Syslog-ng 4.0 – where log management is heading
2023-07-03, 17:05–17:40 (Europe/Paris), Amphitheater

After 13 years, a new major release of the syslog-ng logging application is available. Previously, syslog-ng handled all data as text. Syslog-ng 4.0 can associate the proper type information with data parsed from log messages. You can use type information for comparisons within syslog-ng, and for storing data in various destinations, like Elasticsearch or MongoDB. Type support enables more precise filtering, and thus real-time security alerting in syslog-ng, and easier searching and reporting in databases. I give a quick overview of the major new syslog-ng 4 features and show with examples how these improve security at your organization.

After 13 years, a new major release of syslog-ng is available. Syslog-ng 4.0 brings type support and many additional enhancements. This presentation gives you an overview of some of the larger syslog-ng 4 features, and shows why type support is a major enhancement, improving both operations and security.

Why is type information important? Many filters in syslog-ng use comparisons, and if you compare numbers as strings, 1000 is smaller than 90, because the character "1" precedes "9". With type information, syslog-ng compares numbers as numbers and gets the correct result. Filters are what drive real-time alerting within syslog-ng, so correct type information here also means better alerting possibilities, for both operations and security.

Previously, syslog-ng handled all data parsed from log messages as text. However, even when a value arrives as text, in practice it can be a number, a boolean value or a list. Some syslog-ng parsers can now detect and preserve the type of data parsed into name-value pairs. You can also add type information to name-value pairs manually.

Name-value pairs from message parsing, filters and templates were already a major feature of the syslog-ng 3 series. Type support in version 4.0 significantly enhances their usability.

Previously, by default, syslog-ng sent all values as text, even when type information was available at the moment the log message entered syslog-ng. In some cases you could set type information manually, or you could map types on the destination side, for example in Elasticsearch. Now you can store name-value pairs with the correct type information directly.

If logs are sent as text, the receiving end often handles them as text. It means, for example, that you cannot create graphs from numbers sent as text. Sending name-value pairs with proper type information makes it possible for the receiving end to properly use the embedded values.
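The following syslog-ng 4 configuration is an added illustration of the points above (typed parsing, type-aware comparison for alerting, manual type casting, and typed output for a JSON-consuming destination). It is not taken from the talk or its slides and is not the project's own example. The sample JSON event, the port, the prefix name and the file path are constructed for the illustration; the int64() cast in set() and the unquoted numeric literal in the filter are written from memory of the 4.0 type-hint and comparison syntax and should be checked against the syslog-ng 4 documentation before use.

```text
@version: 4.0
@include "scl.conf"

# Constructed sample input, one JSON object per TCP line, e.g.
#   {"event":"login","user":"alice","bytes":1000,"failed_attempts":12,"mfa":false}
# flags(no-parse) keeps the whole line as ${MESSAGE} for the JSON parser.
source s_app { network(ip("127.0.0.1") port(5514) transport("tcp") flags(no-parse)); };

# In 4.0 json-parser() preserves JSON types: bytes and failed_attempts
# become integers and mfa a boolean, instead of everything becoming text.
parser p_json { json-parser(prefix("app.")); };

# Type-aware comparison: ${app.failed_attempts} is an integer, so 12 > 9 holds.
# Compared as strings, "12" would sort before "9" ("1" precedes "9") and the
# alert would silently never fire. (Numeric literal syntax: assumed, verify.)
filter f_bruteforce { "${app.failed_attempts}" > 9; };

# Manually typed name-value pair (cast syntax assumed, verify): force the
# severity number to an integer so comparisons and JSON output treat it as one.
rewrite r_cast { set(int64("${LEVEL_NUM}") value("severity_num")); };

# format-json writes each pair with its type: numbers and booleans unquoted,
# strings quoted, so a JSON store can index them without a manual mapping.
# Swap file() for elasticsearch-http() or mongodb() to ship the same document.
destination d_alerts {
    file("/var/log/syslog-ng/alerts.jsonl"
        template("$(format-json --scope rfc5424 --key app.* --key severity_num)\n"));
};

log {
    source(s_app);
    parser(p_json);
    rewrite(r_cast);
    filter(f_bruteforce);
    destination(d_alerts);
};
```

With the sample line above, the expected alert record carries "failed_attempts":12 and "mfa":false as a JSON number and boolean rather than as strings, which is the difference a downstream dashboard or search query can act on; for a comparison that must also match on type, 4.0 additionally offers the strict === and !== operators.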

Syslog-ng already provides a lot of run-time information for monitoring purposes. Current developments both extend the information available and make it easier to understand. Support for Prometheus is underway.

See also: slides

Peter is an engineer working as open source evangelist at Balabit (a One Identity business), the company that developed syslog-ng. He assists distributions in maintaining the syslog-ng package, follows bug trackers, helps users and talks regularly about sudo and syslog-ng at conferences (SCALE, All Things Open, FOSDEM, LOADays, and others). In his limited free time he is interested in non-x86 architectures, and works on one of his PPC or ARM machines.
