Welcome to the third part of my syslog-ng tutorial. Today we cover the various syslog-ng editions (open source, commercial and appliance), and where to get them from. The focus of this tutorial series is the Open Source Edition (OSE), but to avoid confusion, I also briefly introduce the other two.
You can watch the video or read the text below.
The most used syslog-ng version
Last time I asked you which do you think the most used syslog-ng version is. It is a tricky question. I learned by accident that the Amazon Kindle e-book reader runs an ancient version (version 1.6) of syslog-ng. As there are hundreds of millions of Kindle devices, version 1.6 is the most widespread version of syslog-ng.
Syslog-ng editions
Some of our commercial customers might now wonder why I mentioned an accidental discovery and how widely used syslog-ng became due to this single deal. The explanation is simple: syslog-ng also has an open-source version. Actually, syslog-ng started as an open-source project and it kept most of its users. The commercial editions started almost a decade later. There are three syslog-ng editions:
-
Syslog-ng Open Source Edition (OSE) is a command line application used by hundreds of thousands of people knowingly and hundreds of millions of people without knowing about it. OSE is the focus of this tutorial.
-
Syslog-ng Premium Edition (PE) is still a command line application, but with commercial support. This application is not in the focus of this tutorial, but most of this tutorial also applies to PE.
-
Syslog-ng Store Box (SSB) is a commercial appliance. You cannot edit the configuration directly, so this tutorial does not apply to SSB at all.
Syslog-ng Open Source Edition (OSE)
The focus of this tutorial is syslog-ng OSE. Open-source users simply refer to it as “syslog-ng”. Commercial customers and some of my colleagues refer to it as OSE or syslog-ng OSE, this is why the Twitter handle is called @sngose. For the purpose of this tutorial, syslog-ng OSE is called “syslog-ng”.
This is where most of syslog-ng development is done. The source code and the issue tracking system are available on GitHub. It includes quite a few experimental features contributed by users from around the world.
Syslog-ng is part of most Linux distributions and BSD variants and compiles on most other UNIX or UNIX-like platforms as is, or with minimal modifications.
Syslog-ng OSE is supported by the community.
You can learn more about syslog-ng OSE on the syslog-ng website at https://www.syslog-ng.com/products/open-source-log-management/ or on GitHub: https://github.com/syslog-ng/syslog-ng/
Syslog-ng Premium Edition (PE)
Syslog-ng Premium Edition is not in the focus of this tutorial series, but it is also a command line application, and most examples of these tutorials also work with PE. Commercial customers usually call syslog-ng PE as “syslog-ng”. Only those who use both editions tend to use the “syslog-ng PE” name.
Syslog-ng PE is built on top of the syslog-ng OSE source code. However, it only includes well-tested features, and the experimental features are left out. There are also some PE-exclusive features related to cloud and compliance.
Unlike OSE, PE receives enterprise support from One Identity.
You can contact One Identity sales for more information. You can reach them through the syslog-ng website: https://www.syslog-ng.com/products/log-management-software/
Syslog-ng Store Box (SSB)
This tutorial does not apply to the Syslog-ng Store Box at all. It is an appliance, and you cannot edit the configuration directly. Its users often call SSB “syslog-ng appliance”. It is built on top of syslog-ng PE and provides full log lifecycle management using an easy-to-use GUI and powerful search possibilities. Many PE features are implemented in SSB in a simplified manner. What it means is that it does not allow such fine-grained configuration as syslog-ng PE; however, once you turn on the appliance, it is ready to collect log messages within a few minutes.
Just as PE, SSB receives enterprise support from One Identity.
You can contact One Identity sales for more information. You can reach them through the syslog-ng website: https://www.syslog-ng.com/products/log-management-appliance/
Getting syslog-ng (OSE)
Now that we learned about the various editions of syslog-ng, we can switch back to referring to syslog-ng OSE as syslog-ng.
Syslog-ng is part of most Linux distributions and BSD variants. It is also available in various package collections for commercial UNIX variants and it is heading to MacOS Homebrew. However, these packages are often old and their feature set is limited.
Luckily, up-to-date unofficial packages are available for some of the popular Linux distributions. If you want to run syslog-ng in a container, you are also covered, at least in an x86_64 environment.
You can also build syslog-ng from the source yourself. The syslog-ng sources contain a mini build system, which you can use to build the syslog-ng release tarball in a containerized environment, or you can build packages for a few Linux distributions from Git snapshots. This helps you test new features and bug fixes.
Getting the right feature set
Getting the right feature set when installing syslog-ng is not always easy. In most Linux distributions, syslog-ng is packaged in a modular way. There is a base package, which contains only features that do not have extra dependencies, and there are many sub-packages, which contain modules that pull in additional packages. This way, all syslog-ng features can be made available without pulling in hundreds of megabytes of dependencies.
In most RPM distributions, the syslog-ng core package is called syslog-ng. It contains all features and dependencies necessary for the default syslog-ng configuration, so it also includes JSON. Use the package manager on your system to list additional syslog-ng packages for modules. These are called syslog-ng-{modulename}.
In most DEB distributions, the syslog-ng core package is called syslog-ng-core. The syslog-ng package installs all sub-packages and their dependencies. Sub-packages are usually called syslog-ng-mod-{modulename}.
FreeBSD has syslog-ng in the ports collection. There are also ready-to-use binary packages built from ports. These packages are built with JSON and HTTP support, so they can forward logs to Elasticsearch and various cloud services. You can also compile your choice of features when you build syslog-ng yourself from ports.
For the next time
Next time, we will work with syslog-ng, using a very basic configuration. Make sure that you have syslog-ng installed on your choice of operating system. Make sure that JSON and HTTP (curl) support is also installed.
If you have any questions or comments, leave a comment on YouTube, or reach out to me on Twitter / Mastodon.
-
If you have questions or comments related to syslog-ng, do not hesitate to contact us. You can reach us by email or even chat with us. For a list of possibilities, check our GitHub page under the “Community” section at https://github.com/syslog-ng/syslog-ng. On Twitter, I am available as @PCzanik, on Mastodon as @Pczanik@fosstodon.org.