syslog-ng is a widely used log processor and is available on most popular Linux distributions, including Ubuntu and CentOS. It provides a long list of plugins – most importantly the Elasticsearch destination plugin, which is supported by Humio.
We recommend the following minimal configuration for forwarding all logs to Humio:
```
@version: 3.25
@include "scl.conf"

source s_service {
    file("/path/to/service.log");
};

destination d_elastic_humio {
    elasticsearch-http(
        type("humio")          # not used by humio, but required by plugin
        index("syslog-humio")  # not used by humio, but required by plugin
        url("http://$YOUR_HUMIO_URL/api/v1/ingest/elastic-bulk")
        workers(2)
        batch-lines(200)
        user("syslog-ng")      # not used by humio, can be whatever you want
        password("$INGEST_TOKEN")
    );
};

log {
    source(s_service);
    destination(d_elastic_humio);
    flags(flow-control);
};
```
Remember to replace `$YOUR_HUMIO_URL` with the URL for your Humio Cloud account if you're using Humio Cloud – otherwise the URL for your self-hosted installation – and `$INGEST_TOKEN` with an ingest token for your repository.
It's important that `type` and `index` be set to a non-empty value. If they're either not set or left as empty strings, logs will not ship properly.
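A small pre-flight check for the two pitfalls above (placeholders left in place, and an empty or missing `type`/`index`). This is an added example, not part of the Humio documentation or of syslog-ng; the sample destination block is the one from this page, and the URL and token values used in the check are constructed.

```python
import re

# Constructed sample: the destination block recommended above, placeholders still in place.
SAMPLE_DESTINATION = '''destination d_elastic_humio {
    elasticsearch-http(
        type("humio")          # not used by humio, but required by plugin
        index("syslog-humio")  # not used by humio, but required by plugin
        url("http://$YOUR_HUMIO_URL/api/v1/ingest/elastic-bulk")
        workers(2)
        batch-lines(200)
        user("syslog-ng")      # not used by humio, can be whatever you want
        password("$INGEST_TOKEN")
    );
};
'''

# String-valued options such as type("humio"); numeric ones like workers(2) are ignored.
_STRING_OPTION = re.compile(r'\b([a-z][\w-]*)\(\s*"([^"]*)"\s*\)')
_ES_HTTP_BLOCK = re.compile(r'elasticsearch-http\((.*?)\);', re.S)


def parse_elasticsearch_http_options(config_text):
    """Return {option: value} for the string options inside elasticsearch-http( ... )."""
    block = _ES_HTTP_BLOCK.search(config_text)
    if block is None:
        return {}
    return dict(_STRING_OPTION.findall(block.group(1)))


def check_humio_destination(config_text):
    """List problems that would stop logs from shipping; an empty list means the block looks fine."""
    opts = parse_elasticsearch_http_options(config_text)
    if not opts:
        return ["no elasticsearch-http() destination found"]
    problems = []
    # The failure mode described on this page: type and index must be present and non-empty.
    for key in ("type", "index"):
        if not opts.get(key):
            problems.append(f"{key}() is missing or empty; logs will not ship")
    if "$YOUR_HUMIO_URL" in opts.get("url", ""):
        problems.append("url() still contains the $YOUR_HUMIO_URL placeholder")
    if opts.get("password", "") in ("", "$INGEST_TOKEN"):
        problems.append("password() must hold a real ingest token")
    return problems


def fill_placeholders(config_text, humio_url, ingest_token):
    """Substitute the two placeholders the page asks you to replace."""
    return config_text.replace("$YOUR_HUMIO_URL", humio_url).replace("$INGEST_TOKEN", ingest_token)
```

Run `check_humio_destination()` over your real `syslog-ng.conf` text before restarting the service; the unedited sample above reports both placeholders.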
Finally, restart syslog-ng:

```
$ systemctl restart syslog-ng.service
```

Your logs should start appearing in your repository as soon as syslog-ng comes back up.
If things aren't working as expected, it can be helpful to enable syslog-ng internal logging to see what's going on. To do that, add this to your syslog-ng config:

```
source s_internal {
    internal();
};

destination d_internal {
    file("/var/log/syslog-ng.log");
};

log {
    source(s_internal);
    destination(d_internal);
};
```
The resulting logs should provide more information about what’s going wrong.