[syslog-ng] Insider 2018-08: 3.16 & 3.17; Splunk; IoT security; Telegram; Throttling;

Czanik, Péter peter.czanik at balabit.com
Thu Aug 23 09:58:10 UTC 2018

Dear syslog-ng users,

This is the 68th issue of syslog-ng Insider, a monthly newsletter that
brings you syslog-ng-related news.


syslog-ng 3.16 & 3.17 are released


Versions 3.16 and 3.17 of syslog-ng are now available. Support for
sending log messages to Telegram was added. You can also use failback
mode together with failover: once your primary log server becomes
available again, syslog-ng switches back to it and sends your logs
there.

For a complete list of changes, check

For binary packages, check https://syslog-ng.com/3rd-party-binaries.

Using the syslog-ng Store Box (SSB) in front of Splunk


The syslog-ng application has been used for many years as a log
collection layer in front of Splunk. But why use a full-blown log
management appliance – like SSB – with a graphical user interface
instead of a simple command line application? I learned the answers
at Red Hat Summit while talking to my fellow Balabit engineers and booth


IoT security: logging


Recently SANS published a brand new white paper about the Internet of
Things: “Stopping IoT-based Attacks on Enterprise Networks”. IoT
devices have been around in the networks of enterprises for many
years, just think about network-connected printers. But recently, both
the number and variety of these devices skyrocketed and enterprises
now have to embrace everything from BYOD phones to smart lamps. In
this blog post, I would like to highlight a critical aspect of how you
can protect your organization from potential IoT-based attacks:


Telegram destination in syslog-ng


Getting started with the Telegram destination of syslog-ng is not an
easy and straightforward process, but it is well worth the effort. If
you do not know Telegram yet, it is a cloud-based messaging
application known for its security and speed. Best of all, it is a
free app without ads. No wonder that Telegram is also used by many
system administrators. With the Telegram destination of syslog-ng,
introduced in version 3.16, we intend to make your work as a sysadmin
easier: you can now receive critical log messages in real time on
your mobile or desktop Telegram client.


hook-commands: easy driver setup


The hook-commands() option of syslog-ng makes it easy to execute
external commands when a driver is started or stopped. For example,
you can open a port in the firewall when a network source is started
and close it again once syslog-ng is shut down. You can also run a
command each time syslog-ng is reloaded. From this blog post, you can
learn how to start and stop auditing file system changes with auditctl
from syslog-ng, then collect, parse and filter the results, and finally
send them to Elasticsearch for storage and further analysis.
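As an added illustration of the hook-commands() option (not the configuration from the blog post itself), the following syslog-ng 3.16 configuration installs an audit watch rule when the file source starts and removes it at shutdown, then parses and filters the resulting audit records. The watched path /etc, the rule key etc_changes and the output file path are assumed values; the destination is a local JSON file rather than Elasticsearch to keep the example self-contained.

```conf
@version: 3.16

# Added example, not the config from the linked blog post. Assumed values:
# the watched path /etc, the audit rule key etc_changes, and the output file.
source s_audit {
    file("/var/log/audit/audit.log"
        follow-freq(1)
        flags(no-parse)
        hook-commands(
            # startup() runs once when syslog-ng starts this driver and
            # shutdown() once when syslog-ng stops. Use setup() and teardown()
            # instead if the commands should also run on every reload.
            startup("auditctl -w /etc -p wa -k etc_changes")
            shutdown("auditctl -W /etc -p wa -k etc_changes")
        )
    );
};

# split the "key=value" fields of each audit record into audit.* name-value pairs
parser p_audit {
    kv-parser(prefix("audit."));
};

# keep only the events generated by our watch rule (they carry key="etc_changes")
filter f_etc_changes {
    match("etc_changes" value("MESSAGE"));
};

# store the parsed audit.* fields as one JSON object per line
destination d_audit_json {
    file("/var/log/audit-etc-changes.json"
        template("$(format-json --key audit.*)\n")
    );
};

log {
    source(s_audit);
    parser(p_audit);
    filter(f_etc_changes);
    destination(d_audit_json);
};
```

Because the watch rule is installed by syslog-ng itself, a failed startup() command leaves no rule behind, so checking `auditctl -l` after starting syslog-ng is a quick way to confirm the hook ran.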


Throttling log messages


One of the main advantages of syslog-ng is that it is high-performance
and uses few resources. Why throttle messages then? There are three
main reasons – licensing, performance, and bandwidth – and all of them
lie outside of syslog-ng. From this blog post, you can learn how to
identify use cases for throttling log messages, read about a possible
drawback, and finally get a sample configuration.


Your feedback and news, or tips about the next issue are welcome at
documentation at balabit.com. To read this newsletter online, visit:

Peter Czanik (CzP) <peter.czanik at balabit.com>
Balabit / syslog-ng upstream
