Hi,

It is my pleasure to announce the availability of the latest development release for syslog-ng, and a related library called eventlog.

This release is actually usable, and although it is still not recommended to be used on production systems, running it on a spare system with a real log feed would be very useful indeed, to see how it behaves with various real life configurations.

The major differences between syslog-ng 1.9.2 and the releases in the 1.6.x branch are outlined in the NEWS file attached to the end of this message.

A couple of

NEWS

News for the 1.9.2 release
Mon, 03 Jan 2005 22:03:02 +0100

Well, it's been a long time since the last syslog-ng development release simply because I was involved in too many things in parallel. Good news that the release is actually quite usable, I've been running it on my laptop for a week now and I think it is now time to gather some real life experience.

* Fixed a couple of memory leaks.
* Fixed SIGHUP support.
* Fixed program startup to make sure all important error information is logged.
* Fixed program destinations by adding setsid() call after forking.
* Fixed flow controlled log path support.
* Added the possibility to use braces around macro references (like in '${MSG}\n')
* Added macros missing from this branch added to 1.6.x since the last release (PRI and MSGONLY).

News for the 1.9.1 release
Wed, 22 Jan 2003 12:13:44 +0100

This release is still not intended for production use. It has a good number of new features and a couple of them may not be stable enough.

New features:

* template declarations, the possibility to define a template once and refer to it
* flow controlled log paths work, and they are also configurable
* supports RFC3339 timestamps with second fractions and time zones, time zone conversion & source time zone specification
* MARK messages are generated
* keep alive for connections as well as listeners
* the ability to follow log files as they are written to
* the possibility to mark parts of a message using standard '(' and ')' regexp operators and refer to matches within templates (either filenames or content)

This program is still ALPHA.

News for the 1.9.0 release
Thu, 9 May 2002 20:01:11 +0200

This release is the first release of the new reimplementation of syslog-ng. I moved to using glib instead of libol, as glib is more mature and provides several nice & easy to use features.

Here's a bunch of nice things about 1.9.0:

* supports flow controlled log paths (still not possible to configure it, but the code exists in the core)
* better support for macros (macro support is moved out of affile, thus any other drivers may use it)
* more robust detection of closed destination sockets (a closed channel is immediately detected, not at the first write) This avoids losing a log message when the connection is broken.
* supports respawning destination programs (should be used with care to avoid DoS situations). This makes it easier to integrate third party extensions to syslog-ng. (SQL backends, on-line log analysis etc)
* performance improvements, instead of using linear lookup in linked lists, I use hashtables everywhere.
* the ability to define unparsed sources, makes it easier to integrate things like Apache logs
* many internal reorganizations to make it easier to implement things like hashed log files, SSL protected TCP sessions and so on.

Things still missing:

* there are some new features with no configuration interface
* internal messages always go to /dev/stderr
* Sun's STREAMS is not yet supported

1.9.0 is currently in an ALPHA state, it's been tested only on my development computer, and not real-life traffic.

--
Bazsi
Sorry, I accidentally sent an incomplete message yesterday. I'm adding the missing comments now.

On Mon, 2005-01-03 at 22:20 +0100, Balazs Scheidler wrote:
Hi,
It is my pleasure to announce the availability of the latest development release for syslog-ng, and a related library called eventlog.
This release is actually usable, and although it is still not recommended to be used on production systems, running it on a spare system with a real log feed would be very useful indeed, to see how it behaves with various real life configurations.
The major differences between syslog-ng 1.9.2 and the releases in the 1.6.x branch are outlined in the NEWS file attached to the end of this message.
Well, syslog-ng 1.9.2 is available at the usual location at

  http://www.balabit.hu/downloads/syslog-ng/1.9/src/

You need to download both eventlog and syslog-ng, compile/install eventlog first and then syslog-ng.

Documentation is more or less missing, though the documentation for version 1.6 is still very useful, syslog-ng should be compatible with the old version with some minor exceptions:

The following keywords are currently not yet known by this version of syslog-ng, but support for these will be added:
@@ -1,9 +1,7 @@ - { "bad_hostname", KW_BAD_HOSTNAME }, - { "check_hostname", KW_CHECK_HOSTNAME }, - { "netmask", KW_NETMASK }, - { "remove_if_older", KW_REMOVE_IF_OLDER }, - { "sanitize-filenames", KW_SANITIZE_FILENAMES }, - { "sanitize_filenames", KW_SANITIZE_FILENAMES }, - { "spoof-source", KW_SPOOF_SOURCE }, - { "spoof_source", KW_SPOOF_SOURCE }, - { "stats", KW_STATS_FREQ }, - { "tcp-keep-alive", KW_TCP_KEEP_ALIVE }, - { "tcp_keep_alive", KW_TCP_KEEP_ALIVE },

The following keywords do not exactly match with their 1.6 counterparts, but this will be fixed:

- { "mark", KW_MARK_FREQ }, + { "mark_freq", KW_MARK_FREQ }, - { "sync", KW_SYNC_FREQ }, + { "sync_freq", KW_SYNC_FREQ }, - { "pad_size", KW_PAD_SIZE }, + { "padding", KW_PADDING },

Otherwise the new syslog-ng provides the following nifty features:

- flow controlled log paths: it is possible to avoid message drops by not reading incoming messages sources while the output buffer is full. For example:

    source s_stream { unix-stream("/dev/log"); };
    destination d_net { tcp("1.2.3.4" port(2000)); };
    log { source(s_stream); destination(d_net); flags(flow-control); };

  That's it. This will avoid message drops within syslog-ng, provided the sum of all source window sizes (configurable via log_iw_size) is less than or equal to the output driver's log_fifo_size. Syslog-ng simply reads the incoming sources at the rate of the output drivers.

- automatic respawning of program destinations: while it might make the syslog server easily DoSable, syslog-ng now automatically restarts the programs run via the program destination.

- following regular files as input, e.g. this actually works:

    source s_file { file("/var/log/apache/access.log" follow_freq(10)); };

  The above will check /var/log/apache/access.log every 10 seconds and read out all new messages since the last check. Although this is a nice feature syslog-ng does not currently preserve the last offset during restarts.
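Review bot: in the second group of the keyword table diff above, the three renames (`mark` to `mark_freq`, `sync` to `sync_freq`, `pad_size` to `padding`) remove the 1.6 spelling outright, so a 1.6 configuration that uses any of them is no longer recognised. The table already maps two spellings to one token (`sanitize-filenames` and `sanitize_filenames` both to `KW_SANITIZE_FILENAMES`), so the old names could stay as extra entries next to the new ones; the `pad_size` pair also changes the token from `KW_PAD_SIZE` to `KW_PADDING`, so an alias there would have to point at `KW_PADDING`. In the first group, `check_hostname` and `sanitize_filenames` are among the keywords that go away with no replacement listed, which is worth calling out separately for anyone carrying a 1.6 configuration over to a test box.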
- earlier noticing of TCP connection drops: instead of waiting for a write() syscall to fail, continuously check whether the server closed the connection.

- the possibility to define templates once and reuse it from file/protocol destinations, e.g:

    template t_sample { template("$HOUR abcdef ${MSG}\n"); };
    destination d_all { file("logs/logfile" template(t_sample)); };

  or

    # use t_sample for file destinations by default
    options { file_template(t_sample); };

  or

    # use t_sample for protocol destinations by default
    options { proto_template(t_sample); };

- the ability to use different time stamp formats:

    options { ts_format(iso); };

  will use ISO8661 timestamps everywhere

- the ability to work with timezones: support timezone information on incoming messages via the ISO timestamp, support timezone conversion, etc:

    options { tz_convert(+0100); };

  or

    # for messages without a timestamp containing timezone
    source s_udp { udp(timezone(+0500)); };

  or

    destination d_net { tcp("1.2.3.4" tz_convert(+0100)); };

- the ability to use unparsed log sources

    source s_src { unix-stream("/dev/log" flags(no_parse)); };

I think those are the important changes. But which is even more important is that the new codebase is more compact and makes adding new features easier.

--
Bazsi
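The flow-control condition stated in the message above (sum of the source windows set via log_iw_size no larger than the destination's log_fifo_size) can be checked with a toy model. This is an added example, not part of the original posts and not syslog-ng's code; the `simulate` function, its per-source window accounting and the tick-based arrival and drain rates are assumptions made for illustration.

```python
from collections import deque


def simulate(iw_sizes, fifo_size, ticks=200, drain_per_tick=1, flow_control=True):
    """Toy model of one log path; returns (delivered, dropped, unread).

    Assumed model: every tick one message arrives at each source, and the
    destination writes out at most drain_per_tick messages. With flow
    control a source stops reading once it has iw messages queued that the
    destination has not written yet.
    """
    fifo = deque()                      # destination output buffer
    in_flight = [0] * len(iw_sizes)     # per source: queued, not yet written
    backlog = [0] * len(iw_sizes)       # per source: arrived, not yet read
    delivered = dropped = 0

    for _ in range(ticks):
        for src, iw in enumerate(iw_sizes):
            backlog[src] += 1
            while backlog[src]:
                if flow_control and in_flight[src] >= iw:
                    break               # window used up: leave it unread
                backlog[src] -= 1
                if len(fifo) >= fifo_size:
                    dropped += 1        # buffer full: message is lost
                    continue
                fifo.append(src)
                in_flight[src] += 1
        for _ in range(min(drain_per_tick, len(fifo))):
            src = fifo.popleft()
            in_flight[src] -= 1         # written out: window slot freed
            delivered += 1
    return delivered, dropped, sum(backlog)


if __name__ == "__main__":
    # Three sources, destination buffer of 30 messages (constructed values).
    print("sum(iw) == fifo :", simulate([10, 10, 10], 30))
    print("sum(iw) >  fifo :", simulate([20, 20, 20], 30))
    print("no flow control :", simulate([10, 10, 10], 30, flow_control=False))
```

In the first case nothing is dropped and the surplus stays unread at the sources; in the other two the buffer overflows and messages are lost inside the model.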
Quoting Balazs Scheidler <bazsi@balabit.hu>:
Sorry, I accidentally sent an incomplete message yesterday. I'm adding the missing comments now.
On Mon, 2005-01-03 at 22:20 +0100, Balazs Scheidler wrote:
Hi,
It is my pleasure to announce the availability of the latest development release for syslog-ng, and a related library called eventlog.
Great, Thanks Bazsi!

I installed glib from blastwave.org on my solaris 8 test box and also pkg-config, but I'm not sure how to get gnome-config without installing the whole gnome environment (not much space on this box).

If anyone knows the minimum amount of gnome I can install to build this, I'd appreciate it.

----------------------------------------------------------------
This message was sent using IMP, the Internet Messaging Program.
Quoting nate@campin.net:
I installed glib from blastwave.org on my solaris 8 test box and also pkg-config, but I'm not sure how to get gnome-config without installing the whole gnome environment (not much space on this box).
If anyone knows the minimum amount of gnome I can install to build this, I'd appreciate it.
I think it was installing pango that did it, I'm ok now.

I can't compile it though:

ain.c:278: warning: excess elements in struct initializer
main.c:278: warning: (near initialization for `syslog_ng_options[9]')
main.c:278: warning: excess elements in struct initializer
main.c:278: warning: (near initialization for `syslog_ng_options[9]')
main.c:278: warning: excess elements in struct initializer
main.c:278: warning: (near initialization for `syslog_ng_options[9]')
main.c:279: warning: excess elements in struct initializer
main.c:279: warning: (near initialization for `syslog_ng_options[10]')
main.c:279: warning: excess elements in struct initializer
main.c:279: warning: (near initialization for `syslog_ng_options[10]')
main.c:279: warning: excess elements in struct initializer
main.c:279: warning: (near initialization for `syslog_ng_options[10]')
main.c:279: warning: excess elements in struct initializer
main.c:279: warning: (near initialization for `syslog_ng_options[10]')
main.c:280: warning: excess elements in struct initializer
main.c:280: warning: (near initialization for `syslog_ng_options[11]')
main.c:280: warning: excess elements in struct initializer
main.c:280: warning: (near initialization for `syslog_ng_options[11]')
main.c:280: warning: excess elements in struct initializer
main.c:280: warning: (near initialization for `syslog_ng_options[11]')
main.c:280: warning: excess elements in struct initializer
main.c:280: warning: (near initialization for `syslog_ng_options[11]')
main.c:284: warning: excess elements in struct initializer
main.c:284: warning: (near initialization for `syslog_ng_options[12]')
main.c:284: warning: excess elements in struct initializer
main.c:284: warning: (near initialization for `syslog_ng_options[12]')
main.c:284: warning: excess elements in struct initializer
main.c:284: warning: (near initialization for `syslog_ng_options[12]')
main.c:284: warning: excess elements in struct initializer
main.c:284: warning: (near initialization for `syslog_ng_options[12]')
main.c:267: array size missing in `syslog_ng_options'
main.c:267: storage size of `syslog_ng_options' isn't known
main.c:290: warning: implicit declaration of function `getopt_long'
main.c:267: warning: unused variable `syslog_ng_options'
make[2]: *** [main.o] Error 1
make[2]: Leaving directory `/export/home/ncampi/Src/syslog-ng-1.9.2+20050103+2148/src'
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory `/export/home/ncampi/Src/syslog-ng-1.9.2+20050103+2148'
make: *** [all] Error 2

-2-[ncampi@wu720ncdev:~/Src/syslog-ng-1.9.2+20050103+2148]$ gcc -v
Reading specs from /usr/local/lib/gcc-lib/sparc-sun-solaris2.8/3.0.3/specs
Configured with: ../configure --with-as=/usr/local/bin/as --with-ld=/usr/local/bin/ld --enable-libgcj
Thread model: posix
gcc version 3.0.3

-0-[ncampi@wu720ncdev:~/Src/syslog-ng-1.9.2+20050103+2148]$ uname -a
SunOS wu720ncdev 5.8 Generic_108528-29 sun4u sparc SUNW,Ultra-5_10

Any idea what's going on Bazsi?

TIA