syslog-ng Open Source Edition


7.14. osquery: Sending log messages to osquery's syslog table

The osquery() driver sends log messages to osquery's syslog table.

The syslog table contains logs forwarded over a named pipe from syslog-ng. When an osquery process that supports the syslog table starts up, it creates (and properly sets permissions for) a named pipe for syslog-ng to write to.
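As an added example (not code from the syslog-ng documentation or the osquery project), the Python script below is a pre-flight check for the pipe described above: before syslog-ng is pointed at the path, it verifies that the path is really a FIFO and that other local users cannot read from or write to it, then demonstrates the check on constructed pipes in a temporary directory. The function names, messages and the 0600 expectation are assumptions of this example.

```python
import os
import stat
import tempfile

# Hypothetical pre-flight check (example code, not from syslog-ng or osquery):
# before syslog-ng is configured to write to osquery's named pipe, make sure the
# path is a FIFO that other local users can neither read from nor write to.
def check_syslog_pipe(path, expected_uid=None):
    """Return a list of problems found; an empty list means the pipe looks safe."""
    problems = []
    try:
        st = os.lstat(path)  # lstat: a symlink planted at the path must not be followed
    except FileNotFoundError:
        return ["pipe does not exist: osquery has not created it, or another path was configured"]
    if stat.S_ISLNK(st.st_mode):
        problems.append("path is a symlink, not the pipe osquery created")
    elif not stat.S_ISFIFO(st.st_mode):
        problems.append("path is not a FIFO: syslog-ng would write to a regular file or device")
    if st.st_mode & stat.S_IWOTH:
        problems.append("world-writable: any local user could inject rows into the syslog table")
    if st.st_mode & stat.S_IROTH:
        problems.append("world-readable: any local user could read the forwarded logs")
    if expected_uid is not None and st.st_uid != expected_uid:
        problems.append("owned by uid %d, expected uid %d" % (st.st_uid, expected_uid))
    return problems


def demo():
    """Run the check against constructed pipes in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        good = os.path.join(tmp, "syslog_pipe")
        os.mkfifo(good)
        os.chmod(good, 0o600)      # owner-only, the mode this example assumes osquery sets
        loose = os.path.join(tmp, "loose_pipe")
        os.mkfifo(loose)
        os.chmod(loose, 0o666)     # constructed misconfiguration: readable and writable by all
        plain = os.path.join(tmp, "not_a_pipe")
        open(plain, "w").close()   # constructed mistake: a regular file at the pipe path
        return {
            "good": check_syslog_pipe(good, expected_uid=os.getuid()),
            "loose": check_syslog_pipe(loose),
            "plain": check_syslog_pipe(plain),
            "missing": check_syslog_pipe(os.path.join(tmp, "absent_pipe")),
        }


if __name__ == "__main__":
    for name, problems in demo().items():
        print(name, "->", problems or "OK")
```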

Example 7.30. Using the osquery() destination driver

Run osqueryi:

osqueryi --enable_syslog

To store the database on disk:

osqueryi --enable_syslog

To set up a custom named pipe:

osqueryi --enable_syslog

Example configuration:

@version: 3.12
@include "scl.conf"

source s_net {
  # The body of this source is not shown on this page; assumed here:
  # local system logs plus syslog-ng's own internal messages.
  system();
  internal();
};

destination d_osquery {
  # custom pipe path (assumed placeholder; must match the pipe osquery was started with):
  #osquery(pipe("/path/to/osquery.pipe"));

  # backup outgoing logs:
  #osquery(file("/var/log/osquery_inserts.log" template(t_osquery)));

  # defaults
  osquery();
};

log {
  source(s_net);
  destination(d_osquery);
};