syslog-ng Open Source Edition 3.2: real-time log message correlation in the syslog daemon
The latest version of syslog-ng Open Source Edition (OSE), a replacement for the syslog logging daemon, improves its message classification and identification engine and enables system administrators to correlate log messages in real time.
By: Róbert Fekete
Another addition to message classification is the ability to trigger new messages for identified or correlated messages, which provides the base for a flexible alerting framework.
To ease the task of creating message patterns that identify log messages, syslog-ng provides a separate application called pdbtool. It uses clustering techniques to group identical events and automatically recognize the changing parts (for example, IP addresses) of the log messages. With pdbtool it is also possible to process existing log files, classifying and correlating the already stored messages and extracting and formatting the relevant information from them, which can be very handy in forensic situations.
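The following is an added illustration of the correlation-and-trigger idea described above; it is not syslog-ng code and does not use its pattern database format. It models three concepts loosely borrowed from the feature description: a rule classifies a message and assigns it a class, correlated messages are grouped into a context keyed by a field value (here the client address) that expires after a period of inactivity, and a rule may emit a new message when its condition over the context holds. All rule names, field names, regular expressions and sample log lines are constructed for the example.

```python
"""Toy log classification and correlation engine (illustration only, not syslog-ng's implementation)."""
import re
from dataclasses import dataclass, field
from typing import Callable, Optional


@dataclass
class Rule:
    name: str
    pattern: re.Pattern              # classifies a raw message; named groups become message fields
    cls: str                         # class assigned to a matching message ("violation", "accepted", ...)
    context_id: Optional[str] = None # format string over the fields; None means no correlation
    context_timeout: int = 60        # seconds of inactivity after which the context is discarded
    # Optional action: receives the current message's fields and the context history,
    # returns the text of a new message to emit, or None.
    action: Optional[Callable[[dict, list], Optional[str]]] = None


@dataclass
class Context:
    timeout: int
    last_seen: int
    messages: list = field(default_factory=list)


class Correlator:
    def __init__(self, rules):
        self.rules = rules
        self.contexts = {}  # context id -> Context

    def _expire(self, now):
        # Assumption for this example: the timeout is measured from the last message added to the context.
        for cid in [c for c, ctx in self.contexts.items() if now - ctx.last_seen > ctx.timeout]:
            del self.contexts[cid]

    def feed(self, ts, line):
        """Classify one line; returns (class, fields, list of triggered messages)."""
        self._expire(ts)
        for rule in self.rules:
            m = rule.pattern.match(line)
            if not m:
                continue
            fields = m.groupdict()
            fields["class"] = rule.cls
            fields["rule"] = rule.name
            triggered = []
            if rule.context_id:
                cid = rule.context_id.format(**fields)
                ctx = self.contexts.setdefault(cid, Context(rule.context_timeout, ts))
                ctx.last_seen = ts
                ctx.messages.append(fields)
                if rule.action:
                    out = rule.action(fields, ctx.messages)
                    if out:
                        triggered.append(out)
            return rule.cls, fields, triggered
        return "unknown", {"MESSAGE": line}, []


def failures_then_success(fields, history):
    """Trigger condition: a successful login preceded by at least three failures in the same context."""
    failures = sum(1 for f in history if f["class"] == "violation")
    if fields["class"] == "accepted" and failures >= 3:
        return (f"ALERT: {failures} failed logins for {fields['user']} from "
                f"{fields['client']} followed by a successful login")
    return None


# Constructed rules; the regular expressions and names are assumptions for this example.
RULES = [
    Rule("ssh-failed",
         re.compile(r"sshd\[\d+\]: Failed password for (?P<user>\S+) from (?P<client>\S+) port \d+"),
         "violation", context_id="ssh:{client}", context_timeout=60),
    Rule("ssh-accepted",
         re.compile(r"sshd\[\d+\]: Accepted password for (?P<user>\S+) from (?P<client>\S+) port \d+"),
         "accepted", context_id="ssh:{client}", context_timeout=60, action=failures_then_success),
]

# Constructed sample input as (timestamp in seconds, message) pairs.
SAMPLE_LOGS = [
    (0, "sshd[1234]: Failed password for root from 10.0.0.5 port 4242 ssh2"),
    (5, "sshd[1234]: Failed password for root from 10.0.0.5 port 4243 ssh2"),
    (7, "sshd[1234]: Failed password for root from 10.0.0.5 port 4244 ssh2"),
    (9, "sshd[1234]: Accepted password for root from 10.0.0.5 port 4245 ssh2"),
    (30, "cron[99]: (root) CMD (run-parts /etc/cron.hourly)"),
]
# Same sequence, but the success arrives after the context has timed out: no alert expected.
LATE_LOGS = SAMPLE_LOGS[:3] + [(200, SAMPLE_LOGS[3][1])]


def run(correlator, logs):
    """Feed all lines; returns (list of classes, list of triggered messages)."""
    classes, alerts = [], []
    for ts, line in logs:
        cls, _, triggered = correlator.feed(ts, line)
        classes.append(cls)
        alerts.extend(triggered)
    return classes, alerts


if __name__ == "__main__":
    for name, logs in (("within timeout", SAMPLE_LOGS), ("after timeout", LATE_LOGS)):
        classes, alerts = run(Correlator(RULES), logs)
        print(name, classes, alerts)
```

Because the context is keyed by a field extracted from the message and dropped after the timeout, only messages that belong together in time and origin contribute to the trigger; the same success arriving long after the failures yields a plain classification and no alert.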
Perhaps the most important, albeit less technical, change in syslog-ng OSE 3.2 is its new licensing model. In recent years, syslog-ng has been licensed under a dual license: the Open Source Edition published under the GPL, while a commercial version called Premium Edition was available under a proprietary license. This model hindered community contributions to syslog-ng, because it required a contributor agreement from developers working on the syslog-ng codebase. To make syslog-ng more open and accessible to developers and contributors, syslog-ng OSE 3.2 is licensed under an LGPL+GPL combination, with the core of syslog-ng being LGPL and its main functionality released as plugins under the GPL.
Another development effort aims to collect nonstandard, non-syslog messages centrally, just like normal log messages. As a first step, syslog-ng Open Source Edition 3.2 can collect the process accounting (pacct) logs of Linux systems.
Version 3.2 of syslog-ng also refines and improves several existing features, including the ability to modify a log message when a certain condition is met, to dynamically create its own configuration files to adapt to a particular environment, and improved performance when storing log messages in SQL databases.
"This version has the largest list of features ever since the syslog-ng project was born. But the development of syslog-ng does not stop here; we have already started work on 3.3, which will focus on improved support for multicore and multithreaded operations to further increase the performance of syslog-ng," says Balazs Scheidler, lead developer of syslog-ng and CEO of BalaBit.
* BalaBit IT Security Ltd. - http://www.balabit.com/
* The syslog-ng homepage - http://www.balabit.com/
* The syslog-ng Open Source Edition 3.2 Administrator Guide - http://www.balabit.com/
* Download syslog-ng - http://www.balabit.com/
* Changelog of syslog-ng Open Source Edition 3.2 - http://www.balabit.com/
# # #
BalaBit IT Security is a developer of unique network security solutions like:
- the syslog-ng system logging software,
- and the BalaBit Shell Control Box, an appliance that can transparently control, audit, and replay SSH, RDP, and Telnet traffic.