axosyslog-charts-0.12.0

AxoSyslog for Kubernetes

axosyslog-4.9.0

4.9.0

AxoSyslog is binary-compatible with syslog-ng [1] and serves as a drop-in replacement.

Explore and learn more about the new features in our release announcement blog post.

We provide cloud-ready container images and Helm charts.

Packages are available for Debian and Ubuntu from our APT repository.
RPM packages are available in the Assets section (we’re working on an RPM repository as well, and hope to have it up and running for the next release).

FilterX (AxoSyslog's advanced parsing and filtering language) became a publicly available feature in AxoSyslog after the 4.8 release.
As it is currently under heavy development, FilterX related news entries can be found in separate sections.
Please note that although its syntax approaches its final form, it may break in subsequent releases.

Check out the AxoSyslog documentation for all the details.

Highlights

Sending data to ClickHouse

The new clickhouse() destination uses ClickHouse's gRPC
interface to insert logs.

Please note, that as of today, ClickHouse Cloud does not support
the gRPC interface. The clickhouse() destination is currently
only useful for self hosted ClickHouse servers.

If you would like to send logs to ClickHouse Cloud, gRPC support
can be requested from the ClickHouse Cloud team or a HTTP based
driver can be implemented in AxoSyslog.

Example config:

clickhouse(
  database("default")
  table("my_first_table")
  user("default")
  password("pw")
  schema(
    "user_id" UInt32 => $R_MSEC,
    "message" String => "$MSG",
    "timestamp" DateTime => "$R_UNIXTIME",
    "metric" Float32 => 3.14
  )
  workers(4)
  batch-lines(1000)
  batch-timeout(1000)
);

(#354)

Features

• opentelemetry(), loki() destination: Added support for templated header() values.
  (#334)

• opentelemetry(), axosyslog-otlp(): Added keep-alive() options.

  Keepalive can be configured with the time(), timeout()
  and max-pings-without-data() options of the keep-alive() block.

  opentelemetry(
      ...
      keep-alive(time(20000) timeout(10000) max-pings-without-data(0))
  );
  

  (#276)

• bigquery(): Added auth() options.

  Similarly to other gRPC based destination drivers, the bigquery()
  destination now accepts different authentication methods, like
  adc(), alts(), insecure() and tls().

  bigquery (
      ...
      auth(
          tls(
              ca-file("/path/to/ca.pem")
              key-file("/path/to/key.pem")
              cert-file("/path/to/cert.pem")
          )
      )
  );
  

  (#276)

• loki(): Added batch-bytes() and compression() options.
  (#276)

• socket based sources: Added a new option called idle-timeout().

  Setting this option makes AxoSyslog close the client connection
  if no data is received for the set amount of seconds.
  (#355)

• socket based sources: Added new flag, called exit-on-eof.

  Setting this flag to a source makes AxoSyslog stop,
  when EOF is received.
  (#351)

• syslog-ng-ctl: Added attach subcommand.

  With attach, it is possible to attach to the
  standard IO of the syslog-ng proccess.

  Example usage:

  # takes the stdio fds for 10 seconds and displays syslog-ng output in that time period
  $ syslog-ng-ctl attach stdio --seconds 10
  

  # steal trace level log messages for 10 seconds
  $ syslog-ng-ctl attach logs --seconds 10 --log-level trace
  

  (#326)

Bugfixes

• Config @version: Fixed compat-mode inconsistencies when @version
  was not specified at the top of the configuration file or was not specified at all.
  (#312)

• s3(): Eliminated indefinite memory usage increase for each reload.

  The increased memory usage is caused by the botocore library, which
  caches the session information. We only need the Session object, if
  role() is set. The increased memory usage still happens with that set,
  currently we only fixed the unset case.
  (#318)

• opentelemetry(), axosyslog-otlp() sources: Fixed source hang-up on flow-controlled paths.
  (#314)

• opentelemetry(), axosyslog-otlp() sources: Fixed a crash when workers() is set to > 1.
  (#310)

• file(), wildcard-file(): Fixed a crash and persist name collision issues.

  If multiple wildcard-file() sources or a wildcard-file() and a file() source were
  reading the same input file, it could result in log loss, log duplication, and various crashes.
  (#291)

• wildcard-file(): Fixed a crash that occurs after config reload when the source is flow-controlled.
  (#293)

• file(), stdout(): Fixed log sources getting stuck.

  Due to an acknowledgment bug in the file() and stdout() destinations,
  sources routed to those destinations may have gotten stuck as they were
  flow-controlled incorrectly.

  This issue occured only in extremely rare cases with regular files, but it
  occured frequently with /dev/stderr and other slow pseudo-devices.
  (#303)

• metrics: syslog-ng-ctl --reset will no longer reset Prometheus metrics
  (#370)

• stats: Fixed free_window counters.
  (#296)

FilterX features

• Added new filterx code flow controls.

  • drop: Drops the currently processed message and returns success.
  • done: Stops the processing and returns success.
    (#269)

• update_metric(): Added a new function similar to metrics-probe parser.

  Example usage:

  update_metric("filterx_metric", labels={"msg": $MSG, "foo": "foovalue"}, level=1, increment=$INCREMENT);
  

  (#220)

• startswith(), endswith(), includes(): Added string matching functions.

  • First argument is the string that is being matched.
  • Second argument is either a single substring or a list of substrings.
  • Optionally the ignorecase argument can be set to configure case sensitivity
    • default: false

  Example usage:

  startswith(string, prefix, ignorecase=false);
  startswith(string, [prefix_1, prefix_2], ignorecase=true);
  
  endswith(string, suffix, ignorecase=false);
  endswith(string, [suffix_1, suffix_2], ignorecase=true);
  
  includes(string, substring, ignorecase=false);
  includes(string, [substring_1, substring_2], ignorecase=true);
  

  (#297)

• parse_xml(): Added new function to parse XMLs.

  Example usage:

  my_structured_data = parse_xml(raw_xml);
  

  Converting XML to a dict is not standardized.

  Our intention is to create the most compact dict as possible,
  which means certain nodes will have different types and
  structures based on a number of different qualities of the
  input XML element.

  The following points will demonstrate the choices we made in our parser.
  In the examples we will use the JSON dict implementation.

  1. Empty XML elements become empty strings.

    XML:  <foo></foo>
    JSON: {"foo": ""}
  

  2. Attributions are stored in @attr key-value pairs,
     similarly to some other converters (e.g.: python xmltodict).

    XML:  <foo bar="123" baz="bad"/>
    JSON: {"foo": {"@bar": "123", "@baz": "bad"}}
  

  3. If an XML element has both attributes and a value,
     we need to store them in a dict, and the value needs a key.
     We store the text value under the #text key.

    XML:  <foo bar="123">baz</foo>
    JSON: {"foo": {"@bar": "123", "#text": "baz"}}
  

  4. An XML element can have both a value and inner elements.
     We use the #text key here, too.

    XML:  <foo>bar<baz>123</baz></foo>
    JSON: {"foo": {"#text": "bar", "baz": "123"}}
  

  5. An XML element can have multiple values separated by inner elements.
     In that case we concatenate the values.

    XML:  <foo>bar<a></a>baz</foo>
    JSON: {"foo": {"#text": "barbaz", "a": ""}}
  

  (#251)

• parse_windows_eventlog_xml(): Added a new function to parse Windows EventLog XMLs.

  This parser is really similar to parse_xml() with
  a couple of small differences:

  1. There is a quick schema validation.
  2. The Event->EventData field automatically handles named Data elements.
     (#282)

• parse_cef(), `parse_le...

axosyslog-charts-0.11.0

AxoSyslog for Kubernetes

axosyslog-charts-0.10.1

AxoSyslog for Kubernetes

axosyslog-4.8.1

4.8.1

This is a bugfix release of AxoSyslog.

AxoSyslog is binary-compatible with syslog-ng [1] and serves as a drop-in replacement.

Explore and learn more about the new features in our release announcement blog post.

We provide cloud-ready container images and Helm charts.

Packages are available for Debian and Ubuntu from our APT repository.
RPM packages are available in the Assets section (we’re working on an RPM repository as well, and hope to have it up and running for the next release).

Check out the AxoSyslog documentation for all the details.

Bugfixes

• Fixed crash around wildard @include configuration pragmas when compiled with musl libc

  The AxoSyslog container image, for example, was affected by this bug.

  (#261)

• metrics-probe(): fix disappearing metrics from stats prometheus output

  metrics-probe() metrics became orphaned and disappeared from the syslog-ng-ctl stats prometheus output
  whenever an ivykis worker stopped (after 10 seconds of inactivity).
  (#243)

• syslog-ng-ctl: fix escaping of stats prometheus

  Metric labels (for example, the ones produced by metrics-probe()) may contain control characters, invalid UTF-8 or \
  characters. In those specific rare cases, the escaping of the stats prometheus output was incorrect.
  (#224)

• Fixed potential null pointer deref issues

  (#216)

Other changes

• tls(): expose the key fingerprint of the peer in ${.tls.x509_fp} if
  trusted-keys() is used to retain the actual peer identity in received
  messages.
  (#136)

• network(), syslog() sources and syslog-parser(): add no-piggyback-errors flag

  With the no-piggyback-errors flag of syslog-parser(), the message will not be attributed to AxoSyslog in
  case of errors. Actually it retains everything that was present at the time of the parse error,
  potentially things that were already extracted.

  So $MSG remains that was set (potentially the raw message), $HOST may or may not be extracted,
  likewise for $PROGRAM, $PID, $MSGID, etc.

  The error is still indicated via $MSGFORMAT set to "syslog:error".

  (#245)

Discord

For a bit more interactive discussion, join our Discord server:

Credits

AxoSyslog is developed as a community project, and as such it relies
on volunteers, to do the work necessary to produce AxoSyslog.

Reporting bugs, testing changes, writing code or simply providing
feedback is an important contribution, so please if you are a user
of AxoSyslog, contribute.

We would like to thank the following people for their contribution:

Andras Mitzki, Attila Szakacs, Balazs Scheidler, Dmitry Levin, Hofi,
László Várady, Szilárd Parrag, shifter

axosyslog-charts-0.10.0

AxoSyslog for Kubernetes

axosyslog-4.8.0

4.8.0

We are excited to announce the first independent release of AxoSyslog.

AxoSyslog is binary-compatible with syslog-ng [1] and serves as a drop-in replacement.

Explore and learn more about the new features in our release announcement blog post.

Packages are available for Debian and Ubuntu from our APT repository.
RPM packages are available in the Assets section (we’re working on an RPM repository as well, and hope to have it up and running for the next release).

Check out the AxoSyslog documentation for all the details.

Highlights

Send log messages to Elasticsearch data stream

The elasticsearch-datastream() destination can be used to feed Elasticsearch data streams.

Example config:

elasticsearch-datastream(
  url("https://elastic-endpoint:9200/my-data-stream/_bulk")
  user("elastic")
  password("ba3DI8u5qX61We7EP748V8RZ")
);

(#178)

Features

• s3(): Introduced server side encryption related options

  server-side-encryption() and kms-key() can be used to configure encryption.

  Currently only server-side-encryption("aws:kms") is supported.
  The kms-key() should be:

  • an ID of a key
  • an alias of a key, but in that case you have to add the alias/prefix
  • an ARN of a key

  To be able to use the aws:kms encryption the AWS Role or User has to have the following
  permissions on the given key:

  • kms:Decrypt
  • kms:Encrypt
  • kms:GenerateDataKey

  Check this page on why the kms:Decrypt is mandatory.

  Example config:

  destination d_s3 {
    s3(
      bucket("log-archive-bucket")
      object-key("logs/syslog")
      server-side-encryption("aws:kms")
      kms-key("alias/log-archive")
    );
  };
  

  See the S3 documentation for more details.
  (#127)

• opentelemetry(), loki(), bigquery() destination: Added headers() option

  With this option you can add gRPC headers to each RPC call.

  Example config:

  opentelemetry(
    ...
    headers(
      "organization" => "Axoflow"
      "stream-name" => "axo-stream"
    )
  );
  

  (#192)

Bugfixes

• csv-parser(): fix escape-backslash-with-sequences dialect on ARM
  (#4947)

• csv-parser() produced invalid output on platforms where char is an unsigned type.
  (#4947)

• rate-limit(): Fixed a crash which occured on a config parse failure.
  (#169)

• macros: Fixed a bug which always set certain macros to string type

  The affected macros are $PROGRAM, $HOST and $MESSAGE.
  (#162)

• wildcard-file(): fix crash when a deleted file is concurrently written
  (#160)

• disk-buffer(): fix crash when pipeline initialization fails

  log_queue_disk_free_method: assertion failed: (!qdisk_started(self->qdisk))
  (#128)

• syslog-ng-ctl query: fix showing Prometheus metrics as unnamed values

  none.value=726685
  (#129)

• syslog-ng-ctl query: show timestamps and fix g_pattern_spec_match_string assert
  (#129)

Other changes

• packages/dbld: add support for Ubuntu 24.04 (Noble Numbat)
  (#4925)

• syslog-ng-ctl: do not show orphan metrics for stats prometheus

  As the stats prometheus command is intended to be used to forward metrics
  to Prometheus or any other time-series database, displaying orphaned metrics
  should be avoided in order not to insert new data points when a given metric
  is no longer alive.

  In case you are interested in the last known value of orphaned counters, use
  the stats or query subcommands.
  (#4921)

• bigquery(), loki(), opentelemetry(), cloud-auth(): C++ modules can be compiled with clang

  Compiling and using these C++ modules are now easier on FreeBSD and macOS.
  (#4933)

• s3(): new metric syslogng_output_event_bytes_total
  (#4958)

[1] syslog-ng is a trademark of One Identity.

Discord

For a bit more interactive discussion, join our Discord server:

Credits

AxoSyslog is developed as a community project, and as such it relies
on volunteers, to do the work necessary to produce AxoSyslog.

Reporting bugs, testing changes, writing code or simply providing
feedback is an important contribution, so please if you are a user
of AxoSyslog, contribute.

We would like to thank the following people for their contribution:

Arpad Kunszt, Attila Szakacs, Balazs Scheidler, Dmitry Levin,
Ferenc HERNADI, Gabor Kozma, Hofi, Ilya Kheifets, Kristof Gyuracz,
László Várady, Máté Őry, Robert Fekete, Szilard Parrag, Wolfram Joost,
shifter

axosyslog-charts-0.9.1

AxoSyslog for Kubernetes

axosyslog-4.7.1

4.7.1

This is the combination of the news entries of 4.7.0 and 4.7.1.
4.7.1 hotfixed two crashes related to configuration reload.

Read Axoflow's blog post for more details.
You can read more about the new features in the AxoSyslog documentation.

Highlights

Collecting Jellyfin logs

The new jellyfin() source, reads Jellyfin logs from its log file output.

Example minimal config:

source s_jellyfin {
  jellyfin(
    base-dir("/path/to/my/jellyfin/root/log/dir")
    filename-pattern("log_*.log")
  );
};

For more details about Jellyfin logging, see:

• https://jellyfin.org/docs/general/administration/configuration/#main-configuration
• https://jellyfin.org/docs/general/administration/configuration/#log-directory

As the jellyfin() source is based on a wildcard-file() source, all of the
wildcard-file() source options are applicable, too.
(#4802)

Collecting *arr logs

Use the newly added *arr() sources to read various *arr logs:

• lidarr()
• prowlarr()
• radarr()
• readarr()
• sonarr()
• whisparr()

Example minimal config:

source s_radarr {
  radarr(
    dir("/path/to/my/radarr/log/dir")
  );
};

The logging module is stored in the <prefix><module> name-value pair,
for example: .radarr.module => ImportListSyncService.
The prefix can be modified with the prefix() option.
(#4803)

Features

• opentelemetry(), syslog-ng-otlp() source: Added concurrent-requests() option.

  This option configures the maximal number of in-flight gRPC requests per worker.
  Setting this value to the range of 10s or 100s is recommended when there are a
  high number of clients sending simultaneously.

  Ideally, workers() * concurrent-requests() should be greater or equal to
  the number of clients, but this can increase the memory usage.
  (#4827)

• loki(): Support multi-tenancy with the new tenant-id() option
  (#4812)

• s3(): Added support for authentication from environment.

  The access-key() and secret-key() options are now optional,
  which makes it possible to use authentication methods originated
  from the environment, e.g. AWS_... environment variables or
  credentials files from the ~/.aws/ directory.

  For more info, see:
  https://boto3.amazonaws.com/v1/documentation/api/latest/guide/credentials.html
  (#4881)

• gRPC based drivers: Added channel-args() option.

  Affected drivers are:

  • bigquery() destination
  • loki() destination
  • opentelemetry() source and destination
  • syslog-ng-otlp() source and destination

  The channel-args() option accepts name-value pairs and sets channel arguments
  defined in https://grpc.github.io/grpc/core/group__grpc__arg__keys.html

  Example config:

    opentelemetry(
      channel-args(
        "grpc.loadreporting" => 1
        "grpc.minimal_stack" => 0
      )
    );
  

  (#4827)

• ${TRANSPORT} macro: Added support for locally created logs.

  New values are:

  • "local+unix-stream"
  • "local+unix-dgram"
  • "local+file"
  • "local+pipe"
  • "local+program"
  • "local+devkmsg"
  • "local+journal"
  • "local+afstreams"
  • "local+openbsd"
    (#4777)

• tags: Added new built-in tags that help identifying parse errors.

  New tags are:

  • "message.utf8_sanitized"
  • "message.parse_error"
  • "syslog.missing_pri"
  • "syslog.missing_timestamp"
  • "syslog.invalid_hostname"
  • "syslog.unexpected_framing"
  • "syslog.rfc3164_missing_header"
  • "syslog.rfc5424_unquoted_sdata_value"
    (#4804)

• mqtt() source: Added ${MQTT_TOPIC} name-value pair.

  It is useful for the cases where topic() contains wildcards.

  Example config:

  log {
    source { mqtt(topic("#")); };
    destination { stdout(template("${MQTT_TOPIC} - ${MESSAGE}\n")); };
  };
  

  (#4824)

• template(): Added a new template function: $(tags-head)

  This template function accepts multiple tag names, and returns the
  first one that is set.

  Example config:

  # resolves to "bar" if "bar" tag is set, but "foo" is not
  template("$(tags-head foo bar baz)")
  

  (#4804)

• s3(): Use default AWS URL if url() is not set.
  (#4813)

• opentelemetry(), syslog-ng-otlp() source: Added log-fetch-limit() option.

  This option can be used to fine tune the performance. To minimize locking while
  moving messages between source and destination side queues, syslog-ng can move
  messages in batches. The log-fetch-limit() option sets the maximal size of
  the batch moved by a worker. By default it is equal to log-iw-size() / workers().
  (#4827)

• dqtool: add option for truncating (compacting) abandoned disk-buffers
  (#4875)

Bugfixes

• opentelemetry(): fix crash when an invalid configuration needs to be reverted
  (#4910)

• gRPC drivers: fixed a crash when gRPC drivers were used and syslog-ng was reloaded
  (#4909)

• opentelemetry(), syslog-ng-otlp() source: Fixed a crash.

  It occurred with multiple workers() during high load.
  (#4827)

• rename(): Fixed a bug, which always converted the renamed NV pair to string type.
  (#4847)

• With IPv6 disabled, there were linking errors
  (#4880)

Metrics

• http(): Added a new counter for HTTP requests.

  It is activated on stats(level(1));.

  Example metrics:

  syslogng_output_http_requests_total{url="http://localhost:8888/bar",response_code="200",driver="http",id="#anon-destination0#0"} 16
  syslogng_output_http_requests_total{url="http://localhost:8888/bar",response_code="401",driver="http",id="#anon-destination0#0"} 2
  syslogng_output_http_requests_total{url="http://localhost:8888/bar",response_code="502",driver="http",id="#anon-destination0#0"} 1
  syslogng_output_http_requests_total{url="http://localhost:8888/foo",response_code="200",driver="http",id="#anon-destination0#0"} 24
  

  (#4805)

• gRPC based destination drivers: Added gRPC request related metrics.

  Affected drivers:

  • opentelemetry()
  • syslog-ng-otlp()
  • bigquery()
  • loki()

  Example metrics:

  syslogng_output_grpc_requests_total{driver="syslog-ng-otlp",url="localhost:12345",response_code="ok"} 49
  syslogng_output_grpc_requests_total{driver="syslog-ng-otlp",url="localhost:12345",response_code="unavailable"} 11
  

  (#4811)

• New metric to monitor destination reachability

  syslogng_output_unreachable is a bool-like metric, which shows whether a
  destination is reachable or not.

  sum() can be used to count all unreachable outputs, hence the negated name.

  It is currently available for the network(), syslog(), unix-*()
  destinations, and threaded destinations (http(), opentelemetry(), redis(),
  mongodb(), python(), etc.).
  (#4876)

• destinations: Added "syslogng_output_event_retries_total" counter.

  This counter is available for the following destination drivers:

  • amqp()
  • bigquery()
  • http() and all http based drivers
  • java()
  • kafka()
  • loki()
  • mongodb()
  • mqtt()
  • opentelemetry()
  • python() and all python based drivers
  • redis()
  • riemann()
  • smtp()
  • snmp()
  • sql()
  • stomp()
  • syslog-ng-otlp()

  Example metrics:

  syslogng_output_event_retries_total{driver="http",url="http://localhost:8888/${path}",id="#anon-destination0#0"} 5
  

  (#4807)

• syslogng_memory_queue_capacity

  Shows the capacity (maximum possible size) of each queue.
  Note that this metric publishes log-fifo-size(), which only limits non-flow-controlled messages.
  Messages coming from flow-controlled paths are not limited by log-fifo-size(), their corresponding
  source log-iw-size() is the upper limit.
  (#4831)

Other changes

• opentelemetry(), syslog-ng-otlp() source: Changed the backpressure behavior.

  syslog-ng no longer returns UNAVAILABLE to the gRPC request, when it cannot forward
  the received message because of backpressure. Instead, syslog-ng will block until the
  destination can accept more messages.
  ([#4827](https://github.com/syslog-ng/syslog-ng/pull/...

axosyslog-charts-0.9.1

AxoSyslog for Kubernetes