Chat now with support
Chat with Support

syslog-ng Premium Edition 7.0.20 - Release Notes

New features in syslog-ng PE 7.0.14

Google Stackdriver destination

The stackdriver destination of syslog-ng PE can send log messages to the Google Stackdriver cloud. Google Stackdriver is a widely used metrics, event, and log aggregator and analyzer system. For details, see "stackdriver: Sending logs to the Google Stackdriver cloud" in the Administration Guide.

Elasticsearch HTTP destination

Version 7.0.14 of syslog-ng PE can directly post log messages to an Elasticsearch deployment using the Elasticsearch Bulk API over the HTTP and Secure HTTP (HTTPS) protocols. For details, see "elasticsearch-http: Sending messages to Elasticsearch HTTP Event Collector" in the Administration Guide.

Windows Server 2019 logs

The Windows Event Collector application now supports Windows Server 2019.

  • The syslog-ng-ctl reload command now has a return value: 0 if the operation was successful, 1 otherwise.

  • Instead of dropping incoming messages that are too long, you can now trim them using the trim-large-messages() option of the syslog() source.

New features in syslog-ng PE 7.0.13

Linux Audit Parser

The Linux Audit Parser can parse the log messages of the Linux Audit subsystem (auditd). The syslog-ng PE application can separate these log messages to name-value pairs. For details, see "Linux audit parser" in the Administration Guide.

Processing arrays in Windows Eventlog messages

The windowsevent() source can now automatically process XML arrays, making the array elements available as name-value pairs. For example, the following XML array becomes available as name-value pairs:

<Event xmlns="">
    <Data Name="SubjectUserSid">S-1-5-18</Data>
    <Data Name="SubjectUserName">WIN-K1678A68SQ6$</Data>

Name-value pairs:
Event.System.EventID = 5059
Event.EventData.SubjectUserSid = S-1-5-18
Event.EventData.SubjectUserName = WIN-K1678A68SQ6$

For details, see "windowsevent: Collecting Windows event logs" in the Administration Guide.

Docker support

Installing the syslog-ng Premium Edition application in Docker containers is now officially supported on CentOS 7, Red Hat EL 7.5, and Ubuntu 18.04 (Bionic Beaver) platforms. For details, see "Installing syslog-ng in Docker" in the Administration Guide.

  • The persist-tool utility is now part of the syslog-ng PE package. For details, see the persist-tool manual page.

New features in syslog-ng PE 7.0.12

Send log messages directly to Splunk HEC

Version 7.0.12 of syslog-ng PE can directly post log messages to a Splunk deployment using the HTTP Event Collector (HEC) over the HTTP and Secure HTTP (HTTPS) protocols. The solution is optimized for performance, and supports sending messages in batch mode, multithreaded message sending, and load-balancing to multiple Splunk indexer nodes.

HTTPS connection, as well as password- and certificate-based authentication is supported. The content of the events is sent in JSON format.

For details, see "splunk-hec: Sending messages to Splunk HTTP Event Collector" in the Administration Guide.

Ubuntu 18.04 (Bionic Beaver) support

Version 7.0.12 of syslog-ng PE is now available on the Ubuntu 18.04 platform. Note that the Java-based drivers of syslog-ng PE (used for Apache Kafka, Elasticsearch, HDFS) require Java 8, Java 10 is not supported.

http() destination improvements

The http() destination now supports load balancing, so a single syslog-ng PE instance can feed log data to multiple HTTP servers, for example, multiple ingestion nodes of an Elasticsearch cluster. For details, see "Batch mode and load balancing" in the Administration Guide.

HTTP and HTTPS redirections now also handled automatically.

  • The syslog() and network() drivers now support the so-reuseport() option that allows multiple sockets on the same host to bind to the same port, improving the performance of multithreaded network server applications running on top of multicore systems.

  • The Cisco parser now supports Cisco Catalyst formatted triplets.

New features in syslog-ng PE 7.0.11

Write your own destination in Python

Extending syslog-ng PE in Python has been supported for several releases, but so far this feature was mostly undocumented. Now you can find more details about this feature in "python: writing custom Python destinations" in the Administration Guide.

Write your own message source in Python

Starting with syslog-ng PE version 7.0.11, you can write custom message sources in Python. Both server-style and fetcher-style sources are supported. For more details, see "python: writing server-style Python sources" in the Administration Guide and "python-fetcher: writing fetcher-style Python sources" in the Administration Guide.

Reset the license counter

You can now configure syslog-ng PE to reset the counter that stores the list of known hosts. That way, you can make syslog-ng PE forget old clients that do not exist anymore, and otherwise would be counted against the license limit. This is especially useful in large datacenters or cloud environments where the client hosts are deployed and removed frequently.

For details, see the "Global options" in the Administration Guide.

  • When hdfs-append-enabled is set to true, syslog-ng PE will append new data to the end of an already existing HDFS file. Note that in this case, archiving is automatically disabled, and syslog-ng PE will ignore the hdfs-archive-dir option.

  • New template functions are available: url-decode(), url-encode() and base64-encode(). For details, see "Template functions of syslog-ng PE" in the Administration Guide.

  • The syslog-ng-ctl config command can display the contents of the configuration file that syslog-ng PE is currently running.

Deprecated features

The elasticsearch() destination has been deprecated, because it supports only ElasticSearch version 1.x, which has been End-of-Life since January, 2017. Use the elasticsearch2() destination instead.

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating