Dear syslog-ng users,
This is the 88th issue of syslog-ng Insider, a monthly newsletter that brings you syslog-ng-related news.
NEWS
Finding the real source IP: using the PROXY protocol
Until now collecting logs behind proxies or load balancers needed some compromises. You either trusted the host information included in the log messages or you could only see the proxy as the sender host. Starting with syslog-ng 3.30 there is a third option available: using the PROXY protocol. While not an official Internet standard, it is supported by a number of popular software, like HAProxy. Other software can be extended to use it, like F5 load balancers using iRules. This way crucial information about the original network connection is not lost, but it is forwarded to the server by the proxy.
Parsing sudo JSON logs: building a syslog-ng configuration
The latest version of sudo, version 1.9.4 includes support for JSON formatted logging. Compared to traditional sudo logs, it has the advantage of containing more information in a structured way. While traditional sudo logs are also parsed automatically by syslog-ng, it is worth taking a look at the new JSON formatted logs.
From this blog, you can learn how the new logs look like and also a configuration working with these logs. Instead of just posting a complex configuration, I try to show you how my configuration was built. Creating a new configuration in smaller iterations makes the resulting configurations easier to debug.
Kafka destination improved with template support
The C implementation of the Kafka destination in syslog-ng has been improved in version 3.30. Support for templates in topic names was added as a result of a Google Summer of Code (GSoC) project. The advantage of the new template support feature is that you no longer have to use a static topic name. For example, you can include the name of your host or the application sending the log in the topic name. From this blog you can learn about a minimal Kafka setup, configuring syslog-ng and testing syslog-ng with Kafka.
Syslog-ng PE 7.0.23 released
Version 7.0.23 of syslog-ng PE was released with clustering support for Windows Event Collector (WEC). You can learn more about it from the documentation or from this short video:
https://www.youtube.com/watch?v=bYdIJaM24Z8
WEBINARS
-
You can browse recordings of past webinars at https://www.syslog-ng.com/events/
Your feedback and news, or tips about the next issue are welcome. To read this newsletter online, visit: https://syslog-ng.com/blog/