Syslog-ng

Last updated
syslog-ng
Original author(s) Balázs Scheidler
Initial release1998
Stable release
4.8.3 [1]   OOjs UI icon edit-ltr-progressive.svg / 12 May 2025;50 days ago (12 May 2025)
Repository
Operating system Unix-like
Type System logging
License
Website www.syslog-ng.com/products/open-source-log-management/   OOjs UI icon edit-ltr-progressive.svg

syslog-ng is a free and open-source implementation of the syslog protocol for Unix and Unix-like systems. It extends the original syslogd model with content-based filtering, rich filtering capabilities, flexible configuration options and adds important features to syslog, like using TCP for transport. Syslog-ng is developed in the Budapest office of One Identity LLC. It has three editions with a common codebase. The first is called syslog-ng, also referred as syslog-ng Open Source Edition (OSE) with the license LGPL + GPLv2. The second is called syslog-ng Premium Edition (PE) and has additional plugins (modules) under a proprietary license. The third is called syslog-ng Storebox (SSB), which comes as an appliance with a Web-based UI as well as additional features including ultra-fast-text search, unified search, content-based alerting and a premier tier support. [2]

Contents

In January 2018, syslog-ng, as part of Balabit, was acquired by One Identity under the Quest Software umbrella. The syslog-ng team remains an independent business within the One Identity organization and continues under the syslog-ng brand.

In May 2024, the original author of syslog-ng, Balázs Scheidler, forked syslog-ng and launched AxoSyslog, a fully open-source, drop in replacement that develops syslog-ng into a generic security data processor, integrating it with various cloud native tools and services.

Protocol

syslog-ng supports a wide variety of protocols to receive or send log data. While its origins are in syslog, today it supports modern, cloud native transports such as OpenTelemetry (OTLP), Google PubSub or Kafka. syslog-ng interoperates with a variety of devices, and is capable of consuming and transforming data between various sources and destinations.

Extensions to the original syslog-ng protocol include:

History

The syslog-ng project began in 1998, when Balázs Scheidler, the primary author of syslog-ng, ported the existing nsyslogd code to Linux. The 1.0.x branch of syslog-ng was still based on the nsyslogd sources and are available in the syslog-ng source archive. [4]

Right after the release of syslog-ng 1.0.x, a reimplementation of the code base started to address some of the shortcomings of syslog and to address the licensing concerns of Darren Reed, the original syslog author. This reimplementation was named stable in the October 1999 with the release of version 1.2.0. This time around, syslog-ng depended on some code originally developed for lsh by Niels Möller.

Three major releases (1.2, 1.4 and 1.6) were using this code base, the last release of the 1.6.x branch in February 2007. In this period of about 8 years, syslog-ng became one of the popular alternative syslog implementations.

In a volunteer based effort, yet another rewrite was started back in 2001, dropping lsh code and using the more widely available GLib library. This rewrite of the codebase took its time, the first stable release of 2.0.0 happened in October 2006.

Development efforts were focused on improving the 2.0.x branch; support for 1.6.x was dropped at the end of 2007. Support for 2.x was dropped at the end of 2009, but it is still used in some Linux distributions. [5] [6] Balabit, the company behind syslog-ng, started a parallel, commercial fork of syslog-ng, called syslog-ng Premium Edition. Portions of the commercial income are used to sponsor development of the free version.

Syslog-ng version 3.0 was released in the fourth quarter of 2008.

Starting with the 3.0 version developments efforts were parallel on the Premium and on the Open Source Editions. PE efforts were focused on quality, transport reliability, performance and encrypted log storage. The Open Source Edition efforts focused on improving the flexibility of the core infrastructure to allow more and more different, non-syslog message sources.

The syslog-ng 3.X series brought many major changes to syslog-ng without breaking backwards compatibility. Syslog-ng became modular and multi-threaded. Support for various document stores and message queuing systems was added. Many message types are now automatically parsed and turned into name-value-pairs. Extending syslog-ng using Java and Python became possible.

Version 4.0 of syslog-ng was released in December, 2022. The main version number change was necessary due to a major change in type support for name-value pairs, which was incompatible with the 3.X series. It allows more precise filtering and sending data with proper type information to databases and document stores.

While syslog-ng PE is based on the open-source edition, its version numbering is completely independent of it.

Features

syslog-ng provides a number of features in addition to transporting syslog messages and storing them in plain text log files:

Distributions

syslog-ng is available on a number of different Linux and Unix distributions. Some install it as the system default, or provide it as a package that replaces the previous standard syslogd. Several Linux distributions that used syslog-ng have replaced it with rsyslog.[ citation needed ]

Portability

syslog-ng is highly portable to many Unix systems, old and new alike. A list of the currently known to work Unix versions are found below:

The list above is based on BalaBit's current first hand experience, other platforms may also work, but your mileage may vary.

See also

References

  1. "Release 4.8.3". 12 May 2025. Retrieved 1 June 2025.
  2. "syslog-ng - Log Management Solutions". www.syslog-ng.com. Retrieved 2024-09-09.
  3. "Changelog 3.0.1" . Retrieved 2009-01-21.
  4. "Interview: syslog-ng 2.0 developer Balázs Scheidler" . Retrieved 2024-07-31.
  5. "Debian syslog-ng package" . Retrieved 2011-11-11.
  6. "SLES syslog-ng documentation" (PDF). Archived from the original (PDF) on 2011-08-13. Retrieved 2011-11-11.
  7. "Correlating lo messages with syslog-ng" . Retrieved 2011-11-11.
  8. "Chapter 2. What's new in Debian GNU/Linux 5.0" . Retrieved 2010-05-22.