The Linux Audit Parser can parse the log messages of the Linux Audit subsystem (auditd). The syslog-ng PE application can separate these log messages to name-value pairs. For details, see "Linux audit parser" in the Administration Guide.
The windowsevent() source can now automatically process XML arrays, making the array elements available as name-value pairs. For example, the following XML array becomes available as name-value pairs:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"> <System> <EventID>5059</EventID> </System> <EventData> <Data Name="SubjectUserSid">S-1-5-18</Data> <Data Name="SubjectUserName">WIN-K1678A68SQ6$</Data> </EventData> Name-value pairs: Event.System.EventID = 5059 Event.EventData.SubjectUserSid = S-1-5-18 Event.EventData.SubjectUserName = WIN-K1678A68SQ6$
Installing the syslog-ng Premium Edition application in Docker containers is now officially supported on CentOS 7, Red Hat EL 7.5, and Ubuntu 18.04 (Bionic Beaver) platforms. For details, see "Installing syslog-ng in Docker" in the Administration Guide.
The persist-tool utility is now part of the syslog-ng PE package. For details, see the persist-tool manual page.
HTTPS connection, as well as password- and certificate-based authentication is supported. The content of the events is sent in JSON format.
Version 7.0.12 of syslog-ng PE is now available on the Ubuntu 18.04 platform. Note that the Java-based drivers of syslog-ng PE (used for Apache Kafka, Elasticsearch, HDFS) require Java 8, Java 10 is not supported.
The http() destination now supports load balancing, so a single syslog-ng PE instance can feed log data to multiple HTTP servers, for example, multiple ingestion nodes of an Elasticsearch cluster. For details, see "Batch mode and load balancing" in the Administration Guide.
HTTP and HTTPS redirections now also handled automatically.
The syslog() and network() drivers now support the so-reuseport() option that allows multiple sockets on the same host to bind to the same port, improving the performance of multithreaded network server applications running on top of multicore systems.
The Cisco parser now supports Cisco Catalyst formatted triplets.
Extending syslog-ng PE in Python has been supported for several releases, but so far this feature was mostly undocumented. Now you can find more details about this feature in "python: writing custom Python destinations" in the Administration Guide.
Starting with syslog-ng PE version
You can now configure syslog-ng PE to reset the counter that stores the list of known hosts. That way, you can make syslog-ng PE forget old clients that do not exist anymore, and otherwise would be counted against the license limit. This is especially useful in large datacenters or cloud environments where the client hosts are deployed and removed frequently.
For details, see the "Global options" in the Administration Guide.
When hdfs-append-enabled is set to true, syslog-ng PE will append new data to the end of an already existing HDFS file. Note that in this case, archiving is automatically disabled, and syslog-ng PE will ignore the hdfs-archive-dir option.
New template functions are available: url-decode(), url-encode() and base64-encode(). For details, see "Template functions of syslog-ng PE" in the Administration Guide.
The syslog-ng-ctl config command can display the contents of the configuration file that syslog-ng PE is currently running.
The elasticsearch() destination has been deprecated, because it supports only ElasticSearch version 1.x, which has been End-of-Life since January, 2017. Use the elasticsearch2() destination instead.
Using the new Advanced Log Transfer Protocol (ALTP), you can send (and receive) log messages in a reliable way over the TCP transport layer. ALTP is a proprietary transport protocol that prevents message loss during connection breaks. The transport is used between syslog-ng PE hosts (for example, a client and a server, or a client-relay-server), and interoperates with the flow-control and reliable disk-buffer mechanisms of syslog-ng PE, thus providing the best way to prevent message loss.
ALTP is the successor of the Reliable Log Transport Protocol (RLTP) introduced in version 6 LTS. Starting with version 7.0.9, the syslog-ng PE application can receive messages sent using RLTP from hosts that are running version 6 of syslog-ng PE or the syslog-ng Agent for Windows application. Starting with version 7.0.10, syslog-ng PE can now also send messages using ALTP to hosts that are running version 6 or at least version 7.0.9 of syslog-ng PE or the syslog-ng Agent for Windows application. For details, see "Advanced Log Transfer Protocol " in the Administration Guide.
An additional change regarding the Advanced Log Transfer Protocol is that the global flush-lines() option does not affect the batch size of ALTP anymore. Instead, a new ALTP has been introduced, called batch-size(). For details, see "ALTP options" in the Administration Guide.
The failover() option allows you to specify what happens after syslog-ng PE fails over to a secondary server. Additionally, the failover-servers() option has been deprecated and removed from the document. For more information about the failover() option, see "syslog-ng(): Forward logs to another syslog-ng node" in the Administration Guide.
You can now refer to any additional parameters at the end of the argument in a block by adding three dots to it (…). It tells syslog-ng PE that this macro accepts `__VARARGS__`, therefore any name-value pair can be passed without validation. For details, see "Reusing configuration blocks" in the Administration Guide.
You can now make parameters mandatory in block definitions by defining them with empty brackets (). For details, see "Reusing configuration blocks" in the Administration Guide.