« back to schedule

Syslog-ng, getting started, parsing messages, storing in Elasticsearch

Maximum numbers of participants: 20. Registration will be done on site.

The syslog-ng application is an enhanced logging daemon with a focus on portability and high-performance central log collection. It is used mainly by IT security professionals, but also in Ops and DevOps environments and by embedded developers. The syslog-ng workshop helps you take the first steps with syslog-ng, and shows how you can quickly get more information out of your logs and have greater insight into what happens on your network. Ideal for beginners, but covers advanced possibilities for seasoned syslog-ng users as well.

You will learn:

  • The basic concepts of configuring and running syslog-ng,
  • an introduction to message parsing,
  • how to store your log messages in Elasticsearch, and
  • how to display your messages in Kibana.

For most participants I recommend using the provided CentOS-based VM (see prerequisites below). It is running:

  • syslog-ng 3.21 (or newer: https://syslog-ng.com/3rd-party-binaries)
  • Elasticsearch & Kibana 7.1

You can install these yourself on your laptop or in a VM, but note, that there will not be enough time to troubleshot individual test environments.

Workshop schedule:

  • Theory: Introductory presentation - the concepts of syslog-ng. Explains the different building blocks (sources, parsers, filters, destinations, etc.), and how to connect them together using log statements.
  • Practice: Try these concepts in practice. Creating a simple configuration, checking syntax, running in the foreground with different debugging options, and running in the background as a service.
  • Theory: Message parsing is a main feature of syslog-ng from the security professional point of view. Most of the log messages on Linux / UNIX arrive in a free form text format, which are easy to read by humans, but very difficult to act on. Using message parsing you can extract actionable information from log messages and create alerts or simply storing data in an easy to search format.
  • Pratice: Extend the configuration with a few filters and parsers to make it more complex. To see the results of parsing, we use templates on the output side to include name-value pairs. Practice: Store the results to Elasticsearch and display them in Kibana.
  • Theory: a quick overview of other useful syslog-ng features not discussed in the workshop, how to get help and support, where to find more information, and so on.
  • Q&A session (if there is some time left): touch a few additional topics, based on questions from the audience.


  • Hardware: a laptop.
  • Software: an OS with a browser, a ssh client and VirtualBox.
  • Skills: Linux CLI and terminal text editing.


Peter Czanik (Balabit)


Peter is an engineer working as evangelist at Balabit (a One Identity business), the company that developed syslog-ng. He assists distributions to maintain the syslog-ng package, follows bug trackers, helps users and talks regularly at conferences (SCALE, All Things Open, FOSDEM, LOADays, and others). In his limited free time he is interested in non-x86 architectures, and works on one of his PPC or ARM machines.

« back to schedule