Recently we enabled nightly syslog-ng builds and container builds for arm64. This means that from now on, you can run the latest syslog-ng on 64-bit ARM platforms.
Before you begin
For this test, I used a Raspberry Pi 3 running the latest Raspberry Pi OS. As I use Podman everywhere else (I am an openSUSE / Fedora guy), I also installed it here for container management.
Running syslog-ng nightly in a container
Support for arm64 was added after the last syslog-ng release, which means that at the time of writing, there is no arm64 syslog-ng package available for the latest release, only for the nightly builds. Make sure that you use the “nightly” tag, otherwise Podman will download an x86 image (well, at least until the next release), and complain about the wrong architecture only at the end.
This first command downloads the container image from Docker Hub and prints some syslog-ng version information. Note that the registry host name is also included, as the Podman package does not come with a pre-configured registry.
root@raspberrypi:~# podman run -ti docker.io/balabit/syslog-ng:nightly -V
Trying to pull docker.io/balabit/syslog-ng:nightly...
Getting image source signatures
Copying blob 52daf8b0f06f done
[...]
Starting syslog-ng with params: -V
syslog-ng 4 (4.8.1.224.g600b1e8)
Config version: 4.2
Installer-Version: 4.8.1.224.g600b1e8
Revision: 4.8.1.224.g600b1e8-snapshot+20250313T232005
Compile-Date: Mar 13 2025 23:20:05
Module-Directory: /usr/lib/syslog-ng/4.8
Module-Path: /usr/lib/syslog-ng/4.8
Include-Path: /usr/share/syslog-ng/include
Available-Modules: otel,map-value-pairs,afamqp,bigquery,tags-parser,kafka,rate-limit-filter,loki,afsmtp,json-plugin,affile,redis,sdjournal,clickhouse,afsnmp,secure-logging,afstomp,afmongodb,afsocket,mqtt,disk-buffer,mod-python,graphite,kvformat,afsql,timestamp,examples,metrics-probe,geoip2-plugin,linux-kmsg-format,riemann,cryptofuncs,http,cloud_auth,correlation,pacctformat,pseudofile,afuser,tfgetent,confgen,hook-commands,add-contextual-data,basicfuncs,regexp-parser,afprog,stardate,csvparser,azure-auth-header,syslogformat,appmodel,system-source,cef,xml
Enable-Debug: off
Enable-GProf: off
Enable-Memtrace: off
Enable-Stackdump: off
Enable-IPv6: on
Enable-Spoof-Source: on
Enable-TCP-Wrapper: on
Enable-Linux-Caps: on
Enable-Systemd: on
The following command starts syslog-ng with the default configuration running in the foreground and printing debug messages on the terminal. Creating a proper syslog-ng configuration and setting up storage is not in the scope of this blog, but using this setup you can still verify that syslog-ng works as expected:
root@raspberrypi:~# podman run -it -p 514:514/udp -p 601:601 --name syslog-ng docker.io/balabit/syslog-ng:nightly -edv
At the end of many lines of debug messages, you should see several lines indicating that syslog-ng is ready to receive network connections. For example:
[2025-03-14T12:33:15.414977] Accepting connections; addr='AF_INET(0.0.0.0:601)'
Port 601 is expecting RFC5424 formatted log messages with octet counting over a TCP connection. You can send a test message using this command from another terminal:
logger -n 127.0.0.1 -P 601 -T --octet-count this is a test
On the terminal where syslog-ng is running, you should see something similar in the debug logs:
[2025-03-14T12:38:08.805320] Syslog connection accepted; fd='19', client='AF_INET(10.88.0.1:59612)', local='AF_INET(0.0.0.0:601)'
[2025-03-14T12:38:08.806800] Incoming log entry; input='<13>1 2025-03-14T13:38:08.805035+01:00 raspberrypi root - - [timeQuality tzKnown="1" isSynced="1" syncAccuracy="319500"] this is a test', msg='0x7f93510000', rcptid='0'
[2025-03-14T12:38:08.806800] json-parser(): no marker at the beginning of the message, skipping JSON parsing ; input='this is a test', marker='@cee:'
[2025-03-14T12:38:08.806800] json-parser(): no marker at the beginning of the message, skipping JSON parsing ; input='this is a test', marker='@cim:'
[2025-03-14T12:38:08.831167] Initializing destination file writer; template='/var/log/messages', filename='/var/log/messages', symlink_as='(null)'
[2025-03-14T12:38:08.851750] Initializing destination file writer; template='/var/log/messages-kv.log', filename='/var/log/messages-kv.log', symlink_as='(null)'
[2025-03-14T12:38:08.852912] Syslog connection closed; fd='19', client='AF_INET(10.88.0.1:59612)', local='AF_INET(0.0.0.0:601)'
[2025-03-14T12:38:08.854588] Outgoing message; message='2025-03-14T13:38:08.805+01:00 host .SDATA.timeQuality.isSynced=1 .SDATA.timeQuality.syncAccuracy=319500 .SDATA.timeQuality.tzKnown=1 HOST=host HOST_FROM=host MESSAGE="this is a test" MSGFORMAT=rfc5424 PROGRAM=root SOURCE=s_network TRANSPORT=rfc6587\x0a'
[2025-03-14T12:38:08.854588] Outgoing message; message='Mar 14 13:38:08 host root: this is a test\x0a'
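The octet-counted framing that port 601 expects, as an added example (not part of the original post and not syslog-ng's own code): it builds a frame the way RFC 6587 describes and splits a received byte stream back into messages, including a frame cut short and a message sent without a length prefix. The sample message is constructed, and the `send()` default address assumes the container started above.

```python
import socket

# Constructed sample, modeled on the test message above (structured data omitted).
SAMPLE = "<13>1 2025-03-14T13:38:08.805035+01:00 raspberrypi root - - - this is a test"

def frame(msg: str) -> bytes:
    """RFC 6587 octet counting: decimal byte count, one space, then the message."""
    body = msg.encode("utf-8")  # the count is in octets, not characters
    return str(len(body)).encode("ascii") + b" " + body

def deframe(buf: bytes, max_len: int = 65536):
    """Split a received byte stream into complete messages.

    Returns (messages, leftover); leftover is an incomplete frame to keep
    until more data arrives. Raises ValueError on a malformed length prefix,
    which is also what a newline-terminated (unframed) message looks like.
    """
    msgs = []
    while buf:
        sp = buf.find(b" ")
        prefix = buf if sp == -1 else buf[:sp]
        # MSG-LEN is a non-zero digit followed by digits, nothing else.
        if not prefix.isdigit() or prefix.startswith(b"0"):
            raise ValueError(f"bad length prefix: {prefix[:16]!r}")
        if int(prefix) > max_len:
            raise ValueError("declared length exceeds limit")
        if sp == -1:
            break  # length digits still arriving
        end = sp + 1 + int(prefix)
        if len(buf) < end:
            break  # message body still arriving
        msgs.append(buf[sp + 1:end].decode("utf-8", "replace"))
        buf = buf[end:]
    return msgs, buf

def send(msg: str, host: str = "127.0.0.1", port: int = 601) -> None:
    """Send one framed message to the listener (address is an assumption)."""
    with socket.create_connection((host, port), timeout=5) as s:
        s.sendall(frame(msg))

if __name__ == "__main__":
    stream = frame(SAMPLE) + frame("second message")[:6]  # second frame cut short
    print(deframe(stream))
```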
What is next?
As I mentioned earlier, in this blog we only made sure that syslog-ng can start on arm64 in a container and that it can collect log messages over the network. Depending on your environment you will also need to change the configuration and provide some disk space for collected log messages. If you give the nightly arm64 syslog-ng images a try, let us know about your experience!
If you have questions or comments related to syslog-ng, do not hesitate to contact us. You can reach us by email or even chat with us. For a list of possibilities, check our GitHub page under the “Community” section at https://github.com/syslog-ng/syslog-ng. On Twitter, I am available as @PCzanik, on Mastodon as @Pczanik@fosstodon.org.