
<html>

<head>

<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">

<style type="text/css" style="display:none;"> P {margin-top:0;margin-bottom:0;} </style>

</head>

<body dir="ltr">

<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 11pt; color: rgb(0, 0, 0);">

<div data-pjax="true" data-test-selector="body-content" data-view-component="true" class="markdown-body my-3">

<h1>3.36.1</h1>

<h2>Highlights</h2>

<ul>

<li>

<p><code>system()</code> source: added basic support for reading macOS system logs</p>

<p>The current implementation processes the output of the original macOS syslogd:<br>

<code>/var/log/system.log</code>.<br>

(<a href="https://github.com/syslog-ng/syslog-ng/pull/3710" data-hovercard-type="pull_request" data-hovercard-url="/syslog-ng/syslog-ng/pull/3710/hovercard">#3710</a>)</p>

</li><li>

<p><code>$(values)</code> and <code>$(names)</code>: these new template functions can be used to<br>

query a list of name-value pairs in the current message. The list of name<br>

value pairs queried are specified by a value-pairs expression, just like<br>

with <code>$(format-json)</code>.</p>

<p>Examples:</p>

<p>This expression sets the JSON array <code>values</code> to contain the list of SDATA<br>

values, while the JSON array <code>names</code> would contain the associated names, in<br>

the same order.</p>

<p><code>$(format-json values=list($(values .SDATA.*)) names=list($(names .SDATA.*)))</code></p>

<p>The resulting name-value pairs are always sorted by their key, regardless of<br>

the argument order.<br>

(<a href="https://github.com/syslog-ng/syslog-ng/pull/3911" data-hovercard-type="pull_request" data-hovercard-url="/syslog-ng/syslog-ng/pull/3911/hovercard">#3911</a>)</p>

</li><li>

<p><code>rename()</code>: added a new rewrite rule, called <code>rename()</code></p>

<p>Example usage:</p>

<div class="snippet-clipboard-content position-relative overflow-auto">

<pre><code>rewrite {

  rename( "renamed-from" "renamed-to" );

};

</code></pre>

</div>

<p>(<a href="https://github.com/syslog-ng/syslog-ng/pull/3841" data-hovercard-type="pull_request" data-hovercard-url="/syslog-ng/syslog-ng/pull/3841/hovercard">#3841</a>)</p>

</li></ul>

<h2>Features</h2>

<ul>

<li>

<p><code>network()</code> drivers: added TLS keylog support</p>

<p>syslog-ng dumps TLS secrets for a given source/destination, which can be used for<br>

debugging purposes to decrypt data with, for example, Wireshark.</p>

<p><strong>This should be used for debugging purposes only!</strong></p>

<p>Example usage:</p>

<div class="snippet-clipboard-content position-relative overflow-auto">

<pre><code>source tls_source{

  network(

      port(1234)

      transport("tls"),

      tls(

        key-file("/path/to/server_key.pem"),

        cert-file("/path/to/server_cert.pem"),

        ca-dir("/path/to/ca/")

        keylog-file("/path/to/keylog_file")

      )

  );

};

</code></pre>

</div>

<p>(<a href="https://github.com/syslog-ng/syslog-ng/pull/3792" data-hovercard-type="pull_request" data-hovercard-url="/syslog-ng/syslog-ng/pull/3792/hovercard">#3792</a>)</p>

</li><li>

<p><code>tls()</code> block: added option for restricting TLS 1.3 ciphers</p>

<p>The <code>network()</code>, <code>syslog()</code>, and the <code>http()</code> modules now support specifying TLS 1.3 cipher suites,</p>

<p>Example usage:</p>

<div class="snippet-clipboard-content position-relative overflow-auto">

<pre><code>network(

  transport("tls")

  tls(

    pkcs12-file("test.p12")

    cipher-suite(

      tls12-and-older("ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256"),

      tls13("TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384")

    )

  )

);

</code></pre>

</div>

<p><code>tls12-and-older()</code> can be used to specify TLS v1.2-and-older ciphers,<br>

<code>tls13()</code> can be used for TLS v1.3 ciphers only.</p>

<p>Note: The old <code>cipher-suite("list:of:ciphers")</code> option restricts only the TLS v1.2-and-older cipher suite<br>

for backward compatibility.<br>

(<a href="https://github.com/syslog-ng/syslog-ng/pull/3907" data-hovercard-type="pull_request" data-hovercard-url="/syslog-ng/syslog-ng/pull/3907/hovercard">#3907</a>)</p>

</li><li>

<p><code>file()</code> destination: added a new option: <code>symlink-as()</code></p>

<p>This feature allows one to maintain a persistent symlink to a log file when a<br>

template is used (for example: <code>/var/log/cron -> /var/log/cron.${YEAR}${MONTH}</code>).</p>

<p>Example usage:</p>

<div class="snippet-clipboard-content position-relative overflow-auto">

<pre><code>destination d_file_cron {

  file("/var/log/cron.${YEAR}${MONTH}" symlink-as("/var/log/cron"));

};

</code></pre>

</div>

<p>From a functional perspective, the <code>symlink-as</code> file inherits both<br>

<code>create-dirs</code> and file ownership from its file destination (permissions are not<br>

applicable to symlinks, at least on linux).</p>

<p>The symlink is adjusted at the time a new destination file is opened (in the<br>

example above, if <code>${YEAR}</code> or <code>${MONTH}</code> changes).</p>

<p>Although not specific to time macros, that's where the usefulness is. If the<br>

template contains something like <code>${PROGRAM}</code> or <code>${HOST}</code>, the configuration wouldn't<br>

necessarily be invalid, but you'd get an ever-changing symlink of dubious<br>

usefulness.<br>

(<a href="https://github.com/syslog-ng/syslog-ng/pull/3855" data-hovercard-type="pull_request" data-hovercard-url="/syslog-ng/syslog-ng/pull/3855/hovercard">#3855</a>)</p>

</li><li>

<p><code>flags(no-rfc3164-fallback)</code>: added a new flag to sources that parse<br>

incoming syslog data and operate in RFC5424 mode (e.g. <code>syslog-protocol</code> is<br>

also set). With the new flag the automatic fallback to RFC3164 format<br>

is disabled. In this case if the parsing in RFC5424 fails, the<br>

syslog parser would result in an error message. In the case of<br>

<code>syslog-parser(drop-invalid(yes))</code>, the message would be dropped.<br>

(<a href="https://github.com/syslog-ng/syslog-ng/pull/3891" data-hovercard-type="pull_request" data-hovercard-url="/syslog-ng/syslog-ng/pull/3891/hovercard">#3891</a>)</p>

</li><li>

<p><code>syslog-format</code>: accept ISO timestamps that incorrectly use a space instead of<br>

a 'T' to delimit the date from the time portion. For example, a<br>

<code>"2021-01-01T12:12:12"</code> timestamp is well formed according to RFC5424 (which<br>

uses a subset of ISO8601, see <a href="https://datatracker.ietf.org/doc/html/rfc5424#section-6.2.3" rel="nofollow">

https://datatracker.ietf.org/doc/html/rfc5424#section-6.2.3</a>).<br>

Some systems simply use a space instead of a 'T'. The same format is<br>

accepted for both RFC3164 (e.g. <code>udp()</code>, <code>tcp()</code> and <code>

network()</code> sources) and<br>

RFC5424 (e.g. <code>syslog()</code> source).<br>

(<a href="https://github.com/syslog-ng/syslog-ng/pull/3893" data-hovercard-type="pull_request" data-hovercard-url="/syslog-ng/syslog-ng/pull/3893/hovercard">#3893</a>)</p>

</li><li>

<p><code>transport(text-with-nuls)</code>: added a new transport mechanism for<br>

the <code>network()</code> driver that allows <code>NUL</code> characters within the message.</p>

<p>Note: syslog-ng does not support embedded <code>NUL</code> characters everywhere, so it is<br>

recommended that you also use <code>flags(no-multi-line)</code> that causes <code>

NUL</code><br>

characters to be replaced by space.<br>

(<a href="https://github.com/syslog-ng/syslog-ng/pull/3913" data-hovercard-type="pull_request" data-hovercard-url="/syslog-ng/syslog-ng/pull/3913/hovercard">#3913</a>)</p>

</li></ul>

<h2>Bugfixes</h2>

<ul>

<li>

<p><code>filter</code>: fixed the <code>not</code> operator in <code>filter</code> expressions (regression in v3.35.1)</p>

<p>Reusing a filter that contains the <code>not</code> operator more than once, or<br>

referencing a complex expression containing <code>not</code> might have caused invalid results<br>

in the previous syslog-ng version (v3.35.1). This has been fixed.<br>

(<a href="https://github.com/syslog-ng/syslog-ng/pull/3863" data-hovercard-type="pull_request" data-hovercard-url="/syslog-ng/syslog-ng/pull/3863/hovercard">#3863</a>)</p>

</li><li>

<p><code>throttle()</code> filter: support negation<br>

(<a href="https://github.com/syslog-ng/syslog-ng/pull/3863" data-hovercard-type="pull_request" data-hovercard-url="/syslog-ng/syslog-ng/pull/3863/hovercard">#3863</a>)</p>

</li><li>

<p><code>disk-buffer()</code>: fixed a crash which could happen in very rare cases, while a corrupted

<code>disk-buffer</code> was getting replaced<br>

(<a href="https://github.com/syslog-ng/syslog-ng/pull/3845" data-hovercard-type="pull_request" data-hovercard-url="/syslog-ng/syslog-ng/pull/3845/hovercard">#3845</a>)</p>

</li><li>

<p><code>disk-buffer()</code>: fixed a memory leak issue and inconsistent buffer handling in rare cases<br>

(<a href="https://github.com/syslog-ng/syslog-ng/pull/3887" data-hovercard-type="pull_request" data-hovercard-url="/syslog-ng/syslog-ng/pull/3887/hovercard">#3887</a>)</p>

</li><li>

<p><code>disk-buffer()</code>: fixed underflowing <code>queued</code> stats counter<br>

(<a href="https://github.com/syslog-ng/syslog-ng/pull/3887" data-hovercard-type="pull_request" data-hovercard-url="/syslog-ng/syslog-ng/pull/3887/hovercard">#3887</a>)</p>

</li><li>

<p><code>disk-buffer()</code>: fixed <code>queued</code> stats were not adjusted when a disk-buffer became corrupt<br>

(<a href="https://github.com/syslog-ng/syslog-ng/pull/3851" data-hovercard-type="pull_request" data-hovercard-url="/syslog-ng/syslog-ng/pull/3851/hovercard">#3851</a>)</p>

</li><li>

<p><code>disk-buffer()</code>: fixed a disk-buffer corruption issue</p>

<p>A completely filled and then emptied disk-buffer may have been recognised as corrupt.<br>

(<a href="https://github.com/syslog-ng/syslog-ng/pull/3874" data-hovercard-type="pull_request" data-hovercard-url="/syslog-ng/syslog-ng/pull/3874/hovercard">#3874</a>)</p>

</li><li>

<p><code>amqp()</code>: fixed a minor error reporting problem.<br>

(<a href="https://github.com/syslog-ng/syslog-ng/pull/3869" data-hovercard-type="pull_request" data-hovercard-url="/syslog-ng/syslog-ng/pull/3869/hovercard">#3869</a>)</p>

</li><li>

<p><code>amqp()</code>: syslog-ng now drops messages that are too large to send<br>

(<a href="https://github.com/syslog-ng/syslog-ng/pull/3869" data-hovercard-type="pull_request" data-hovercard-url="/syslog-ng/syslog-ng/pull/3869/hovercard">#3869</a>)</p>

</li><li>

<p><code>amqp()</code>: fixed a crash, which happened with <code>librabbitmq</code> v0.9.0 or v0.10.0, while using the

<code>tls()</code> block.<br>

(<a href="https://github.com/syslog-ng/syslog-ng/pull/3929" data-hovercard-type="pull_request" data-hovercard-url="/syslog-ng/syslog-ng/pull/3929/hovercard">#3929</a>)</p>

</li><li>

<p><code>file()</code> source: fixed invalid buffer handling when <code>encoding()</code> is used</p>

<p>A bug has been fixed that - under rare circumstances - could cause message<br>

duplication or partial message loss when non-fixed length or less known<br>

fixed-length encodings are used.<br>

(<a href="https://github.com/syslog-ng/syslog-ng/pull/3892" data-hovercard-type="pull_request" data-hovercard-url="/syslog-ng/syslog-ng/pull/3892/hovercard">#3892</a>)</p>

</li><li>

<p><code>syslog-ng</code>: fixed a SIGSEGV triggered by an incorrectly formatted "CONFIG"<br>

command, received on the syslog-ng control socket. The only known<br>

implementation of the control protocol is syslog-ng-ctl itself, which always<br>

sends a correct command, but anyone with access to the UNIX domain socket<br>

<code>syslog-ng.ctl</code> (root only by default) can trigger a crash.<br>

(<a href="https://github.com/syslog-ng/syslog-ng/pull/3900" data-hovercard-type="pull_request" data-hovercard-url="/syslog-ng/syslog-ng/pull/3900/hovercard">#3900</a>)</p>

</li><li>

<p><code>credit-card-mask()</code>: fixed visa, mastercard and jcb card regex pattern<br>

(<a href="https://github.com/syslog-ng/syslog-ng/pull/3853" data-hovercard-type="pull_request" data-hovercard-url="/syslog-ng/syslog-ng/pull/3853/hovercard">#3853</a>)</p>

</li><li>

<p><code>cisco-parser()</code>: allow a leading dot in the timestamp (not synced clocks)<br>

(<a href="https://github.com/syslog-ng/syslog-ng/pull/3843" data-hovercard-type="pull_request" data-hovercard-url="/syslog-ng/syslog-ng/pull/3843/hovercard">#3843</a>)</p>

</li></ul>

<h2>Notes to developers</h2>

<ul>

<li>

<p>plugins: we have made it easier to implement filter plugins</p>

<p>An example can be found under <code>modules/rate-limit-filter</code>.<br>

(<a href="https://github.com/syslog-ng/syslog-ng/pull/3866" data-hovercard-type="pull_request" data-hovercard-url="/syslog-ng/syslog-ng/pull/3866/hovercard">#3866</a>)</p>

</li><li>

<p>dev-utils: various fixes for the plugin skeleton generator script<br>

(<a href="https://github.com/syslog-ng/syslog-ng/pull/3866" data-hovercard-type="pull_request" data-hovercard-url="/syslog-ng/syslog-ng/pull/3866/hovercard">#3866</a>)</p>

</li></ul>

<h2>Other changes</h2>

<ul>

<li>The <a href="https://hub.docker.com/r/balabit/syslog-ng/" rel="nofollow">syslog-ng Docker image</a><br>

is now automatically tagged and pushed to Docker Hub after each release<br>

(<a href="https://github.com/syslog-ng/syslog-ng/pull/3870" data-hovercard-type="pull_request" data-hovercard-url="/syslog-ng/syslog-ng/pull/3870/hovercard">#3870</a>)</li><li><code>throttle()</code> filter: renamed to <code>rate-limit()</code><br>

(<a href="https://github.com/syslog-ng/syslog-ng/pull/3866" data-hovercard-type="pull_request" data-hovercard-url="/syslog-ng/syslog-ng/pull/3866/hovercard">#3866</a>)</li><li><code>python</code>: support Python 3.10<br>

(<a href="https://github.com/syslog-ng/syslog-ng/pull/3865" data-hovercard-type="pull_request" data-hovercard-url="/syslog-ng/syslog-ng/pull/3865/hovercard">#3865</a>)</li><li><code>java</code>: upgraded from old log4j v1.x line to log4j v2.17.2<br>

(<a href="https://github.com/syslog-ng/syslog-ng/pull/3861" data-hovercard-type="pull_request" data-hovercard-url="/syslog-ng/syslog-ng/pull/3861/hovercard">#3861</a>)<br>

(<a href="https://github.com/syslog-ng/syslog-ng/pull/3927" data-hovercard-type="pull_request" data-hovercard-url="/syslog-ng/syslog-ng/pull/3927/hovercard">#3927</a>)</li></ul>

<h2>Credits</h2>

<p>syslog-ng is developed as a community project, and as such it relies<br>

on volunteers, to do the work necessarily to produce syslog-ng.</p>

<p>Reporting bugs, testing changes, writing code or simply providing<br>

feedback are all important contributions, so please if you are a user<br>

of syslog-ng, contribute.</p>

<p><br>

</p>

<p>We would like to thank the following people for their contribution:</p>

<p>Andras Mitzki, Andrea Biardi, Attila Szakacs, Balazs Scheidler,<br>

Bal�zs Bark�, Benedek Cserhati, Gabor Nagy, Janos SZIGETVARI,<br>

Laszlo Budai, Laszlo Szemere, L�szl� V�rady, Mikel Olasagasti Uranga,<br>

Norbert Takacs, Parrag Szil�rd, Peter Kokai, Szil�rd Parrag,<br>

Zoltan Pallagi, Stanislav Osipov, Yash Mathne</p>

<p><br>

</p>

<div style="margin-top: 0px; margin-bottom: 0px;">

<h2 dir="auto"><a class="anchor" href="https://github.com/syslog-ng/syslog-ng#installation-from-binaries"><span class="octicon octicon-link" width="16" height="16"></span></a>Installation from binaries</h2>

<a href="https://github.com/syslog-ng/syslog-ng#installation-from-binaries" id="LPNoLPOWALinkPreview">https://github.com/syslog-ng/syslog-ng#installation-from-binaries</a><br>

<div class="_Entity _EType_OWALinkPreview _EId_OWALinkPreview _EReadonly_1"></div>

<br>

<br>

</div>

</div>

</div>

</body>

</html>