syslog-ng

One Identity / Balabit

Open-source Unix log collector and forwarder supporting RFC 3164/5424 over UDP/TCP/TLS/RELP.

Tags: Logging & SIEM, Free & Open Source, Agent / Service, Learning, Linux


Description

syslog-ng (One Identity / Balabit) is one of the two dominant Unix syslog daemons. It collects local Unix logs, then filters, parses, and forwards them to central log servers or SIEMs over UDP, TCP, TLS or RELP, in both the legacy RFC 3164 (BSD) format and the structured RFC 5424 format.

Concepts CySA+ candidates often see:

  • Facility and severity levels.
  • Templates for output formatting.
  • TLS transport for log integrity over the network.
  • Reliable Log Transfer Protocol (RELP) for guaranteed delivery.
  • Patterndb for high-performance message classification.
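As an added illustration of the two message formats and the facility/severity encoding listed above (example code written for this entry, not part of syslog-ng), the following Python parser decodes the PRI header and recognises RFC 5424 and RFC 3164 headers. The sample lines, the facility name table and the regular expressions are assumptions built for the example.

```python
import re
from dataclasses import dataclass

# Constructed sample lines, one per format syslog-ng accepts (not real events).
RFC3164_LINE = "<34>Oct 11 22:14:15 host1 sshd[1234]: Failed password for root from 203.0.113.5 port 22"
RFC5424_LINE = '<165>1 2003-10-11T22:14:15.003Z host2 evntslog 1024 ID47 [exampleSDID@32473 iut="3"] An application event'

# Facility codes 0-23 and severity codes 0-7, named as syslog-ng's $FACILITY / $LEVEL macros do.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "security", "console", "solaris-cron",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)
# RFC 5424 header: VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA [MSG]
RFC5424_RE = re.compile(r"^1 (\S+) (\S+) (\S+) (\S+) (\S+) (-|(?:\[.*?\])+) ?(.*)$", re.DOTALL)
# RFC 3164 header: "Mmm dd hh:mm:ss HOSTNAME TAG[PID]: MSG"
RFC3164_RE = re.compile(
    r"^([A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (\S+) ([^:\[\s]+)(?:\[\d+\])?: ?(.*)$", re.DOTALL)

@dataclass
class SyslogMessage:
    rfc: str        # "3164" or "5424"
    facility: str
    severity: str
    host: str
    app: str
    msg: str

def decode_pri(pri: int):
    # PRI = facility * 8 + severity: facility lives in the high bits, severity in the low three.
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI out of range: {pri}")
    return FACILITIES[pri >> 3], SEVERITIES[pri & 7]

def parse(line: str) -> SyslogMessage:
    # Decode the PRI header, then try the RFC 5424 layout before falling back to RFC 3164.
    m = PRI_RE.match(line)
    if not m:
        raise ValueError("missing <PRI> header")
    facility, severity = decode_pri(int(m.group(1)))
    rest = m.group(2)
    if (m5 := RFC5424_RE.match(rest)):
        return SyslogMessage("5424", facility, severity, m5.group(2), m5.group(3), m5.group(7))
    if (m3 := RFC3164_RE.match(rest)):
        return SyslogMessage("3164", facility, severity, m3.group(2), m3.group(3), m3.group(4))
    raise ValueError("unrecognised syslog header")

def at_least(severity: str, threshold: str) -> bool:
    # Lower severity code = more severe; this is the test behind a syslog-ng level(err..emerg) filter.
    return SEVERITIES.index(severity) <= SEVERITIES.index(threshold)
```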

Use cases

  • Centralised Linux log forwarding to a SIEM
  • Compliance-grade log retention pipelines
  • Buffering and rate-limiting in front of an indexer

Example

# /etc/syslog-ng/syslog-ng.conf
# Local system logs plus syslog-ng's own internal messages.
source s_src { system(); internal(); };
# Forward as RFC 5424 over TLS and verify the SIEM's certificate against a trusted CA
# (the CA file path is a placeholder for your deployment).
destination d_siem {
    syslog("siem.internal" transport("tls") port(6514)
        tls(ca-file("/etc/syslog-ng/ca.pem") peer-verify(required-trusted)));
};
log { source(s_src); destination(d_siem); };