Syslog-ng

syslog-ng
Original author(s)	Balázs Scheidler
Initial release	1998
Stable release	4.8.0 / 23 July 2024;10 days ago
Repository	github.com/syslog-ng/syslog-ng ;
Operating system	Unix-like
Type	System logging
License	Core: LGPL ; Plugins: GPLv2 ;
Website	www.syslog-ng.com/products/open-source-log-management/

Last updated August 03, 2024

syslog-ng is a free and open-source implementation of the syslog protocol for Unix and Unix-like systems. It extends the original syslogd model with content-based filtering, rich filtering capabilities, flexible configuration options and adds important features to syslog, like using TCP for transport. Syslog-ng is developed in the Budapest office of One Identity LLC. It has three editions with a common codebase. The first is called syslog-ng, also referred as syslog-ng Open Source Edition (OSE) with the license LGPL + GPLv2. The second is called syslog-ng Premium Edition (PE) and has additional plugins (modules) under a proprietary license. The third is called syslog-ng Storebox (SSB), which comes as an appliance with a Web-based UI as well as additional features including ultra-fast-text search, unified search, content-based alerting and a premier tier support.^[2]

Protocol

syslog-ng uses the standard BSD syslog protocol, specified in RFC 3164. As the text of RFC 3164 is an informational description and not a standard, some incompatible extensions of it emerged. Since version 3.0 syslog-ng also supports the syslog protocol specified in RFC 5424. syslog-ng interoperates with a variety of devices, and the format of relayed messages can be customized.

Extensions to the original syslog-ng protocol include:

ISO 8601 timestamps with millisecond granularity and time zone information
The addition of the name of relays in additional host fields, to make it possible to track the path of a given message
Reliable transport using TCP
TLS encryption (Since 3.0.1 in OSE ^[3])

History

The syslog-ng project began in 1998, when Balázs Scheidler, the primary author of syslog-ng, ported the existing nsyslogd code to Linux. The 1.0.x branch of syslog-ng was still based on the nsyslogd sources and are available in the syslog-ng source archive. ^[4]

Right after the release of syslog-ng 1.0.x, a reimplementation of the code base started to address some of the shortcomings of syslog and to address the licensing concerns of Darren Reed, the original syslog author. This reimplementation was named stable in the October 1999 with the release of version 1.2.0. This time around, syslog-ng depended on some code originally developed for lsh by Niels Möller.

Three major releases (1.2, 1.4 and 1.6) were using this code base, the last release of the 1.6.x branch in February 2007. In this period of about 8 years, syslog-ng became one of the popular alternative syslog implementations.

In a volunteer based effort, yet another rewrite was started back in 2001, dropping lsh code and using the more widely available GLib library. This rewrite of the codebase took its time, the first stable release of 2.0.0 happened in October 2006.

Development efforts were focused on improving the 2.0.x branch; support for 1.6.x was dropped at the end of 2007. Support for 2.x was dropped at the end of 2009, but it is still used in some Linux distributions.^[5]^[6] Balabit, the company behind syslog-ng, started a parallel, commercial fork of syslog-ng, called syslog-ng Premium Edition. Portions of the commercial income are used to sponsor development of the free version.

Syslog-ng version 3.0 was released in the fourth quarter of 2008.

Starting with the 3.0 version developments efforts were parallel on the Premium and on the Open Source Editions. PE efforts were focused on quality, transport reliability, performance and encrypted log storage. The Open Source Edition efforts focused on improving the flexibility of the core infrastructure to allow more and more different, non-syslog message sources.

The syslog-ng 3.X series brought many major changes to syslog-ng without breaking backwards compatibility. Syslog-ng became modular and multi-threaded. Support for various document stores and message queuing systems was added. Many message types are now automatically parsed and turned into name-value-pairs. Extending syslog-ng using Java and Python became possible.

Version 4.0 of syslog-ng was released in December, 2022. The main version number change was necessary due to a major change in type support for name-value pairs, which was incompatible with the 3.X series. It allows more precise filtering and sending data with proper type information to databases and document stores. While syslog-ng PE is based on the open-source edition, its version numbering is completely independent of it.

Features

syslog-ng provides a number of features in addition to transporting syslog messages and storing them in plain text log files:

The ability to format log messages using Unix shell-like variable expansion (can break cross-platform log format compatibility)
The use of this shell-like variable expansion when naming files, covering multiple destination files with a single statement
The ability to send log messages to local applications
Support for message flow-control in network transport
Logging directly into a database (since syslog-ng OSE 2.1)
Rewrite portions of the syslog message with set and substitute primitives (since syslog-ng OSE 3.0)
Classify incoming log messages and at the same time extract structured information from the unstructured syslog message (since syslog-ng OSE 3.0)
Generic name–value support: each message is just a set of name–value pairs, which can be used to store extra information (since syslog-ng OSE 3.0)
The ability to process structured message formats transmitted over syslog, like extract columns from CSV formatted lines (since syslog-ng OSE 3.0)
The ability to correlate multiple incoming messages to form a more complex, correlated event (since syslog-ng OSE 3.2);^[7]

Distributions

syslog-ng is available on a number of different Linux and Unix distributions. Some install it as the system default, or provide it as a package that replaces the previous standard syslogd. Several Linux distributions that used syslog-ng have replaced it with rsyslog.^{[ citation needed ]}

openSUSE used it as default prior to openSUSE 11.2, and is still available
SLES used it prior to SUSE Linux Enterprise Server 12
Debian GNU/Linux used syslogd and klogd prior to 5.0; post-5.0 ("Lenny"), rsyslog is used^[8]
Gentoo Linux
Fedora used it prior to Fedora 10
Arch Linux used it as default prior to the adoption of systemd in 2012
Hewlett-Packard's HP-UX
FreeBSD port
A Cygwin port is available for Microsoft Windows

Portability

syslog-ng is highly portable to many Unix systems, old and new alike. A list of the currently known to work Unix versions are found below:

Linux on i386, ARM, PowerPC, SPARC and x86-64 CPUs
FreeBSD 7.x - 9.x on i386 and x86-64 CPUs
AIX 5, 6 and 7 on IBM Power microprocessors
HP-UX 11iv1, 11iv2 and 11iv3 on PA-RISC and Itanium CPUs
Solaris 8, 9, 10 on SPARC, x86-64 and i386 CPUs
Tru64 5.1b on Alpha CPUs

The list above is based on BalaBit's current first hand experience, other platforms may also work, but your mileage may vary.

Related RFCs & working groups

RFC 3164 - The BSD syslog protocol
RFC 5424 - The Syslog Protocol
RFC 5425 - Transport Layer Security (TLS) Transport Mapping for Syslog
RFC 5426 - Transmission of Syslog Messages over UDP

Related Research Articles

Berkeley DB (BDB) is an embedded database software library for key/value data, historically significant in open-source software. Berkeley DB is written in C with API bindings for many other programming languages. BDB stores arbitrary key/data pairs as byte arrays and supports multiple data items for a single key. Berkeley DB is not a relational database, although it has database features including database transactions, multiversion concurrency control and write-ahead logging. BDB runs on a wide variety of operating systems, including most Unix-like and Windows systems, and real-time operating systems.

IA-32 is the 32-bit version of the x86 instruction set architecture, designed by Intel and first implemented in the 80386 microprocessor in 1985. IA-32 is the first incarnation of x86 that supports 32-bit computing; as a result, the "IA-32" term may be used as a metonym to refer to all x86 versions that support 32-bit computing.

The Intel 386, originally released as 80386 and later renamed i386, is a 32-bit microprocessor designed by Intel. The first pre-production samples of the 386 were released to select developers in 1985, while mass production commenced in 1986. The processor was a significant evolution in the x86 architecture, extending a long line of processors that stretched back to the Intel 8008. The 386 was the central processing unit (CPU) of many workstations and high-end personal computers of the time. The 386 began to fall out of public use starting with the release of the i486 processor in 1989, while in embedded systems the 386 remained in widespread use until Intel finally discontinued it in 2007.

The Secure Shell Protocol (SSH) is a cryptographic network protocol for operating network services securely over an unsecured network. Its most notable applications are remote login and command-line execution.

In computing, Physical Address Extension (PAE), sometimes referred to as Page Address Extension, is a memory management feature for the x86 architecture. PAE was first introduced by Intel in the Pentium Pro, and later by AMD in the Athlon processor. It defines a page table hierarchy of three levels (instead of two), with table entries of 64 bits each instead of 32, allowing these CPUs to directly access a physical address space larger than 4 gigabytes (2³² bytes).

In Unix computing, Ion is a tiling and tabbing window manager for the X Window System. It is designed such that it is possible to manage windows using only a keyboard, without needing a mouse. It is the successor of PWM and is written by the same author, Tuomo Valkonen. Since the first release of Ion in the summer 2000, similar alternative window management ideas have begun to show in other new window managers: Larswm, ratpoison, StumpWM, wmii, xmonad and dwm.

Xen is a free and open-source type-1 hypervisor, providing services that allow multiple computer operating systems to execute on the same computer hardware concurrently. It was originally developed by the University of Cambridge Computer Laboratory and is now being developed by the Linux Foundation with support from Intel, Citrix, Arm Ltd, Huawei, AWS, Alibaba Cloud, AMD, Bitdefender and epam.

Unified Extensible Firmware Interface is a specification that defines the architecture of the platform firmware used for booting the computer hardware and its interface for interaction with the operating system. Examples of firmware that implement the specification are AMI Aptio, Phoenix SecureCore, TianoCore EDK II, InsydeH2O. UEFI replaces the BIOS which was present in the boot ROM of all personal computers that are IBM PC compatible, although it can provide backwards compatibility with the BIOS using CSM booting. Intel developed the original Extensible Firmware Interface (EFI) specification. Some of the EFI's practices and data formats mirror those of Microsoft Windows. In 2005, UEFI deprecated EFI 1.10.

W^X is a security feature in operating systems and virtual machines. It is a memory protection policy whereby every page in a process's or kernel's address space may be either writable or executable, but not both. Without such protection, a program can write CPU instructions in an area of memory intended for data and then run those instructions. This can be dangerous if the writer of the memory is malicious. W^X is the Unix-like terminology for a strict use of the general concept of executable space protection, controlled via the mprotect system call.

Technical variations of Linux distributions include support for different hardware devices and systems or software package configurations. Organizational differences may be motivated by historical reasons. Other criteria include security, including how quickly security upgrades are available; ease of package management; and number of packages available.

Interix was an optional, POSIX-conformant Unix subsystem for Windows NT operating systems. Interix was a component of Windows Services for UNIX, and a superset of the Microsoft POSIX subsystem. Like the POSIX subsystem, Interix was an environment subsystem for the NT kernel. It included numerous open source utility software programs and libraries. Interix was originally developed and sold as OpenNT until purchased by Microsoft in 1999.

In computing, syslog is a standard for message logging. It allows separation of the software that generates messages, the system that stores them, and the software that reports and analyzes them. Each message is labeled with a facility code, indicating the type of system generating the message, and is assigned a severity level.

inetd is a super-server daemon on many Unix systems that provides Internet services. For each configured service, it listens for requests from connecting clients. Requests are served by spawning a process which runs the appropriate executable, but simple services such as echo are served by inetd itself. External executables, which are run on request, can be single- or multi-threaded. First appearing in 4.3BSD, it is generally located at /usr/sbin/inetd. inetd is based on the (service) activator pattern

The following tables compare general and technical information between a number of notable IRC client programs which have been discussed in independent, reliable prior published sources.

BioLinux is a term used in a variety of projects involved in making access to bioinformatics software on a Linux platform easier using one or more of the following methods:

In computer security, executable-space protection marks memory regions as non-executable, such that an attempt to execute machine code in these regions will cause an exception. It makes use of hardware features such as the NX bit, or in some cases software emulation of those features. However, technologies that emulate or supply an NX bit will usually impose a measurable overhead while using a hardware-supplied NX bit imposes no measurable overhead.

Rsyslog is an open-source software utility used on UNIX and Unix-like computer systems for forwarding log messages in an IP network. It implements the basic syslog protocol, extends it with content-based filtering, rich filtering capabilities, queued operations to handle offline outputs, support for different module outputs, flexible configuration options and adds features such as using TCP for transport.

Rainer Gerhards is a German software engineer, network engineer, and protocol designer best known for his Computer data logging work including Rsyslog and Reliable Event Logging Protocol. He began developing Rsyslog in 2004, to forward log messages in an Internet Protocol Network from UNIX and Unix-like computer systems. In 1988, Gerhards founded the company RG Informationssysteme, which was later rebranded as Adiscon GmbH in 1997.

<span class="mw-page-title-main">Octopussy (software)</span> Log analysis software

Octopussy, also known as 8Pussy, is a free and open-source computer-software which monitors systems, by constantly analyzing the syslog data they generate and transmit to such a central Octopussy server. Therefore, software like Octopussy plays an important role in maintaining an information security management system within ISO/IEC 27001-compliant environments.

NXLog is a multi-platform log management solution that allows to collect logs from various sources, filter log events, transform log data and route (forward) it to different destinations. It's available both as a free-of-charge NXLog Community Edition and as a commercial NXLog Enterprise Edition with enhanced capabilities, including agent management.

References

↑ "Release 4.8.0". 23 July 2024. Retrieved 28 July 2024.
↑ "Syslog-ng - Log Management Solutions".
↑ "Changelog 3.0.1" . Retrieved 2009-01-21.
↑ "Interview: syslog-ng 2.0 developer Balázs Scheidler" . Retrieved 2024-07-31.
↑ "Debian syslog-ng package" . Retrieved 2011-11-11.
↑ "SLES syslog-ng documentation" (PDF). Archived from the original (PDF) on 2011-08-13. Retrieved 2011-11-11.
↑ "Correlating lo messages with syslog-ng" . Retrieved 2011-11-11.
↑ "Chapter 2. What's new in Debian GNU/Linux 5.0" . Retrieved 2010-05-22.

This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.

[wikidata-f21039cb0499e98f7ca39d66c49dcce97642a107-v13-1] "Release 4.8.0". 23 July 2024. Retrieved 28 July 2024.

[2] "Syslog-ng - Log Management Solutions".

[3] "Changelog 3.0.1" . Retrieved 2009-01-21.

[4] "Interview: syslog-ng 2.0 developer Balázs Scheidler" . Retrieved 2024-07-31.

[5] "Debian syslog-ng package" . Retrieved 2011-11-11.

[6] "SLES syslog-ng documentation" (PDF). Archived from the original (PDF) on 2011-08-13. Retrieved 2011-11-11.

[7] "Correlating lo messages with syslog-ng" . Retrieved 2011-11-11.

[8] "Chapter 2. What's new in Debian GNU/Linux 5.0" . Retrieved 2010-05-22.

[1]

[2]

[3]

[4]

[5]

[6]

[7]

[8]