
syslog-ng Premium Edition 6.0.17 - Administration Guide


Versions and releases of syslog-ng PE

As of June 2011, the following release policy applies to syslog-ng Premium Edition:

  • Long Term Supported or LTS releases (for example, syslog-ng Agent 4 LTS) are supported for 3 years after their original publication date and for 1 year after the next LTS release is published (whichever date is later). The second digit of the revisions of such releases is 0 (for example, syslog-ng PE 4.0.1). Maintenance releases to LTS releases contain only bugfixes and security updates.

  • Feature releases (for example, syslog-ng Agent 4 F1) are supported for 6 months after their original publication date and for 2 months after the succeeding Feature or LTS release is published (whichever date is later). Feature releases contain enhancements and new features, typically 1-3 new features per release. Only the latest feature release is supported: when a new feature release comes out, the previous one becomes unsupported.

    Caution:

    Downgrading from a feature release to an earlier (and thus unsupported) feature release, or to the previous LTS release, is officially not supported, but usually works as long as your syslog-ng PE configuration file is valid for the older syslog-ng PE version. However, persistent data such as the position of the last processed message in a file source will probably be lost.

    Logstore files created with a newer version of syslog-ng PE might not be readable with an older version of syslog-ng PE.

Licensing

Licensing benefits

Buying a syslog-ng Premium Edition (syslog-ng PE) license permits you to perform the following:

  • Install one instance of the syslog-ng PE application in server mode to a single host. This host acts as the central log server of the network. You have to install the license file only on this host.

  • Install the syslog-ng PE application in relay or client mode on host computers within your organization (on any supported platform). You cannot redistribute the application to third parties. The total number of hosts permitted to run syslog-ng in relay or client mode is limited by the syslog-ng PE license. The client and relay hosts may use any operating system supported by syslog-ng PE. For details, see the Supported platforms in syslog-ng Premium Edition page.

The syslog-ng Premium Edition license determines the number of individual hosts (also called log source hosts) that can send log messages to syslog-ng PE.

License grants and legal restrictions are fully described in the Software Transaction, License and End User License Agreements. Note that the EULA and the syslog-ng Premium Edition Product Guide apply only to scenarios where the Licensee (the organization who has purchased the product) is the end user of the product. In any other scenario — for example, if you want to offer services provided by syslog-ng Premium Edition to your customers in an OEM or a Managed Service Provider (MSP) scenario — you have to negotiate the exact terms and conditions with One Identity.

Licensing model and modes of operation

A Log Source Host (LSH) is any host, server, or device (including virtual machines, active or passive networking devices, syslog-ng clients and relays, and so on) that is capable of sending log messages. Log Source Hosts are identified by their IP addresses, so virtual machines and vhosts are separately counted.

The syslog-ng Premium Edition application has three distinct modes of operation: Client, Relay, and Server.

  • In Client mode syslog-ng Premium Edition collects local logs generated by the host it is running on, and forwards them through a network connection to the central syslog-ng PE server, a relay, or another network destination. If you install the syslog-ng Premium Edition application in Client mode on a host, it counts as a Log Source Host, even if it does not send log messages to a syslog-ng Premium Edition server.

  • In Relay mode syslog-ng Premium Edition receives logs through the network from Log Source Hosts and forwards them to the central syslog-ng PE server, a relay, or another network destination. If you install the syslog-ng Premium Edition application in Relay mode on a host, it counts as a Log Source Host, even if it does not send log messages to a syslog-ng Premium Edition server.

    Relays cannot store the received log messages in local files, except for the log messages of the relay host. Naturally, relays can use disk-based buffering for every message.

  • In Server mode syslog-ng Premium Edition acts as a central log-collecting server that receives messages through a network connection, and stores them locally, or forwards them to other destinations or external systems (for example, a SIEM or a database). Installing the syslog-ng Premium Edition application in Server mode requires a license file, this license file determines the number of Log Source Hosts that can send log messages to the syslog-ng Premium Edition server.

    Note that what matters is the number of source hosts, not the number of hosts that send messages directly to syslog-ng Premium Edition: every host that sends messages to the server (directly or through a relay) counts as a Log Source Host.

Table 2.1. Modes of operation in syslog-ng PE

                                                              Client mode   Relay mode   Server mode
Collect the local logs of the host                            yes           yes          yes
Forward local logs over the network                           yes           yes          yes
Store local messages in local files                           yes           yes          yes
Receive logs over the network                                 no            yes          yes
Forward received logs over the network                        no            yes          yes
Store received logs in local files                            no            no           yes
Forward logs using special destinations (for example, databases) no         no           yes
Requires license file                                         no            no           yes

Notes about counting the licensed hosts

Caution:
  • If the actual IP address of a host differs from the IP address obtained by resolving its hostname in DNS, the syslog-ng server counts them as two different hosts.

  • The chain-hostnames() option of syslog-ng can interfere with the way syslog-ng PE counts the log source hosts, making syslog-ng believe that more hosts are logging to the central server than actually are, especially if a client sends a hostname in the message that differs from its real hostname (as resolved from DNS). Disable the chain-hostnames() option on your log source hosts to avoid problems related to license counting.

  • If the number of Log Source Hosts reaches the license limit, the syslog-ng PE server will not accept connections from additional hosts. The messages sent by additional hosts will be dropped, even if the client uses a reliable transport method (for example, RLTP).

  • If the no-parse flag is set in a message source on the syslog-ng PE server, syslog-ng PE assumes that the message arrived from the host (that is, from the last hop) that sent the message to syslog-ng PE, and information about the original sender is lost.
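The following configuration fragments are an added illustration of the three cautions above, not configuration shipped with syslog-ng PE or taken from this guide. The hostnames, ports and file names are placeholders. The client/relay side disables chain-hostnames() and keeps the originating HOST field intact; the server side keeps the client-supplied hostname and deliberately does not set the no-parse flag on the network source, so the original sender rather than the last hop is counted as the Log Source Host.

```conf
# --- Log source host (client or relay mode), assumed file /etc/syslog-ng/syslog-ng.conf ---
@version: 6.0

options {
    chain-hostnames(no);   # do not prepend this host's name to the HOST field of relayed messages
    keep-hostname(yes);    # forward the HOST field as received instead of rewriting it
    use-dns(no);           # do not re-resolve sender addresses on this hop
};

source s_local {
    system();              # local logs of this host (platform-specific sources)
    internal();            # syslog-ng's own messages
};

# Placeholder server name and the default syslog() TCP port.
destination d_central {
    syslog("logserver.example.com" transport("tcp") port(601));
};

log { source(s_local); destination(d_central); };

# --- Central server (server mode), assumed file /etc/syslog-ng/syslog-ng.conf ---
# @version: 6.0
#
# options {
#     keep-hostname(yes);  # count the host named in the message, not the relay that delivered it
# };
#
# source s_network {
#     # No flags(no-parse) here: with no-parse, every message would be attributed
#     # to the last hop (the relay), and the original sender would be lost.
#     syslog(ip(0.0.0.0) port(601) transport("tcp"));
# };
#
# destination d_store { file("/var/log/remote/${HOST}/messages"); };
#
# log { source(s_network); destination(d_store); };
```

After applying such a configuration, check on the server that the ${HOST} macro of messages arriving through a relay still carries the original client's name (for example by inspecting the directory names created by the file() destination above); a HOST value of the form "relay/client" indicates chain-hostnames() is still enabled somewhere on the path.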

Licensing examples

Example 2.1. A simple example

Scenario: 

  • You want to install syslog-ng PE in server mode on a log server.

  • 45 servers with syslog-ng PE installed in client mode send logs to the syslog-ng PE log server.

  • 45 network devices without syslog-ng PE installed send logs to the syslog-ng PE log server.

License requirements: You need a syslog-ng Premium Edition license for at least 100 Log Source Hosts (LSHs), as there are 90 LSHs (45+45=90) in this scenario.


Example 2.2. High Availability (HA) cluster

Scenario: 

  • You want to install syslog-ng PE in server mode on two hosts that run as an active-passive high-availability cluster.

  • 45 servers with syslog-ng PE installed in client mode send logs to the syslog-ng PE log server.

  • 45 network devices without syslog-ng PE installed send logs to the syslog-ng PE log server.

License requirements: You need a syslog-ng Premium Edition license for at least 100 Log Source Hosts (LSHs), as there are 90 LSHs (45+45=90) in this scenario. You also need a High Availability (HA) license for the passive log server.


Example 2.3. Using alternative log servers with syslog-ng PE clients

Scenario: 

  • You want to install syslog-ng PE in server mode on a log server.

  • 45 servers with syslog-ng PE installed in client mode send logs to the syslog-ng PE log server.

  • 45 network devices without syslog-ng PE installed send logs to the syslog-ng PE log server.

  • 100 servers with syslog-ng PE installed send log messages to a log server without syslog-ng PE installed.

License requirements: You need a syslog-ng Premium Edition license for at least 200 LSHs, as there are 190 LSHs in this scenario: 45+45 that send logs to the syslog-ng PE log server, plus another 100 that run syslog-ng PE (45+45+100=190).


Example 2.4. Using syslog-ng PE relays

Scenario: 

  • You want to install syslog-ng PE in server mode on a log server.

  • 45 servers with syslog-ng PE installed in client mode send logs directly to the syslog-ng PE log server.

  • 5 servers with syslog-ng PE installed in relay mode send logs to the syslog-ng PE log server.

  • Every syslog-ng PE relay receives logs from 9 network devices without syslog-ng PE installed (a total of 45 devices).

  • 100 servers with syslog-ng PE installed send log messages to a log server without syslog-ng PE installed.

License requirements: You need a syslog-ng Premium Edition license for at least 200 LSHs, as there are 195 LSHs (45+5+(5*9)+100=195) in this scenario.


Example 2.5. Multiple facilities

You have two facilities (for example data centers or server farms). Facility 1 has 75 AIX servers and 20 Microsoft Windows hosts, Facility 2 has 5 HP-UX servers and 40 Debian servers. That is 140 hosts altogether.

NOTE:

If, for example, the 40 Debian servers at Facility 2 are each running 3 virtual hosts, then the total number of hosts at Facility 2 is 125, and the license sizes in the following examples should be calculated accordingly.

  • Scenario: The log messages are collected to a single, central syslog-ng PE log server.

    License requirements: You need a syslog-ng Premium Edition license for 150 LSHs, as there are 140 LSHs (75+20+5+40) in this scenario.

  • Scenario: Each facility has its own syslog-ng PE log server, and there is no central log server.

    License requirements: You need two separate licenses: one for at least 95 LSHs (75+20) at Facility 1, and one for at least 45 LSHs (5+40) at Facility 2. In practice this means a license for 100 LSHs at Facility 1 and a license for 50 LSHs at Facility 2.

  • Scenario: The log messages are collected to a single, central syslog-ng PE log server. Facility 1 and 2 each have a syslog-ng PE relay that forwards the log messages to the central syslog-ng PE log server.

    License requirements: You need a syslog-ng Premium Edition license for 150 LSHs, as there are 142 LSHs (1+75+20+1+5+40) in this scenario (the relays are also counted as LSHs).

  • Scenario: Each facility has its own local syslog-ng PE log server, and there is also a central syslog-ng PE log server that collects every log message independently of the two local log servers.

    License requirements: You need three separate licenses: a syslog-ng Premium Edition license for at least 95 LSHs (75+20) at Facility 1, a license for at least 45 LSHs (5+40) at Facility 2, and a license for at least 147 LSHs for the central syslog-ng Premium Edition log server (assuming that you want to collect the logs of the local log servers as well).


GPL and LGPL licenses

Starting with version 4 F1, the syslog-ng Premium Edition application is based on the syslog-ng Open Source Edition application, and includes elements that are licensed under the LGPL or GPL licenses. You can download the core of syslog-ng PE here. The components located under the /lib directory are licensed under the GNU Lesser General Public License Version 2.1 license, while the rest of the codebase is licensed under the GNU General Public License Version 2 license. External libraries and other dependencies used by syslog-ng PE have their own licenses, typically GPL, LGPL, MIT, or BSD.

Appendix C, Open source licenses includes the text of the licenses applicable to syslog-ng Premium Edition.

High availability support

Multiple syslog-ng servers can be run in fail-over mode. The syslog-ng application does not include any internal support for this; clustering support must be implemented at the operating system level. One tool that can be used to create UNIX clusters is Heartbeat (for details, see this page).

One Identity also has a log server appliance called syslog-ng Store Box that supports high-availability. For details, see the syslog-ng Store Box Product Page.
