Starting from syslog-ng PE version 5.0.4, LTS versions are Federal Information Processing Standards (FIPS)-compliant. Note that only the LTS versions of syslog-ng PE are FIPS-compliant, feature releases are not. For details on the versioning policy of syslog-ng PE see the section called “Versions and releases of syslog-ng PE”.
For the FIPS-compliant version of syslog-ng PE, you are required to use the new license file. It uses SHA-512 algorithm, and therefore is accepted by the FIPS-compliant version. The non-FIPS-compliant syslog-ng PE will accept both the previously released license files and the new license files as well.
The following Linux platforms are supported:
debian-etch, debian-lenny, debian-squeeze
suse-10.1, sles-10.2, sles-11.0, sles-11.1
rhel-4, rhel-5, rhel-6
The FIPS-compliant version of syslog-ng PE is installed using a dedicated installer. The FIPS-compliant syslog-ng PE installer will replace the existing non-FIPS-compliant syslog-ng PE and the tools shipped with it to its FIPS-compliant counterpart. For the supported plaforms both .run and native installers are available. The name of the FIPS-compliant syslog-ng PE installers includes the 'fips' specifier, for example:
Upgrading from a non-FIPS-compliant version of syslog-ng PE to a FIPS-compliant version is simple, in most cases you can use your old configuration files. After starting the FIPS-compliant version of syslog-ng PE, it will print those options in your configuration that cannot be used with the FIPS-compliant version of syslog-ng PE.
To check the version of syslog-ng PE, use the
-V command line option. It will display version details, modules, and enabled options. In the FIPS-compliant version the
Enable-FIPS option is set to
on while in the non-FIPS-compliant version it is set to
The startup message will also indicate this, the FIPS-compliant version of syslog-ng PE will display the following:
The FIPS-compliant syslog-ng PE is compatible with the non-FIPS-compliant version with the following limitations:
The current FIPS-compliant version can only be run on Linux platforms.
The FIPS-compliant version of syslog-ng PE uses only those cryptographic algorithms that are considered to be secure according to the FIPS-140 standard, therefore the support of some hashing and encryption algorithms have been removed (for example MD5 and DES).
Currently there is no database support in the FIPS-compliant version (neither as source nor as destination).
The layout of the Certiface Authority directory (ca-dir) and the Certificate Revocation List directory (crl-dir) cannot be hashed with MD5. If the layout of your Certiface Authority directory (ca-dir) or the Certificate Revocation List directory is hashed with MD5, you must rehash it with SHA-1 to be able to use it with the FIPS-compliant version of syslog-ng PE.
To use verified TLS/SSL communtication in the FIPS-compliant version of syslog-ng PE, you are required to use certificates that are using one of the SHA-1 or SHA-2 algorithms ('SHA-1', 'SHA-224', 'SHA-256', 'SHA-384' or 'SHA-512').
The FIPS-compliant version of syslog-ng PE is unable to use DES or MD5 during the SNMP-authentication.
To use logstore with the FIPS-compliant version of syslog-ng PE you are required to set the cipher to one of the AES-based algorithms and to set the digest to one of the SHA-1 or SHA-2 algorithms ('SHA-1', 'SHA-224', 'SHA-256', 'SHA-384' or 'SHA-512').
With the FIPS-compliant version of syslog-ng PE, you will be unable to use the previously generated logstores that do not meet the abovementioned requirements. However, previously generated logstores that meet those requirements can be used.
For details on FIPS security functions, see Security Requirements for Cryptographic Modules.
Syslog-ng Premium Edition version 5.0.4 and the subsequent releases may claim FIPS compliance by use of the OpenSSL FIPS Object Module v2.0.5 cryptographic component. This component was certified by the Open Source Software Institute and obtained the FIPS-140-2 validation Level 1 (certificate number 1747) from the U.S. National Institute of Standards and Technology (NIST) and the Communications Security Establishment Canada (CSEC).
The FIPS-compliant version of syslog-ng Premium Edition v5.0.4 and the subsequent releases exclusively use the OpenSSL FIPS Object Module indicated above for crypthograpy. The build process of the FIPS-compliant version of syslog-ng Premium Edition complies with the OpenSSL FIPS 140-2 Security Policy Version 2.0.5f.
The syslog-ng PE application can send and receive log messages in a reliable way over the TCP transport layer using the Reliable Log Transfer Protocol™ (RLTP™). RLTP™ is a proprietary transport protocol that prevents message loss during connection breaks. The transport is used between syslog-ng PE hosts (for example, a client and a server, or a client-relay-server), and interoperates with the flow-control and reliable disk-buffer mechanisms of syslog-ng PE, thus providing the best way to prevent message loss. The sender detects which messages has the receiver successfully received. If messages are lost during the transfer, the sender resends the missing messages, starting from the last successfully received message. Therefore, messages are not duplicated at the receiving end in case of a connection break (however, in failover mode this is not completely ensured). RLTP™ also allows to receive encrypted and non-encrypted connections on the same port, using a single source driver.
Because of the communication overhead, the RLTP™ protocol is slower than other transport protocols, which might be a problem if you need to collect a high amount (over 200000 messages per second) of log messages on your log server. For performance details of syslog-ng PE see the syslog-ng Premium Edition Performance Guideline at the syslog-ng Documentation page.
Make sure that you have set the value of the
In the following cases, it is possible to lose log messages even if you use RLTP™:
The RLTP™ protocol works on top of TCP, and can use STARTTLS for encryption. RLTP™ supports IPv4 and IPv6 addresses. Inside the RLTP™ message, the message can use any format, for example, RFC3164 (BSD-syslog) or RFC5424 (IETF-syslog). The default port of RLTP™ is
RLTP™ can be added to the configuration like a transport protocol within the
syslog() driver and the
Procedure 12.1. How RLTP™ connections work
This procedure summarizes how two syslog-ng PE hosts (a sender and a receiver) communicate using the Reliable Log Transfer Protocol™ (RLTP™).
The sender (also called the client) is the host that has RLTP™ configured in its destination driver. The receiver (also called the server) is the host that has RLTP™ configured in its source driver.
The sender initiates the connection to the receiver.
The sender and the receiver negotiate whether to encrypt the connection and to use compression or not.
If the connection should be encrypted, the sender and the receiver perform authentication (as configured in the
tls() options of their configuration).
If the sender and the receiver have communicated earlier using RLTP™, the receiver indicates which was the last message received from the sender.
The sender starts sending messages in batches. Batch size depends on the
flush-lines() parameter of the sender.
For optimal performance when sending messages to an syslog-ng PE server, make sure that the
flush-lines() is smaller than the window size set using the
log-iw-size() option in the source of your server.
When the receiver has successfully processed the messages in the batch, it sends an acknowledgement of the processed messages to the sender.
What "successfully processed" means depends on the configuration of the receiver, for example, written to disk in a destination, forwarded to a remote destination using notRLTP™, dropped because of filter settings, or written to the disk-buffer. (If the messages are forwarded using RLTP™, see the section called “Using RLTP™ in a client-relay-server scenario”.)
After receiving the acknowledgement, the sender sends another batch of messages.
You can use RLTP™ between multiple syslog-ng PE hosts, for example, in a client-relay-server scenario. In such case, the communication described in Procedure 12.1, “How RLTP™ connections work” applies both between the client and the relay, and the relay and the server. However, note the following points:
Unless you use disk-buffer on the relay, the relay waits for acknowledgement from the server before acknowledging the messages to the client. If you send the messages in large batches, and the server can process the messages slowly (or the network connection is slow), you might have to adjust the
message-acknowledgement-timeout() on the client.
If you use reliable disk-buffer on the relay, the relay will acknowledge the messages when the messages are written to the disk-buffer. That way, the client does not have to wait while the server acknowledges the messages.