[syslog-ng] Insider 2021-02: proxy protocol; sudo JSON; Kafka;

Thu Feb 11 10:56:29 UTC 2021

Dear syslog-ng users,

This is the 88th issue of syslog-ng Insider, a monthly newsletter that brings you syslog-ng-related news.

NEWS

Finding the real source IP: using the PROXY protocol
----------------------------------------------------
Until now collecting logs behind proxies or load balancers needed some compromises. You either trusted the host information included in the log messages or you could only see the proxy as the sender host. Starting with syslog-ng 3.30 there is a third option available: using the PROXY protocol. While not an official Internet standard, it is supported by a number of popular software, like HAProxy. Other software can be extended to use it, like F5 load balancers using iRules. This way crucial information about the original network connection is not lost, but it is forwarded to the server by the proxy.
https://www.syslog-ng.com/community/b/blog/posts/finding-the-real-source-ip-using-the-proxy-protocol-with-syslog-ng

Parsing sudo JSON logs: building a syslog-ng configuration
----------------------------------------------------------
The latest version of sudo, version 1.9.4 includes support for JSON formatted logging. Compared to traditional sudo logs, it has the advantage of containing more information in a structured way. While traditional sudo logs are also parsed automatically by syslog-ng, it is worth taking a look at the new JSON formatted logs.
>From this blog, you can learn how the new logs look like and also a configuration working with these logs. Instead of just posting a complex configuration, I try to show you how my configuration was built. Creating a new configuration in smaller iterations makes the resulting configurations easier to debug.
https://www.syslog-ng.com/community/b/blog/posts/parsing-sudo-json-logs-building-a-syslog-ng-configuration

Kafka destination improved with template support
------------------------------------------------
The C implementation of the Kafka destination in syslog-ng has been improved in version 3.30. Support for templates in topic names was added as a result of a Google Summer of Code (GSoC) project. The advantage of the new template support feature is that you no longer have to use a static topic name. For example, you can include the name of your host or the application sending the log in the topic name. From this blog you can learn about a minimal Kafka setup, configuring syslog-ng and testing syslog-ng with Kafka.
https://www.syslog-ng.com/community/b/blog/posts/kafka-destination-improved-with-template-support-in-syslog-ng

Syslog-ng PE 7.0.23 released
----------------------------
Version 7.0.23 of syslog-ng PE was released with clustering support for Windows Event Collector (WEC). You can learn more about it from the documentation or from this short video:
https://www.youtube.com/watch?v=bYdIJaM24Z8

WEBINARS

* You can browse recordings of past webinars at https://www.syslog-ng.com/events/

Your feedback and news, or tips about the next issue are welcome. To read this newsletter online, visit: https://syslog-ng.com/blog/

Peter Czanik (CzP) <peter.czanik at oneidentity.com>
Balabit (a OneIdentity company) / syslog-ng upstream
https://syslog-ng.com/community/
https://twitter.com/PCzanik