syslog-ng at SCALE 2018

It is the fourth year that syslog-ng has participated at the Southern California Linux Expo or, as it is better known to many, SCALE ‒ the largest Linux event in the USA. In many ways it is similar to FOSDEM in Europe; however, SCALE also focuses on users and administrators, not just developers. It was a pretty busy four days for me.

The conference

The weather in always-sunny California was far from perfect this time, but I didn’t mind. I spent all my time at the conference and I loved every minute of it. The Expo was great – as always – with most of my favorite open source projects collected in a single location. I bought a nice “Release is coming” t-shirt at the openSUSE booth, many stickers at Fedora, and the Containers coloring book at Red Hat. And of course also some FreeBSD goodies. Next to ARM and x86 hardware, this year a POWER9 machine from Raptor Engineering was also on display.


I had to make some tough choices when it came to visiting talks as there were many interesting tracks: community, embedded, monitoring (including logging), security, and others. I do not want to list all the talks I visited (check my twitter feed if you are interested), so I just pick one: Marketing your open source product by Deirdre Straughan. Being part of the documentation team at Balabit, I was very happy to hear her emphasis on the key importance of good documentation. 🙂

Logging Docker using syslog-ng

As the syslog-ng image on the Docker Hub reached almost two million pulls recently, the topic of my talk this year was Logging Docker using syslog-ng. As usual, I started my talk with an overview of logging and syslog-ng functionality, followed by a quick introduction to the syslog-ng configuration language.

When I arrived at containers, I went from easy to progressively more difficult topics. Migrating your central log server into a container is really easy, even if you only know the basics of containerization. Collecting logs from the host machine when syslog-ng is running in a container needs a bit more preparation, though: you need to map a few extra directories from the host system and use extra formatting or a NoSQL database if you do not want to lose important information. And reading log messages from other containers needs even more prior design. Best of all, all the previously listed methods can be freely combined, so the possibilities are practically endless.

Before finishing my talk, I showed a few interesting uses of syslog-ng:

  • In the age of PCI-DSS and GDPR, the capability to remove sensitive information from log messages can come in handy. syslog-ng enables you to do that. What’s more, there is an option in syslog-ng to replace the sensitive part with a hash (instead of simply overwriting it with a constant). That facilitates analyzing sessions in log data without leaking sensitive information.
  • Parsing messages also helps you find interesting data more easily, like listing the number of SSH connections from clients on the network.
  • Using the key-value and GeoIP parsers on your firewall logs, you can easily display the location of your intruders on a map using Kibana.
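The three points above fit together in a single syslog-ng configuration: a key-value parser splits the message into fields, a rewrite rule replaces the username with a truncated hash of itself (so the same user still maps to the same value and sessions remain correlatable, but the name itself is never written out), and a GeoIP parser adds a location for the source address. The configuration below is an added example, not taken from the talk or from the syslog-ng project; the sample message format, the `kv.` and `geoip2.` prefixes, the output path and the GeoLite2 database path are all assumptions you would adjust for your own setup.

```conf
@version: 3.14
@include "scl.conf"

# Constructed sample input this config expects on the local source, e.g.:
#   sshd: action=login user=alice src=203.0.113.7 result=ok
source s_local { system(); internal(); };

# Split "key=value" pairs out of the message text into kv.* name-value pairs.
parser p_kv { kv-parser(prefix("kv.")); };

# Replace the username with the first 16 hex characters of its SHA-256.
# Same user -> same hash, so sessions can be followed without storing the name.
rewrite r_hash_user {
    set("$(sha256 --length 16 ${kv.user})"
        value("kv.user")
        condition("${kv.user}" != ""));
};

# Resolve the source address to a location (geoip2.* fields) for a Kibana map.
# Database path is an assumption; point it at your own MaxMind file.
parser p_geo {
    geoip2("${kv.src}",
           prefix("geoip2.")
           database("/usr/share/GeoIP/GeoLite2-City.mmdb"));
};

# Write the parsed, masked record as JSON; Elasticsearch/Kibana can index it.
destination d_json {
    file("/var/log/masked.json"
         template("$(format-json --scope rfc5424 --key kv.* --key geoip2.*)\n"));
};

log {
    source(s_local);
    parser(p_kv);
    rewrite(r_hash_user);
    parser(p_geo);
    destination(d_json);
};
```

Order matters in the log path: the parser must run before the rewrite so that `${kv.user}` exists, and the rewrite runs before the destination so the original value never reaches disk. Truncating the hash keeps the output short; it does not prevent someone who already knows a candidate username from recomputing the hash, so treat the hashed field as a correlation key, not as an anonymized one.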

I measure the success of my talks not by the number of listeners but by the number of questions. The SCALE audience is always fantastic from this point of view: I was answering questions for about forty minutes after my presentation.

I briefly discussed Atomic Host – a specialized container host – during my talk without knowing that the track was organized by the Red Hat container team. I learned about it only after my session was over, when I received one of my favorite speaker’s gifts: a box of sweets (or rather sours :-)).

Further reading

My talk was recorded and hopefully will be posted in the coming weeks. If you want to read more in-depth information about containers, there is a white paper on this topic, created from my related blog posts. You can access it on the Balabit website (note: it requires registration): https://pages.balabit.com/logging-in-docker-using-syslog-ng.html