Syslog-ng

From Wikipedia, the free encyclopedia

syslog-ng
Original author(s) Balázs Scheidler
Initial release 1998
Stable release 3.0.5 (December 3, 2009)
Operating system Unix-like
Type System logging
Website http://www.balabit.com/network-security/syslog-ng/

syslog-ng is an open source implementation of the Syslog protocol for Unix and Unix-like systems. It extends the original syslogd model with content-based filtering, flexible configuration options and transport features the original lacks, such as reliable delivery over TCP.


Protocol

syslog-ng speaks the quasi-standard BSD syslog protocol described in RFC 3164. Because RFC 3164 is an informational document that only describes observed behaviour, rather than a standard that mandates it, various incompatible extensions of it emerged. syslog-ng tries hard to interoperate with a wide variety of devices, and the format of relayed messages can be customized.

The most important extensions of the original protocol supported by syslog-ng are:

  • ISO 8601 timestamps with millisecond granularity and timezone information
  • the addition of relay names to the host field, so the path a given message has traversed can be tracked
  • reliable transport using TCP
  • TLS encryption (since 3.0.1 in OSE [1])
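As an added example (not taken from the article or from the syslog-ng project's own documentation), the following syslog-ng 3.0-style configuration turns on the extensions listed above: ISO 8601 timestamps, hostname chaining, and TCP with TLS in place of the plain UDP of the original protocol. The client and collector halves are two separate configuration files shown together; hostnames, ports and certificate paths are assumed for illustration.

```conf
@version: 3.0

# Added example: a client that forwards its logs and a collector that
# receives them. Hostnames, ports and certificate paths are placeholders.

options {
    ts_format(iso);          # ISO 8601 timestamps with milliseconds and timezone
    chain_hostnames(yes);    # each relay adds its own name to the host field
    keep_hostname(yes);      # keep the hostname the sender put in the message
    check_hostname(yes);     # drop hostnames with characters unsafe for paths
    use_dns(no);             # no reverse lookups on the receive path
};

# ---- client side ----
source s_local {
    unix-dgram("/dev/log");
    internal();
};

# Legacy BSD syslog: UDP/514, no delivery guarantee, no integrity and no
# authentication of the peer. Shown only as the setting the TLS destination
# below replaces; do not use it for anything that leaves the host.
destination d_legacy_udp {
    udp("collector.example.net" port(514));
};

# Reliable and authenticated: TCP with TLS. The collector's certificate must
# chain to a CA in ca_dir(), and the client presents its own certificate so
# the collector can verify it in turn.
destination d_tls {
    tcp("collector.example.net" port(6514)
        tls(
            ca_dir("/etc/syslog-ng/ca.d")
            key_file("/etc/syslog-ng/cert.d/client.key")
            cert_file("/etc/syslog-ng/cert.d/client.crt")
            peer_verify(required-trusted)
        )
    );
};

log { source(s_local); destination(d_tls); };

# ---- collector side ----
source s_tls {
    tcp(ip(0.0.0.0) port(6514)
        tls(
            ca_dir("/etc/syslog-ng/ca.d")
            key_file("/etc/syslog-ng/cert.d/collector.key")
            cert_file("/etc/syslog-ng/cert.d/collector.crt")
            peer_verify(required-trusted)   # reject clients without a trusted cert
        )
    );
};

# One file per originating host; $HOST is message-supplied, which is why
# check_hostname(yes) is set above before it is used in a path.
destination d_remote {
    file("/var/log/remote/$HOST/messages"
        template("$ISODATE $HOST $PROGRAM[$PID]: $MSG\n")
        create_dirs(yes) dir_perm(0750) perm(0640));
};

log { source(s_tls); destination(d_remote); };
```

peer_verify(required-trusted) on both sides is the setting that matters: with optional or untrusted modes a peer without a valid certificate is still accepted, which gives encryption on the wire but no assurance about who is sending or receiving the logs.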

History

The syslog-ng project began in 1998, when Balázs Scheidler, the primary author of syslog-ng, ported the existing nsyslogd code to Linux. The 1.0.x branch of syslog-ng was still based on the nsyslogd sources and is still available in the syslog-ng source archive.

Right after the release of syslog-ng 1.0.x, a reimplementation of the code base was started to address some of the shortcomings of nsyslogd and the licensing concerns of Darren Reed, the original nsyslogd author. This reimplementation was declared stable in October 1999 with the release of 1.2.0. This time around, syslog-ng depended on some code originally developed for lsh by Niels Möller.

Three major releases (1.2, 1.4 and 1.6) used this code base; the last release of the 1.6.x branch was made in February 2007. In this period of about 8 years, syslog-ng became one of the most popular alternative syslog implementations.

In a volunteer-based effort, yet another rewrite was started back in 2001, dropping the lsh code and using the more widely available GLib library. This rewrite of the code base took its time; the first stable release, 2.0.0, was made in October 2006.

Development efforts are focused on improving the 2.0.x branch; support for 1.6.x is expected to be dropped in the near future (as of May 2007). BalaBit, the company behind syslog-ng, started a parallel commercial fork of syslog-ng, called syslog-ng Premium Edition. Portions of the commercial income are used to sponsor development of the free version.

Syslog-ng version 3.0 was released in the fourth quarter of 2008.

Features

syslog-ng has a much larger scope than merely transporting syslog messages and storing them in plain text log files. It can:

  • format log messages using UNIX shell-like variable expansion;
  • use the same shell-like variable expansion when naming files, thus covering thousands of destination files with a single statement;
  • send log messages to local applications;
  • log directly into a database (since syslog-ng OSE 2.1);
  • rewrite portions of the syslog message with the set and substitute primitives (since syslog-ng OSE 3.0);
  • classify incoming log messages and, at the same time, extract structured information from the unstructured syslog message (since syslog-ng OSE 3.0);
  • treat each message as a generic set of name-value pairs, which can be used to store extra information (since syslog-ng OSE 3.0);
  • process structured message formats transmitted over syslog, for example extracting columns from CSV-formatted lines (since syslog-ng OSE 3.0).
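As an added example (not from the article or from the syslog-ng project), one syslog-ng 3.0-style configuration exercising the features listed above: macro expansion in file names, a program() destination, an sql() destination, the set and subst rewrite primitives, and a csv-parser extracting name-value pairs from a structured message. The audit message format, the handler script path and the database credentials are assumed for illustration.

```conf
@version: 3.0

# Added example; paths, credentials and the audit line format are placeholders.
# Assumed audit line format, logged by a program named "audit":
#   user,action,target        e.g.  alice,login-failed,vpn-gw1

options { check_hostname(yes); };   # $HOST is used in paths below

source s_local { unix-dgram("/dev/log"); internal(); };

# Shell-like variable expansion in the file name: one statement yields one
# file per host, per program and per day. Restrictive modes keep the tree
# readable only by root and the log group.
destination d_split {
    file("/var/log/split/$HOST/$PROGRAM/$YEAR$MONTH$DAY.log"
        owner("root") group("adm") perm(0640)
        create_dirs(yes) dir_perm(0750)
        template("$ISODATE $HOST $PROGRAM[$PID]: $MSG\n"));
};

# Send messages to a local application (hypothetical handler script).
destination d_alert {
    program("/usr/local/bin/alert-handler"
        template("$ISODATE $HOST ${AUDIT.USER} ${AUDIT.ACTION} ${AUDIT.TARGET}\n"));
};

# Log directly into a database (since OSE 2.1); the table name is expanded
# too, giving one table per day.
destination d_sql {
    sql(type(pgsql)
        host("127.0.0.1") username("syslog") password("change-me")
        database("logs")
        table("audit_${YEAR}${MONTH}${DAY}")
        columns("datetime varchar(32)", "host varchar(64)",
                "audit_user varchar(64)", "action varchar(32)",
                "target varchar(64)", "message text")
        values("$ISODATE", "$HOST", "${AUDIT.USER}", "${AUDIT.ACTION}",
               "${AUDIT.TARGET}", "$MSG")
        indexes("datetime", "host", "audit_user"));
};

# Rewrite (since OSE 3.0): subst() masks secrets that applications sometimes
# leak into their logs; set() stores a new name-value pair on the message.
rewrite r_sanitize {
    subst("password=[^ ]*", "password=<redacted>", value("MESSAGE") flags("global"));
    set("audit-collector", value("PROCESSED_BY"));
};

# Extract structured fields from the CSV line (since OSE 3.0). The extracted
# values come from the sender and are used only in templates and filters,
# never in file paths: "../" in a user name would otherwise walk the tree.
parser p_audit {
    csv-parser(columns("AUDIT.USER", "AUDIT.ACTION", "AUDIT.TARGET")
               delimiters(",")
               flags(escape-none)
               template("${MESSAGE}"));
};

filter f_audit  { program("audit"); };
filter f_failed { match("failed" value("AUDIT.ACTION")); };

log { source(s_local); destination(d_split); };
log { source(s_local); filter(f_audit); parser(p_audit); rewrite(r_sanitize);
      destination(d_sql); };
log { source(s_local); filter(f_audit); parser(p_audit); filter(f_failed);
      destination(d_alert); };
```

The second and third log paths show the ordering that matters: the parser runs before any filter or destination that refers to the AUDIT.* names, and the rewrite runs before the database write so that a leaked secret never reaches the table.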

Distributions

syslog-ng is part of a number of different GNU/Linux and Unix distributions. Some distributions install it as the default system logger, others only provide a package and an upgrade path from the standard syslogd.

Among others:

Portability

syslog-ng is highly portable to a number of UNIX systems, old and new alike. The UNIX versions currently known to work are listed below:

The list above is based on BalaBit's current first hand experience, other platforms may also work, but your mileage may vary.

Related RFCs & working groups

References

  1. "Changelog 3.0.1", http://www.balabit.com/downloads/files/syslog-ng/open-source-edition/3.0.1/changelog-en.txt, retrieved 2009-01-21.
