Start by making sure Syslog-ng is installed and checking the version. Do this by running:

syslog-ng -V

The expected output is something like the following:

syslog-ng 3 (3.14.1)
Config version: 3.14
Installer-Version: 3.14.1
Revision:
Module-Directory: /usr/lib64/syslog-ng
Module-Path: /usr/lib64/syslog-ng
Available-Modules: add-contextual-data,affile,afprog,afsocket,afstomp,afuser,appmodel,basicfuncs,cef,confgen,cryptofuncs,csvparser,date,dbparser,disk-buffer,graphite,json-plugin,kvformat,linux-kmsg-format,map-value-pairs,pseudofile,sdjournal,snmptrapd-parser,stardate,syslogformat,system-source,tags-parser,tfgetent,xml
Enable-Debug: off
Enable-GProf: off
Enable-Memtrace: off
Enable-IPv6: on
Enable-Spoof-Source: on
Enable-TCP-Wrapper: on
Enable-Linux-Caps: on
Enable-Systemd: on

The version appears in the first line.
If Syslog-ng is not installed, please refer to the official installation guide.
If the version is older than 3.2, please update your agent.

Download the Loom certificate

This step is not required if you don't intend to encrypt the traffic, or if using the on-premises version.
Create a directory for the certificate and download it:

mkdir -pv /opt/syslog-ng/keys/ca.d
cd /opt/syslog-ng/keys/ca.d/
curl -O https://static.loomsystems.com/loom.cer

Configure the agent

Edit the configuration file, located under /etc/syslog-ng/syslog-ng.conf.
Add destination and log clauses, and optionally a source clause as well:

source s_loom {
    system(); # system logs
    internal(); # syslog-ng logs
};

template loomTemplate {
    template("<${PRI}>1 ${ISODATE} ${HOST} ${PROGRAM} ${PID} ${MSGID} [LOOM@12345 loomApplication=\"<app-name>\"] $MSG\n");
    template_escape(no);
};

destination d_loom {
    tcp("<data-domain>.loomsystems.com"
        port(6514)
        tls(peer-verify(required-untrusted) ca_dir('/opt/syslog-ng/keys/ca.d/'))
        template(loomTemplate)
    );
};

log {
    source(s_loom);
    destination(d_loom);
};

Replace <app-name> with a descriptive name for this server. Add further key-value pairs to help map and structure these events in Sophie.
Replace <data-domain> with your data domain, e.g. example-data.loomsystems.com.
If you do not want to encrypt the traffic, change the port from 6514 to 514, and remove the tls line.
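
As an added example (not part of Loom's documentation), the shell function below audits the destination blocks of a syslog-ng configuration for the two transport choices described above: plaintext on port 514, and TLS with peer-verify set to an untrusted mode. The sample configuration is constructed, and the d_strict destination with required-trusted is a hypothetical variant, not a setting the page confirms for this service.

```shell
# Audit syslog-ng destination blocks for transport weaknesses.
# Prints one "<destination>: <finding>" line per network destination and
# returns 1 if any block is plaintext or accepts an unvalidated certificate.
audit_destinations() {
    awk '
    /^[ \t]*destination[ \t]+[A-Za-z0-9_-]+[ \t]*[{]/ {
        name = $2; sub(/[{].*/, "", name)
        in_dest = 1; net = 0; tls = 0; untrusted = 0
    }
    in_dest && /(tcp|network|syslog)[ \t]*\(/          { net = 1 }
    in_dest && /tls[ \t]*\(/                           { tls = 1 }
    in_dest && /peer[-_]verify[ \t]*\([^)]*untrusted/  { untrusted = 1 }
    in_dest && /^[ \t]*[}];/ {
        # With tls() and no peer-verify(), syslog-ng defaults to required-trusted.
        if (net && !tls)    { print name ": plaintext (no tls() block)"; bad = 1 }
        else if (untrusted) { print name ": tls, peer certificate not validated"; bad = 1 }
        else if (net)       { print name ": tls, peer certificate validated" }
        in_dest = 0
    }
    END { exit (bad ? 1 : 0) }
    ' "$1"
}

# Constructed sample: the destination from this page, its unencrypted
# variant, and a hypothetical required-trusted variant (an assumption).
sample_conf=$(mktemp)
cat > "$sample_conf" <<'EOF'
destination d_loom {
    tcp("example-data.loomsystems.com"
        port(6514)
        tls(peer-verify(required-untrusted) ca_dir('/opt/syslog-ng/keys/ca.d/'))
    );
};
destination d_plain {
    tcp("example-data.loomsystems.com" port(514));
};
destination d_strict {
    tcp("example-data.loomsystems.com"
        port(6514)
        tls(peer-verify(required-trusted) ca_dir('/opt/syslog-ng/keys/ca.d/'))
    );
};
log { source(s_loom); destination(d_loom); };
EOF
audit_destinations "$sample_conf" || echo "review the findings listed above"
```

With required-untrusted the server must present a certificate, but syslog-ng accepts it even when it cannot be validated against ca_dir, so the traffic is encrypted without the server being authenticated.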

Restart the agent

To make the changes take effect, restart the agent by running:

rcsyslog restart
# or, alternatively:
systemctl restart syslog

Shipping files

When shipping files, add a source clause and a custom template that includes the filename:

source s_myapp {
  wildcard-file(
    base-dir("/var/log/myapp/")
    filename-pattern("*log")
    flags(no-parse)
  );
};
destination d_myapp_loom {
    tcp("<data-domain>.loomsystems.com"
        port(6514)
        tls(peer-verify(required-untrusted) ca_dir('/opt/syslog-ng/keys/ca.d/'))
        template("<${PRI}>1 ${ISODATE} ${HOST} ${PROGRAM} ${PID} ${MSGID} [LOOM@12345 loomApplication=\"<app-name>\" filename=\"${FILE_NAME}\"] $MSG\n")
        persist-name("myapp")
    );
};

Make sure to add the destination to your log clause, e.g.:

log { 
    source(s_myapp);
    destination(d_myapp_loom);
};