The syslog-ng application is not log analysis software. It can filter log messages and select only the ones matching certain criteria. It can even convert the messages and restructure them to a predefined format, or parse the messages and segment them into different fields. But syslog-ng cannot interpret and analyze the meaning behind the messages, or recognize patterns in the occurrence of different messages.
Log messages contain information about the events happening on the hosts. Monitoring system events is essential for security and system health monitoring reasons.
The original syslog protocol separates messages based on the priority of the message and the facility sending the message. These two parameters alone are often inadequate to consistently classify messages, as many applications might use the same facility, and the facility itself is not even included in the log message. To make things worse, many log messages contain unimportant information. The syslog-ng application helps you to select only the really interesting messages, and forward them to a central server.
Company policies or other regulations often require log messages to be archived. Storing the important messages in a central location greatly simplifies this process.
Version 3.22 of syslog-ng Open Source Edition includes the following main features.
Starting with version
As a result of these changes the log-fifo-size() option only affects log paths that are not flow-controlled. It is expected that after configuring the dynamic message window, you can decrease the value of log-fifo-size(). For details, see "Managing incoming and outgoing messages with flow-control" in the Administration Guide.
Flow control and the log-fifo-size() option works differently starting with syslog-ng OSE
The new behavior is automatically enabled when you update your the @version string in your configuration file. Consider lowering the value of log-fifo-size() option after updating the @version string. For details, see "Managing incoming and outgoing messages with flow-control" in the Administration Guide.
You can now send SNMP traps directly from syslog-ng OSE using the snmp() destination driver. For details, see "snmp: Sending SNMP traps" in the Administration Guide.
A new template function called template can resolve static and dynamic templates in template functions. For example, the name of the template to be invoked can be extracted from the message, or from a name-value pair set using the add-contextual-data() feature. For details, see "Template functions of syslog-ng OSE" in the Administration Guide.
Numerical template functions can now handle floating-point numbers. For details, see the ceil, floor, numerical operations, and round template functions.
HTTP-based destinations can now accept multiple URLs in various formats.
The message rate of the loggen command can be changed while loggen is running. Send SIGUSR1 to double the message rate, or SIGUSR2 to halve it, for example: kill -USR1 <loggen-pid>
The Check Point Log Exporter parser can now parse Check Point log messages in the Splunk format. For details, see "Check Point Log Exporter parser" in the Administration Guide.
New constants are available in the fetch method of the Python source. For details, see "python-fetcher: writing fetcher-style Python sources" in the Administration Guide.
Global option can be defined in reusable blocks. For details, see "Reusing configuration blocks" in the Administration Guide.
The date-parser() now supports microseconds (%f). For details, see "Options of date-parser() parsers" in the Administration Guide.
The value of add-contextual-data() selectors can be a template or a template function, not only a string. For details, see "Adding metadata from an external file" in the Administration Guide.
The syslog-ng application is used worldwide by companies and institutions who collect and manage the logs of several hosts, and want to store them in a centralized, organized way. Using syslog-ng is particularly advantageous for:
Internet Service Providers
Financial institutions and companies requiring policy compliance
Server, web, and application hosting companies
Wide area network (WAN) operators
Server farm administrators.