The official syslog-ng container image is based on Debian Stable. However, we’ve been getting requests for an RPM-based image for many years. So, I made an initial version available based on Alma Linux and now I need your feedback about it!
This image uses the “init” variant of Alma Linux 9 containers as a base image. What does this mean? Well, it uses systemd service management inside, making it possible to run multiple services from a single container. While only syslog-ng is included right now, I also plan to add the syslog-ng Prometheus exporter to the image.
Note that while the example command lines show Docker, I also tested it using Podman.
Why not RHEL UBI?
I want everyone to be able to rebuild the image from scratch (Dockerfile). When using RHEL UBI as a base image, you have to run RHEL to build the container image based on RHEL UBI, as certain repositories cannot be enabled without a Red Hat subscription. While many syslog-ng users use RHEL to run syslog-ng, even more of them use one of the RHEL-compatible operating systems, like Alma Linux, CentOS, or Rocky Linux. Using Alma Linux as a base image ensures that you do not need an RHEL subscription to rebuild the image locally.
Needless to say: if you use RHEL, you can easily modify the Dockerfile to use RHEL UBI as a base image.
Why version 9?
Yes, I know that RHEL 8 and its compatibles are still more popular than version 9. However, version 8 includes ancient software versions both in the base OS and in EPEL. With RHEL 9 as a base, a lot more syslog-ng features can be enabled.
Which syslog-ng features are included?
All features that can be compiled on RHEL 9, except for Java support. It’s missing because that would significantly enlarge an already huge container. If you really need it, just add syslog-ng-java to the package list in the Dockerfile and build the image yourself.
I also plan to add the syslog-ng Prometheus exporter to the image. It is small, just a few lines of Python script.
You can list the enabled modules with the following command:
czplaptop:~ # docker run -it --rm --name syslog-ng czanik/syslog-ng:alma9_481 /usr/sbin/syslog-ng -V
syslog-ng 4 (4.8.1.7.g6113797)
Config version: 4.2
Installer-Version: 4.8.1.7.g6113797
Revision:
Compile-Date: Oct 3 2024 00:00:00
Module-Directory: /usr/lib64/syslog-ng
Module-Path: /usr/lib64/syslog-ng
Include-Path: /usr/share/syslog-ng/include
Available-Modules: add-contextual-data,afamqp,affile,afmongodb,afprog,afsmtp,afsocket,afstomp,afuser,appmodel,azure-auth-header,basicfuncs,cef,cloud_auth,confgen,correlation,cryptofuncs,csvparser,disk-buffer,ebpf,examples,geoip2-plugin,graphite,hook-commands,http,json-plugin,kafka,kvformat,linux-kmsg-format,loki,map-value-pairs,metrics-probe,mod-python,otel,pacctformat,pseudofile,rate-limit-filter,redis,regexp-parser,riemann,sdjournal,secure-logging,stardate,syslogformat,system-source,tags-parser,tfgetent,timestamp,xml
Enable-Debug: off
Enable-GProf: off
Enable-Memtrace: off
Enable-IPv6: on
Enable-Spoof-Source: on
Enable-TCP-Wrapper: off
Enable-Linux-Caps: on
Enable-Systemd: on
czplaptop:~ #
Configuration
This container includes the exact same configuration as the official syslog-ng container image. You can check it at https://github.com/syslog-ng/syslog-ng/blob/master/docker/syslog-ng.conf. The Dockerfile opens four ports to collect log messages:
- 514 UDP and TCP for RFC3164 log messages
- 601 TCP for RFC5424 log messages
- 4317 TCP for OpenTelemetry (not used in the default configuration)
- 6514 TCP TLS for encrypted RFC5424 log messages (does not work out of the box)
All logs are saved into two files: /var/log/messages and /var/log/messages-kv, the latter of which also stores all name-value pairs received.
Of course, not many people run syslog-ng using the default configuration. You can map your own custom syslog-ng.conf to /etc/syslog-ng/syslog-ng.conf to use your own configuration.
Testing your configuration
If you have a test syslog-ng configuration in the /tmp directory, you can test it by mounting it as a volume into the container and running syslog-ng with the syntax-check option. If you are lucky, there is no output at all:
czplaptop:~ # docker run -it --rm -v /tmp/syslog-ng.conf:/etc/syslog-ng/syslog-ng.conf -p 514:514/udp -p 601:601 --name syslog-ng czanik/syslog-ng:alma9_481 /usr/sbin/syslog-ng --no-caps -s
czplaptop:~ #
Note the --no-caps option. It silences an error message. Without it, the output of the above command would be:
czplaptop:~ # docker run -it --rm -v /tmp/syslog-ng.conf:/etc/syslog-ng/syslog-ng.conf -p 514:514/udp -p 601:601 --name syslog-ng czanik/syslog-ng:alma9_481 /usr/sbin/syslog-ng -s
syslog-ng: Error setting capabilities, capability management disabled; error='Operation not permitted'
Adding a startup parameter permanently
As you could see from the previous paragraphs, syslog-ng needs the --no-caps parameter to run in a container. Normally, when you start the syslog-ng container, syslog-ng is started by init. You cannot pass parameters from the command line. This can be solved by adding parameters to the /etc/sysconfig/syslog-ng file. By default, it already has the --no-caps parameter:
SYSLOGNG_OPTS="--no-caps"
If you want more parameters, like extra log messages from syslog-ng, you can create a file with this content and add the extra parameters to it. Note that not all syslog-ng parameters make sense when you have a proper init in a container. For example, verbose logging does not work: you have to call syslog-ng directly for that, like in the syntax check case. However, you can use a different configuration file, among others.
Once you saved the file, you have to map it into the container:
docker run -v /tmp/syslog-ng:/etc/sysconfig/syslog-ng czanik/syslog-ng
SELinux
If you use volume mapping to store your logs outside the container, you will run into trouble on SELinux-enabled systems. Many organizations simply disable SELinux, as it can greatly complicate life. However, you do not have to do so. Tested with Podman on Alma Linux 8, appending “:Z” to the volume name resolves SELinux problems:
docker run -d -v /data/log/:/var/log:Z -p 514:514 czanik/syslog-ng
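The syntax check from the "Testing your configuration" section and the ":Z" relabeling from this section combined into one pre-flight script, as an added example that is not part of the original post or the czanik/syslog-ng project. It assumes the image tag from the post, that docker (or podman, via ENGINE) is on the PATH, and that getenforce reports the host's SELinux mode; the function names are this example's own.

```shell
#!/bin/sh
# Added example: pre-flight a custom syslog-ng.conf against the Alma Linux image
# before deploying it. Runs the same "--no-caps -s" syntax check the post shows,
# and appends ":Z" to the bind mount only when the host enforces SELinux.
set -eu

IMAGE="${IMAGE:-czanik/syslog-ng:alma9_481}"   # tag used in the post
ENGINE="${ENGINE:-docker}"                     # "podman" works the same way

# SELinux mode: SELINUX_MODE overrides (useful for tests), else ask getenforce.
selinux_mode() {
    if [ -n "${SELINUX_MODE:-}" ]; then
        printf '%s\n' "$SELINUX_MODE"
    elif command -v getenforce >/dev/null 2>&1; then
        getenforce
    else
        echo Disabled
    fi
}

# Bind-mount flag for a host file; relabel with :Z only when SELinux is active,
# so the container's context may read the config without disabling SELinux.
volume_flag() {
    host="$1"; guest="$2"
    case "$(selinux_mode)" in
        Enforcing|Permissive) printf '%s\n' "-v $host:$guest:Z" ;;
        *)                    printf '%s\n' "-v $host:$guest" ;;
    esac
}

# The command the post runs by hand: syntax-only check (-s), with --no-caps
# because the container is not allowed to manage its own capabilities.
syntax_check_cmd() {
    conf="$1"
    printf '%s run --rm %s --name syslog-ng-check %s /usr/sbin/syslog-ng --no-caps -s\n' \
        "$ENGINE" "$(volume_flag "$conf" /etc/syslog-ng/syslog-ng.conf)" "$IMAGE"
}

# Run the check; syslog-ng exits non-zero on a broken config, so the script does too.
syntax_check() {
    conf="$1"
    [ -r "$conf" ] || { echo "config not readable: $conf" >&2; return 2; }
    eval "$(syntax_check_cmd "$conf")"
}

if [ "${1:-}" ]; then
    syntax_check "$1" && echo "syntax OK: $1"
fi
```

Run it as `./check.sh /tmp/syslog-ng.conf`; a non-zero exit means syslog-ng rejected the file and it should not be mapped into a running container yet.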
A call for testing and feedback
This is just the first version of the Alma Linux-based syslog-ng container. I plan to add Prometheus exporter support soon. And I need your feedback! Does it work for you? Do you miss something? Is there anything that you would do differently about it?
You can reach the Docker image on Docker Hub at https://hub.docker.com/repository/docker/czanik/syslog-ng/general
You can find the Dockerfile at https://github.com/czanik/syslog-ng-ubi
Pull Requests are also welcome! You can share your feedback on GitHub, the syslog-ng mailing list, or also on LinkedIn / Twitter / Mastodon.
-
If you have questions or comments related to syslog-ng, do not hesitate to contact us. You can reach us by email or even chat with us. For a list of possibilities, check our GitHub page under the “Community” section at https://github.com/syslog-ng/syslog-ng. On Twitter, I am available as @PCzanik, on Mastodon as @Pczanik@fosstodon.org.