Syslog-ng Premium Edition

[Shawnna Franz]

CurrentlyOneIdentity only provides sources for syslog-ng OSE. Latest sources areavailable on github. On the other hand, most Linux distributions and manyother platforms provide binary syslog-ng packages or easy to compile ports,and the developers of syslog-ng maintain repositories for several popularplatforms.

The syslog-ng Premium Edition application supports several architectures, including x86, x86_64, and SUN SPARC on a variety of operating systems: Linux, BSD, Solaris, AIX, HP-UX, Microsoft Windows (including Windows Server 2016 and Windows 10). See the complete list here.

wildcard-file() sources are using a directory monitor as well to aid detection of changes in the folders of the followed files. The new kqueue-based directory monitor uses far fewer resources than the poll based version on BSD-based systems.

(#5022)

wildcard-file(): Added a dedicated monitor_freq option to control the poll frequency of the change detection in the directories separately when the poll method is selected via the monitor-method() option.

The monitor-method() option controls only the change detection method in the directories, not the following of the file changes, and if poll is the selected method the frequency must not necessarily be the same, e.g. if the (earlier) commonly used follow-freq() is set to 0 for switching to the poll_fd_events method for file content change detection, that also might be meant a directory change poll with zero delays (if monitor-method() was set to poll as well), and that could cause a heavy CPU load unnecessarily.

(#4998)

If a file is written after being deleted (e.g. with an application keeping the file open), or if these events happen concurrently, the file state change poller mechanism might schedule another read cycle even though the file has already been marked as fully read and deleted.

To prevent this re-scheduling between these two checks, the following changes have been made:

Instead of maintaining an internal EOF state in the WildcardFileReader, when a file deletion notification is received, the poller will be signaled to stop after reaching the next EOF. Only after both conditions are set the reader instance will be deleted.

Fixed the file deletion and removal detection when the file-reader uses poll_fd_events to follow file changes, which were mishandled. For example, files that were moved or deleted (such as those rolled by a log-rotator) were read to the end but never read again if they were not touched anymore, therefore switching to the new file never happened.

(#4998)

As the stats prometheus command is intended to be used to forward metrics

to Prometheus or any other time-series database, displaying orphaned metrics

should be avoided in order not to insert new data points when a given metric

is no longer alive.

This option configures the maximal number of in-flight gRPC requests per worker.

Setting this value to the range of 10s or 100s is recommended when there are a

high number of clients sending simultaneously.

syslog-ng no longer returns UNAVAILABLE to the gRPC request, when it cannot forward

the received message because of backpressure. Instead, syslog-ng will block until the

destination can accept more messages.

([#4827]( -ng/syslog-ng/pull/...

NOTE: the persistent OSLog store is not infinite, depending on your system setting usually,

it keeps about 7 days of logs on disk, so it could happen that the above options cannot

operate the way you expect, e.g. if syslog-ng was stopped for about more then a week it

could happen that will not be able to restart from the last saved bookmark position

(as that might not be presented in the persistent log anymore)

This is a wrapper around the OS command line "log stream" command that can provide a live

log stream feed. Unlike in the case of darwin-oslog() the live stream can contain

non-persistent log events too, so take care, there might be a huge number of log events

every second that could put an unusual load on the device running syslog-ng with this source.

Unfortunately, there's no public API to get the same programmatically, so this one is

implemented using a program() source.

In syslog-ng a template can only be resolved on a single message, as the same

template might have different resolutions on different messages. A http batch

consists of multiple messages, so it is not trivial to decide which message should

be used for the resolution.

When batching is enabled and multiple workers are configured it is important to

only batch messages which generate identical URLs. In this scenario one must set

the worker-partition-key() option with a template that contains all the templates

used in the url() option, otherwise messages will be mixed.

$TRANSPORT: this is a new name-value pair that syslog-ng populates

automatically. It indicates the "transport" mechanism used to

retrieve/receive the message. It is up to the source driver to determine

the value. Currently the following values were implemented:

--check-startup: a new command line option for syslog-ng along with the

existing --syntax-only. This new option will do a complete configuration

initialization and then exit with exit code indicating the result. Since

this also initializes things like network listeners, it will probably not

work when there is another syslog-ng instance running in the background. The

recommended use of this option is a dedicated config check container, as

explained in #4592.

(#4646)

Before syslog-ng 4.5.0 if you had embedded template functions, the template-escape(yes) setting

escaped the output of each template function, so the parent template function received an

already escaped string. This was never the intention of the template-escape() option.

Although this is a breaking change, we do not except anyone having a config that is affected.

If you have such a config, make sure to follow-up this change. If you need help with it, feel

free to open an issue or discussion on GitHub, or contact us on the Axoflow Discord server.

(#4666)

It is easily scalable (workers() option), uses built-in application layer acknowledgement,

out of the box supports google service authentication (ADC or ALTS), and gives the possibility

of better load balancing.

Note: The syslog-ng-otlp() source is only an alias to the opentelemetry() source.

This is useful for not needing to open different ports for the syslog-ng messages and other

OpenTelemetry messages. The syslog-ng messages are marked with a @syslog-ng scope name and

the current syslog-ng version as the scope version. Both sources will handle the incoming

syslog-ng messages as syslog-ng messages, and all other messages as simple OpenTelemetry

messages.

(#4564)

Loki requires monotonic timestamps within the same label-set, which makes

it difficult to use the original message timestamp without the possibility

of message loss. In case the monotonic property is violated, Loki discards

the problematic messages with an error. The source of the timestamps can be

configured with the timestamp() option (current, received, msg).

The flush-grace-period() option sets the number of minutes to wait for new messages to arrive to

objects, if the timeout expires the object is finished, and a new message will start a new with

an index appended.

The objects are uploaded with the multipart upload API. Chunks are composed locally. When a chunk

reaches a certain size (by default 5 MiB), the chunk is uploaded. When an object is finished, the

multipart upload gets completed and the chunks are merged by S3.

Added metrics for message delays: a new metric is introduced that measures the

delay the messages accumulate while waiting to be delivered by syslog-ng.

The measurement is sampled, e.g. syslog-ng would take the very first message

in every second and expose its delay as a value of the new metric.

By specifying ignore-hostname-mismatch, you can ignore the subject name of a

certificate during the validation process. This means that syslog-ng will

only check if the certificate itself is trusted by the current set of trust

anchors (e.g. trusted CAs) ignoring the mismatch between the targeted

hostname and the certificate subject.

(#4628)

In patterndb, you can add extra name-value pairs following a match with the tags.

But the actual value of these name-value pairs were never validated against their types,

meaning that an incorrect value could be set using this construct.

(#4621)

syslog-ng has traditionally performed processing of log messages arriving

from a single connection sequentially. This was done to ensure message ordering

as well as most efficient use of CPU on a per message basis. This mode of

operation is performing well as long as we have a relatively large number

of parallel connections, in which case syslog-ng would use all the CPU cores

available in the system.

With the new parallelization feature, syslog-ng gained the ability to

re-partition a stream of incoming messages into a set of partitions, each of

which is to be processed by multiple threads in parallel. This does away

with ordering guarantees and adds an extra per-message overhead. In exchange

it will be able to scale the incoming load to all CPUs in the system, even

if coming from a single, chatty sender.

The config above will take all messages emitted by the tcp() source and push

the work to 4 parallel threads of execution, regardless of how many

connections were in use to deliver the stream of messages to the tcp()

driver.

The incoming fields are not available through syslog-ng log message name-value pairs for the user by default.

This is useful for forwarding functionality (the opentelemetry() destination can access and format them).

If such functionality is required, you can configure the opentelemetry() parser, which maps all the fields

with some limitations.

3a8082e126