insider 2013-04: syslog-ng presentation at LOADays; New maintenance releases; Comment the Adminguide online

Dear syslog-ng users,

This is the 23rd issue of the syslog-ng Insider, a monthly newsletter that brings you syslog-ng related news.

FEATURED NEWS

syslog-ng presentation at LOADays

Peter Czanik of BalaBit gave a presentation at LOADays, a conference focusing on system administrators. It was about the major new features of the syslog-ng 3.X series including a few short demos of these features. Participants were most interested in patterndb, correlation and AMQP and asked about upcoming features.
The conference page is available at: http://loadays.org/
Blog about the event: http://czanik.blogs.balabit.com/2013/04/czp-loadays/

New maintenance releases

While most people are interested in new features, the syslog-ng team is also working on maintenance releases which fix problems in already released software. A new maintenance version was released for the 3.3 series a few days ago, and another one is expected to arrive soon for the 3.4 series.

Comment the Adminguide online!

As you might know, we publish The syslog-ng Open Source Edition Administrator Guide in three formats: PDF, single-page HTML, and many-page HTML. The many-page HTML version of the OSE 3.3 and 3.4 guides has a new feature: online commenting. That means that you can easily give us feedback on any section of the adminguide. For example, you did not understand how feature X works? Let us know! You have found a typo? Please add a comment at the bottom of the page so we can correct it! You have a better, real-life configuration example than the one in the guide? Add it as a comment! Or even worse, there are no examples where they would be needed? If you already have a working example, please share it with us!
Try it at https://www.balabit.com/sites/default/files/documents/syslog-ng-ose-3.4-guides/en/syslog-ng-ose-v3.4-guide-admin/html/ch01s01.html

BOOK OFFERING:

Logging and Log Management: The Authoritative Guide to Understanding the Concepts Surrounding Logging and Log Management

Effectively analyzing large volumes of diverse logs can pose many challenges. The recently published Logging and Log Management book helps to simplify this complex process using practical guidance and real-world examples, and is packed with the information you need to know for system, network and security logging. Log management and log analysis methods are covered in detail, including approaches to creating useful logs on systems and applications, log searching and log review.
Chapter 5 describes what syslog-ng is, and also gives some useful examples for deployment and configuration.
http://www.amazon.com/Logging-Log-Management-Authoritative-Understanding/dp/1597496359

SHORT NEWS

NEW RELEASES

Your feedback and news tips about the next issue are welcome at documentation(at)balabit.com.

ARCHIVE

http://insider.blogs.balabit.com/

syslog-ng Insider – March 2013

Dear syslog-ng users,

This is the 22nd issue of the syslog-ng Insider, a monthly newsletter that brings you syslog-ng related news.
Your feedback and news tips about the next issue are welcome at documentation(at)balabit.com

FEATURED NEWS

Video: networking scenarios and filters

There is a video series in the works to introduce the basics of syslog-ng. The third video is online now, which explains networking scenarios and filters. You can watch it at

Masking credit card numbers in log messages with syslog-ng

Compliance with various regulations has recently become increasingly important in logging as well. One of these, PCI-DSS, requires credit card numbers to be masked in logs. Our CTO describes how this can be achieved using the freshly released syslog-ng 3.4 at http://marci.blogs.balabit.com/2013/02/masking-credit-card-numbers-in-log-messages-with-syslog-ng/.

Brand new syslog-ng Superhero T-shirt available

The syslog-ng Superhero T-shirt was designed for open source fan geeks. Can’t wait to get one? Simply tell us which version of syslog-ng (OSE, PE or SSB) you use, and be our public syslog-ng reference. Please send an email to Peter Czanik for more information and don’t forget to include your t-shirt size. 😉

SHORT NEWS

  • openSUSE 12.3 was released yesterday and is the first Linux distribution to include syslog-ng 3.4.1

NEW RELEASES

ARCHIVE

http://insider.blogs.balabit.com/

syslog-ng Insider – February 2013

Dear syslog-ng users,

This is the 21st issue of the syslog-ng Insider, a monthly newsletter that brings you syslog-ng related news.
Your feedback and news tips about the next issue are welcome at documentation(at)balabit.com

FEATURED NEWS

Video: Basic building blocks of syslog-ng.conf

There is a video series in the works to introduce the basics of syslog-ng. The second video is online now, which explains the basic building blocks of syslog-ng.conf. You can watch it.

New videos will be published on the same Youtube channel. You are very welcome to subscribe to receive notifications about further syslog-ng videos and other interesting content.

syslog-ng 3.4.1 is released

Version 3.4.1 was released at the end of January. Compared to the RC2 release, it only has some minor bugfixes. This version brings many major new features to syslog-ng: junctions and channels to make syslog-ng configuration even more flexible, a community-contributed AMQP destination, and improved JSON support including a parser and many value-pairs related improvements. For more details, check Algernon’s blog.

At the time of this writing there are v3.4.1 packages for openSUSE and SLES, not only as 3rd party packages but also as part of the openSUSE 12.3 release. It’s also available for FreeBSD in the sysutils/syslog-ng-devel port, and already in Fedora Rawhide. Packages for various Debian and Ubuntu releases are available in algernon’s repo.

syslog-ng at conferences: FOSDEM and Brno

The syslog-ng team is actively participating in the life of the open source community. Last weekend CzP gave a talk at FOSDEM and participated in a two-day-long brainstorming session about logging and monitoring in Antwerp. He met many interesting people from the syslog-ng community. You can read about his experiences. We will also participate in http://devconf.cz/ and the systemd hackfest the day before the conference. If you are also there and want to talk about syslog-ng, we are more than happy to meet you!

SHORT NEWS

NEW RELEASES

ARCHIVE

http://insider.blogs.balabit.com/

syslog-ng Insider – January 2013

Dear syslog-ng users,

This is the 20th issue of the syslog-ng Insider, a monthly newsletter that brings you syslog-ng related news.
Your feedback and news tips about the next issue are welcome at documentation(at)balabit.com

FEATURED NEWS

Video: a short introduction to syslog-ng

There is a video series in the works to introduce the basics of syslog-ng. The first video is online now; you can watch it.

New videos will be published on the same Youtube channel. You are very welcome to subscribe to receive notifications about further syslog-ng videos and other interesting content.

syslog-ng OSE configurator

syslog-ng OSE configurator is a web application which can generate a syslog-ng OSE configuration with only a few mouse clicks. Right now it can only deal with global options, sources, destinations and, of course, log paths. There are plans to add filters and templates in the future.
For more information and links to the sources and the configurator, check the author's blog.

syslog-ng 3.4 RC2 is released

Version 3.4 RC2 was released today. Compared to the RC1 release, it has some minor bugfixes, mainly related to fixing compile problems of different features and platforms. This also involves an update to the bundled ivykis library from version 0.30 to 0.36.
For a summary about what’s new in the 3.4 releases, check Bazsi’s blog at http://bazsi.blogs.balabit.com/2012/12/syslog-ng-3-4beta1-released/.

At the time of this writing there are RC1 packages for Debian, openSUSE and Ubuntu, the FreeBSD ports are updated, and there is a Fedora source RPM. These should be updated to RC2 in the coming days.
openSUSE Factory already features syslog-ng 3.4 RC1 and will be updated to RC2 after openSUSE 12.3beta1 is out.

SHORT NEWS

NEW RELEASES

ARCHIVE

http://insider.blogs.balabit.com/

syslog-ng Insider – December 2012

Dear syslog-ng users,

This is the 19th issue of the syslog-ng Insider, a monthly newsletter that brings you syslog-ng related news.
Your feedback and news tips about the next issue are welcome at documentation(at)balabit.com

FEATURED NEWS

syslog-ng 3.4 beta1 is released

Version 3.4 beta1 was released this week, right before the Christmas holidays. It has many new features and bug fixes even since the last alpha release, most notably a new AMQP destination, a JSON parser, and a reworked syslog parser and network configuration, which makes configuring syslog-ng even simpler and more flexible.

balabit.logstore 0.1.0 is released

The second version of the balabit.logstore project was announced last week. It is a library written in Clojure that tries to provide a convenient API to read syslog-ng PE LogStore files. Development is still in its early phases, but it can already read unencrypted logstore files, search in them and print a lot of useful information about them. Compared to the previous version, this one has a Java API.
For more details, check the announcement.

NEW RELEASES

ARCHIVE

http://insider.blogs.balabit.com/

syslog-ng Insider – October 2012

Dear syslog-ng users,

This is the 17th issue of the syslog-ng Insider, a monthly newsletter that brings you syslog-ng related news.
Your feedback and news tips about the next issue are welcome at documentation(at)balabit.com

FEATURED NEWS

New AMQP destination driver

An important milestone in syslog-ng’s history is the AMQP destination driver, which is the first complete module contributed by a third party and did not originate from within BalaBit! The destination allows syslog-ng to publish messages (using various exchange types) to an AMQP server such as RabbitMQ using an intuitive method: sending the name-value pairs selected by value-pairs() as AMQP headers, thereby solving the problem of how to serialize the payload: don’t.

Vote for syslog-ng Store Box to become the Best Computer Forensics Tool

We’re proud to announce that we entered our syslog-ng Store Box appliance into the SC Awards US for the Best Computer Forensic Tool. Voting is now open until Oct 26 (requires registration or subscription to SC Magazine), so we kindly ask you to visit https://www.bigpulse.com/m20086/intro to vote for us. We appreciate your help.

syslog-ng 3.3.7RC2 is released

Version 3.3.7 is scheduled to arrive at the end of October, and a second release candidate was released for it (called version 3.3.6.91). It has many fixes for FreeBSD, so it should compile with the bundled ivykis on FreeBSD 8 and 9. Patches to compile it on FreeBSD 7 are included in the updated sysutils/syslog-ng-rc port.

OTHER SHORT NEWS

NEW RELEASES

ARCHIVE

http://insider.blogs.balabit.com/

syslog-ng Insider – September 2012

Dear syslog-ng users,

This is the 16th issue of the syslog-ng Insider, a monthly newsletter that brings you syslog-ng related news.
Your feedback and news tips about the next issue are welcome at documentation(at)balabit.com

FEATURED NEWS

syslog-ng 3.3.6 is released

There was a new release for the syslog-ng stable line: version 3.3.6. It contains mostly bugfixes, but also some smaller but long-awaited features:

  • the @include statement now accepts globs
  • upstream ivykis is used
  • better systemd support

The change to upstream ivykis introduced a bug on FreeBSD and some other problems were also discovered. Version 3.3.7 is scheduled to arrive at the end of October, and there is now a 3.3.6.90, aka 3.3.7RC available for testing.

syslog-ng 3.4 news

Although there aren’t any new alpha releases yet, there is already plenty of news for the development branch as well!

  • The MongoDB destination received a major speed boost, and work is underway to make it even more performant.
  • The $(format-json) function now supports nested structures.
  • There’s a MAC address parser available for patterndb.
  • A couple of new template functions were introduced, $(md5), $(sha1) and others.
  • The unit tests were improved upon greatly, and many, many bugs were squashed as well.

For the complete list of changes, you can browse the commit messages.
And while you’re there, check out the sources and give it a try; feedback is appreciated and helps us make syslog-ng even better!

SSB 3 LTS: wildcard search in logspaces

The third important new feature in SSB 3 LTS is the ability to search within log messages using wildcard characters. It is indeed a small and simple change on the surface, but brings a lot of new possibilities.
Read about the details at http://gyp.blogs.balabit.com/2012/07/new-features-in-ssb-3-lts-wildcard-search-in-logspaces/

OTHER SHORT NEWS

NEW RELEASES

CASE STUDY

ARCHIVE

http://insider.blogs.balabit.com/

syslog-ng Insider – July 2012

Dear syslog-ng users,

This is the 15th issue of the syslog-ng Insider, a monthly newsletter that brings you syslog-ng related news.
Your feedback and news tips about the next issue are welcome at documentation(at)balabit.com

FEATURED NEWS

What’s next for syslog-ng

Sources for some previously Premium Edition-only features have been available for a while now, but have not been merged into the Open Source Edition yet. As we want to release OSE 3.4 soon, we are unlikely to have the necessary resources to merge all of these. We would like to ask your opinion on which of these features you would like to see in the upcoming release.
Please vote and share your reasoning in the BalaBit community forum.

syslog-ng 3.4 alpha3 is released

Summer is here, when usually not much is happening. This is not the case with syslog-ng, where the third alpha of the upcoming version was released. Changes since the previous alpha version include new tag related rewrite rules, a marker option for the JSON parser to ease implementing CEE and many smaller features, like support for Cisco extended timestamp format, ported over from the Premium Edition. Of course there were also many smaller fixes, some of them merged from the 3.3 version. For a complete list, check the announcement.

As the changes since v3.3 are less drastic than those between 3.2 and 3.3, we hope that more people will install it on their test or non-critical systems. We hope to gather feedback on how existing configurations work with syslog-ng 3.4 (so that no existing feature is broken), and on experiences with the new features.

syslog-ng 3.3.6 is coming

This release is mostly a bug-fix release, with a few minor – yet useful – feature enhancements. The most important one is that the patched ivykis that syslog-ng 3.3 shipped with until now is no more. We build against upstream ivykis now (still included for convenience, though). Other highlights include much improved systemd support, an enhancement to the @include feature, and many bugfixes.
It will be available in the coming days from https://www.balabit.com/downloads/files?path=/syslog-ng/open-source-edition/3.3.6

LogZilla 4.0 is released

A new major version of LogZilla, previously known as php-syslog-ng, was released last month. Next to its outstanding Cisco network device support, the new release features easier, even unattended installation, enhanced access control and search possibilities. Detailed information about the new release is available at http://www.logzilla.pro/news/releases/4.0

OTHER SHORT NEWS

NEW RELEASES

ARCHIVE

http://insider.blogs.balabit.com/

syslog-ng Insider – June 2012

Dear syslog-ng users,

This is the 14th issue of the syslog-ng Insider, a monthly newsletter that brings you syslog-ng related news.
Your feedback and news tips about the next issue are welcome at documentation(at)balabit.com

FEATURED NEWS

New features in syslog-ng 3.4

The CEE/Lumberjack project might be very silent recently, but is still a good excuse to demonstrate some of the new features of syslog-ng 3.4. These make implementing structured logging (and this way CEE) possible by adding a JSON parser, marker detection, channels and junctions and a flexible use of blocks, so complex configurations can be combined in a block and easily reused in many configs. For details and examples check: http://bazsi.blogs.balabit.com/2012/05/cee-prototype-and-a-show-case-for-the-new-3-4-features/
Version 3.4 also merges many features from syslog-ng PE, which can be followed in git commit messages. These include the SYSUPTIME macro, AM/PM related macros, test cases, support for Cisco sequence numbers, etc.

Message rate alerting in SSB

Even though syslog-ng Store Box neither is nor aims to be a full-blown SIEM solution, it can be and is indeed often used to detect anomalies, identify possible threats, and find problems within an organization’s IT infrastructure. One important thing to note is that it is not only the contents of log messages that carry information about what happens in the network but their volume too.

Read how message rate alerting works in SSB.

syslog-ng 3.3 has a new maintainer

As Bazsi, lead developer of syslog-ng, announced on the syslog-ng mailing list, the stable version now has a new maintainer: Gergely Nagy, better known as Algernon, who coded some interesting new features for syslog-ng, including a MongoDB destination and a JSON output and parser (for 3.4). This change will leave Bazsi more time for 3.4 development and also speed up merging bugfixes into the 3.3 line.
Announcement: https://lists.balabit.hu/pipermail/syslog-ng/2012-May/018885.html
Algernon’s plans: http://algernon.blogs.balabit.com/2012/05/hats-and-sticks/

syslog-ng community forum

For those who prefer to use web-based forums instead of mailing lists, BalaBit now provides a community forum. Right now there are over forty users and their number is growing every day. If you want to read about interesting topics, or could help fellow users using a forum instead of the mailing list, please visit the forum.

OTHER SHORT NEWS

NEW RELEASES

ARCHIVE

http://insider.blogs.balabit.com/

syslog-ng Insider – May 2012

Dear syslog-ng users,

This is the 13th issue of the syslog-ng Insider, a monthly newsletter that brings you syslog-ng related news.
Your feedback and news tips about the next issue are welcome at documentation(at)balabit.com

FEATURED NEWS

Have you tried to add custom information to log messages, fix mis-formatted logs or anonymize logs?

The next long-term-supported release of SSB, version 3 LTS, is about to be released. This release includes a switch to 64-bit architecture, a huge performance improvement in the indexing/searching feature for a large number of messages and search patterns, and a couple of new features, too. The following post plans to introduce those new features to you. The updated User’s Manual will contain a detailed description of them; this post is written more to serve as a teaser and to highlight some of the use cases we had in mind when we planned the features, and, of course, to ask for your feedback about them.

syslog-ng participates in GSoC

This year syslog-ng participates in GSoC under the umbrella of openSUSE. We have one student accepted, who will work on syslog-ng’s MongoDB destination.

MongoDB howto

One of the major reasons to update to 3.3 other than threading is MongoDB. It allows great flexibility when using patterns and storing parsed data from logs. The syslog-ng documentation covers most information necessary to use MongoDB, but this HowTo compiles all these into a single document and extends it with features from the upcoming syslog-ng 3.4 version.

OTHER SHORT NEWS

NEW RELEASES

ARCHIVE

http://insider.blogs.balabit.com/