
syslog-ng Premium Edition 7.0.20 - Release Notes

New features in syslog-ng PE 7.0.10

Send logs using the Advanced Log Transfer Protocol (ALTP)

Using the new Advanced Log Transfer Protocol (ALTP), you can send (and receive) log messages in a reliable way over the TCP transport layer. ALTP is a proprietary transport protocol that prevents message loss during connection breaks. The transport is used between syslog-ng PE hosts (for example, a client and a server, or a client-relay-server), and interoperates with the flow-control and reliable disk-buffer mechanisms of syslog-ng PE, thus providing the best way to prevent message loss.

ALTP is the successor of the Reliable Log Transport Protocol (RLTP) introduced in version 6 LTS. Starting with version 7.0.9, the syslog-ng PE application can receive messages sent using RLTP from hosts that are running version 6 of syslog-ng PE or the syslog-ng Agent for Windows application. Starting with version 7.0.10, syslog-ng PE can also send messages using ALTP to hosts that are running version 6, or at least version 7.0.9, of syslog-ng PE or the syslog-ng Agent for Windows application. For details, see "Advanced Log Transfer Protocol" in the Administration Guide.

An additional change regarding the Advanced Log Transfer Protocol is that the global flush-lines() option no longer affects the batch size of ALTP. Instead, a new ALTP option called batch-size() has been introduced. For details, see "ALTP options" in the Administration Guide.

Enhancements

Highlights of 7.0.9

Receive logs using the Advanced Log Transfer Protocol (ALTP)

With the new Advanced Log Transfer Protocol (ALTP), you can receive log messages in a reliable way over the TCP transport layer. ALTP is a proprietary transport protocol that prevents message loss during connection breaks. The transport is used between syslog-ng PE hosts (for example, a client and a server, or a client-relay-server), and interoperates with the flow-control and reliable disk-buffer mechanisms of syslog-ng PE, thus providing the best way to prevent message loss.

ALTP is the successor of the Reliable Log Transport Protocol (RLTP) introduced in version 6 LTS. Starting with version 7.0.9, the syslog-ng PE application can receive messages sent using RLTP from hosts that are running version 6 of syslog-ng PE or the syslog-ng Agent for Windows application. For details, see "Advanced Log Transfer Protocol" in the Administration Guide.

Easily receive and parse messages from remote hosts

The default-network-drivers() source is a special source that uses multiple source drivers to receive and parse several different types of syslog messages from the network. For details, see "default-network-drivers: Receive and parse common syslog messages" in the Administration Guide.

Transfer log messages and their key-value pairs between syslog-ng nodes

The Enterprise-wide message model (EWMM) allows you to deliver structured messages from the initial receiving syslog-ng component right up to the central log server, through any number of hops. It does not matter whether you parse the messages on the client, on a relay, or on the central server: their structured results will be available where you store the messages. Optionally, you can also forward the original raw message exactly as the first syslog-ng component in your infrastructure received it, which is important if you want to forward a message to, for example, a SIEM system. To make use of the enterprise-wide message model, you have to use the syslog-ng() destination on the sender side, and the default-network-drivers() source on the receiver side.

Clearer configuration using if, else, elif conditions

You can use if {}, elif {}, and else {} blocks to configure conditional expressions. For details, see "if-else-elif: Conditional expressions" in the Administration Guide.

Message parsing

syslog-ng PE version 7.0.9 includes parsers for the sudo and iptables applications.

Compliance and integration

You can now store and forward the incoming messages exactly as received using the store-raw-message source flag and the RAWMSG macro. These are especially useful if you are forwarding the messages to a SIEM, or if you have to preserve the original message for legal reasons. For details, see "Macros of syslog-ng PE" in the Administration Guide.
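The following central-server configuration is an added example (not taken from the release notes or the Administration Guide) that combines the 7.0.9 receiver-side features described above: the default-network-drivers() source, the store-raw-message flag with the $RAWMSG macro for a SIEM copy, if/elif conditions, and the sudo and iptables parsers. The parser names sudo-parser() and iptables-parser(), and passing flags() through default-network-drivers(), are assumed from the Administration Guide naming; the host names and file paths are constructed.

```conf
# Added example: central log server receiving common syslog dialects.
@version: 7.0
@include "scl.conf"

source s_net {
    # Listens on the standard RFC3164/RFC5424 ports over UDP, TCP and TLS.
    # store-raw-message keeps the unparsed line in $RAWMSG (flags() passed
    # through this source is assumed; verify against the Administration Guide).
    default-network-drivers(flags(store-raw-message));
};

# Application parsers shipped with 7.0.9 (names assumed from the guide).
parser p_sudo { sudo-parser(); };
parser p_iptables { iptables-parser(); };

destination d_structured {
    # Parsed name-value pairs are available here as macros, e.g. ${sudo.USER}.
    file("/var/log/structured.log"
         template("${ISODATE} ${HOST} ${PROGRAM} ${MSG}\n"));
};

destination d_siem {
    # Forward the message exactly as this first hop received it, for
    # evidence preservation; constructed SIEM host name.
    network("siem.example.com" port(514) template("${RAWMSG}\n"));
};

log {
    source(s_net);
    # Route to the right parser without a separate log path per application.
    if (program("sudo")) {
        parser(p_sudo);
    } elif (program("kernel") and match("IN=" value("MESSAGE") type("pcre"))) {
        parser(p_iptables);
    };
    destination(d_structured);
    destination(d_siem);
};
```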

Enhancements

Highlights of 7.0.8

Client-side failover

The failover-servers() option of the network() and syslog() destinations is now available in syslog-ng PE version 7.

For more information, see "Client-side failover" in the Administration Guide.

New log path flag: drop-unmatched

A new log path flag, drop-unmatched, has been added. The new flag causes messages to be dropped along a log path when they do not match a filter or are discarded by a parser. For details, see "Log path flags" in the Administration Guide.

Support for Elasticsearch's Shield security discontinued

Elasticsearch deleted the Shield .jar files required for syslog-ng PE to work with Shield, so support for Shield has been removed.

Support for POSIX regular expressions discontinued

Support for POSIX regular expressions has been removed. All "posix" regular expressions are automatically switched to "pcre". In case you have POSIX regular expressions configured, ensure that your regexps work with PCRE, and also specify type("pcre") explicitly.
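The client-side configuration below is an added example (not from the release notes or the Administration Guide) that ties together the 7.0.8 items above (failover-servers(), the drop-unmatched log path flag, and an explicit type("pcre") on a filter) with the 7.0.10 ALTP sending feature and its batch-size() option. The option name transport("altp") on the syslog-ng() destination is assumed from the Administration Guide naming; verify it for your version. Host names and sizes are constructed.

```conf
# Added example: client forwarding only authentication events to a central
# server over ALTP, with failover relays and a reliable disk buffer.
@version: 7.0
@include "scl.conf"

source s_local { system(); internal(); };

filter f_auth {
    # Regular expressions used to default to POSIX; since 7.0.8 they are
    # treated as PCRE, so state the type explicitly and use PCRE syntax.
    match("(?i)authentication (failure|success)"
          value("MESSAGE") type("pcre"));
};

destination d_central {
    syslog-ng(
        # Primary server, then relays tried in order when it is unreachable.
        server("relay1.example.com")
        failover-servers("relay2.example.com", "relay3.example.com")
        # ALTP transport (option name assumed); batch-size() replaces the
        # global flush-lines() for ALTP batching since 7.0.10.
        transport("altp")
        batch-size(1000)
        # Reliable disk buffer so a connection break does not lose messages.
        disk-buffer(reliable(yes) disk-buf-size(1073741824))
    );
};

log {
    source(s_local);
    filter(f_auth);
    destination(d_central);
    # Messages that fail f_auth are dropped here instead of falling through
    # to any later log path that also reads s_local.
    flags(drop-unmatched);
};
```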

Highlights of 7.0.7

Logstore destination

The logstore() destination that was available only in syslog-ng PE version 6 is now available in version 7.0.7, allowing you to store messages in encrypted files.

For more information, see "logstore: Storing messages in encrypted files" in the Administration Guide.

Password-protected private keys

Starting with syslog-ng PE version 7.0.7, you can use password-protected private keys in the network() and syslog() source and destination drivers.

For more information, see "Password-protected keys" in the Administration Guide.
