syslog-ng Premium Edition 7.0.14 - Release Notes

Highlights of 7.0.9

Receive logs using the Advanced Log Transport Protocol (ALTP)

With the new Advanced Log Transport Protocol (ALTP) you can receive log messages in a reliable way over the TCP transport layer. ALTP is a proprietary transport protocol that prevents message loss during connection breaks. The transport is used between syslog-ng PE hosts (for example, a client and a server, or a client-relay-server), and interoperates with the flow-control and reliable disk-buffer mechanisms of syslog-ng PE, thus providing the best way to prevent message loss.

ALTP is the successor of the Reliable Log Transport Protocol (RLTP) introduced in version 6 LTS. Starting with version 7.0.9, the syslog-ng PE application can receive messages sent using RLTP from hosts that are running version 6 of syslog-ng PE or the syslog-ng Agent for Windows application. For details, see "Advanced Log Transfer Protocol" in the Administration Guide.

Easily receive and parse messages from remote hosts

The default-network-drivers() source is a special source that uses multiple source drivers to receive and parse several different types of syslog messages from the network. For details, see "default-network-drivers: Receive and parse common syslog messages" in the Administration Guide.

Transfer log messages and their key-value pairs between syslog-ng nodes

The Enterprise-wide message model, or EWMM, allows you to deliver structured messages from the initial receiving syslog-ng component right up to the central log server, through any number of hops. It does not matter whether you parse the messages on the client, on a relay, or on the central server: their structured results will be available wherever you store the messages. Optionally, you can also forward the original raw message exactly as the first syslog-ng component in your infrastructure received it, which is important if you want to forward a message, for example, to a SIEM system. To make use of the enterprise-wide message model, you have to use the syslog-ng() destination on the sender side, and the default-network-drivers() source on the receiver side.

Clearer configuration using if, else, elif conditions

You can use if {}, elif {}, and else {} blocks to configure conditional expressions. For details, see "if-else-elif: Conditional expressions" in the Administration Guide.

Message parsing

syslog-ng PE version 7.0.9 includes parsers for the sudo and iptables applications.

Compliance and integration

You can now store and forward the incoming messages exactly as received using the store-raw-message source flag and the RAWMSG macro. These are especially useful if you are forwarding the messages to a SIEM, or if you have to preserve the original message for legal reasons. For details, see "Macros of syslog-ng PE" in the Administration Guide.
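The client/server pairing described in this section, as an added, constructed example (not configuration shipped with syslog-ng PE or taken from the Administration Guide): the client keeps the raw message with store-raw-message, parses locally inside an if/elif/else path, and forwards with syslog-ng(); the server receives with default-network-drivers() and writes both the structured fields and ${RAWMSG}. The hostnames are placeholders, and sudo-parser() and iptables-parser() are assumed names for the new parsers.

```conf
# ---- client.conf (constructed example; hostnames are placeholders) ----
@version: 7.0
@include "scl.conf"

# Keep the message exactly as received in ${RAWMSG}; the EWMM envelope
# emitted by syslog-ng() carries it together with the parsed fields.
source s_in { network(port(601) transport("tcp") flags(store-raw-message)); };

filter f_sudo     { program("sudo"); };
filter f_iptables { message("IN=.* OUT=" type("pcre")); };

# syslog-ng() is the sender side of the enterprise-wide message model.
destination d_central { syslog-ng(server("central.example.com") port(514)); };

log {
    source(s_in);
    if (filter(f_sudo)) {
        parser { sudo-parser(); };      # assumed parser name
    } elif (filter(f_iptables)) {
        parser { iptables-parser(); };  # assumed parser name
    } else {
        rewrite { set("unparsed" value(".meta.parser")); };
    };
    destination(d_central);
    flags(flow-control);
};

# ---- server.conf (constructed example) ----
@version: 7.0
@include "scl.conf"

# Receives EWMM from syslog-ng PE clients and plain syslog from other hosts.
source s_net { default-network-drivers(); };

# Fields parsed on the client arrive here as ordinary name-value pairs ...
destination d_structured {
    file("/var/log/structured.json" template("$(format-json --scope nv_pairs)\n"));
};
# ... and the untouched original is still ${RAWMSG}, suitable for a SIEM feed.
destination d_raw { file("/var/log/raw-for-siem.log" template("${RAWMSG}\n")); };

log { source(s_net); destination(d_structured); destination(d_raw); };
```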


Highlights of 7.0.8

Client-side failover

The failover-servers() option of the network() and syslog() destinations is now available in syslog-ng PE version 7.

For more information, see "Client-side failover" in the Administration Guide.

New log path flag: drop-unmatched

A new log path flag, drop-unmatched, has been added. The new flag causes messages to be dropped along a log path when they do not match a filter or are discarded by a parser. For details, see "Log path flags" in the Administration Guide.

Support for Elasticsearch's Shield security discontinued

Elasticsearch deleted the Shield .jar files that syslog-ng PE required to work with Shield, so support for Shield has been removed.

Support for POSIX regular expressions discontinued

Support for POSIX regular expressions has been removed. All "posix" regular expressions are automatically switched to "pcre". In case you have POSIX regular expressions configured, ensure that your regexps work with PCRE, and also specify type("pcre") explicitly.
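A client configuration that puts the 7.0.8 changes together, added here as a constructed example (not from the release notes or the Administration Guide): an explicitly typed PCRE filter, a TLS network() destination with failover-servers(), and the drop-unmatched log path flag. Hostnames and file paths are placeholders.

```conf
@version: 7.0
@include "scl.conf"

source s_local { system(); internal(); };

# POSIX regexps are gone: state the dialect explicitly so nobody has to
# guess which one the pattern was written for.
filter f_auth_failure {
    message("(?i)authentication failure|failed password" type("pcre"));
};

# Client-side failover: if the primary is unreachable, syslog-ng PE moves
# on to the listed servers in order. The reliable disk-buffer keeps
# messages on disk while no server is reachable.
destination d_central {
    network("primary.example.com" port(6514) transport("tls")
        tls(ca-dir("/etc/syslog-ng/ca.d")
            key-file("/etc/syslog-ng/client.key")
            cert-file("/etc/syslog-ng/client.crt"))
        failover-servers("backup1.example.com", "backup2.example.com")
        disk-buffer(reliable(yes) disk-buf-size(1073741824))
    );
};

# drop-unmatched: messages that f_auth_failure rejects are dropped along
# this log path instead of being processed any further on it.
log {
    source(s_local);
    filter(f_auth_failure);
    destination(d_central);
    flags(drop-unmatched flow-control);
};
```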

Highlights of 7.0.7

Logstore destination

The logstore() destination that was available only in syslog-ng PE version 6 is now available in version 7.0.7, allowing you to store messages in encrypted files.

For more information, see "logstore: Storing messages in encrypted files" in the Administration Guide.

Password-protected private keys

Starting with syslog-ng PE version 7.0.7, you can use password-protected private keys in the network() and syslog() source and destination drivers.

For more information, see "Password-protected keys" in the Administration Guide.

Highlights of 7.0.6

Windows Event Collector for syslog-ng PE

The Windows Event Collector (WEC) acts as a log collector and forwarder tool for the Microsoft Windows platform. It collects the log messages of Windows-based hosts over HTTPS (using TLS encryption and mutual authentication), and forwards them to a syslog-ng PE server. In Windows terminology, this tool allows you to define source-initiated subscriptions, and have them forwarded to a syslog-ng PE server.

Unlike the syslog-ng Agent for Windows, the Windows Event Collector is a standalone tool that does not require installing on the Windows-based host itself. This can be an advantage when your organization's policies restrict or do not allow the installation of third-party tools. The Windows Event Collector sits between your Windows hosts and your syslog-ng Premium Edition server, accepting log messages from the remote Windows side with WinRM and feeding them to syslog-ng Premium Edition 7.0.

For more information, see:

Support for unsetting a group of fields

In addition to unsetting a macro or a field of a message, you can now explicitly unset a group of fields too, using the groupunset() rewrite rule.

For more information, see "Unsetting message fields" in the Administration Guide.
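One use of groupunset() that a single unset() cannot express compactly, as an added, constructed example (not from the release notes or the Administration Guide): an application logs key=value pairs, kv-parser() turns them into fields under a common prefix, and one groupunset() removes every credential-bearing field from that group before the message leaves the host. The application line, the prefix, and the hostname are constructed; kv-parser() is assumed to be available in this version.

```conf
@version: 7.0
@include "scl.conf"

# Constructed input, one line per event, e.g.:
#   login user=alice session=abc123 password=hunter2 result=ok
source s_app { network(port(2000) transport("tcp")); };

# Split "key=value" pairs out of ${MESSAGE} into fields named kv.<key>.
parser p_kv { kv-parser(prefix("kv.")); };

# Remove the whole group of fields whose name starts with kv.pass
# (kv.password, kv.passphrase, ...) in one rule; unset() would need
# each name spelled out.
rewrite r_scrub { groupunset(values("kv.pass*")); };

# Forward only the remaining kv.* fields, not the original ${MESSAGE},
# which still contains the secret verbatim.
destination d_central {
    network("central.example.com" port(514) transport("tcp")
        template("$(format-json --key kv.*)\n"));
};

log {
    source(s_app);
    parser(p_kv);
    rewrite(r_scrub);
    destination(d_central);
};
```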
