<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<style type="text/css" style="display:none;"> P {margin-top:0;margin-bottom:0;} </style>
</head>
<body dir="ltr">
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 11pt; color: rgb(0, 0, 0);">
<div data-pjax="true" data-test-selector="body-content" data-view-component="true" class="markdown-body my-3">
<h1>3.36.1</h1>
<h2>Highlights</h2>
<ul>
<li>
<p><code>system()</code> source: added basic support for reading macOS system logs</p>
<p>The current implementation processes the output of the original macOS syslogd:<br>
<code>/var/log/system.log</code>.<br>
(<a href="https://github.com/syslog-ng/syslog-ng/pull/3710" data-hovercard-type="pull_request" data-hovercard-url="/syslog-ng/syslog-ng/pull/3710/hovercard">#3710</a>)</p>
</li><li>
<p><code>$(values)</code> and <code>$(names)</code>: these new template functions can be used to<br>
query a list of name-value pairs in the current message. The name-value<br>
pairs to query are specified by a value-pairs expression, just like<br>
with <code>$(format-json)</code>.</p>
<p>Examples:</p>
<p>This expression sets the JSON array <code>values</code> to contain the list of SDATA<br>
values, while the JSON array <code>names</code> would contain the associated names, in<br>
the same order.</p>
<p><code>$(format-json values=list($(values .SDATA.*)) names=list($(names .SDATA.*)))</code></p>
<p>The resulting name-value pairs are always sorted by their key, regardless of<br>
the argument order.<br>
(<a href="https://github.com/syslog-ng/syslog-ng/pull/3911" data-hovercard-type="pull_request" data-hovercard-url="/syslog-ng/syslog-ng/pull/3911/hovercard">#3911</a>)</p>
</li><li>
<p><code>rename()</code>: added a new rewrite rule, called <code>rename()</code></p>
<p>Example usage:</p>
<div class="snippet-clipboard-content position-relative overflow-auto">
<pre><code>rewrite {
  rename( "renamed-from" "renamed-to" );
};
</code></pre>
</div>
<p>(<a href="https://github.com/syslog-ng/syslog-ng/pull/3841" data-hovercard-type="pull_request" data-hovercard-url="/syslog-ng/syslog-ng/pull/3841/hovercard">#3841</a>)</p>
</li></ul>
<h2>Features</h2>
<ul>
<li>
<p><code>network()</code> drivers: added TLS keylog support</p>
<p>When <code>keylog-file()</code> is set, syslog-ng dumps the TLS secrets of the given source/destination to that file.<br>
The file can be used for debugging purposes to decrypt data with, for example, Wireshark.</p>
<p><strong>This should be used for debugging purposes only!</strong></p>
<p>Example usage:</p>
<div class="snippet-clipboard-content position-relative overflow-auto">
<pre><code>source tls_source{
  network(
      port(1234)
      transport("tls"),
      tls(
        key-file("/path/to/server_key.pem"),
        cert-file("/path/to/server_cert.pem"),
        ca-dir("/path/to/ca/")
        keylog-file("/path/to/keylog_file")
      )
  );
};
</code></pre>
</div>
<p>(<a href="https://github.com/syslog-ng/syslog-ng/pull/3792" data-hovercard-type="pull_request" data-hovercard-url="/syslog-ng/syslog-ng/pull/3792/hovercard">#3792</a>)</p>
</li><li>
<p><code>tls()</code> block: added option for restricting TLS 1.3 ciphers</p>
<p>The <code>network()</code>, <code>syslog()</code>, and <code>http()</code> modules now support specifying TLS 1.3 cipher suites.</p>
<p>Example usage:</p>
<div class="snippet-clipboard-content position-relative overflow-auto">
<pre><code>network(
  transport("tls")
  tls(
    pkcs12-file("test.p12")
    cipher-suite(
      tls12-and-older("ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256"),
      tls13("TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384")
    )
  )
);
</code></pre>
</div>
<p><code>tls12-and-older()</code> can be used to specify TLS v1.2-and-older ciphers,<br>
<code>tls13()</code> can be used for TLS v1.3 ciphers only.</p>
<p>Note: The old <code>cipher-suite("list:of:ciphers")</code> option restricts only the TLS v1.2-and-older cipher suite<br>
for backward compatibility.<br>
(<a href="https://github.com/syslog-ng/syslog-ng/pull/3907" data-hovercard-type="pull_request" data-hovercard-url="/syslog-ng/syslog-ng/pull/3907/hovercard">#3907</a>)</p>
</li><li>
<p><code>file()</code> destination: added a new option: <code>symlink-as()</code></p>
<p>This feature allows one to maintain a persistent symlink to a log file when a<br>
template is used (for example: <code>/var/log/cron -> /var/log/cron.${YEAR}${MONTH}</code>).</p>
<p>Example usage:</p>
<div class="snippet-clipboard-content position-relative overflow-auto">
<pre><code>destination d_file_cron {
  file("/var/log/cron.${YEAR}${MONTH}" symlink-as("/var/log/cron"));
};
</code></pre>
</div>
<p>From a functional perspective, the <code>symlink-as</code> file inherits both<br>
<code>create-dirs</code> and file ownership from its file destination (permissions are not<br>
applicable to symlinks, at least on Linux).</p>
<p>The symlink is adjusted at the time a new destination file is opened (in the<br>
example above, if <code>${YEAR}</code> or <code>${MONTH}</code> changes).</p>
<p>Although not specific to time macros, that's where the usefulness is. If the<br>
template contains something like <code>${PROGRAM}</code> or <code>${HOST}</code>, the configuration wouldn't<br>
necessarily be invalid, but you'd get an ever-changing symlink of dubious<br>
usefulness.<br>
(<a href="https://github.com/syslog-ng/syslog-ng/pull/3855" data-hovercard-type="pull_request" data-hovercard-url="/syslog-ng/syslog-ng/pull/3855/hovercard">#3855</a>)</p>
</li><li>
<p><code>flags(no-rfc3164-fallback)</code>: added a new flag to sources that parse<br>
incoming syslog data and operate in RFC5424 mode (e.g. <code>syslog-protocol</code> is<br>
also set). With the new flag, the automatic fallback to RFC3164 format<br>
is disabled: if RFC5424 parsing fails, the<br>
syslog parser results in an error message. In the case of<br>
<code>syslog-parser(drop-invalid(yes))</code>, the message is dropped.<br>
(<a href="https://github.com/syslog-ng/syslog-ng/pull/3891" data-hovercard-type="pull_request" data-hovercard-url="/syslog-ng/syslog-ng/pull/3891/hovercard">#3891</a>)</p>
</li><li>
<p><code>syslog-format</code>: accept ISO timestamps that incorrectly use a space instead of<br>
a 'T' to delimit the date from the time portion. For example, a<br>
<code>"2021-01-01T12:12:12"</code> timestamp is well formed according to RFC5424 (which<br>
uses a subset of ISO8601, see <a href="https://datatracker.ietf.org/doc/html/rfc5424#section-6.2.3" rel="nofollow">https://datatracker.ietf.org/doc/html/rfc5424#section-6.2.3</a>).<br>
Some systems simply use a space instead of a 'T'. The same format is<br>
accepted for both RFC3164 (e.g. <code>udp()</code>, <code>tcp()</code> and <code>network()</code> sources) and<br>
RFC5424 (e.g. <code>syslog()</code> source).<br>
(<a href="https://github.com/syslog-ng/syslog-ng/pull/3893" data-hovercard-type="pull_request" data-hovercard-url="/syslog-ng/syslog-ng/pull/3893/hovercard">#3893</a>)</p>
</li><li>
<p><code>transport(text-with-nuls)</code>: added a new transport mechanism for<br>
the <code>network()</code> driver that allows <code>NUL</code> characters within the message.</p>
<p>Note: syslog-ng does not support embedded <code>NUL</code> characters everywhere, so it is<br>
recommended that you also use <code>flags(no-multi-line)</code>, which causes <code>NUL</code><br>
characters to be replaced by space.<br>
(<a href="https://github.com/syslog-ng/syslog-ng/pull/3913" data-hovercard-type="pull_request" data-hovercard-url="/syslog-ng/syslog-ng/pull/3913/hovercard">#3913</a>)</p>
</li></ul>
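<p>For the <code>keylog-file()</code> and <code>cipher-suite()</code> items above, a configuration audit is a useful check: the sketch below is an added example (not part of the release notes or of syslog-ng itself) that flags <code>tls()</code> blocks which still write TLS secrets to disk, or which restrict ciphers without a <code>tls13()</code> list. The function names, finding labels, sample configuration and the host <code>logs.example.com</code> are assumptions made for the example.</p>

```python
import re

# Constructed sample config for this example; host and paths are placeholders.
SAMPLE_CONF = '''
source s_debug {
  network(port(1234) transport("tls")
    tls(
      key-file("/path/to/server_key.pem")
      keylog-file("/path/to/keylog_file")   # left over from debugging
      cipher-suite("ECDHE-RSA-AES128-GCM-SHA256")
    ));
};
destination d_ok {
  network("logs.example.com" transport("tls")
    tls(
      ca-dir("/path/to/ca/")
      # keylog-file("/path/to/keylog_file")
      cipher-suite(
        tls12-and-older("ECDHE-ECDSA-AES128-GCM-SHA256"),
        tls13("TLS_AES_256_GCM_SHA384"))
    ));
};
'''
MASK = re.compile(r'"[^"\n]*"|#[^\n]*')  # quoted strings and # comments

def tls_blocks(text):
    """Yield (line, body) per tls( ... ) block, with strings and comments blanked."""
    clean = MASK.sub(lambda m: " " * len(m.group()), text)
    for m in re.finditer(r"\btls\s*\(", clean):
        depth, end = 1, m.end()
        while depth and end != len(clean):
            depth += {"(": 1, ")": -1}.get(clean[end], 0)
            end += 1
        yield clean.count("\n", 0, m.start()) + 1, clean[m.end():end]

def audit(text):
    """Return (line, finding) pairs for the two settings described above."""
    findings = []
    for line, body in tls_blocks(text):
        if re.search(r"\bkeylog-file\s*\(", body):
            findings.append((line, "keylog-file"))  # TLS secrets written to disk
        restricted = re.search(r"\bcipher-suite\s*\(", body)
        if restricted and not re.search(r"\btls13\s*\(", body):
            findings.append((line, "tls13-unrestricted"))  # TLS 1.3 left at defaults
    return findings

if __name__ == "__main__":
    for line, finding in audit(SAMPLE_CONF):
        print(f"line {line}: {finding}")
```

<p>Line numbers refer to the opening <code>tls(</code> of each block; escaped quotes and multi-line strings are not handled by this sketch.</p>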
<h2>Bugfixes</h2>
<ul>
<li>
<p><code>filter</code>: fixed the <code>not</code> operator in <code>filter</code> expressions (regression in v3.35.1)</p>
<p>Reusing a filter that contains the <code>not</code> operator more than once, or<br>
referencing a complex expression containing <code>not</code> might have caused invalid results<br>
in the previous syslog-ng version (v3.35.1). This has been fixed.<br>
(<a href="https://github.com/syslog-ng/syslog-ng/pull/3863" data-hovercard-type="pull_request" data-hovercard-url="/syslog-ng/syslog-ng/pull/3863/hovercard">#3863</a>)</p>
</li><li>
<p><code>throttle()</code> filter: support negation<br>
(<a href="https://github.com/syslog-ng/syslog-ng/pull/3863" data-hovercard-type="pull_request" data-hovercard-url="/syslog-ng/syslog-ng/pull/3863/hovercard">#3863</a>)</p>
</li><li>
<p><code>disk-buffer()</code>: fixed a crash which could happen in very rare cases, while a corrupted
<code>disk-buffer</code> was getting replaced<br>
(<a href="https://github.com/syslog-ng/syslog-ng/pull/3845" data-hovercard-type="pull_request" data-hovercard-url="/syslog-ng/syslog-ng/pull/3845/hovercard">#3845</a>)</p>
</li><li>
<p><code>disk-buffer()</code>: fixed a memory leak issue and inconsistent buffer handling in rare cases<br>
(<a href="https://github.com/syslog-ng/syslog-ng/pull/3887" data-hovercard-type="pull_request" data-hovercard-url="/syslog-ng/syslog-ng/pull/3887/hovercard">#3887</a>)</p>
</li><li>
<p><code>disk-buffer()</code>: fixed underflowing <code>queued</code> stats counter<br>
(<a href="https://github.com/syslog-ng/syslog-ng/pull/3887" data-hovercard-type="pull_request" data-hovercard-url="/syslog-ng/syslog-ng/pull/3887/hovercard">#3887</a>)</p>
</li><li>
<p><code>disk-buffer()</code>: fixed the <code>queued</code> stats not being adjusted when a disk-buffer became corrupt<br>
(<a href="https://github.com/syslog-ng/syslog-ng/pull/3851" data-hovercard-type="pull_request" data-hovercard-url="/syslog-ng/syslog-ng/pull/3851/hovercard">#3851</a>)</p>
</li><li>
<p><code>disk-buffer()</code>: fixed a disk-buffer corruption issue</p>
<p>A completely filled and then emptied disk-buffer may have been recognised as corrupt.<br>
(<a href="https://github.com/syslog-ng/syslog-ng/pull/3874" data-hovercard-type="pull_request" data-hovercard-url="/syslog-ng/syslog-ng/pull/3874/hovercard">#3874</a>)</p>
</li><li>
<p><code>amqp()</code>: fixed a minor error reporting problem.<br>
(<a href="https://github.com/syslog-ng/syslog-ng/pull/3869" data-hovercard-type="pull_request" data-hovercard-url="/syslog-ng/syslog-ng/pull/3869/hovercard">#3869</a>)</p>
</li><li>
<p><code>amqp()</code>: syslog-ng now drops messages that are too large to send<br>
(<a href="https://github.com/syslog-ng/syslog-ng/pull/3869" data-hovercard-type="pull_request" data-hovercard-url="/syslog-ng/syslog-ng/pull/3869/hovercard">#3869</a>)</p>
</li><li>
<p><code>amqp()</code>: fixed a crash, which happened with <code>librabbitmq</code> v0.9.0 or v0.10.0, while using the
<code>tls()</code> block.<br>
(<a href="https://github.com/syslog-ng/syslog-ng/pull/3929" data-hovercard-type="pull_request" data-hovercard-url="/syslog-ng/syslog-ng/pull/3929/hovercard">#3929</a>)</p>
</li><li>
<p><code>file()</code> source: fixed invalid buffer handling when <code>encoding()</code> is used</p>
<p>A bug has been fixed that, under rare circumstances, could cause message<br>
duplication or partial message loss when non-fixed-length or lesser-known<br>
fixed-length encodings are used.<br>
(<a href="https://github.com/syslog-ng/syslog-ng/pull/3892" data-hovercard-type="pull_request" data-hovercard-url="/syslog-ng/syslog-ng/pull/3892/hovercard">#3892</a>)</p>
</li><li>
<p><code>syslog-ng</code>: fixed a SIGSEGV triggered by an incorrectly formatted "CONFIG"<br>
command, received on the syslog-ng control socket. The only known<br>
implementation of the control protocol is syslog-ng-ctl itself, which always<br>
sends a correct command, but anyone with access to the UNIX domain socket<br>
<code>syslog-ng.ctl</code> (root only by default) can trigger a crash.<br>
(<a href="https://github.com/syslog-ng/syslog-ng/pull/3900" data-hovercard-type="pull_request" data-hovercard-url="/syslog-ng/syslog-ng/pull/3900/hovercard">#3900</a>)</p>
</li><li>
<p><code>credit-card-mask()</code>: fixed the Visa, Mastercard and JCB card regex patterns<br>
(<a href="https://github.com/syslog-ng/syslog-ng/pull/3853" data-hovercard-type="pull_request" data-hovercard-url="/syslog-ng/syslog-ng/pull/3853/hovercard">#3853</a>)</p>
</li><li>
<p><code>cisco-parser()</code>: allow a leading dot in the timestamp (not synced clocks)<br>
(<a href="https://github.com/syslog-ng/syslog-ng/pull/3843" data-hovercard-type="pull_request" data-hovercard-url="/syslog-ng/syslog-ng/pull/3843/hovercard">#3843</a>)</p>
</li></ul>
<h2>Notes to developers</h2>
<ul>
<li>
<p>plugins: we have made it easier to implement filter plugins</p>
<p>An example can be found under <code>modules/rate-limit-filter</code>.<br>
(<a href="https://github.com/syslog-ng/syslog-ng/pull/3866" data-hovercard-type="pull_request" data-hovercard-url="/syslog-ng/syslog-ng/pull/3866/hovercard">#3866</a>)</p>
</li><li>
<p>dev-utils: various fixes for the plugin skeleton generator script<br>
(<a href="https://github.com/syslog-ng/syslog-ng/pull/3866" data-hovercard-type="pull_request" data-hovercard-url="/syslog-ng/syslog-ng/pull/3866/hovercard">#3866</a>)</p>
</li></ul>
<h2>Other changes</h2>
<ul>
<li>The <a href="https://hub.docker.com/r/balabit/syslog-ng/" rel="nofollow">syslog-ng Docker image</a><br>
is now automatically tagged and pushed to Docker Hub after each release<br>
(<a href="https://github.com/syslog-ng/syslog-ng/pull/3870" data-hovercard-type="pull_request" data-hovercard-url="/syslog-ng/syslog-ng/pull/3870/hovercard">#3870</a>)</li><li><code>throttle()</code> filter: renamed to <code>rate-limit()</code><br>
(<a href="https://github.com/syslog-ng/syslog-ng/pull/3866" data-hovercard-type="pull_request" data-hovercard-url="/syslog-ng/syslog-ng/pull/3866/hovercard">#3866</a>)</li><li><code>python</code>: support Python 3.10<br>
(<a href="https://github.com/syslog-ng/syslog-ng/pull/3865" data-hovercard-type="pull_request" data-hovercard-url="/syslog-ng/syslog-ng/pull/3865/hovercard">#3865</a>)</li><li><code>java</code>: upgraded from old log4j v1.x line to log4j v2.17.2<br>
(<a href="https://github.com/syslog-ng/syslog-ng/pull/3861" data-hovercard-type="pull_request" data-hovercard-url="/syslog-ng/syslog-ng/pull/3861/hovercard">#3861</a>)<br>
(<a href="https://github.com/syslog-ng/syslog-ng/pull/3927" data-hovercard-type="pull_request" data-hovercard-url="/syslog-ng/syslog-ng/pull/3927/hovercard">#3927</a>)</li></ul>
<h2>Credits</h2>
<p>syslog-ng is developed as a community project, and as such it relies<br>
on volunteers to do the work necessary to produce syslog-ng.</p>
<p>Reporting bugs, testing changes, writing code or simply providing<br>
feedback are all important contributions, so if you are a user<br>
of syslog-ng, please contribute.</p>
<p>We would like to thank the following people for their contribution:</p>
<p>Andras Mitzki, Andrea Biardi, Attila Szakacs, Balazs Scheidler,<br>
Balázs Barkó, Benedek Cserhati, Gabor Nagy, Janos SZIGETVARI,<br>
Laszlo Budai, Laszlo Szemere, László Várady, Mikel Olasagasti Uranga,<br>
Norbert Takacs, Parrag Szilárd, Peter Kokai, Szilárd Parrag,<br>
Zoltan Pallagi, Stanislav Osipov, Yash Mathne</p>
<div style="margin-top: 0px; margin-bottom: 0px;">
<h2 dir="auto">Installation from binaries</h2>
<a href="https://github.com/syslog-ng/syslog-ng#installation-from-binaries">https://github.com/syslog-ng/syslog-ng#installation-from-binaries</a><br>
</div>
</div>
</div>
</body>
</html>