I recently posted a Dockerfile to run syslog-ng in an Alma Linux container. I got some encouraging feedback, so this week I experimented with syslog-ng Premium Edition (PE) in a RHEL UBI (Universal Base Image) container. While this is not officially supported by One Identity, we are really interested in your feedback.
Before you begin
If you do not have syslog-ng PE yet, you can get it at https://www.syslog-ng.com/register/115582/ . You also need RHEL with a valid subscription to build the container image. You need Podman and Buildah installed, and also git, unless you want to download files one by one.
The files
You can download the Dockerfile and the related files from GitHub from my personal repo at https://github.com/czanik/syslog-ng-pe-ubi.
The Dockerfile contains all information needed to build the container image. Let’s check some of the most important lines from the file.
FROM registry.access.redhat.com/ubi9/ubi-init
This line means that we use the RHEL Universal Base Image as a base image. It has a couple of variants: “init” means that this image has systemd with service management included. It results in a slightly larger image size, but it also means that unlike the method described in the syslog-ng PE documentation, multiple services can run in the same container. In this case, syslog-ng starts automatically, but optionally you can also enable the syslog-ng Windows Event Collector (WEC) and the syslog-ng Prometheus exporter.
ENV SNGRPM="syslog-ng-premium-edition-8.0.0-1+20250116+1752.rhel9.x86_64.rpm"
Setting this environment variable ensures that you have to set the syslog-ng PE installer filename only once.
The next lines update software in the container, install syslog-ng PE and clean the package management system. (Note that even if we remove the syslog-ng PE installer, it persists in one of the lower layers, enlarging the final container image. I still need to find a workaround for this problem.)
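One possible way around the layer problem described above, shown as an added example that is not part of the original Dockerfile or the linked repository: bind-mount the installer into a single RUN step instead of copying it into the image. It assumes a Buildah/Podman (or BuildKit) version that supports RUN --mount, and that the RPM sits in the root of the build context. The target path /tmp/syslog-ng-pe.rpm is a name chosen here for illustration.

```dockerfile
FROM registry.access.redhat.com/ubi9/ubi-init

# The installer is bind-mounted from the build context for this one RUN step.
# It is never COPYed, so it is not stored in any layer of the final image.
# Assumptions: the RPM is in the root of the build context, and the file name
# below is the SNGRPM value from the article, written out in full.
RUN --mount=type=bind,source=syslog-ng-premium-edition-8.0.0-1+20250116+1752.rhel9.x86_64.rpm,target=/tmp/syslog-ng-pe.rpm \
    dnf -y update && \
    dnf -y install /tmp/syslog-ng-pe.rpm && \
    dnf clean all
```

After building, `docker history ubipe9` lists the size of each layer, which shows whether the installer still takes up space in the image.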
Next, files related to the syslog-ng Prometheus exporter are added. Only the syslog-ng service is enabled in the Dockerfile, and you can easily enable other services later. However, you can also add syslog-ng-wec and sngexporter here, so you do not have to enable these services manually for the container.
Default ports related to syslog-ng PE are collected in the Dockerfile. Note that these are not automagically forwarded from the outside network to the containers. These are just reminders that these ports could be opened by the application(s) running in the container.
The bundled syslog-ng.conf does not collect local logs but opens a couple of network sources.
Building the container
Once you set the name of the installer in the Dockerfile, and optionally also included other services to be enabled, you are ready to build the container. You can name it what you want or skip naming altogether. The following command builds a new container within a few minutes (depending on the network speed):
docker build -t ubipe9 .
Note that while I still use the command name “docker” in my examples, I actually use Podman and Buildah with a compatibility link.
Running the container
There are many options to run the container. You will most likely map some directories from the host or open some ports to collect logs from remote hosts. Here I show only a very basic command line. It starts syslog-ng in the background, and maps the license file into the container from the host:
docker run -d --name=sng -v /data/license.txt:/opt/syslog-ng/etc/license.txt:Z ubipe9
The license file is needed to run syslog-ng PE as a server. Without it, syslog-ng PE can save logs only from local log sources or run in relay mode (forward logs without saving them).
Enabling and disabling services
You have seen how to enable services in the Dockerfile. You can also enable (or disable) WEC or the Prometheus exporter from the command line. The container will keep the changed state as long as you do not rm it. Here is a sample session:
[root@localhost syslog-ng-pe-ubi]# docker run -d --name=sng -v /data/license.txt:/opt/syslog-ng/etc/license.txt:Z ubipe9
e09706c27aa4a10e83959030604473c9f3e2a0d45c8f011256d2a4ae03ba732e
[root@localhost syslog-ng-pe-ubi]# docker exec -ti sng systemctl enable sngexporter
Created symlink /etc/systemd/system/multi-user.target.wants/sngexporter.service → /usr/lib/systemd/system/sngexporter.service.
[root@localhost syslog-ng-pe-ubi]# docker stop sng
sng
[root@localhost syslog-ng-pe-ubi]# docker start sng
sng
[root@localhost syslog-ng-pe-ubi]# docker exec -ti sng /bin/bash
[root@e09706c27aa4 /]# ps aux
USER         PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root           1  0.5  0.3  22072 11648 ?        Ss   09:07   0:00 /sbin/init
root          10  0.0  0.2  35748  9244 ?        Ss   09:07   0:00 /usr/lib/systemd/systemd-journald
root          16  3.1  0.8 375848 32272 ?        Ssl  09:07   0:00 /opt/syslog-ng/libexec/syslog-ng -F --enable-core
root          21  0.6  0.5  25152 18944 ?        Ss   09:07   0:00 python3 /usr/local/bin/sng_exporter.py --socket-path=/opt/syslog-ng/var/syslog-ng.ctl
root          25  0.0  0.0   4840  3712 pts/0    Ss   09:07   0:00 /bin/bash
root          36  0.0  0.0   7552  3200 pts/0    R+   09:07   0:00 ps aux
What is next?
This blog is aimed at helping you get started with syslog-ng PE in a RHEL UBI container. This is still experimental and not officially supported, but your feedback is very welcome, both problem reports and success reports.
If you have questions or comments related to syslog-ng, do not hesitate to contact us. You can reach us by email or even chat with us. For a list of possibilities, check our GitHub page under the “Community” section at https://github.com/syslog-ng/syslog-ng. On Twitter, I am available as @PCzanik, on Mastodon as @Pczanik@fosstodon.org.