslog-ng:

service syslog-ng restart
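As an added example that is not part of the SOCFortress article, the shell script below renders one vendor file from the four fields listed above, rejects a UDP or TCP port that another vendor file in /etc/syslog-ng/conf.d already uses (each vendor needs its own ports), and runs syslog-ng's syntax-only check (syslog-ng -s). It writes peer-verify(required-trusted) in place of the article's peer-verify(no) so the collector validates the VPC endpoint's certificate against rootCA.crt; it assumes rootCA.crt has been placed at /etc/syslog-ng/rootCA.crt (the path the article's config references) and that CONF_DIR points at the conf.d directory.

```shell
# Added example, not from the SOCFortress article: render one per-vendor
# syslog-ng file from the four fields to replace, refuse a UDP/TCP port another
# vendor file already uses, and syntax-check. Assumes CONF_DIR is the conf.d dir.
CONF_DIR="${CONF_DIR:-/etc/syslog-ng/conf.d}"
# is_port NUM: succeeds when NUM is an integer in 1..65535
is_port() {
  case "$1" in ''|*[!0-9]*) return 1 ;; esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# port_in_use PORT SKIPFILE: succeeds when another *.conf already has port(PORT)
port_in_use() {
  for f in "$CONF_DIR"/*.conf; do
    [ -f "$f" ] && [ "$f" != "$2" ] && grep -qF "port($1)" "$f" && return 0
  done
  return 1
}

# render_vendor_conf VENDOR UDP_PORT DOMAIN TCP_PORT: print the config to stdout.
# peer-verify(required-trusted) makes syslog-ng check the VPC endpoint's
# certificate against ca-file(), which the article's peer-verify(no) does not.
render_vendor_conf() {
  is_port "$2" && is_port "$4" || { echo "invalid port: $2 / $4" >&2; return 1; }
  cat <<EOF
source ${1}_udp {
    network(ip(0.0.0.0) port($2) transport("udp"));
};
destination SIEM_Stack_Collector_For_$1 {
    network("firehose.$3" port($4) transport("tls")
        tls(
            key-file("/etc/syslog-ng/syslog_client.key")
            cert-file("/etc/syslog-ng/syslog_client.pem")
            ca-file("/etc/syslog-ng/rootCA.crt")
            peer-verify(required-trusted)
        )
    );
};
log { source(${1}_udp); destination(SIEM_Stack_Collector_For_$1); };
EOF
}

# write_vendor_conf VENDOR UDP_PORT DOMAIN TCP_PORT: write CONF_DIR/VENDOR.conf
write_vendor_conf() {
  for p in "$2" "$4"; do
    port_in_use "$p" "$CONF_DIR/$1.conf" && { echo "port $p already used" >&2; return 1; }
  done
  render_vendor_conf "$@" > "$CONF_DIR/$1.conf" || { rm -f "$CONF_DIR/$1.conf"; return 1; }
  if command -v syslog-ng >/dev/null 2>&1; then syslog-ng -s; fi  # syntax-only check
}
if [ "$#" -eq 4 ]; then write_vendor_conf "$@"; fi  # e.g. vendor1 5514 yourdomain.com 6514
```

After a successful write, restart syslog-ng as in the step above; a failed syntax check leaves the previous running configuration untouched.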
