Insider 2017-08: 3.11 released; wildcard-file; docker; SCL; RMLL/LSM;

Dear syslog-ng users,

This is the 60th issue of syslog-ng Insider, a monthly newsletter that brings you syslog-ng-related news.


syslog-ng 3.11 released

The latest version of syslog-ng, 3.11 is now available. The most important new feature is the GeoIP2 parser which builds on libmaxminddb providing both better performance and more detailed geographical information about IP addresses. AMQP destination now supports SSL. There are many more smaller features and bug fixes. For a complete list check the release announcement.

Reading multiple files: wildcard file source

Starting with version 3.10, syslog-ng can collect messages from multiple text files. You do not have to specify file names one by one, just use a wildcard to select which files to read. This is especially useful when you do not know the file names by the time syslog-ng is started. This is often the case with web servers with multiple virtual hosts.

Collecting Docker infrastructure logs

Why use syslog-ng for collecting Docker logs? Docker already provides many drivers for logging, even for central log collection. On the other hand remote logging drivers arrive with a minimalist feature set and you are not able to use the “docker logs” command any more. To have the best of both worlds, you can use journald logging driver in Docker and use syslog-ng to read Docker logs from journald and forward log messages to your central log server or other destinations. You can even run syslog-ng itself in a Docker container, so you can use it on dedicated Docker host environments as well where it is not possible to install additional applications.

The power of SCL

The syslog-ng configuration library (SCL) can help you to configure syslog-ng a lot more easily. These configuration snippets can hide away the complexity of collecting, parsing or storing log messages. From this blog you can learn how to parse web server logs and store the results at a Logging as a Service (LaaS) provider in a structured form. You will use SCL both for message parsing and the LaaS destination, and also utilize the wildcard-file() source introduced in syslog-ng 3.10.

RMLL / Libre Software Meeting 2017

This year I participated again in the security track of the largest French open source conference, Libre Software Meeting (RMLL). “Participated” as I did not only give a talk on syslog-ng there, but also sat in to most of the presentations and had very good discussions both with visitors and fellow speakers. The organizers brought together talks from diverse IT security related fields, a very good opportunity for cross-pollination of ideas.


The next event where you can learn about syslog-ng:

Your feedback and news tips about the next issue is welcome at documentation(at)

Leave a Reply