Chat now with support
Chat with Support

syslog-ng Premium Edition 7.0.18 - Release Notes

Highlights of 7.0.4

RHEL6 support

Red Hat Enterprise Linux 6 platform is now supported. For details, see "Supported platforms" in the Administration Guide.

New osquery source

The osquery application allows you to ask questions about your machine using an SQL-like language. For example, you can query running processes, logged in users, installed packages and syslog messages as well. You can make queries on demand, and also schedule them to run regularly.

The osquery() source of syslog-ng PE allows you read the results of periodical osquery queries and automatically parse the messages. For details, see "osquery: Collect and parse osquery result logs" in the Administration Guide.

New HTTP destination

The syslog-ng PE application can directly post log messages to web services using the HTTP protocol, without having to use Java.

HTTPS connection, as well as password- and certificate-based authentication is supported. For details, see "http: Posting messages over HTTP without Java" in the Administration Guide.

Look up GeoIP2 data from IP addresses

The syslog-ng PE application can lookup IP addresses from an offline GeoIP2 database, and make the retrieved data available in name-value pairs. Depending on the database used, you can access country code, longitude, and latitude information, and many more in addition to what you could access with geoip(). For details, see "Looking up GeoIP2 data from IP addresses" in the Administration Guide.

You can use the geoip2 template function to format messages to contain GeoIP data. For details, see "Template functions of syslog-ng PE" in the Administration Guide.

The geoip() parser is deprecated.

The geoip() parser is now deprecated. Use the geoip2 parser instead.

Highlights of 7.0.3

Reading Net-SNMP traps

Using the snmptrap() source, you can read and parse the SNMP traps of the Net-SNMP's snmptrapd application. syslog-ng PE can read these traps from a log file, and extract their content into name-value pairs, making it easy to forward them as a structured log message (for example, in JSON format). For details, see "snmptrap: Read Net-SNMP traps" in the Administration Guide.

Monitor syslog-ng PE more effectively

syslog-ng PE version 7.0.3 also includes new metrics. For details, see "Metrics and counters of syslog-ng PE" in the Administration Guide.

Also note the following changes compared earlier syslog-ng PE versions:

  • The stored counter was renamed to queued.

  • The output of the syslog-ng-ctl query command was changed from <counter-name>: <counter-value> to <counter-name>=<counter-value>

Ported from the syslog-ng PE 6 LTS product line
Other changes

Highlights of 7.0.2

Python support: message parsers and template functions

The Python Log Parser allows you to write your own parser in Python. Practically, that way you can process the log message (or parts of the log message) any way you need. For example, you can import external Python modules to process the messages, query databases to enrich the messages with additional data, and many other things. For details, see "Python parser" in the Administration Guide.

You can write your own template function in Python. You can define a Python block in your syslog-ng PE configuration file, and define one or more Python functions in it. You can use these functions as template functions. For details, see the manual pages.

Monitor syslog-ng PE more effectively

The new monitoring() source allows you to granularly select which statistics of syslog-ng PE you want to monitor. In addition, the statistics are available as structured name-value pairs, so you can format the output similarly to other log messages. That way, you can easily convert the statistics and metrics, for example, into JSON or WELF format, and send the results into your monitoring database. For details, see "The monitoring() source" in the Administration Guide.

syslog-ng PE version 7.0.2 also includes the monitoring-welf() source, which is a preconfigured monitoring() source that generates statistics messages in WELF format. Starting with version 7.0., syslog-ng PE uses this driver for new installations to generate statistics (earlier versions use the internal() source for this purpose).

Ported from the syslog-ng PE 6 LTS product line
  • The functionality of syslog-ng-query application is available in syslog-ng PE 7.0.2, as part of the syslog-ng-ctl utility.

Highlights of 7.0

Enriching data

You can use an external database file to append custom name-value pairs to incoming logs, thus extending, enriching, and complementing the data found in the log message. For example, you can create a database (or export it from an existing tool) that contains a list of hostnames or IP addresses, and the department of your organization that the host belongs to, the role of the host (mailserver, webserver, and so on), or similar contextual information. For details, see "Enriching log messages with external data" in the Administration Guide.

You can correlate and aggregate information from log messages using a few simple filters that are similar to SQL GROUPBY statements. You do not even have to configure a pattern database. Also, when correlating messages containing numerical information, you can use numerical template functions that work on numerical values of a correlation context. For details, see "Correlating log messages" in the Administration Guide and "Template functions of syslog-ng PE" in the Administration Guide.

Improved configuration flexibility

You can define configuration objects inline, where they are actually used, without having to define them in a separate object. This is useful if you need an object only once, for example, a filter or a rewrite rule, because it makes the configuration much easier to read. Every object can be defined inline: sources, destinations, filters, parsers, rewrite rules, and so on. For details, see "Defining configuration objects inline" in the Administration Guide.

From now on, every configuration object is a log expression. Every configuration object is essentially a configuration block, and can include multiple objects. To reference the block, only the top-level object must be referenced. That way you can use embedded log statements, junctions and in-line object definitions within source, destination, filter, rewrite and parser definitions. For example, a source can include a rewrite rule to modify the messages received by the source, and that combination can be used as a simple source in a log statement. For details, see "Using channels in configuration objects" in the Administration Guide.

To make the configuration more readable, and to help avoid misconfiguration, you can use human-readable units when setting configuration options, for example, log-fifo-size(2Mb). For details, see "Notes about the configuration syntax" in the Administration Guide.

Other changes
Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating