Bazsi's blog

I’ve just uploaded the first release in the upcoming 3.4.x series. This is an incremental step over 3.3.x, continuing to enhance syslog-ng with features that allows more in-depth processing of messages.

I consider the most important one the ability to freely combine different kind of processing elements (parser & rewrite rules and filters) with sources and/or destinations and handle the combination as a single object. This is listed “junctions & channels” below, but you can also read more details in this blog post.

Certainly, this release is not meant to be used in production, however it also helps if you try to run your production configuration, and report back on the results. The syslog-ng configuration parser was heavily modified in this release, as little as this can also help to improve syslog-ng. I hope that binaries for the experimental repositories of various distributions will show up shortly, until then you can always clone the git tree.

Here’s a excerpt of the NEWS entry that describes the changes compared to 3.3.x:

Features:

• Support for junctions & channels were added, which improve the flexibility of the syslog-ng configuration language. This allows combining sources with their closely tied processing functionality (like parser, rewrite and filter statements).Read this blog post for more information: http://bazsi.blogs.balabit.com/2012/01/syslog-ng-flexibility-improvements/

  In the final form of the functionality the “log” keyword as described in the blog post above was replaced with “channel”.

• The functionality to query and manipulate sets of name-value pairs (often referenced as value-pairs and used in the mongodb() destination driver and the $(format-json) template function). got significantly improved. It is now possible to change the name of the keys when creating the output. See this commit for more information:https://github.com/bazsi/syslog-ng-3.4/commit/ddc7c2539bd66fa35e8df441e4baf58e87b6708d
• Plugins & modules are now demand-loaded automatically if the “autoload-compiled-modules” global variable is set to 1, which is the default. Any shared libraries found on the module search path is considered for loading if the configuration file contains a reference to a functionality it provides.To disable this functionality simply set the referenced variable to 0 with a “@define” statement and load modules explicitly via”@module” statements.

  To list the available plugins & modules, use the –module-registry command line option for syslog-ng, which results in a detailed listing.

• Added a new parser named json-parser() to parse incoming JSON formatted messages. See this commit for more information:https://github.com/bazsi/syslog-ng-3.4/commit/e5569687bba2551c89a78faee55bcf8b4944066f

   

• Added a number of template functions:

       $(length ARG)               – length of a template expression
$(substr ARG START [LEN])   – substring of a string
$(strip ARG)                – remove white space from the start and end
$(sanitize ARG1 ARG2)       – join args to form a filename while removing special characters like ‘/’
$(+), $(-), $(*), $(/), $(%) – perform numeric operations

• Added support for replicasets to the mongodb() destination driver:https://github.com/bazsi/syslog-ng-3.4/commit/a980b9d268efa54879d3deeb4a53fa5a281629ba

• Added support for safe-mode() to the mongodb() destination driver that ensures inserts were properly executed at the cost of some performance penalties.https://github.com/bazsi/syslog-ng-3.4/commit/768f0c6ec8eba2ad51531f2331fb5635fe12c063

• Added support for SMTP destination to send out emails triggered by log messages.https://github.com/bazsi/syslog-ng-3.4/commit/404ceb959efe9715ce7437d7dcdc28ababbac590

• Added support for generating UUIDs via the $(uuid) template function:https://github.com/bazsi/syslog-ng-3.4/commit/a16798c653c057239236945034114d8abf320e44

• Added the @SET@ parser to db-parser().https://github.com/bazsi/syslog-ng-3.4/commit/ab08c84abbeda5a200b8150a6af7b02c64d84994

• Added support for dbd-option() in the sql() destination driver that makes it possible to supply driver specific options to the DBI driver.https://github.com/bazsi/syslog-ng-3.4/commit/9254fe9e6236746bf1f955f0cac1274634b1beda

• Reload of the configuration can now be triggered using “syslog-ng-ctl reload”.
• A new macro named $LOGHOST was added, which expands to the local hostname running syslog-ng.
• A set of time macros were added prefixed with “C_” that use the current time instead of the reception time (prefixed R_) and and the time that was included in the message (prefixed S_).  This means that C_DATE expands to the current date, whereas R_DATE would expand to the date the current message was received at.https://github.com/bazsi/syslog-ng-3.4/commit/c2d17009e2ce14960acb519750fe2537b05e6f46

• Improved error reporting by including the configuration-file location of the object associated with the error. This makes it easier to diagnose errors even in the case of otherwise unnamed objects.
• This release also includes all fixes of the 3.3 branch, which are not listed here for brevity’s sake. The merged commit ID is: bf742b0, which is a couple of patches ahead of “3.3.4″.

Credits:

syslog-ng is developed as a community project, and as such it relies on volunteers to do the work necessarily to produce syslog-ng.

Reporting bugs, testing changes, writing code or simply providing feedback are all important contributions, so please if you are a user of syslog-ng, contribute.

These people have helped in this release:

• Andreas Piesk
• Balazs Scheidler (BalaBit)
• Balint Kovacs (BalaBit)
• Evan Rempel (University of Victoria)
• Gergely Nagy (BalaBit)
• Heiko Gerstung
• Hendrik Völker (Verizon)
• Jakub Jankowski (superhost.pl)
• Martin Grauel (BalaBit)
• Matthias Runge (Fedora)
• Patrick Hemmer
• Russ Milne (Seccuris)

Dear syslog-ng users,

I’m happy to announce that an important milestone towards the new syslog-ng release has been reached.

syslog-ng OSE 3.2beta1 has been uploaded to our website. It contains a lot of important new functionality compared to 3.2alpha2 and also some care has been taken to shake out release-critical bugs.

As of know I don’t know about any Release Critical issues, but I do now that a number of such bugs have been fixed since alpha2. So if you had issues with the alpha release and didn’t report the issues, it still is probable that this release fixes them.

I think this beta is good enough for everyone to try out, so if you like the new features, I’d appreciate if you could report with either negative or positive feedback to the syslog-ng mailing list.

If you haven’t tracked 3.2 development so far, I’d recommend to read the 3.2alpha2 and 3.2beta1 announcements for a sumary of new features coming in 3.2.

You can find these here:

http://www.balabit.com/downloads/files/syslog-ng/open-source-edition/3.2beta1/changelog-en.txt

http://www.balabit.com/downloads/files/syslog-ng/open-source-edition/3.2alpha2/changelog-en.txt

This time in addition to the source code, I also release syslog-ng binaries for Linux/i386 and Linux/amd64. The binaries are not thouroughly tested and will probably never be. The canonical release format for syslog-ng is the source code. Anyway, if you feel there are problems with the installer/binaries, feedback is welcome, we’re willing to fix them.

Here’s the NEWS entry for the 3.2beta1 release:

3.2beta1

 Mon, 11 Oct 2010 12:25:07 +0200

 Changes and new features destined to the syslog-ng 3.2 release are

 complete, and starting with this release, only bugfixes and minor

 changes are possible. There's only one exception to this: the

 correllation framework in db-parser() is still considered

 experimental and is recommended for early adopters only.

 This beta has gone through some testing and initial blocker problems

 were fixed before the release. Right now I'm not aware of any

 serious issues, but as always, testing is appreciated.

 New features since 3.2alpha2:

 * Added support for message correllation in db-parser. See the

 relevant blog posts for more information:

 http://bazsi.blogs.balabit.com/2010/10/syslog-ng-correllation-updated/

 http://bazsi.blogs.balabit.com/2010/09/syslog-ng-correllation/

 * Added "pdbtool patternize", which implements automatic patterndb

 generation from a sample log file.

 http://gyp.blogs.balabit.com/2010/01/introducing-pdbtool-patternize/

 * Added template functions framework and some initial functions:

 http://bazsi.blogs.balabit.com/2010/09/introducing-template-functions/

 The new functions are: $(echo), $(grep) and $(if)

 * Added support to process native syslog.conf file using the

 syslogconf SCL plugin.

 http://bazsi.blogs.balabit.com/2010/09/syslog-ng-now-supports-the-syslog-conf-file-format/

 * Added support for comparison operators in filter expressions, e.g.

 it is now possible to use "$FACILITY_NUM" < "5". String and

 numeric operators are also provided, the same way as in perl.

 * syslog-ng now automatically detects if an incoming message is in

 RFC3164 or RFC5424 format. This means that the syslog driver can

 be used to process both.

 * Added pdbtool validation support, using the "pdbtool test --validate".

 Requires an installed xmllint program.

 * pdbtool is now able to merge patterndb XML files recursively in

 order to make it easy to use the results of the patterndb project.

 * db-parser() automatically assigns class-specific tags to messages,

 this means that a message classified "system" will get a

 ".classifier.system" tag in addition to storing the class in a

 name-value pair named ${.classifier.class}

 * It is now possible to use multiple program name patterns for a

 single ruleset in patterndb.

 * Added $(ipv4-to-int) template function to convert an IP address to

 its numeric representation.

 Bugfixes since 3.2alpha2:

 * Fixed a possible infinite loop in "pdbtool test" in case

 program/message was missing from the sample message.

 * SQL: revert don't require the current CVS version of libdbi

 * Don't report "this config file version is too old" multiple times.

 * Underscore and dash are assumed to be equivalent in plugin names.

 * Various memory leaks were plugged.

 Removed functions:

 * Removed the use_time_recvd() global and per-destination option,

 deprecated since 3.0. Can be substituted with $R_ prefix in macro

 names.

 Other changes:

 * Restructured the source tree in order to make compilations of

 independent plugins easier and faster. Modules go to modules/

 subdirectory, the core lives under lib/ and the main executables

 go into syslog-ng/

 * SCL paths are determined relative to ${datadir} instead of

 ${prefix} to make distribution packaging easier.

 * Pass -avoid-version when linking modules.

 * syslog-ng now requires bison 2.4, this is also checked by the

 configure script.

Credits:

I’d like to thank the following people who made this release possible.People in no particular order:

• Péter Gyöngyösi for his patternize work
• Márton Illés for pdbtool test
• Róbert Fekete for his feedback on various functions/ideas
• Csaba Major for listening to my stupid ideas
• Martin Grauel for giving a talk on syslog-ng 3.2 and for his number of useful comments
• Bálint Kovács for trying patternize, giving me bugreports and for his patternize related ideas
• Péter Czanik for asking distributor maintainers to package syslog-ng 3.2 and to return feedback on the build process
• Matthew Hall, Martin Holste, Patrick H. for his patterndbfeedback and their support on the mailing that gave me time towork on syslog-ng instead of doing syslog-ng related mailing

Hopefully I haven’t forgotten anyone. I’d like to open the 3.3 branch of syslog-ng now and I’d appreciate if distributions would start adopting the 3.2 package. It comes with big build changes, so maintainers
please expect some more time with this release.

I’m trying to fix bugs fast as they appear to get a stable 3.2 by the end of this year.

Happy logging!

As posted on the mailing list already, I’m planning to turn syslog-ng into a fully-multi-threaded application in order to improve performance on multi-core systems. Since I don’t want to start destaibilizing 3.2 (rather to push dub that as stable soon), this will become part of OSE 3.3.

During my holidays I’ve worked a little on this to get some actual numbers how much it improves performance. Thus I’ve added the bare-bones of threading to all input/output state machines, which were previously all running in the same “main” thread.

The code is _very_ experimental, it wouldn’t work with more than a single client, but this already shows that using a single client and a single destination file, it gives us about 50% performance boost. On my development laptop with X and every desktop shinyness running, it increased performance of syslog-ng from about 65k/sec to 100k/sec with flow control disabled and 90k/sec with flow control enabled. (the extra 10k was probably dropped without flow control because the output thread was probably slower writing out the stuff to disk, but I’m not sure).

If anyone wants to see what I’ve done so far, here is the commit:

http://git.balabit.hu/?p=bazsi/syslog-ng-3.2.git;a=shortlog;h=multi-thread

This was first posted as a comment under an article on lwn.net, but I thought it was important enough to post it here for others not reading lwn. Please go ahead and read the original article which is about the “Open Core” business model and its problems from the Free Software community point of view.

A commenter thought that syslog-ng was an example, which only exists as a marketing tool for the company’s commercial offering. Anyway, here’s my post:

First of all, I want to make it clear that I’m biased on the syslog-ng case, but still wanted to express my opinion here. I’m biased as I’m the primary author of syslog-ng.

I think syslog-ng is a completely different case from the one described by Neary. The GPL version is not crippleware, it was never published for marketing purposes only and for the majority of syslog-ng’s existence only the Open Source stuff existed. The Premium Edition is only about 3 years old and syslog-ng started in 1998.

We never removed features from the OSE version, the Premium Edition only included _additional_ features, and a lot of those are already available in the OSE.

Some examples:
* TLS support (became available in 3.0, almost 2 years ago)
* SQL destination (became available in 2.1, 2.5 years ago)
* performance improvements (3.0)
* etc.

In the other direction, we usually receive bugfixes and it is a pure technical reason that we used to require copyright assignment: I wanted to keep the two branches as close as possible (which if not done is the reason #1 why Open Core products become crippleware fast). _And_ since we heavily invested in automatic testing and our customers report bugs directly to us, we fix way more bugs in the OSE version than the community.

But anyway, I didn’t think that the dual license model was so problematic at the time we made this decision 3 years ago. Our efforts have never been “Rotten to the Open Core”. If you don’t believe that, check out the git repository or read the mailing list archive and see it yourself.

And this whole mess is the past, OSE 3.2 has been relicensed, and it is true that we’re going to publish non-free plugins, but anyone else is welcome to join and do the same.

I’ve just uploaded syslog-ng 3.2alpha2 to the release directory. The last alpha release didn’t compile on all supported platforms and the automatic test-suite was disabled, because it only worked if syslog-ng got installed first.

These obstacles have been overcome and together with some fixes and a couple of new features, 3.2alpha2 is now available. I’ve also forward ported all bugfixes from syslog-ng 3.1.2.

For those who are starting to experiment with the 3.2 branch, here’s the list of new features compared to 3.1. Those who tried 3.2alpha1, the list of changes compared to 3.2alpha1 is at the end of this post.

Since the documentation of syslog-ng is not yet up-to-date with the new features introduced, I’ve tried to also include URLs for the best known descriptions. The references may not be 100% accurate, but should give anyone interested an idea how to start experimenting.

Also, please note that although this is an alpha release, the bulk of the changes are in the configuration parser, so once your configuration was parsed properly and syslog-ng starts up, an almost unchanged code is processing it. This means that this release should be good enough to start playing with. And feedback about what kind of syslog-ng.conf parsing errors you encounter on real-life configuration files is more than welcome.

Code quality & functionality wise, this could be a beta release, I only expect “procedural” changes, like cleaning up the plugin names, which wouldn’t be nice to do in a beta release (though not unheard of

New features in 3.2:

• Plugins: the new architecture replaces the old monolithic one, all syslog-ng functionality is loaded from external plugins when needed. It is possible to write plugins to extend syslog-ng functionality in the following areas: sources, destinations, filter expression, parsers, rewrite ops, message format.

• The framework for a “syslog-ng configuration library” (aka SCL) a collection of configuration snippets installed along syslog-ng, simplifying the authoring of syslog-ng configuration files.

• pdbtool match is now able to read a file containing syslog messages and apply patterndb and a filter expression on the contents.

• pdbtool test is now able to perform pattern testing automatically based on the supplied example log message.

• Persistent state containing the current file position for file sources is now continously updated during runtime, instead of updating it only at exit, which makes it much more reliable in case syslog-ng doesn’t terminate normally.

• Better syntax error reporting in the configuration file.

• Support for reusable configuration snippets, similar to macros with parameters, named “blocks”.

• Added a confgen plugin that includes the output of a program into the configuration file, making it possible to generate configuration file snippets dynamically.

• Support for BSD-style process accounting logs via the pacct() source driver defined in by SCL and the underlying pacctformat plugin.

• Support for explicit COMMITs in the SQL driver, this speeds up SQL INSERT rate significantly if flush_lines() is non-zero.

• It is now possible to supply a filter to rewrite expressions and only apply the rewrite rule in case the filter matches.

• It is now possible to use multiple parser expressions in a single parser object, similar to rewrite rules.
• Added support for using the include statement from anywhere in the configuration file, instead of only at top-level. Also introduced syslog-ng “global values” that can be defined and the substituted anywhere in the configuration file.

• Default configuration file supplied as part of SCL.

Incompatible changes:

• syslog-ng traditionally expected an optional hostname field even when a syslog message is received on a local transport (e.g. /dev/log). However no UNIX version is known to include this field. This caused problems when the application creating the log message has a space in its program name field. This behaviour has been changed for the unix-stream/unix-dgram/pipe drivers if the config version is 3.2 and can be restored by using an explicit ‘expect-hostname’ flag for the specific source.

Changes since 3.2alpha1:

• Now compiles on all platforms and the unit/functional tests also run. (tested: AIX, HP-UX, Solaris, FreeBSD, Linux, Tru64)
• Fixed pdbtool match –debug-pattern output for ESTRING parsers.
• Fixed a possible memory leak in the lexer, which would accumulate in case SIGHUPs.
• Fixed Solaris STREAMS device support.
• For
  ward ported all bugfixes from syslog-ng OSE 3.0 & 3.1
• Disable process accounting module by default as it doesn’t compile on non-Linux platforms.
• Added “pdbtool match –file” option to read and parse an existing logfile.
• Added “pdbtool test” to check the log samples in the patterndb file.
• Added “dont-create-tables” flag for the SQL destination to inhibit automatic table creation.
• Added “condition()” support for rewrite expressions, which makes it possible to skip rewrite rules that do not match a filter expression.
• Added “–module-path” command line option to control where modules are loaded from from the command line.

Happy logging!

Starting with syslog-ng OSE 3.2, syslog-ng became plugin based, which has some consequences that even experienced syslog-ng users may stumble into.

The most obvious one, is that syslog-ng now produces a series of .so files loaded at runtime, instead of being a monolithic executable. If a given .so is not not or not loaded, some of the functionality may be missing. This usually manifests itself by a syntax error when parsing the configuration file.

Second: if you compile syslog-ng from source, the unit/functional test programs also want to load plugins, and they try to do that from the install directory. This means that you first have to install syslog-ng using “make install” before running the testsuite. This is not an ideal solution, but should work for now.

Plugins are loaded from $prefix/lib/syslog-ng by default, however this can be changed using the `module-path` global, which contains the list of directories where syslog-ng should look for modules. You can change this using the syntax:

@define module-path `module-path`:/usr/local/lib/syslog-ng-plugins

I think that’s it for now.