You can use an external database file to append custom name-value pairs to incoming logs, extending and enriching the data found in the log message. For example, you can create a database (or export one from an existing tool) that maps hostnames or IP addresses to the department of your organization that owns the host, the role of the host (mail server, web server, and so on), or similar contextual information. For details, see "Enriching log messages with external data" in the Administration Guide.
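As an added illustration (it is not from the release notes or the One Identity documentation), the configuration below enriches each message with the department and role of the sending host from a CSV database using the add-contextual-data() parser. The file path, the CSV rows and the name-value pair names are assumptions made for the example.

```conf
# Added example, not syslog-ng PE's own documentation. Assumed path:
# /etc/syslog-ng/hosts.csv, a constructed database in the add-contextual-data()
# CSV format "selector,name,value":
#
#   mail01,department,infrastructure
#   mail01,role,mailserver
#   10.0.0.7,department,finance
#   10.0.0.7,role,webserver
#   unknown,department,unassigned
#   unknown,role,unassigned

@version: 7.0

source s_net {
    network(transport("tcp") port(6514));
};

# Look up ${HOST} in the CSV; fall back to the "unknown" rows when the host is
# not listed, so downstream templates always have a value to print.
parser p_enrich {
    add-contextual-data(
        selector("${HOST}")
        database("/etc/syslog-ng/hosts.csv")
        default-selector("unknown")
        prefix(".ctx.")
    );
};

# The enriched pairs are ordinary name-value pairs, usable in templates,
# filters and rewrite rules like any other macro.
destination d_enriched {
    file("/var/log/enriched.log"
        template("${ISODATE} ${HOST} dept=${.ctx.department} role=${.ctx.role} ${MESSAGE}\n")
    );
};

log {
    source(s_net);
    parser(p_enrich);
    destination(d_enriched);
};
```

The selector is compared literally with the first CSV column, so make sure a client cannot choose its own enrichment by forging the hostname in the message: keep the default keep-hostname(no) so that ${HOST} is derived from the sender's address, or select on ${SOURCEIP} instead of ${HOST}.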
You can correlate and aggregate information from log messages using a few simple filters that work like SQL GROUP BY statements; you do not even have to configure a pattern database. When correlating messages that contain numerical data, you can also use numerical template functions that operate on the values collected in a correlation context. For details, see "Correlating log messages" in the Administration Guide and "Template functions of syslog-ng PE" in the Administration Guide.
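The following configuration is an added example of the GROUP BY style correlation described above; it is not taken from the release notes or the product documentation. It groups failed SSH logins by host and user with the grouping-by() parser and injects one aggregated message when a context collects five or more failures within 60 seconds. The log file path, the regular expression and the name-value pair names are assumptions for the example.

```conf
# Added example, not syslog-ng PE's own documentation. Assumed input lines in
# /var/log/auth.log look like:
#   Failed password for invalid user admin from 203.0.113.5 port 4242 ssh2

@version: 7.0

source s_auth {
    file("/var/log/auth.log");
};

# Extract the user name and source address into ${.ssh.user} and ${.ssh.src}.
parser p_sshd {
    regexp-parser(
        patterns("Failed password for (invalid user )?(?<user>[^ ]+) from (?<src>[0-9.]+)")
        prefix(".ssh.")
    );
};

# key() is the GROUP BY column, where() selects which messages join a context,
# having() decides whether the aggregate is emitted when the context closes
# (timeout() seconds after the first message), and aggregate() builds it.
# $(context-length) is the number of messages collected in the context.
parser p_correlate {
    grouping-by(
        key("${HOST}/${.ssh.user}")
        scope("global")
        timeout(60)
        where(match("Failed password" value("MESSAGE")))
        having("$(context-length)" >= "5")
        aggregate(
            value("MESSAGE" "$(context-length) failed SSH logins for ${.ssh.user} on ${HOST} within 60 s, last source ${.ssh.src}")
            value("PROGRAM" "ssh-bruteforce")
            tags("bruteforce")
        )
        inject-mode("pass-through")
    );
};

destination d_alerts {
    file("/var/log/ssh-bruteforce.log" template("${ISODATE} ${MESSAGE}\n"));
};

log {
    source(s_auth);
    parser(p_sshd);
    parser(p_correlate);
    # With inject-mode("pass-through") the aggregated message continues down
    # this log path, so it can be routed by its tag.
    log {
        filter { tags("bruteforce"); };
        destination(d_alerts);
    };
};
```

The comparison in having() uses the numerical `>=` operator rather than the string operator `ge`, which matters because "10" is numerically greater than "5" but sorts before it as a string.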
You can define configuration objects inline, where they are actually used, without having to define them as separate, named objects. This is useful for objects you need only once, for example, a filter or a rewrite rule, because it makes the configuration easier to read. Every object can be defined inline: sources, destinations, filters, parsers, rewrite rules, and so on. For details, see "Defining configuration objects inline" in the Administration Guide.
In syslog-ng PE 7, every configuration object is a log expression: it is essentially a configuration block that can contain multiple objects. To reference the block, reference only the top-level object. This lets you use embedded log statements, junctions, and inline object definitions within source, destination, filter, rewrite, and parser definitions. For example, a source can include a rewrite rule that modifies the messages it receives, and that combination can be used as a simple source in a log statement. For details, see "Using channels in configuration objects" in the Administration Guide.
To make the configuration more readable, and to help avoid misconfiguration, you can use human-readable units when setting configuration options, for example, log-fifo-size(2Mb). For details, see "Notes about the configuration syntax" in the Administration Guide.
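The configuration below is an added example (not from the release notes or the product documentation) that puts the three syntax features above together: a source that carries its own rewrite rule in a channel, objects defined inline at the point of use, and human-readable units for size options. Ports, paths and the filter expressions are assumptions for the example.

```conf
# Added example, not syslog-ng PE's own documentation.

@version: 7.0

options {
    log-msg-size(64KiB);   # human-readable unit; raises the 8192-byte PE 7 default
    log-fifo-size(2Mb);    # instead of 2097152
};

# A source that is itself a log expression: every message received on TCP/514
# is tagged with its input source before any log statement sees it, so the
# combination can be referenced as a plain source below.
source s_net {
    channel {
        source { network(transport("tcp") port(514)); };
        rewrite { set("tcp514" value("INPUT_SOURCE")); };
    };
};

# Everything that is needed only once is defined inline.
log {
    source(s_net);
    filter { level(warning..emerg); };
    parser { syslog-parser(); };
    destination { file("/var/log/net-warnings.log"); };
    # Embedded log statement: authentication failures additionally go to their
    # own file and stop further processing in this log path.
    log {
        filter { message("authentication failure"); };
        destination { file("/var/log/net-auth-failures.log"); };
        flags(final);
    };
};
```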
The default value of the log-msg-size() option is 8192 bytes instead of 65536. Messages longer than this limit are truncated, so increase it if your sources emit longer messages.
The skip-cluster-health-check() option is available for the elasticsearch2() destination. For details, see "Elasticsearch2 destination options (DEPRECATED)" in the Administration Guide.
The qdisk-dir option of syslog-ng PE 6 is not available as a command-line option in syslog-ng PE 7; use the dir() option of disk-buffer() in the configuration of the destination instead.
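As an added example (not from the release notes or the product documentation), the destination below shows where the former --qdisk-dir setting goes in syslog-ng PE 7: into the dir() option of disk-buffer(). The server name, port, certificate directory and buffer size are assumptions for the example.

```conf
# Added example, not syslog-ng PE's own documentation.

@version: 7.0

destination d_central {
    syslog("logserver.example.com" transport("tls") port(6514)
        tls(
            ca-dir("/etc/syslog-ng/ca.d")      # CA certificates used to verify the server
            peer-verify(required-trusted)      # refuse to send logs to an unverified peer
        )
        disk-buffer(
            dir("/var/lib/syslog-ng/disk-buffer")   # replaces --qdisk-dir from PE 6
            reliable(yes)                            # messages survive a crash, at the cost of throughput
            disk-buf-size(1GiB)                      # human-readable unit
        )
    );
};
```

The directory given in dir() must exist and be writable by the user syslog-ng runs as, and it holds buffered messages in clear text, so restrict its permissions as you would the log files themselves.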
Several features and platforms that are available in syslog-ng Premium Edition 6 LTS are not yet available in syslog-ng PE 7. For details, see Differences in features between syslog-ng PE 6 LTS and 7.
The following is a list of features that have been removed from syslog-ng PE version 7.0.19.
Version 7.0.19 of syslog-ng PE does not support the Solaris operating system; consequently, the sun-streams() source is not available.
The following is a list of features that are no longer supported starting with version 7.0.19.
The following deprecated options have been removed from the mongodb() destination:
The following is a list of issues addressed in this release.
| Resolved Issue | Issue ID |
|---|---|
| OpenSSL upgraded to version 1.1.1d | SYSLOGDEV-5113 |
| File source cannot process new messages when the log-msg-size() option is increased after reading a longer message | SYSLOGDEV-5044 |
| The log_id() option is mandatory for the stackdriver() destination | SYSLOGDEV-4726 |
| Added the multi-line-timeout() option for the file source | SYSLOGDEV-3830 |
| Resolved Issue | Issue ID |
|---|---|
| Configuration objects preceded by an inline destination are ignored | SYSLOGDEV-4975 |
| The loggen tool does not run when installed from the .run installer into a custom directory | SYSLOGDEV-5001 |
| Monitoring source does not set the log level correctly | SYSLOGDEV-5026 |
| Memory leak when reading logstores | SYSLOGDEV-5036 |
| http() destination ignores the frac-digits() global setting | SYSLOGDEV-5057 |
| Resolved Issue | Issue ID |
|---|---|
| WEC: handle invalid UTF-16 characters gracefully | SYSLOGDEV-4182 |
| Fix TID reinitialization mechanism in ALTP during restart | SYSLOGDEV-4333 |
| splunk-hec(): fix an error in handling indexed fields | SYSLOGDEV-4689 |
| Fix persist structure during upgrade from PE version 6 | SYSLOGDEV-4787 |
| RPM upgrade overwrites WEC configuration | SYSLOGDEV-4812 |
| Reliable disk queue corruption fixes | SYSLOGDEV-4826 |
| ALTP ack_timeout fix | SYSLOGDEV-4835 |
| WEC: forwarded logs have incorrect hostname | SYSLOGDEV-4847 |
| OpenSSL upgraded to 1.0.2t | SYSLOGDEV-4981 |
| OpenSSL upgraded to 1.1.0l on Ubuntu Bionic | SYSLOGDEV-4982 |
| Resolved Issue | Issue ID |
|---|---|
| Crash in patterndb during context timeout | SYSLOGDEV-4945 |
| Memory leak in dbparser | SYSLOGDEV-4925 |
| OpenSSL upgraded to 1.1.0k on the Bionic platform | SYSLOGDEV-4831 |
| OpenSSL upgraded to 1.0.2s | SYSLOGDEV-4829 |
| syslog-ng hangs under high load | SYSLOGDEV-4745 |
| Incorrect numerical operators in filter statements | SYSLOGDEV-4785 |
| Bad quotation in splunk-hec() destination prevents load balancing from working correctly | SYSLOGDEV-4794 |
| http() destination should give a warning if workers() is less than urls() | SYSLOGDEV-4929 |
| geoip2 does not include the IP address in its error messages | SYSLOGDEV-4928 |
| Infinite loop during reload | SYSLOGDEV-4927 |
| Improve error handling in --preprocess-into | SYSLOGDEV-4926 |
| Reset timezone on configuration reload | SYSLOGDEV-4924 |
| Flushing destinations on reload is slow | SYSLOGDEV-4923 |
| Wildcard file source crashes | SYSLOGDEV-4922 |
| Resolved Issue | Issue ID |
|---|---|
| Crash in network source with ALTP due to idle timer | SYSLOGDEV-4711 |
| OpenSSL upgraded to 1.0.2r | SYSLOGDEV-4742 |
| http() destination stuck when reverting to old configuration | SYSLOGDEV-4747 |
| syslog-ng segmentation fault on statistics query | SYSLOGDEV-4759 |
| WEC: add list support to windowsevent-parser() | SYSLOGDEV-4789 |
| Resolved Issue | Issue ID |
|---|---|
| Fix loggen parameters | SYSLOGDEV-4684 |
| Fix seeking in logstore using the lgstool cat command | SYSLOGDEV-4680 |
| Empty disk queue truncate fix | SYSLOGDEV-4628 |
| Memory leak during reload when using the app-parser | SYSLOGDEV-4564 |
| Race condition during reload when using license-counter-reset | SYSLOGDEV-4540 |
| Resolved Issue | Issue ID |
|---|---|
| Non-reliable disk queue: fix false-positive corruption detection | SYSLOGDEV-4674 |
| dqtool falsely reported the disk queue as corrupted | SYSLOGDEV-4407 |
| Append $(basename) to filename template correctly | SYSLOGDEV-4673 |
| SSL: multiple ca-dir() related issues fixed | SYSLOGDEV-4669 |
| Fix frequent disconnects of the syslog() driver when using TLS | SYSLOGDEV-4667 |
| OpenSSL upgraded to 1.0.2q | SYSLOGDEV-4650 |
| File destination fd leak after reload when time-reap() elapsed | SYSLOGDEV-4609 |
| hdfs: fd leak during reload | SYSLOGDEV-4581 |
| tls: handle allow-compress() correctly | SYSLOGDEV-4580 |
| Socket leak when using udp() destination with spoof-source enabled | SYSLOGDEV-4552 |
© 2021 One Identity LLC. All rights reserved.