Whenever I present syslog-ng at a conference or I stand next to a booth, people often ask me why they should use syslog-ng instead of one of its competitors. So let me summarize what the users and developers of syslog-ng typically consider as its most important values. Documentation: Yes, I know, this is not syslog-ng itself. However, talking to some of our most active and loyal users, one common feedback was that they had chosen syslog-ng because of the quality of its documentation.| peter.czanik.hu
The August syslog-ng newsletter is now on-line: "Deprecating Java-based drivers from syslog-ng: Is HDFS next?", "Your first steps configuring syslog-ng", and "Prometheus exporter in syslog-ng". It is available at https://www.syslog-ng.com/community/b/blog/posts/the-syslog-ng-insider-2025-08-hdfs-configuration-prometheus | peter.czanik.hu
Recently, several people have asked me about the syslog-ng project’s view on artificial intelligence. In short, there is cautious optimism: we embrace AI, but it does not take over any critical tasks from humans. But what does this mean for syslog-ng? Read more at https://www.syslog-ng.com/community/b/blog/posts/syslog-ng-development-and-ai | Random thoughts of Peter 'CzP' Czanik
There are multiple syslog protocols with multiple variants. The new transport(auto) option of the syslog() source in syslog-ng allows you to support all TCP-based variants with a single source driver. When it comes to syslog, there are many transport options. RFC3164 describes the “legacy” or “BSD” syslog protocol, while RFC5424 refers to the “new” syslog protocol (which is also more than a decade old now… :-) ). RFC5424-formatted messages normally come with framing or octet cou...| Random thoughts of Peter 'CzP' Czanik
Last year, I wrote a small configuration snippet for syslog-ng: FreeBSD audit source. I published it in a previous blog, and based on feedback, it is already used in production. And soon, it will also be available as part of a syslog-ng release. As an active FreeBSD user and co-maintainer of the sysutils/syslog-ng port for FreeBSD, I am always happy to share FreeBSD-related news. Last year, we improved directory monitoring and file reading on FreeBSD and MacOS.| peter.czanik.hu
The June syslog-ng newsletter is now on-line: "Installing nightly syslog-ng arm64 packages on a Raspberry Pi", "Working with One Identity Cloud PAM Linux agent logs in syslog-ng", and "Testing the new syslog-ng wildcard-file() source options on Linux". It is available at https://www.syslog-ng.com/community/b/blog/posts/the-syslog-ng-insider-2025-06-arm64-pam-testing | peter.czanik.hu
While most Java-based drivers were deprecated in syslog-ng years ago, we have recently removed all of them in preparation for syslog-ng 4.9.0. Right now, the only Java-based driver remaining is HDFS, so we want to ask the syslog-ng community whether they still need the HDFS destination. Read more at https://www.syslog-ng.com/community/b/blog/posts/deprecating-java-based-drivers-from-syslog-ng-is-hdfs-next | Random thoughts of Peter 'CzP' Czanik
Last year, syslog-ng 4.8.0 improved the wildcard-file() source on FreeBSD and MacOS. Version 4.9.0 will do the same for Linux by using inotify for file and directory monitoring, resulting in faster performance while using significantly less resources. This blog is a call for testing the new wildcard-file() source options before release. Read more at https://www.syslog-ng.com/community/b/blog/posts/testing-the-new-syslog-ng-wildcard-file-source-options-on-linux | peter.czanik.hu
One Identity Cloud PAM is one of the latest security products by One Identity. It provides asset management as well as secure and monitored remote access for One Identity Cloud users to hosts on their local network. Last year, I showed you how to collect One Identity Cloud PAM Network Agent log messages on Windows and create alerts when somebody connects to a host on your local network using PAM Essentials. This time, I will show you how to work with the Linux version of the Network Agent.| Random thoughts of Peter 'CzP' Czanik
Finally, a new syslog-ng release! As you can see from its version number, this is a bug fix release. It took a bit longer than expected, as we wanted to release it in sync with syslog-ng PE, the commercial variant of syslog-ng. 4.8.2 serves not just as the foundation of the new syslog-ng PE release, but also provides fixes to 4.8.1, which is included in major Linux distributions. This update ensures that all our recent bug fixes reach the majority of our users.| peter.czanik.hu
While no dates are set in stone yet, we expect a couple of syslog-ng releases in the near future. As version 4.8.1 is used in major Linux distributions and has a couple of known bugs, we will release 4.8.2 to address those. However, we are also working on 4.9.0, which will bring many changes. Read more at https://www.syslog-ng.com/community/b/blog/posts/a-call-for-testing-the-upcoming-syslog-ng-releases | peter.czanik.hu
From my previous Active Roles blogs, you could learn how to forward regular Active Roles logs from Windows Event Log to a central syslog-ng server, where it parses, filters, stores and forwards the logs. In this blog, I show you how to work with Active Roles debug logs, that is reading them using syslog-ng Agent for Windows and forwarding them to a central syslog-ng server for long(er) term storage. Debug logs are typically huge and the Active Roles debug logs are no exceptions, so you must m...| Random thoughts of Peter 'CzP' Czanik
The April syslog-ng newsletter is now on-line: "Testing Elasticsearch 9.0.0 beta1 with syslog-ng", "Working with parsed Active Roles logs in syslog-ng", and "Running syslog-ng PE in RHEL UBI". It is available at https://www.syslog-ng.com/community/b/blog/posts/the-syslog-ng-insider-2025-04-elasticsearch-beta-active-roles-rhel-ubi | peter.czanik.hu
Last week, I posted about running nightly syslog-ng container images on arm64. However, you can also install syslog-ng directly on the host (in my case, a Raspberry Pi 3), running the latest Raspberry OS. Read more at https://www.syslog-ng.com/community/b/blog/posts/installing-nightly-syslog-ng-arm64-packages-on-a-raspberry-pi | Random thoughts of Peter 'CzP' Czanik
Recently we enabled nightly syslog-ng builds and container builds for arm64. It means that from now on, you can run the latest syslog-ng on 64-bit ARM platforms. For this test, I used a Raspberry Pi 3 running the latest Raspberry Pi OS. As I use Podman everywhere else (I am an openSUSE / Fedora guy), I also installed it here for container management. Read more at https://www.syslog-ng.com/community/b/blog/posts/nightly-arm64-syslog-ng-container-builds-are-now-available | peter.czanik.hu
For many years, the development of syslog-ng happened on the master branch in Git. However, if you follow that branch, you might have noticed that there has not been much activity on it lately. That is because we introduced a new branch in git called “develop”. https://www.syslog-ng.com/community/b/blog/posts/introducing-the-develop-branch-of-the-syslog-ng-git-repo | peter.czanik.hu
The March syslog-ng newsletter is now on-line: "Test syslog-ng on EPEL 10!", "Collecting Active Roles logs centrally using the syslog-ng Windows Agent", and "syslog-ng OSE 4.8.1 is now in EPEL 10, quick fix for Elasticsearch". It is available at https://www.syslog-ng.com/community/b/blog/posts/the-syslog-ng-insider-2025-03-epel-10-elasticsearch-active-roles | peter.czanik.hu
In my previous One Identity Active Roles blog, you learned how to forward Active Roles logs to a central syslog-ng server to parse and store the logs. In this blog, I’ll show you how to: work with parsed Active Roles logs; store logs to various document stores; prepare long-term storage; send alerts for some critical events. Even if this blog is about commercial software, the name-value pairs concept I describe in this blog in depth is the same in the open source syslog-ng.| peter.czanik.hu
One Identity Active Roles allows you to easily and securely manage Active Directory (AD), Entra ID and M365 Identity objects. While Active Roles stores its log messages into Windows Event Log, most log management and log analytics applications expect to receive log messages over the syslog protocol. This is where syslog-ng Premium Edition (PE) can help you. The syslog-ng Windows Agent can collect and forward Active Roles log messages from Windows Event Log, while the syslog-ng server can coll...| peter.czanik.hu
The December syslog-ng newsletter is now on-line: "A syslog-ng container image based on Alpine Linux", "Call for testing: syslog-ng in openSUSE Leap 16.0", and "Experimental syslog-ng container image based on Alma Linux". It is available at https://www.syslog-ng.com/community/b/blog/posts/the-syslog-ng-insider-2025-01-alpine-linux-leap-16-0-alma-linux | peter.czanik.hu
Last December, I added support for EPEL 10 in my unofficial syslog-ng Git snapshot repository. This week, I call for testing the official syslog-ng EPEL 10 package. Once I saw in my unofficial syslog-ng repo that syslog-ng compiles fine on EPEL 10, I also started to work on the official package. I hit a roadblock immediately: ivykis (a mandatory dependency of syslog-ng) was missing from EPEL 10. So, right before the Christmas holidays, I submitted two missing dependencies I maintain (ivykis a...| peter.czanik.hu
CentOS Stream 10 and EPEL 10 just became available, and as usual, I tried to build syslog-ng as soon as possible. For now it is available in my git snapshot repository, but I am also planning to make it available in EPEL 10 soon. Read more at https://www.syslog-ng.com/community/b/blog/posts/test-syslog-ng-on-epel-10 | peter.czanik.hu
The December syslog-ng newsletter is now on-line: "FreeBSD audit source for syslog-ng", "Version 4.8.1 of syslog-ng is now available", and "Where should I present syslog-ng and sudo?". It is available at https://www.syslog-ng.com/community/b/blog/posts/the-syslog-ng-insider-2024-12-freebsd-audit-4-8-1-conferences | peter.czanik.hu
Last week I introduced you to my latest project: a syslog-ng container based on Alma Linux. This week I added a syslog-ng Prometheus exporter to the container, so you can also monitor syslog-ng, if you enable it.| peter.czanik.hu
The official syslog-ng container image is based on Debian Stable. However, we’ve been getting requests for an RPM-based image for many years. So, I made an initial version available based on Alma Linux and now I need your feedback about it! This image uses the “init” variant of Alma Linux 9 containers as a base image. What does this mean? Well, it uses systemd service management inside, making it possible to run multiple services from a single container.| peter.czanik.hu
The November syslog-ng newsletter is now on-line: "A call for syslog-ng testing", "Working with Quickwit", and "Huge improvements for syslog-ng in MacPorts". It is available at https://www.syslog-ng.com/community/b/blog/posts/the-syslog-ng-insider-2024-11-testing-quickwit-macports | peter.czanik.hu
Last week, I submitted syslog-ng to openSUSE Leap 16.0. While the distro is still in a pre-alpha stage, everything already works for me as expected. Well, except for syslog-ng, where I found a number of smaller problems. As such, this blog is a call for testing, both for syslog-ng on openSUSE Leap 16.0 and also for the distribution itself. Read the rest at https://www.syslog-ng.com/community/b/blog/posts/call-for-testing-syslog-ng-in-opensuse-leap-16-0 | peter.czanik.hu
Recently, someone suggested I should check out Alpine Linux and prepare a syslog-ng container image based on it. While not supported by the syslog-ng project, an Alpine-based syslog-ng container image already exists as part of the Linuxserver project. Read more at https://www.syslog-ng.com/community/b/blog/posts/a-syslog-ng-container-image-based-on-alpine-linux | peter.czanik.hu
Recently I was asked the same question both at my workplace and at EuroBSDCon, the conference where I was presenting: where do you talk next? I had no definite answer. Of course, I am looking forward to the FOSDEM CfP, but I am also looking for new conferences to present syslog-ng and sudo. Do you have any recommendations? You can read the rest of my blog at https://www.syslog-ng.com/community/b/blog/posts/where-should-i-present-syslog-ng-and-sudo | peter.czanik.hu
The September syslog-ng newsletter is now available: "Improved FreeBSD and MacOS support in 4.8.0", "Setting the version number in the syslog-ng configuration", and "Switching containers from Debian Testing to Stable". You can read it at: https://www.syslog-ng.com/community/b/blog/posts/the-syslog-ng-insider-2024-10-4-8-0-release-version-number-debian-stable | peter.czanik.hu
Version 4.8.1 of syslog-ng was released last week. It is a bugfix release, and it contains fixes for problems also reported by members of the Fedora community. The Fedora 41 release is near, so package updates now need some additional testing, and “karma” in Bodhi. You can find information on how to install syslog-ng 4.8.1 from a testing repo on Fedora 41 beta at https://bodhi.fedoraproject.org/updates/FEDORA-2024-4e812b8a23. This is also the place where you can provide feedback and karma.| peter.czanik.hu
Two weeks ago, I was at EuroBSDcon and received a feature request for syslog-ng. The user wanted to collect FreeBSD audit logs together with other logs using syslog-ng. Writing a native driver in C is time consuming. However, creating an integration based on the program() source of syslog-ng is not that difficult. This blog shows you the current state of the FreeBSD audit source, how it works, and its limitations. It is also a request for feedback.| peter.czanik.hu
Last week I wrote about a campaign that we started to resolve issues on GitHub. Some of the fixes are coming from our enthusiastic community. Thanks to this, there is a new syslog-ng-devel port in MacPorts, where you can enable almost all syslog-ng features even for older MacOS versions and PowerPC hardware. Some of the freshly enabled modules include support for Kafka, GeoIP or OpenTelemetry. From this blog entry, you can learn how to install a legacy or an up-to-date syslog-ng version from ...| peter.czanik.hu
Sudo 1.9.16 is now out, containing mostly bug fixes. However, there are also some new features, like the json_compact option I wrote about a while ago. The other major change is that secure_path is now enabled by default in the sudoers file, and there is a new option to fine-tune its content. Read more at https://www.sudo.ws/posts/2024/09/why-sudo-1.9.16-enables-secure_path-by-default/ | peter.czanik.hu
The September syslog-ng newsletter is now on-line: "You can also contribute to the syslog-ng OSE documentation", "The $TRANSPORT macro of syslog-ng", and "Rolling RPM platforms added to the syslog-ng package build system". It is available at https://www.syslog-ng.com/community/b/blog/posts/the-syslog-ng-insider-2024-09-documentation-transport-macro-rolling-rpms | peter.czanik.hu
Last time we looked at how syslog-ng can send logs to Quickwit using its Elasticsearch compatible API. This time we are going to look at how to use the OpenTelemetry protocol to send logs to Quickwit with syslog-ng. Read more at https://www.syslog-ng.com/community/b/blog/posts/sending-logs-to-quickwit-using-the-opentelemetry-destination-of-syslog-ng | peter.czanik.hu
We are always looking for new ways to store log messages. Quickwit is a new contender, designed for log storage, and among others, it also provides an Elasticsearch-compatible API. From this blog, you can learn about Quickwit, and how to forward log messages from syslog-ng to it using the Elasticsearch-compatible API. Read more at https://www.syslog-ng.com/community/b/blog/posts/first-steps-with-quickwit-and-syslog-ng | peter.czanik.hu
For many years, the official syslog-ng container and development containers were based on Debian Testing. We are switching to Debian Stable now. Learn about the history and the reasons for the change now. Read more at https://www.syslog-ng.com/community/b/blog/posts/we-are-switching-syslog-ng-containers-from-debian-testing-to-stable | peter.czanik.hu
The August syslog-ng newsletter is now on-line: "Version 4.8.0 of syslog-ng improves FreeBSD and MacOS support", "syslog-ng Prometheus exporter", and "Experimental syslog-ng packages for Amazon Linux 2023". It is available at https://www.syslog-ng.com/community/b/blog/posts/the-syslog-ng-insider-2024-08-4-8-0-release-prometheus-amazon-linux | peter.czanik.hu