Version 3.0 of syslog-ng includes the following main features:
Support for the new IETF syslog protocol standard — see Section 2.18.2, “IETF-syslog messages”, Section 3.3.5, “Collecting messages using the IETF syslog protocol” and Section 3.4.6, “Sending messages to a remote logserver using the IETF-syslog protocol”.
Parsing and segmenting log messages — see Section 3.8, “Parsing messages”.
Rewriting log messages — see Section 3.10, “Rewriting messages”.
Storing log messages in encrypted, timestamped logfiles — see Section 2.8, “Secure storage of log messages” and Section 3.4.2, “Storing messages in encrypted files”.
Complex, embedded log paths — see Section 2.2.1, “Embedded log statements” and Section 3.5.1, “Using embedded log statements”.
File sources with wildcards in their filename or path — see Section 3.3.2, “Collecting messages from text files”.
The syslog-ng application can receive messages directly from external applications using the new program() source driver, which listens for log messages on the standard output (stdout) of the started program — see Section 8.1.4, “program()”.
On Linux, the syslog-ng application can support capabilities and run as a non-root user if compiled with the --enable-linux-caps option.
The syslog-ng application automatically generates a unique sequence ID for every new local message (but not for relayed messages). This ID number is included in outgoing messages that use the IETF-syslog format, and can be included in legacy messages using the $SEQNUM macro.
On-demand log statistics can be requested from syslog-ng via a unix-domain socket. See Section 3.3.1.1, “Log statistics”.
Starting with syslog-ng Open Source Edition 3.0.2, the precompiled binary packages are available for free for the supported Linux and BSD platforms at http://www.balabit.com/network-security/syslog-ng/opensource-logging-system/upgrades/.
Version 3.0 of syslog-ng includes the following important changes:
The tcp, tcp6, udp, udp6, unix-stream, and unix-dgram destination drivers support the keep-alive option, enabling them to keep connections open during a HUP and to save the output queue between restarts — see Section 8.2.7, “tcp(), tcp6(), udp(), and udp6(),” and Section 8.2.8, “unix-stream() & unix-dgram()”.
The log-prefix() option has been deprecated. Use the new program-override() and host-override() options instead — see Section 8.2.7, “tcp(), tcp6(), udp(), and udp6(),” and Section 8.2.8, “unix-stream() & unix-dgram()”.
The keep_hostname, keep_timestamp, use_dns, and use_fqdn options can be set individually for every source.
Legacy destination drivers like tcp and file can output log messages in the new IETF-syslog format if the flags(syslog-protocol) option is enabled for the destination. Similarly, legacy sources can receive such messages using this option.
If syslog-ng is compiled with PCRE support, Perl Compatible Regular Expressions can be used by setting the type(pcre) option.
You can set the part of the message where the match() filter searches for the specified string using macros (e.g., match("example" value(PROGRAM))).
The default value of the follow_freq option has been changed to 1.
The default value of the chain_hostnames option has been changed to 0 (no).
The default value of the template_escape option has been changed to 0 (no).
NL characters are not removed by default; to remove them, use the flags(no-multi-line) option of the destination.
The installation packages for syslog-ng 3.0 PE are .run binaries that include every dependency to simplify the installation process.
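As an added illustration (not part of the original release notes or the guide), a minimal syslog-ng 3.0 configuration that ties together several of the features and changes listed above: the program() source, per-source keep_hostname/use_dns, match() restricted with value(), the $SEQNUM macro in a template, a legacy tcp() destination emitting IETF-syslog format with keep-alive, flags(no-multi-line), and embedded log statements. The application path, log server name and file names are assumed placeholders.

```conf
@version: 3.0

# Constructed example configuration; paths, host names and ports are placeholders.

source s_local {
    unix-dgram("/dev/log");
    internal();
};

# 3.0: keep_hostname/use_dns are set per source rather than only globally.
source s_net {
    tcp(ip(0.0.0.0) port(514) keep_hostname(yes) use_dns(no));
};

# 3.0: read an application's stdout directly with the program() source.
source s_app {
    program("/usr/local/bin/example-app --log-to-stdout");   # assumed path
};

# 3.0: match() can be restricted to one part of the message via value().
filter f_auth {
    match("^sshd$" value("PROGRAM"));
};

# $SEQNUM is generated for local messages only; a gap in the sequence seen
# at the collector points to dropped messages and is worth alerting on.
template t_seq {
    template("${ISODATE} ${HOST} ${PROGRAM}[${PID}] seq=${SEQNUM}: ${MSG}\n");
};

# 3.0: legacy tcp() can emit the IETF-syslog format; keep-alive keeps the
# connection across a HUP and preserves the output queue across restarts.
destination d_remote {
    tcp("logserver.example.com" port(514)
        flags(syslog-protocol) keep-alive(yes));
};

# 3.0: NL characters are kept by default; no-multi-line strips them.
destination d_auth {
    file("/var/log/auth-seq.log" template(t_seq) flags(no-multi-line));
};

# 3.0: embedded log statements let one path fan out into several branches.
log {
    source(s_local); source(s_net); source(s_app);
    log { filter(f_auth); destination(d_auth); };
    log { destination(d_remote); };
};
```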
© 2007-2008 BalaBit IT Security
Please send your comments or documentation bugs to: documentation@balabit.com