Insider 2018-08: 3.16 & 3.17; Splunk; IoT security; Telegram; Throttling

Dear syslog-ng users,

This is the 68th issue of syslog-ng Insider, a monthly newsletter that brings you syslog-ng-related news.


syslog-ng 3.16 & 3.17 are released

Versions 3.16 and 3.17 of syslog-ng are now available. Support for sending log messages to Telegram was added. When failover is enabled, you can also use failback mode, which sends your logs to your primary log server again as soon as it is available.

For a complete list of changes, check

For binary packages, check

Using the syslog-ng Store Box (SSB) in front of Splunk

The syslog-ng application has been used for many years as a log collection layer in front of Splunk. But why use a full-blown log management appliance like SSB with a graphical user interface instead of a simple command line application? I learned the answers at Red Hat Summit while talking to my fellow Balabit engineers and booth visitors.

IoT security: logging

Recently, SANS published a brand new white paper about the Internet of Things: “Stopping IoT-based Attacks on Enterprise Networks”. IoT devices have been around in enterprise networks for many years: just think about network-connected printers. But recently, both the number and variety of these devices have skyrocketed, and enterprises now have to embrace everything from BYOD phones to smart lamps. In this blog post, I would like to highlight a critical aspect of how you can protect your organization from potential IoT-based attacks: logging.

Telegram destination in syslog-ng

Getting started with the Telegram destination of syslog-ng is not an easy and straightforward process, but it is well worth the effort. If you do not know Telegram yet, it is a cloud-based messaging application known for its security and speed. Best of all, it is a free app without ads. No wonder that Telegram is also used by many system administrators. With the Telegram destination of syslog-ng, introduced in version 3.16, we intend to help your work as a sysadmin: you can now receive critical log messages in real time on your mobile or desktop Telegram client.

hook-commands: easy driver setup

The hook-commands() option of syslog-ng makes it easy to execute external commands when a driver is started or stopped. For example, you can open a port in the firewall when a network source is started and close it once syslog-ng is shut down. You could also run a command each time syslog-ng is reloaded. From this blog, you can learn how to start and stop auditing file system changes using auditctl from syslog-ng, then collect, parse and filter the results, and finally send them to Elasticsearch for storage and further analysis.

Throttling log messages

One of the main advantages of syslog-ng is that it offers high performance with low resource usage. Why throttle the messages then? There are three main reasons (licensing, performance, and bandwidth), all outside of syslog-ng. From this blog, you can learn how to identify use cases for the throttling of log messages, read about a possible drawback, and finally get a sample configuration.

Your feedback and news, or tips about the next issue are welcome at