A syslog-ng container that listens for network device configuration change events and forwards them to the agent.
Overview
This container:
- Receives syslog messages via TCP (port 6601) and UDP (port 5514)
- Filters for device configuration change events from various vendors
- Aggregates messages per host (30s window)
- Forwards matching events as JSON to a configurable agent
Supported Devices
Config change detection filters are included for:
| Vendor | Filter Pattern |
|---|---|
| Alcatel OmniSwitch | write memory |
| Arista EOS | Startup config saved |
| Aruba CX | Copying configs from: running-config to: startup-config |
| Aruba MC | COMMAND:<write memory> |
| Avaya ERS | bsnConfigurationSavedToNvram |
| F5 BIG-IP | status=[Command OK] cmd_data=save |
| Checkpoint MGMT | Processing : save configuration |
| Cisco IOS/IOS-XE | Configured / CONFIG-5-CONFIG_SAVE |
| Cisco Nexus | Configured from |
| Cisco XR | Configuration committed |
| HP Comware 5 | Configuration is saved successfully |
| HP Comware 7 | SHELL_CMD_CONFIRM: Confirm option of command save |
| Juniper Junos | commit complete |
| Palo Alto PAN-OS | Commit job succeeded |
| Fortinet | action="Edit" |
| A10 | configuration successfully saved |
Configuration
Environment Variables
| Variable | Description | Default |
|---|---|---|
HOSTNAME | Required. Target host/container for forwarding | – |
PUID | User ID for syslog-ng process | 911 |
PGID | Group ID for syslog-ng process | 911 |
Ports
| Port | Protocol | Description |
|---|---|---|
| 6601 | TCP | Syslog input (RFC 5424) |
| 5514 | UDP | Syslog input (RFC 5424) |
Output
Filtered messages are forwarded to $HOSTNAME:5001 via TCP as JSON:
{"date":"2024-01-15T10:30:00+00:00","host":"switch01","message":"commit complete",...}Usage
Docker Compose
services:
syslog-ng:
environment:
- HOSTNAME: agent # name of your agent container
ports:
- "6601:6601/tcp"
- "5514:5514/udp"
volumes:
- syslog:/var/lib/syslog-ng
volumes:
syslog:Log Files
All incoming messages are logged locally for debugging:
| File | Content |
|---|---|
/var/log/messages | Raw syslog messages |
/var/log/messages-kv.log | Messages with all parsed key-value pairs |