Recently I visited two conferences: LOADays and Red Hat Summit. They both focus on open source software, but similarities end there. LOADays in Antwerp is small, free and focuses on Linux administrators. The Red Hat Summit in Boston is huge, expensive and covers a wide variety of topics, including administration among many others. No matter of the differences, both are among my favorite events.
Why sudo? Last year Balabit, the company where I work, was acquired by One Identity. Todd Miller, developer of sudo became my colleague. I was happy to see another open source software around. I read sudo and learned that it has many more features than I knew about, even if I have been using it for decades. So, next to syslog-ng I started to evangelize sudo as well, demonstrating how much more it can be than a simple prefix to administrative commands.
At LOADays I gave a talk about sudo with the title: “What you most likely did not know about sudo…”. Based on the reactions the title was the right choice for the majority of people in the room.
Of course as syslog-ng evangelist I also included a few slides about syslog-ng in my sudo talk. What does it have to do with sudo? Alerting in sudo is limited to e-mail. It works fine, but it is kind of old-fashioned. Using syslog-ng you can send alerts to a wide variety of destinations. In my talk I showed how syslog-ng automatically parses sudo logs and how it can send alerts to Slack if a given user uses sudo to run commands as administrator.
After my talk I received many questions about both software, even the day after. Of course the majority of them focused on different sudo features, but some people wanted to learn more about supported destinations of syslog-ng or how to extend it to support a new one. The Python bindings made it easy to answer, as practically almost all network services have a Python API available.
Red Hat Summit
As about two thirds of syslog-ng users run their software on Red Hat Enterprise Linux (or CentOS), this is by far our most important platform. That is why syslog-ng had a booth at the Red Hat Summit. Almost last minute we got the idea to include sudo too, and it turned out to be a good one. The two together attracted a more visitors and led to very good discussions.
Talking to hundreds of people of course there were many returning questions. Here I list some of the top syslog-ng questions – of course with answers :)
What is the difference between syslog-ng and Splunk? It is like comparing apples and oranges. Even if syslog-ng can do basic log analysis, the focus is central log collection. With Splunk it’s just the other way around: it can do basic log collection, but really shines at analyzing log messages. They are often used together, as they complement each other. Learn more about it from: https://www.syslog-ng.com/community/b/blog/posts/optimize-your-splunk-infrastructure-using-new-syslog-ng-features
Does syslog-ng run in a containerized environment? Yes, of course. You can run your syslog-ng server in a container and can collect logs of the host or from other containers as well. Originally tested using Docker, but the new container tools by Red Hat also work fine. I tested buildah, podman and skopeo as well: https://www.syslog-ng.com/community/b/blog/posts/building-and-running-a-syslog-ng-container-using-the-latest-tools
Can syslog-ng be used as a log collection layer in front of my SIEM? Yes, of course. There are many successful implementations in front of ArcSight, Splunk, QRadar and others. You can optimize your SIEM using syslog-ng: you collect and save all the incoming log messages using syslog-ng to comply with regulations and also parse and filter them to make sure that only relevant log messages reach your SIEM system. It can help you to save considerably both on hardware and licensing costs, as SIEM systems require a lot more resources for the same amount of logs and licensing is often based on the amount of log messages. Learn more about it from https://www.syslog-ng.com/techbrieft/use-case-optimizing-siem8133006/
Is syslog-ng available for RHEL? Yes, it is. An older version of syslog-ng is available in EPEL. For more recent versions you can use my unofficial repos: https://www.syslog-ng.com/community/b/blog/posts/installing-latest-syslog-ng-on-rhel-and-other-rpm-distributions. RHEL 8 was announced during the conference. Once I was back from the conference, I tried to package syslog-ng for it, but Copr – where I build my RPM packages – has only limited support for RHEL 8, so my packages will arrive at a later time.
Is Prometheus supported by syslog-ng? There are multiple solutions for this by the syslog-ng community. It is on my ToDo list to check them out: https://twitter.com/PCzanik/status/1126549756988284928
What is new in syslog-ng? That was easy to answer, as I collected that information into a blog just before starting my conference tour: https://www.syslog-ng.com/community/b/blog/posts/syslog-ng-is-coming-to-red-hat-summit
If you have questions or comments related to syslog-ng, do not hesitate to contact us. You can reach us by email or you can even chat with us. For a list of possibilities, check our GitHub page under the “Community” section at https://github.com/balabit/syslog-ng. On Twitter, I am available as @PCzanik.