Upgrading syslog-ng PE from version 6 to 7

Learn the major steps necessary to upgrade your system from syslog-ng Premium Edition version 6 to 7. As you will see, it is no more difficult than any other major software version upgrade, and after the upgrade you can start using all the new and useful features that are available in version 7.

Version 7 of syslog-ng Premium Edition (PE) brought quite a lot of changes compared to version 6. The main reason for this was that the syslog-ng PE source code was synchronized with syslog-ng Open Source Edition (OSE), and initially many of the PE-specific features were unavailable in version 7. It also meant that a direct upgrade from version 6 to 7 was not possible.

There are many new features in syslog-ng PE version 7, and most of the old features are available again. Because of this, people started to upgrade their old installations, and an easy upgrade between the two versions became an important topic. Obviously, as with any major software upgrade, there are some limitations, but you do not need to start an installation from scratch if you want to migrate from syslog-ng PE version 6 to 7.

Making upgrades easy required two major changes in syslog-ng PE 7. One is backwards compatibility with the old way of configuring features, together with warning messages about what has changed. The other is properly handling the persist file – a file containing internal syslog-ng data, such as the position up to which syslog-ng has already read a source – left behind by the old syslog-ng version. Starting with syslog-ng PE 7.0.17, both are handled properly.

Before you begin

Before you start downloading anything from the One Identity website, make sure that you read the release notes. There are two major groups of changes that might affect your migration process:

  • There is a change in the supported platforms. Unlike PE 6, which also supports Windows and a number of UNIX variants, PE 7 only supports 64-bit Linux at the moment. FIPS-compliant packages are not available. Note that PE 7 has a component that allows you to fetch Windows event logs without installing an agent. For details, see the Windows Event Collector Administration Guide at https://support.oneidentity.com/technical-documents/syslog-ng-premium-edition/windows-event-collector-administration-guide/

  • Not all of the PE 6 features are available in PE 7 (for example, the SQL source is missing). Some features are available, but not all of their original options are (for example, read-old-records() is missing from the file source). For a detailed list, see the Release Notes (http://support.oneidentity.com/technical-documents/syslog-ng-premium-edition/release-notes/release-notes/differences-in-features-between-syslog-ng-pe-6-lts-and-7)

Once you are aware of the changes and know that your features and your platform are supported, go ahead and download the latest version of syslog-ng PE 7. At the time of writing it is version 7.0.17 (for a smooth upgrade experience, I recommend using the latest available version). Make sure that you also download your license file, otherwise you cannot use the server features of syslog-ng PE.

Testing

If you are really adventurous, you can go ahead and upgrade to syslog-ng PE 7 without reading the release notes. But in this case be prepared for extended downtime :)

For the rest of us, it is recommended to do some testing before installing syslog-ng PE 7 in production. This way you can minimize downtime on your production server, as configuration testing and editing is done in a test environment.

  1. Install syslog-ng PE 7 on a test machine.

  2. Copy the syslog-ng configuration from your PE 6 machine and overwrite the syslog-ng PE 7 configuration with it.

  3. Edit the first line of the configuration and change the version string to 7.0.
    Now you are ready to check your configuration for problems.

  4. Run your freshly installed syslog-ng application with the -s option, which verifies that the configuration is syntactically correct, prints any problems, and exits. You can use the information from the release notes and the syntax check to edit your configuration.

Once there are no more warning messages (or you do not expect real problems from the remaining warnings), the next step is testing syslog-ng with logs to check that it works as expected. Start syslog-ng and send some logs to it. You can use the logger utility to send individual test messages, or the loggen utility bundled with syslog-ng to send a large number of synthetic messages to syslog-ng for benchmarking. You can also do some close-to-real-world testing by configuring one of your clients to send its logs to the test server as well.
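The testing steps above, as a small set of POSIX shell helpers. This is an added example, not code from the original post or from syslog-ng PE itself; it assumes PE is installed under /opt/syslog-ng (the path the post uses) with its binary at /opt/syslog-ng/sbin/syslog-ng, which you can override with SYSLOG_NG_BIN.

```shell
#!/bin/sh
# Added example (not from the original post or the syslog-ng project):
# helpers for preparing a PE 6 configuration for the PE 7 syntax check and
# for sending test messages once syslog-ng PE 7 is running.
# Assumption: the PE 7 binary lives at /opt/syslog-ng/sbin/syslog-ng;
# set SYSLOG_NG_BIN if your installation uses a different path.

# Copy a PE 6 configuration to a new file, rewriting its "@version: X.Y"
# line to "@version: 7.0". The PE 6 file itself is left untouched, so you
# still have it for comparison while working through the warnings.
bump_version() {
    cfg_in="$1"; cfg_out="$2"
    sed '/^@version:/s/^@version:[[:space:]]*[0-9][0-9.]*/@version: 7.0/' \
        "$cfg_in" > "$cfg_out"
}

# Return 0 if the configuration already declares version 7.0.
is_version_7() {
    grep -q '^@version:[[:space:]]*7\.0' "$1"
}

# Run the PE 7 syntax check: -s parses the configuration, prints any
# problems and exits. The function returns syslog-ng's own exit status,
# so it can be used directly in an if or && chain.
syntax_check() {
    "${SYSLOG_NG_BIN:-/opt/syslog-ng/sbin/syslog-ng}" -s -f "$1"
}

# Send N tagged test messages through the local syslog socket with logger,
# so you can confirm that they reach every destination in the expected
# format. For volume or benchmark tests use loggen instead, as the post says.
send_test_messages() {
    n="${1:-5}"; i=1
    while [ "$i" -le "$n" ]; do
        logger -t pe7-upgrade-test "PE 7 upgrade test message $i of $n"
        i=$((i + 1))
    done
}
```

Typical use on the test machine: `bump_version pe6.conf /opt/syslog-ng/etc/syslog-ng.conf && syntax_check /opt/syslog-ng/etc/syslog-ng.conf`, then start syslog-ng and run `send_test_messages 10` while watching the destinations.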

Note that if you integrate syslog-ng with any other software, such as a SIEM or Elasticsearch, you should also double-check that the output formatting works as expected.

Upgrading

Now that your configuration does not give any more warnings and even the test messages arrive as expected and in the right format, it’s time to do the actual upgrade.

  1. First of all – as a general precaution – create a backup of your old syslog-ng directory (/opt/syslog-ng).

  2. Also make sure that the configuration prepared during testing is copied to the production machine.

  3. You can now uninstall syslog-ng PE 6.

  4. Once syslog-ng PE 6 is removed, install PE 7. The new version of syslog-ng is started automatically at the end of installation.

  5. Copy the fully tested configuration into place and restart syslog-ng to make the configuration live. Check your logs to verify that syslog-ng started correctly. By now everything should work as expected.

As you can see, upgrading from syslog-ng PE 6 to PE 7 is not difficult any more. Download syslog-ng PE 7 now: https://www.syslog-ng.com/products/log-management-software/
