Red Hat Enterprise Linux 6 platform is now supported. For details, see "Supported platforms" in the Administration Guide.
The osquery application allows you to ask questions about your machine using an SQL-like language. For example, you can query running processes, logged-in users, installed packages, and even syslog messages. You can make queries on demand, and also schedule them to run regularly.
The osquery() source of syslog-ng PE allows you to read the results of scheduled osquery queries and automatically parse the messages. For details, see "osquery: Collect and parse osquery result logs" in the Administration Guide.
The syslog-ng PE application can directly post log messages to web services using the HTTP protocol, without having to use Java.
HTTPS connections are supported, as are password-based and certificate-based authentication. For details, see "http: Posting messages over HTTP without Java" in the Administration Guide.
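An http() destination of this kind, as an added example that is not taken from the Administration Guide: it posts each message as JSON over HTTPS with password (HTTP basic) authentication, verifies the server certificate against a private CA, and presents a client certificate. The URL, credentials and certificate paths are placeholders, and the option names are assumed to match the http() driver options of this release.

```syslog-ng
# Added example. Hostname, credentials and certificate paths are placeholders.
destination d_http_json {
    http(
        url("https://logs.example.com/ingest")
        method("POST")
        # Password-based (HTTP basic) authentication. The password sits in the
        # configuration file, so keep that file readable only by the syslog-ng user.
        user("syslog-ng")
        password("replace-with-a-real-secret")
        headers("Content-Type: application/json")
        body("$(format-json --scope rfc5424 --key ISODATE)")
        # Certificate-based authentication: the client certificate proves the
        # forwarder's identity, and ca-file() restricts which CA may have signed
        # the server certificate. Leave peer-verify() on: switching it off
        # accepts any server certificate and turns HTTPS into plain transport
        # encryption to an unverified peer.
        ca-file("/etc/syslog-ng/tls/ca.crt")
        cert-file("/etc/syslog-ng/tls/forwarder.crt")
        key-file("/etc/syslog-ng/tls/forwarder.key")
        peer-verify(yes)
    );
};

log {
    source { system(); internal(); };
    destination(d_http_json);
};
```

The internal() source is included so that delivery errors reported by syslog-ng itself also reach the web service, which makes a silently failing endpoint visible on the receiving side.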
The syslog-ng PE application can look up IP addresses in an offline GeoIP2 database, and make the retrieved data available as name-value pairs. Depending on the database used, you can access the country code, longitude, latitude, and many more fields than the geoip() parser could provide. For details, see "Looking up GeoIP2 data from IP addresses" in the Administration Guide.
You can use the geoip2 template function to format messages to contain GeoIP data. For details, see "Template functions of syslog-ng PE" in the Administration Guide.
The geoip() parser is now deprecated. Use the geoip2 parser instead.
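The geoip2 parser and the geoip2 template function side by side, as an added example that is not part of the Administration Guide. The database path is the usual location of a MaxMind GeoLite2 City file and is a placeholder; the parser's prefix() option and the template function's default field (the country code) are assumed to behave as documented for this release.

```syslog-ng
# Added example. The database path is a placeholder.
parser p_geoip2 {
    geoip2(
        # Look up ${SOURCEIP} (the peer that delivered the message), not ${HOST}:
        # the hostname in the message header is written by the sender and is
        # trivial to spoof, the socket address is not.
        "${SOURCEIP}",
        prefix("geoip2.")
        database("/usr/share/GeoIP/GeoLite2-City.mmdb")
    );
};

# Every parsed field (geoip2.country.iso_code, geoip2.location.latitude, ...)
# goes into a JSON record.
destination d_geo_json {
    file("/var/log/geo.json"
        template("$(format-json --scope rfc5424 --key ISODATE --key geoip2.*)\n")
    );
};

# The template function needs no parser: it returns the country code of the
# address directly, here prepended to a classic text line. Single quotes keep
# the inner double quotes of the --database argument intact.
destination d_geo_text {
    file("/var/log/geo.log"
        template('${ISODATE} ${SOURCEIP} $(geoip2 --database "/usr/share/GeoIP/GeoLite2-City.mmdb" ${SOURCEIP}) ${MSGHDR}${MSG}\n')
    );
};

log {
    source { network(transport(udp) port(514)); };
    parser(p_geoip2);
    destination(d_geo_json);
    destination(d_geo_text);
};
```

Private addresses and addresses missing from the database yield empty values, so downstream filters should treat an empty country code as "unknown" rather than as a match.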
Using the snmptrap() source, you can read and parse the SNMP traps of the Net-SNMP's snmptrapd application. syslog-ng PE can read these traps from a log file, and extract their content into name-value pairs, making it easy to forward them as a structured log message (for example, in JSON format). For details, see "snmptrap: Read Net-SNMP traps" in the Administration Guide.
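A minimal snmptrap() pipeline as an added example (not from the Administration Guide). It assumes snmptrapd writes its traps to the file named below in the line format the Administration Guide prescribes for this source; the file paths are placeholders.

```syslog-ng
# Added example. File paths are placeholders; snmptrapd must already log to
# /var/log/snmptrapd.log in the format required by the snmptrap() source.
source s_snmptrap {
    snmptrap(
        filename("/var/log/snmptrapd.log")
        # Each variable binding of a trap becomes a name-value pair carrying this
        # prefix, which keeps trap fields apart from the message's own fields.
        prefix(".snmp.")
    );
};

destination d_traps_json {
    file("/var/log/traps.json"
        # dot-nv-pairs selects every name-value pair whose name starts with a dot,
        # that is, all the parsed trap fields.
        template("$(format-json --scope dot-nv-pairs --key ISODATE --key HOST)\n")
    );
};

log { source(s_snmptrap); destination(d_traps_json); };
```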
syslog-ng PE version 7.0.3 also includes new metrics. For details, see "Metrics and counters of syslog-ng PE" in the Administration Guide.
Also note the following changes compared to earlier syslog-ng PE versions:
The stored counter was renamed to queued.
The output format of the syslog-ng-ctl query command was changed from <counter-name>: <counter-value> to <counter-name>=<counter-value>.
The functionality of wildcard file sources is available in syslog-ng PE 7.0.3 as a separate source driver. For details, see "wildcard-file: Collecting messages from multiple text files" in the Administration Guide.
The default value of the log-msg-size() option has been increased to 64k. That way syslog-ng PE will not truncate long log messages, which are getting increasingly common.
The syslog-debun utility now supports IBM AIX.
The hdfs() destination now supports Kerberos authentication. For details, see "Kerberos authentication with syslog-ng hdfs() destination" in the Administration Guide.
The new basename() and dirname() template functions allow you to easily separate the path and filenames. For details, see "Template functions of syslog-ng PE" in the Administration Guide.
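One configuration that exercises both the wildcard-file() source described above and the basename()/dirname() template functions, as an added example that is not part of the Administration Guide. The directory paths are placeholders, and ${FILE_NAME} (the path of the file a message was read from) is assumed to be set by wildcard-file() as it is in syslog-ng OSE.

```syslog-ng
# Added example. Paths are placeholders; ${FILE_NAME} is assumed to hold the
# full path of the file each message was read from.
source s_app_logs {
    wildcard-file(
        base-dir("/var/log/apps")
        filename-pattern("*.log")
        # Also pick up files in subdirectories (one directory per application).
        recursive(yes)
        follow-freq(1)
        # Upper bound on the number of files followed at once.
        max-files(100)
    );
};

destination d_by_file {
    # $(basename) keeps only the leaf name, so every collected file lands
    # directly under /var/log/collected. Two applications using the same file
    # name would share one output file; $(dirname) in the line records the
    # real origin so such collisions stay attributable.
    file("/var/log/collected/$(basename ${FILE_NAME})"
        template("${ISODATE} ${HOST} dir=$(dirname ${FILE_NAME}) ${MSGHDR}${MSG}\n")
        create-dirs(yes)
    );
};

log { source(s_app_logs); destination(d_by_file); };
```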
The Python Log Parser allows you to write your own parser in Python. In practice, this lets you process the log message (or parts of it) any way you need. For example, you can import external Python modules to process the messages, query databases to enrich the messages with additional data, and so on. For details, see "Python parser" in the Administration Guide.
You can write your own template function in Python. You can define a Python block in your syslog-ng PE configuration file, and define one or more Python functions in it. You can use these functions as template functions. For details, see the manual pages.
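A single python {} block that provides both a parser class and a template function, as an added example that is not taken from the Administration Guide. The parser copies key=value tokens of the message into kv.* name-value pairs, masking credential-looking keys; the template function returns a redacted copy of the message. The file paths are placeholders, and the block assumes the parser is configured with python(class("...")) and the function is invoked as $(python <name>) as documented for this release; the value type handling covers bindings that return either str or bytes.

```syslog-ng
python {
import re

# Added example. Values read from a message are str in some syslog-ng Python
# bindings and bytes in others, so normalise before using them.
def _text(value):
    if isinstance(value, bytes) and not isinstance(value, str):
        return value.decode("utf-8", "replace")
    return value

# key=value tokens: bare values, or double-quoted values that may contain spaces.
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')
_SECRET_KEYS = ("password", "passwd", "secret", "token", "apikey", "api_key")

def _masked(key, value):
    return "***" if key.lower() in _SECRET_KEYS else value

class KvParser(object):
    """Copies every key=value token of MESSAGE into a kv.<key> name-value pair,
    with credential-looking values masked so the secret never becomes a field."""
    def parse(self, log_message):
        for key, value in _KV.findall(_text(log_message["MESSAGE"])):
            log_message["kv." + key] = _masked(key, value.strip('"'))
        # Returning False would drop the message from this log path; messages
        # without any pairs are kept as well.
        return True

def redact_secrets(log_message):
    """Returns MESSAGE with credential-looking values masked; used as $(python redact_secrets)."""
    def mask(match):
        key, value = match.group(1), match.group(2)
        return key + "=" + _masked(key, value)
    return _KV.sub(mask, _text(log_message["MESSAGE"]))
};

parser p_kv {
    python(class("KvParser"));
};

destination d_kv_json {
    file("/var/log/kv.json"
        # The raw MESSAGE is excluded so the secret never reaches the file; the
        # masked copy and the extracted kv.* fields are written instead.
        template("$(format-json --scope rfc5424 --exclude MESSAGE --key kv.* message=$(python redact_secrets))\n")
    );
};

log {
    source { file("/var/log/app/events.log"); };
    parser(p_kv);
    destination(d_kv_json);
};
```

For a constructed input line such as "login user=alice password=hunter2 result=ok", the record carries kv.user=alice, kv.password=***, kv.result=ok and message="login user=alice password=*** result=ok".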
The new monitoring() source allows you to granularly select which statistics of syslog-ng PE you want to monitor. In addition, the statistics are available as structured name-value pairs, so you can format the output similarly to other log messages. That way, you can easily convert the statistics and metrics, for example, into JSON or WELF format, and send the results into your monitoring database. For details, see "The monitoring() source" in the Administration Guide.
syslog-ng PE version 7.0.2 also includes the monitoring-welf() source, which is a preconfigured monitoring() source that generates statistics messages in WELF format. Starting with version 7.0.2, syslog-ng PE uses this driver for new installations to generate statistics (earlier versions use the internal() source for this purpose).
The functionality of the syslog-ng-query application is available in syslog-ng PE 7.0.2 as part of the syslog-ng-ctl utility.
You can use an external database file to append custom name-value pairs to incoming logs, thus extending, enriching, and complementing the data found in the log message. For example, you can create a database (or export it from an existing tool) that contains a list of hostnames or IP addresses, and the department of your organization that the host belongs to, the role of the host (mailserver, webserver, and so on), or similar contextual information. For details, see "Enriching log messages with external data" in the Administration Guide.
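Enrichment with add-contextual-data() as an added example (not from the Administration Guide). The CSV content is constructed for the example, and the file paths are placeholders; the selector/name/value CSV layout and the default-selector() and prefix() options are assumed to be those of the add-contextual-data() parser in this release.

```syslog-ng
# Added example. The CSV is constructed; in practice it is exported from an
# inventory or CMDB. One "selector,name,value" triple per line, for instance
# /etc/syslog-ng/hosts.csv:
#   web01,role,webserver
#   web01,department,ecommerce
#   db01,role,database
#   db01,department,finance
#   unknown,role,unclassified
#   unknown,department,unclassified
parser p_host_context {
    add-contextual-data(
        # Keyed on the hostname from the message header. Where senders are not
        # trusted, key on ${SOURCEIP} instead and list addresses in the CSV,
        # otherwise a sender can choose its own role by claiming a hostname.
        selector("${HOST}")
        database("/etc/syslog-ng/hosts.csv")
        # Hosts missing from the CSV get the "unknown" rows rather than no
        # fields at all, so the filters below always have a value to test.
        default-selector("unknown")
        prefix(".context.")
    );
};

# Route authentication logs of database hosts to a separate, tighter destination.
filter f_db_hosts { match("database" value(".context.role")); };

destination d_db_auth { file("/var/log/security/db-auth.log"); };
destination d_all {
    file("/var/log/all.json" template("$(format-json --scope rfc5424 --scope dot-nv-pairs)\n"));
};

log {
    source { network(transport(tcp) port(514)); };
    parser(p_host_context);
    log { filter(f_db_hosts); filter { facility(auth, authpriv); }; destination(d_db_auth); };
    log { destination(d_all); };
};
```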
You can correlate and aggregate information from log messages using a few simple filters that are similar to SQL GROUP BY statements. You do not even have to configure a pattern database. Also, when correlating messages containing numerical information, you can use numerical template functions that work on the numerical values of a correlation context. For details, see "Correlating log messages" in the Administration Guide and "Template functions of syslog-ng PE" in the Administration Guide.
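A grouping-by() correlation that turns repeated SSH password failures into one alert, as an added example that is not part of the Administration Guide. The option set (key, scope, where, timeout, having, aggregate, inject-mode) is assumed to be that of the grouping-by() parser in this release, and having() is written with the quoted comparison form used by syslog-ng filters; the file path and port are placeholders.

```syslog-ng
# Added example. Counts "Failed password" lines per sending host within a
# 60-second window and emits one tagged alert when the count reaches five.
parser p_ssh_bruteforce {
    grouping-by(
        # One context per sending host ...
        key("${HOST}")
        scope("host")
        # ... fed only by the matching sshd lines; everything else passes
        # through the parser untouched.
        where(match("Failed password" value("MESSAGE")))
        timeout(60)
        # Evaluated when the context closes: aggregate only if it grew enough.
        having("$(context-length)" >= "5")
        aggregate(
            value("MESSAGE" "$(context-length) failed SSH logins on ${HOST} within 60 seconds")
            tags("ssh-bruteforce")
        )
        # The aggregated message enters the same log path as the originals.
        inject-mode("pass-through")
    );
};

# Only the synthetic alert reaches the alert file; the raw failures continue to
# wherever the rest of the configuration sends them.
filter f_bruteforce { tags("ssh-bruteforce"); };

destination d_alerts { file("/var/log/alerts.log"); };

log {
    source { network(transport(tcp) port(514)); };
    parser(p_ssh_bruteforce);
    filter(f_bruteforce);
    destination(d_alerts);
};
```

Because the context is keyed on ${HOST}, a sender that varies the hostname in its messages spreads its attempts over many contexts; keying on ${SOURCEIP} closes that gap for messages received over the network.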
You can define configuration objects inline, where they are actually used, without having to define them in a separate object. This is useful if you need an object only once, for example, a filter or a rewrite rule, because it makes the configuration much easier to read. Every object can be defined inline: sources, destinations, filters, parsers, rewrite rules, and so on. For details, see "Defining configuration objects inline" in the Administration Guide.
From now on, every configuration object is a log expression. Every configuration object is essentially a configuration block, and can include multiple objects. To reference the block, only the top-level object must be referenced. That way you can use embedded log statements, junctions and inline object definitions within source, destination, filter, rewrite and parser definitions. For example, a source can include a rewrite rule to modify the messages received by the source, and that combination can be used as a simple source in a log statement. For details, see "Using channels in configuration objects" in the Administration Guide.
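The two preceding points in one configuration, as an added example that is not part of the Administration Guide: a source object that is itself a channel (listener plus an inline rewrite), consumed by a log statement whose filters and destinations are defined inline inside a junction. Port and file paths are placeholders.

```syslog-ng
# Added example. A source that is really a channel: every message the TCP
# listener accepts is tagged with its origin by an inline rewrite before the
# source is used in a log statement.
source s_tcp_tagged {
    channel {
        source { network(transport(tcp) port(514)); };
        rewrite { set("tcp-listener" value("origin")); };
    };
};

# Objects needed only once are defined inline where they are used.
log {
    source(s_tcp_tagged);
    junction {
        channel {
            filter { level(warning..emerg); };
            destination { file("/var/log/warnings.log"); };
            # Stop here for warnings; the second channel only sees the rest.
            flags(final);
        };
        channel {
            destination {
                file("/var/log/other.log"
                    template("${ISODATE} ${origin} ${HOST} ${MSGHDR}${MSG}\n")
                );
            };
        };
    };
};
```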
To make the configuration more readable, and to help avoid misconfiguration, you can use human-readable units when setting configuration options, for example, log-fifo-size(2Mb). For details, see "Notes about the configuration syntax" in the Administration Guide.
In this release, the default value of log-msg-size() is 8192 instead of 65536 (a later release raised the default to 64k again, see above). Increase it if needed.
The skip-cluster-health-check() option is available for the elasticsearch2() destination. For details, see "Elasticsearch2 destination options (DEPRECATED)" in the Administration Guide.
The qdisk-dir option of syslog-ng PE is not available as a command-line option; use the dir() option of disk-buffer() in the configuration of the destination instead.
Several features and platforms that are available in syslog-ng Premium Edition 6 LTS are not yet available in syslog-ng PE 7. For details, see Differences in features between syslog-ng PE 6 LTS and 7.
© 2021 One Identity LLC. ALL RIGHTS RESERVED.