Recently, I was looking for some new hybrid / crossover music, and someone recommended me to check out Hidden Orchestra. Listening to their album, “Creaks” was an instant love. As I learned later, it’s the music of a game. I’m not a gamer, but once seeing that it’s on sale on Humble Bundle I bought it immediately. You can listen to the whole album here: You can also find it on Bandcamp.

In version 4 of syslog-ng, the role of Python became even more important. Previously, all parts of syslog-ng could be extended using Python code, but no actual Python code was provided with syslog-ng. Version 4.0 added a Kubernetes module implemented in Python, while version 4.2 added support for Hypr. But how can we ensure that all Python dependencies are met? In my latest blog I describe the current situation and ask you for feedback!

The May syslog-ng newsletter is now on-line: Learning syslog-ng, the easier way Why syslog over UDP loses messages and how to avoid that Upgrade problems from syslog-ng 3 to 4 It is available at https://www.syslog-ng.com/community/b/blog/posts/the-syslog-ng-insider-2023-05-learning-udp-upgrading syslog-ng logo

Version 4 of syslog-ng was released last December. Quite a few people use it already in production. How can you install it for a test drive? It might be already available in your Linux distribution. There are also several unofficial repositories with the latest syslog-ng. From this blog, you can learn how to check your syslog-ng version, where to check if it is not yet installed, and a few additional resources, if you want to install the latest version from unofficial repositories.

Version 4 of syslog-ng works perfectly well in version 3 compatibility mode. However, if you want to use the syslog-ng 4 features, you need to be aware of some significant changes. If you have a simple configuration, like those in Linux distributions, then simply rewriting the version string is most likely enough. However, if you use PatternDB or JSON parsing, any Python code, or an Elasticsearch, or MongoDB destination, you have to be aware of the changes.

The April syslog-ng newsletter is now on-line: Installing a syslog-ng 4 development snapshot on FreeBSD Getting data to Splunk Streaming deduplication in syslog-ng It is available at https://www.syslog-ng.com/community/b/blog/posts/the-syslog-ng-insider-2023-04-freebsd-splunk-deduplication syslog-ng logo

Last year, one of the returning questions I received was how to learn syslog-ng. My answer was that read the first few chapters of the documentation, read my blogs related to your use case, and then read a few relevant parts from the rest of the documentation. Our documentation is praised by users, but it is still a reference documentation. I was asked if a less detailed, more to the point, preferably video tutorial is available.

Version 4 of syslog-ng is now available. The good news is that it is fully backwards compatible. If the version string in your configuration is set to a 3.X version, it will work as expected even after updating to version 4. Of course you might run into corner cases, but I had no problems even with complex configurations. Today, we learn about updating syslog-ng, and some of the new features of syslog-ng 4.

One of the most popular destinations in syslog-ng is Elasticsearch (and OpenSearch, Zinc, Humio, etc.). The 12th part of my syslog-ng #tutorial shows you how to send log messages to Elasticsearch. You can watch the video on YouTube: and the complete playlist at https://www.youtube.com/playlist?list=PLoBNbOHNb0i5Pags2JY6-6wH2noLaSiTb Or you can read the rest the tutorial as a blog at: https://www.syslog-ng.com/community/b/blog/posts/syslog-ng-101-part-12-elasticsearch-and-opensearch-zinc-humio-etc syslog-ng logo

Recently I found that quite a few of my Twitter and Mastodon followers are working in high-performance computing (HPC). At first I was surprised because I’m not a HPC person, even if I love high performance computers. Then I realized that there are quite few overlaps, and one of my best friends is also deeply involved in HPC. My work, logging, is also a fundamental part of HPC environments. Let’s start with a direct connection to HPC: one of my best friends, Gabor Samu, is working in HPC.

This is the eleventh part of my syslog-ng tutorial. Last time, we learned about message parsing using syslog-ng. Today, we learn about enriching log messages. You can watch the video on YouTube: and the complete playlist at https://www.youtube.com/playlist?list=PLoBNbOHNb0i5Pags2JY6-6wH2noLaSiTb Or you can read the rest the tutorial as a blog at: https://www.syslog-ng.com/community/b/blog/posts/syslog-ng-101-part-11-enriching-log-messages syslog-ng logo

Where should I begin. I bought a 4K Blu-Ray player last Autumn. I did not plan to use it for movies: this was the cheapest way of buying a player for all of my various discs. For a couple of months I really only listened to my CD/DVD-Audio/SACD collection on it. While listening to TIDAL, I realized that there is a new David Attenborough series out there (the soundtrack was recommended to me by TIDAL).

This is the tenth part of my syslog-ng tutorial. Last time, we learned about syslog-ng filters. Today, we learn about message parsing using syslog-ng. You can watch the video on YouTube: and the complete playlist at https://www.youtube.com/playlist?list=PLoBNbOHNb0i5Pags2JY6-6wH2noLaSiTb Or you can read the rest the tutorial as a blog at: https://www.syslog-ng.com/community/b/blog/posts/syslog-ng-101-part-10-parsing syslog-ng logo

This is the ninth part of my syslog-ng tutorial. Last time, we learned about macros and templates. Today, we learn about syslog-ng filters. At the end of the session, we will see a more complex filter and a template function. You can watch the video on YouTube: and the complete playlist at https://www.youtube.com/playlist?list=PLoBNbOHNb0i5Pags2JY6-6wH2noLaSiTb Or you can read the rest the tutorial as a blog at: https://www.syslog-ng.com/community/b/blog/posts/syslog-ng-101-part-9-filters syslog-ng logo

Unless there is a serious problem, FreeBSD ports usually contains the latest stable syslog-ng release. However, sometimes people want to compile a git snapshot to test a new feature or bugfix. To do that, one way is to generate a syslog-ng release tgz on FreeBSD and edit the syslog-ng port files yourself. However, this needs some practice. As such, an easier solution is to use my weekly development snapshots. Learn how from my latest blog at: https://www.

This is the eighth part of my syslog-ng tutorial. Last time, we learned about network logging. Today, we learn about syslog-ng macros and templates. At the end of the session, we will know how to do a simple log rotation using macros. You can watch the video on YouTube: and the complete playlist at https://www.youtube.com/playlist?list=PLoBNbOHNb0i5Pags2JY6-6wH2noLaSiTb Or you can read the rest the tutorial as a blog at: https://www.syslog-ng.com/community/b/blog/posts/syslog-ng-101-part-8-macros-and-templates syslog-ng logo

This is the seventh part of my syslog-ng tutorial. Last time, we learned about syslog-ng destinations and the log path. Today, we learn about syslog-ng network logging. At the end of the session, we will send test messages to a syslog-ng network source. You can watch the video on YouTube: Or you can read the rest the tutorial as a blog at: https://www.syslog-ng.com/community/b/blog/posts/syslog-ng-101-part-7-networking syslog-ng logo

Version 4.0.1 of syslog-ng was released a month ago. Unfortunately, the new release does not compile on FreeBSD. It was a temporary problem in the environment generating the source tgz. The next release is still almost a month away, but you can compile syslog-ng 4.0.1 yourself from my unofficial ports Makefile. Learn how from my latest blog at https://www.syslog-ng.com/community/b/blog/posts/installing-syslog-ng-4-0-1-on-freebsd syslog-ng logo

This is the sixth part of my syslog-ng tutorial. Last time, we learned about syslog-ng source definitions and how to check the syslog-ng version. Today, we learn about syslog-ng destinations and the log path. At the end of the session, we will also perform a quick syntax check. You can watch the video on YouTube: Or you can read the rest the tutorial as a blog at: https://www.syslog-ng.com/community/b/blog/posts/syslog-ng-101-part-6-destinations-and-log-path syslog-ng logo

This is the fifth part of my syslog-ng tutorial. Last time we had an overview of the syslog-ng configuration and had our first steps working with syslog-ng. Today we learn about syslog-ng source definitions and how to check the syslog-ng version and its enabled features. You can watch the video on YouTube: Or you can read the rest the tutorial as a blog at: https://www.syslog-ng.com/community/b/blog/posts/syslog-ng-101-part-5-sources syslog-ng logo

This is the fourth part of my syslog-ng tutorial. I hope that since the previous part of my tutorial, you successfully installed syslog-ng. In this part we will finally work with syslog-ng, not just learn about the theoretical background. We will do basic configuration and testing. You can watch the video on YouTube: Or you can read the rest the tutorial as a blog at: https://www.syslog-ng.com/community/b/blog/posts/syslog-ng-101-part-4-configuration-and-testing syslog-ng logo

Installing syslog-ng on Mac is easy, if you use Homebrew for 3rd party packages. Previously, you had to install dependencies and then compile syslog-ng from source. Now, a single command takes care of everything! homebrew logo Read the rest of my blog at https://www.syslog-ng.com/community/b/blog/posts/syslog-ng-is-now-available-in-homebrew syslog-ng logo

Welcome to the third part of my syslog-ng tutorial. Today we cover the various syslog-ng editions (open source, commercial and appliance), and where to get them from. The focus of this tutorial series is the Open Source Edition (OSE), but to avoid confusion, I also briefly introduce the other two. You can watch the video on YouTube: Or you can read the rest of my blog at: https://www.syslog-ng.com/community/b/blog/posts/syslog-ng-101-part-3-syslog-ng-editions-and-where-to-get-them-from This is a boring, but important part, do not skip it!

Welcome to the second part of my syslog-ng tutorial series. In this part, we cover some of the basic concepts behind syslog-ng. Last time we defined syslog-ng as an enhanced logging daemon with a strong focus on portability and high-performance central log collection. Let us pull this sentence apart, as all words are here for a reason. The original syslog implementation was pretty simple: it collected log messages from applications and sorted them to various files.

Welcome to the first part of my syslog-ng tutorial series. In this part, I give you a quick introduction what to expect from this series and try to define what syslog-ng is. I plan to release parts of my tutorial around every week. Of course, the Christmas holidays and the upcoming conference season may cause some delays. Each part will be released as a blog accompanied by a video. It is up to you, which version you follow.

The November syslog_ng newsletter is now on-line: Testing syslog-ng 4.0 syslog-ng Store Box federated single sign-on support via OpenID Connect (OIDC) Nightly syslog-ng container images Type support: working with sudo logs in syslog-ng 4.0 It is available at https://www.syslog-ng.com/community/b/blog/posts/the-syslog-ng-insider-2022-11-4-0-oidc-nightly-sudo syslog-ng logo

From now on, as I want to reach as many as possible, you can also read sudo and syslog-ng news from me on Mastodon. You can find my account at: https://fosstodon.org/@PCzanik Mastodon is a decentralized network of servers. I chose a server called “Fosstodon” as it is focused on open source software. Some of the projects I participate in are already there: BastilleBSD and openSUSE. As usual, next to my usual syslog-ng and sudo posts, you will also sometimes hear from me about OpenPOWER and ARM with some occasional photos from my hiking trips :-)

Each new MacOS release brings some surprises when it comes to compiling syslog-ng. MacOS Ventura has been released recently, while Homebrew has also been updated. So here are some updated instructions for MacOS Ventura (and also for the last MacOS minor release before Ventura). https://www.syslog-ng.com/community/b/blog/posts/syslog-ng-on-macos-ventura syslog-ng logo

Once upon a time I started taking photos with a Lubitel, which is an old, very basic, and completely manual camera. In 2000 I switched from film to digital and everything could be automated. This was the time when I finally realized that having a good camera is not everything. A perfect exposure with a good camera can still result in an ugly and boring photo. Lubitel 2 When I had a fully manual film camera, I quickly learned how to do perfectly exposed photos without any tools to measure light or distance.

Once upon a time I made some time-lapse videos, but I gave up quickly. Recently I have watched yet another Attenborough nature series: The Green Planet. It was full of beautiful time-lapse recordings, and suddenly I felt the urge again to give this genre another try :-) I visited my favorite recreational area in the Pest side of Budapest: Lake Naplás. It’s an artificial lake close to the border of Budapest, which quickly turned into an important bird nesting place and a protected nature area.

One of the recurring questions at conferences was whether there is a way to check cached sudo credentials without updating them. Version 1.9.12 of sudo introduces the -N option which makes this possible, and also allows running any commands without updating the cached credentials. You can learn more about the new -N option in my latest sudo blog at https://www.sudo.ws/posts/2022/10/running-sudo-without-updating-cached-credentials/ Sudo logo

Last weekend, I visited a special audio event in Budapest. Two local companies demonstrated their products built into a single audio system. The music was played from TIDAL using an audio PC and DAC made by Bodor Audio and a pair of speakers by NCS Audio. If you read one of my earlier blogs, you know that I listen to a pair of Heed Enigma 5 speakers. It was a love at first sight during my university years.

How to get started with syslog-ng? There are two main resources: the syslog-ng documentation and the syslog-ng blogs. You should learn the concepts and basics from the documentation. The blogs document use cases and you can use the docs as a reference. syslog-ng logo Read the rest of my blog at: https://www.syslog-ng.com/community/b/blog/posts/syslog-ng-101-how-to-get-started-with-learning-syslog-ng

Last weekend I was in Vienna for EuroBSDcon, an event where BSD users are gathering from Europe (and all around the world). And while you could follow the event online, to me, the greatest value of the conference was not in the talks themselves (not to lessen their value of course, as they were fantastic) but rather in meeting people during the hallway session. The line-up consisted of sudo and syslog-ng users, BSD users and developers, and even some people from history books :-)

I worked from home all my life, or at least that’s what I thought. Recently I learned that what do is actually called “hybrid” work. I do most of my work from home, however I also regularly visit the office. I can work a lot more efficiently at home, so, I work from there. Once a week I’m at the office where I do not progress that well with my tasks.

The syslog-ng team started publishing container images many years ago. For quite a while, it was a manual process, however, a few releases ago, publishing a container image became part of the release process. Recently, nightly container images have also become available, so you can test the latest features and bug fixes easily. The syslog-ng images are still available under the Balabit namespace on the Docker hub. Balabit was bought by One Identity almost five years ago, and we stopped using the old company name years ago.

The September syslog-ng newsletter is now on-line: 3.38.1 released, 4.0 almost feature complete syslog-ng Store Box SQL source Why is my syslog-ng disk-buffer file so huge even when it is empty? Nightly syslog-ng builds for Debian and Ubuntu It is available at https://www.syslog-ng.com/community/b/blog/posts/the-syslog-ng-insider-2022-09-3-38-sql-disk-buffer-nightly syslog-ng logo

The first week of the COVID lockdown, back in March 2020, a journalist friend of mine started a Hungarian Facebook group to share work from home experiences. As I have worked from home all my life (except for two weeks), I wrote a long post about my experiences and thoughts. 2.5 years later, my post still receives some occasional likes, and someone even quoted from it – without naming the source :/ You can read the English version of my original Facebook post below.

The 31st birthday of the Linux #kernel was yesterday. For this occasion some opensource.com contributors (including me) shared how we got started with Linux. Lots of nice memories :-) The article is available at https://opensource.com/article/22/8/linux-birthday-origin-stories flower

Whether attending conferences or reading blogs, I often hear several misconceptions about sudo. Most of these misconceptions focus on security, flexibility, and central management. In this article, I will debunk some of these myths. Many misconceptions likely arise because users know only the basic functionality of sudo. The sudoers file, by default, has only two rules: The root user, and members of the administrative wheel group, can do practically anything using sudo.

“Jeff Wayne’s Musical Version of The War of the Worlds” has been a turning point in my life in many ways. It was one of the first non-classical albums I listened to. It was the starting point in my ability to understand spoken English. The first steps from classical My parents only listen to classical music. Even Bartók is too modern for them. In my household growing up, I was only exposed to classical music.

Version 4.0 of syslog-ng is right around the corner. It hasn’tyet been released; however, you can already try some of its features. The largest and most interesting change is type support. Right now, name-value pairs within syslog-ng are represented as text, even if the PatternDB or JSON parsers could see the actual type of the incoming data. This does not change, but starting with 4.0, syslog-ng will keep the type information, and use it correctly on the destination side.

Last week I became a Discogs user. Why? I have been browsing the site for years to find information on albums. Recently I also needed a solution to create an easy to access database of my CD/DVD collection. Right now I am not interested in the marketplace function of Discogs, but that might change in the long term :-) Information overload For many years when I searched for an album, the first few hits were from YouTube and Wikipedia.

The July syslog-ng newsletter is now on-line: RHEL 9 syslog-ng news How does the syslog-ng disk-buffer work? Installing syslog-ng on Microsoft Linux It is available at https://www.syslog-ng.com/community/b/blog/posts/the-syslog-ng-insider-2022-06-rhel-9-disk-buffer-microsoft-linux syslog-ng logo

“Pass the SALT” (PTS) is a small IT security conference in Lille, France. It has less participants than speakers at the RSA conference. I gave talks at both events. RSA is a lot more prestigious event, but I still prefer PTS. Why? Small Is Beautiful As you could guess from my introduction, PTS is a small event. It is run by volunteers. It is also a free event thanks to sponsors.

A three parts blog series: The syslog-ng disk buffer is one of the most often used syslog-ng options to ensure message delivery. However, it is not always necessary and using the safest variant has serious performance impacts. If you utilize disk-buffer in your syslog-ng configuration, it is worth to make sure that you use a recent syslog-ng version. From this blog, you can learn when to use the disk-buffer option, the main differences between reliable and non-reliable disk-buffer, and why is it worth to use the latest syslog-ng version.

Yes, Microsoft has its own Linux distribution, called CBL-Mariner. It is an internal Linux distribution by Microsoft used for cloud infrastructure and edge products and services. And even if it is not installed in the OS by default, CBL-Mariner also includes syslog-ng. Read the rest of my blog at https://www.syslog-ng.com/community/b/blog/posts/installing-syslog-ng-on-microsoft-linux to learn how to install syslog-ng on it and what features are available. syslog-ng logo

Most people I talked to about buying expensive products are aware of “the law of diminishing returns”. When you buy a product, the more you pay for it the less extra quality you get for the extra spending. However, not many people recognize that the same can be said of most human activities. It is a lie that “just a little more effort” will lift you from above average to the top, as the law of diminishing returns hits even harder.

Red Hat Enterprise Linux 9 became generally available recently. Version 3.35 of syslog-ng has been part of EPEL 9 (the semi-official extra software repo for RHEL maintained by Fedora packagers) for a while and now I enabled a few more destination drivers. I also enabled RHEL 9 support in my unofficial Git snapshot packages, so I can support RHEL 9 together with other RHEL and Fedora versions on the next syslog-ng release.

There are situations where you cannot avoid giving a user full shell access through sudo. A shell with administrative privileges gives complete control over your hosts. Until recently, sudo could only log the start of the shell, not the commands executed within it. You could record sessions with sudo, but watching recordings is boring, time consuming and can still be subverted. Version 1.9.8 introduced logging of sub-commands, but that is not yet available on many systems.

This week I am talking to Timothy Pearson of Raptor Engineering. He is behind the Talos II and Blackbird boards for IBM POWER9 CPUs. His major claim is creating the first fully owner controlled general purpose computer in a long while. My view of the Talos II and Blackbird systems is that these boards helped to revitalize the open source ecosystem around POWER more than any other efforts (See also: https://peter.

I’m not superstitious, so I never really cared about black cats, Friday the 13th, and other signs of (imagined) trouble. Last Friday (which was the 13th) I had an article printed in a leading computer magazine in Hungary, and I gave my first IRL talk at a conference in well over two years. Best of all, I also met many people, some for the first time in real life. Free Software Conference: sudo talk Last Friday, I gave a talk at the Free Software Conference in Szeged.

Recently, I started my own blog, and as Google Analytics seems to miss a good part of visitors, I wanted to analyze my web server logs myself. I use syslog-ng to read Apache logs, process them, and store them to Elasticsearch. Along the way, I resolve the IP address using a Python parser, analyze the Agent field of the logs, and also use GeoIP to locate the user on the map.

Sudo had many features to help blue teams in their daily job even before 1.9 was released. Session recordings, plugins and others made sure that most administrative access could be controlled and problems easily detected. Version 1.9 introduced Python support, new APIs, centralized session recordings, however some blind spots still remained. Learn how some of the latest sudo features can help you to better control and log administrative access to your hosts.

What hardware to use for a syslog-ng server? It is a frequent question with no definite answer. It depends on many factors: the number and type of sources, the number of logs, the way logs are processed, and so on. My experience is that for the majority users even a Raspberry Pi would be enough. But of course, not for everyone. You can read the rest of my blog at https://www.

The first time I heard about 21unity was when I read the announcement: 21unity Joins OpenPOWER Foundation. I immediately became interested in the company, as it combines two things I am interested in: POWER and open source. Among others 21unity has its own cloud based on the POWER platform and provides Nextcloud as a service. I tried to refresh my German knowledge and read their website, but the more I read the more interesting it got and the more questions I had.

How can you make Windows easy? Install the Windows Subsystem for Linux, or WSL in short. Well, probably this is not true for everyone. However, as a Linux user, I definitely love WSL. When not using a browser or text editor, I spend my time on the command line. With WSL, you can have the familiar Linux command line environment from openSUSE also under Windows. Why Windows? Die hard Linux users might ask: why do I use Windows?

After 30 years of using the Internet and trying many communication formats, e-mail is still my favorite. However, e-mail has many problems. Spam is just annoying, but phishing and especially, spear phishing attacks can also be dangerous. A recent security training, and a Twitter thread I started about it, changed my mind completely about how I treat these harmful e-mails. phishing (fishing :-) ) The old way While most spam and some phishing can easily be filtered, spear phishing messages are unique by their nature.

This year the syslog-ng project will participate in the Google Summer of Code (GSoC) as a mentor organization again. If you are a university student or otherwise eligible to participate in the GSoC program, you can choose to develop a new feature for syslog-ng. Read my blog to learn why to choose syslog-ng and how to get started: https://www.syslog-ng.com/community/b/blog/posts/syslog-ng-in-gsoc-2022 syslog-ng logo

For many years, you could use the match() filter of syslog-ng to parse log messages with regular expressions. However, the primary function of match() is filtering. Recent syslog-ng versions now have a dedicated regular expression parser, the regexp-parser(). So, you should use match() only if your primary use case is filtering. Otherwise, use the regexp-parser for parsing, as it is a lot more flexible. You can read the rest of my blog at https://www.

I’m considered to be a server guy. I had access to some really awesome server machines. Still, when computers come up in discussions, we are almost exclusively talk about workstations. Even if servers are an important part of my life, that’s “just” work. I loved the SGI workstations I had access to during my university years. Many of my friends still occasionally boot their 30 years old Amiga boxes. The cult of Amiga One would say that the Amiga was popular in the eighties and early nineties.

The latest pull request to syslog-ng adds a really useful feature: the flip-parser(): https://github.com/syslog-ng/syslog-ng/pull/3971 It allows you to flip the message text, reverse it, or both. As I also reported a couple of minor problems related to UTF-8 character handling, this PR most likely will not be merged today. However, you can compile it yourself, or if you use openSUSE Tumbleweed, use my packages from the openSUSE Build Service. You can read the rest of my blog at https://www.

My favorite and most used service for developers is the openSUSE Build Service (OBS). This is where I build syslog-ng packages first, before anywhere else. OBS is open source, highly flexible software to build software packages, and the instance at https://build.opensuse.org/ is free to use for anyone to build open source software. Best of all, it supports multiple architectures, including POWER. Open Build Service Actually the OBS acronym stands for two things.

Session recording has been available in sudo for many years, however not many people are aware of it. Even less well-known is that you can save not just the terminal output, but also what the user types. That way you can analyze what the user is doing within a shell session. Recordings may also include user passwords, which is not always desirable. Version 1.9.10 of sudo allows you to hide passwords in session recordings if it recognizes a password entry.

There are multiple ways in syslog-ng to limit message rate. The throttle() option of syslog-ng destinations tries to make sure that all messages are delivered without exceeding a specified message rate. The rate-limit() filter introduced in syslog-ng 3.36 drops surplus log messages, making sure that a processing pipeline or destination is not overloaded with log messages. Read the rest of my blog at https://www.syslog-ng.com/community/b/blog/posts/the-difference-between-throttle-and-rate-limit-in-syslog-ng syslog-ng logo

Quite a few people asked me recently how I deal with anxiety. I seem to be less anxious than people around me. First of all: I also have anxiety, just like anybody else. The recent company acquisition & reorganization, the COVID-19 pandemic, the upcoming general elections, or the Russian attack all make sure that once a problem is over, there is a new problem already to worry about. However, sport, music and spending less time reading the news all help to keep my anxiety at bay.

Most of syslog-ng works perfectly well on MacOS; however, there is no native driver to collect local log messages. Due to this, in the past, the system() source did not work on MacOS, thus the default syslog-ng configuration failed to start. Version 3.36 of syslog-ng includes a workaround: it follows /var/log/system.log. You can read the rest of my blog at https://www.syslog-ng.com/community/b/blog/posts/the-system-source-of-syslog-ng-now-also-works-on-macos syslog-ng logo

The March syslog-ng newsletter is now on-line: syslog-ng future: the path to syslog-ng 4 MQTT source Another use for the syslog-ng elasticsearch-http destination: Zinc Sending logs to Elastic Cloud using syslog-ng syslog-ng 3.36 is now available It is available at https://www.syslog-ng.com/community/b/blog/posts/the-syslog-ng-insider-2022-03-syslog-ng-4-mqtt-source-zinc-elastic-cloud-3-36 syslog-ng logo

I’m happy to announce that I became an IBM Power Champion for the year 2022. This blog is long overdue, however with the conflict raging in our neighbor country, Ukraine, I just did not feel the strength to write about anything. In this blog I try to introduce myself and share my plans for this year. But before doing so, let me share my new badge with you: IBM Champion 2022 badge My background My title at work is “Open Source Evangelist” and Power does not appear anywhere in my job description.

As explained in my previous post, we do have some features already in mind for syslog-ng 4, even though the work on creating a long term set of objectives for the syslog-ng project is not finished yet. One of the themes that I have working code for already, is typing. syslog-ng traditionally assumes that log data, even if it comes in a structured form (like RFC5424 structured data or JSON) is primarily textual in nature.

It has been possible to use wildcards in the sudoers file for many years. This can make configuration easier and more flexible, but it also introduces problems of its own. Regular expressions, introduced in in sudo 1.9.10, allow you to create more fine grained rules. From this blog you will learn about some of the problems when you use wildcards in your sudoers file, and how using regular expressions can resolve those problems.

Version 3.36 of syslog-ng brings us many interesting new features. There is now basic support for system() source on MacOS, TLS 1.3 ciphers can now be restricted, TLS keylog support was added, symlink creation to the latest file, and there are many new possibilities in syslog parsing. From this blog, you can learn about some of the new 3.36 features, and we will test symlink creation, which is a community-contributed feature.

Last week, the ivykis library, the most important core dependency of syslog-ng landed in EPEL 9 successfully. There are still plenty of dependencies missing, but this way, I could submit a slightly cut down version of syslog-ng to EPEL 9. Hopefully the rest of the dependencies will arrive in EPEL 9 as well. I plan to update the syslog-ng package as soon as the dependencies arrive. Luckily, these are only needed to enable some less frequently used syslog-ng destination drivers, no core functionality is affected.

Recently I got some complaints that it is difficult to figure out how to contact the syslog-ng team to get help or report problems. Most of this information is available both on the syslog-ng website and at the syslog-ng repository on GitHub, but collecting here all information might be still useful for some people. Read the rest of my blog at https://www.syslog-ng.com/community/b/blog/posts/contacting-the-syslog-ng-team-reporting-problems-asking-questions syslog-ng logo

General availability of Elasticsearch 8 was announced last week. There were quite a few rumors that it will break compatibility with third party tools. I tested it as soon as I had a little time: I am happy to share that anything I tested with the elasticsearch-http() destination of syslog-ng still seems to work perfectly well with the latest version of Elasticsearch. You can read the rest of my blog at https://www.

Those who follow me on LinkedIn might have seen an automatic post about my work anniversary. Well, almost nothing of that post is true, but I still consider it to be my real starting date. However, the official date is also impressive: 11.5 years, almost three times the industry average spent at the same workplace. So, why do I say that the LinkedIn post is not true? Well, because all its major facts are wrong.

The February syslog-ng newsletter is now on-line: syslog-ng relaunch Sequence – making PatternDB creation for syslog-ng easier Syslog-ng on MacOS Monterey Installing syslog-ng on CentOS Stream 9 It is available at https://www.syslog-ng.com/community/b/blog/posts/the-syslog-ng-insider-2022-01-reboot-sequence-monterey-centos-9 syslog-ng logo

I spent my last weekend in Brussels at FOSDEM. Well, not really: while I had a couple of Belgian beers, the conference itself was a virtual event and I was at home in Budapest. It’s the second year that FOSDEM is virtual, and yet again I can state that it’s the best virtual event of the year. I had two talks this year. After my second talk, I got some questions during the Q & A session which I could not answer, so I will try to answer them.

Seemingly a boring topic, Balázs Scheidler finds open source licensing fascinating. It allows him to work on syslog-ng even though Balabit was acquired. He writes: “I mentioned in the previous post that I would like to focus on syslog-ng and put it more into the spotlight. I also mentioned that Balabit, the company I was a founder of and the commercial sponsor behind syslog-ng, was acquired by One Identity ~4 years ago.

We learned in my previous sudo blog that cvtsudoers is not just for LDAP. Version 1.9.9 of sudo extends the querying possibilities of cvtsudoers further and adds a brand new feature: merging multiple sudoers files into one. Both are especially useful when you have complex configurations. Querying lets you to better understand what the various rules allow in your sudoers file. Merging helps you to combine multiple configurations into one, so you do not have to maintain a separate sudoers file on each of your hosts.

This weekend I am going to give a talk about sudo in the security track of FOSDEM. I will talk a few words about logging at each major point I mention, but I cannot go into too much detail there. So, consider this blog both as a teaser and an extension to my FOSDEM talk. You will learn how to work with JSON formatted logs in syslog-ng and also about new sudo features along the way.

Balázs Scheidler, founder of the syslog-ng project, started a new blog where he details why and how he started to work on syslog-ng even more actively. He also asks for your feedback! “syslog-ng has been around for decades: I started coding the first version of syslog-ng in September 1998, circa 24 years ago. The adoption of syslog-ng skyrocketed soon after that: people installed it in place of the traditional syslogd across the globe.

The Elastic Cloud is a service by Elastic providing Elasticsearch and related services in an easy-to-use package. Last year someone reported an issue that it does not work properly with syslog-ng. I did not have time to investigate at that time. Now I started a free trial and soon my log messages from syslog-ng started to appear in Kibana in Elastic Cloud. From this blog you can learn how to configure syslog-ng for the Elastic Cloud.

I’m not a POWER (or recently: Power) expert, only an enthusiastic user and advocate. Still, in the past couple of weeks a number of people from around the world asked my opinion how the POWER architecture could be kept relevant. This blog is really just an opinion, as I do not have the financial means to go ahead. It is full of compromises some people are not willing to make. However, I think this is the safest and fastest way forward.

There is a new drop-in replacement for Elasticsearch, at least if you don’t mind the limitations and the alpha status. However, it definitely lives up to the promise that it provides an Elasticsearch-compatible API for data ingestion. I tested it with the elasticsearch-http() destination of syslog-ng, and it worked perfectly after I modified the URL in the configuration example I found. So, what is Zinc? It is a search engine written in Go that provides an Elasticsearch-compatible API for data ingestion.

The syslog-ng application is part of all major Linux distributions, and you can usually install syslog-ng from the official repositories. If you use just the core functionality of syslog-ng, use the package in your distribution repository (apt-get install syslog-ng), and you can stop reading here. However, if you want to use the features of newer syslog-ng versions (for example, send log messages to MQTT or Apache Kafka), you have to either compile the syslog-ng from source, or install it from unofficial repositories.

Recently, I have posted blogs and articles about three operating systems (or rather OS families) I use, and now people ask which one is my “true” love. It’s not easy, but I guess, the best way to describe it is that both FreeBSD and openSUSE are true ones, and Fedora & Co. is a workplace affair :-) This is why I’m writing that it is a polyamorous relationship. Let me explain!

For the past few days, the IT news has been abuzz with announcements from CES. As usual, I’m following them on Engadget. I must admit, that there were just a very few announcements which really caught my attention. And my favorite announcement is the most boring of them all :-) Foldable tablet by ASUS: I still use my Google Pixel C tablet almost every day. It’s almost six years old and waiting for replacement.

If you are a longtime FreeBSD user, you probably know everything I have to say, and, what’s more, you can probably add a few more points. But hopefully, there will be some Linux or even Windows users among readers who might learn something new! FreeBSD is not just a kernel but a complete operating system. It has everything to boot and use the system: networking utilities, text editors, development tools and more.

Version 3.35.1 of syslog-ng introduced an MQTT source. Just for some fun in the last syslog-ng blog post of the year, I created an endless loop using syslog-ng and the Mosquitto MQTT broker. Of course, it does not have much practical value other than possibly a bit of stress testing, but hopefully provides a fun introduction to MQTT-related technologies in syslog-ng. Read my blog at https://www.syslog-ng.com/community/b/blog/posts/creating-an-endless-loop-using-mqtt-and-syslog-ng syslog-ng logo

I wish I had BastilleBSD twenty years ago. I had a part-time sysadmin job - running web servers. PHP started to become popular by the turn of the century. Using jails on FreeBSD seemed to be a safe environment to run PHP-enabled web servers. However, there were no tools yet to work with jails. I had to write many scripts to build and update jails. A bit of history At first, I had a single server.

The December syslog-ng newsletter is now on-line: Sending logs to Panther using syslog-ng Reducing the complexity of log management Sending logs to Humio using the elasticsearch-http() destination of syslog-ng It is available at https://www.syslog-ng.com/community/b/blog/posts/the-syslog-ng-insider-2021-12-humio-log-management-panther syslog-ng logo

Let me share my Fedora story with you. Hopefully, it helps you to understand, why I am also promoting AlmaLinux and Rocky Linux, even if I am an active Fedora and CentOS community member and contributor. Before the beginnings Someone suggested me to try Red Hat Linux in 1995 and replace Slackware Linux with it on my university server. I installed it, but I did not become a fan. And when I found the print out of the password file of my server on the wall of the Russian students’ computer lab (see: https://peter.

CentOS Stream 9 has been around for a while, but it was officially announced just a few days ago. I already tested some earlier snapshots and they had some rough edges. The current version installed without random crashes, has networking and runs smoothly. EPEL – the semi-official repository by Fedora maintainers – is already there, but practically empty, syslog-ng or it’s dependencies are not yet there. As someone asked about syslog-ng support, I had a first try at building it.

It is easy to over-complicate log management. Almost all departments in a company need to log messages for their daily activities. However, installing several different log management and analysis systems in parallel is a nightmare both from a security and an operations perspective and wastes many resources. You cannot always reduce the number of log analysis systems, but you can reduce the complexity of log management. Let me show you, how.

When I like a song and learn that it is actually a soundtrack of a movie, I usually look it up on IMDB. Often it belongs to a romantic movie, a super hero movie from Marvel or a TV show. In these cases I do not look any further. But sometimes I get curious while reading the plot or watching the trailer. I’ve found many good movies based on the soundtrack.

Each new MacOS release brings some surprises when it comes to compiling syslog-ng. Just a couple of months ago, I provided you with a couple of pointers on how to compile syslog-ng on MacOS. Since then, MacOS Monterey was released and Homebrew was updated. So, here are some updated instructions for MacOS Monterey. You can read my blog at https://www.syslog-ng.com/community/b/blog/posts/syslog-ng-on-macos-monterey syslog-ng logo

Version 1.9 of sudo was released almost two years ago. One of the major new features was support for Python plugins. Previously, you could only extend sudo by coding in C to better suit your environment, which is not the easiest task to manage. Python makes both coding and distributing the results easier. Starting with Safeguard for Sudo 7.2, Python support is also available in a commercial sudo management solution.

Better late than never I just put online the November syslog-ng newsletter. Topics include: syslog-ng version 3.35.1 is now available Sending logs from syslog-ng store box to Splunk MacOS support Syslog-ng 3.34: MQTT destination with TLS and WebSocket support It is available at https://www.syslog-ng.com/community/b/blog/posts/the-syslog-ng-insider-2021-11-3-35-ssb-macos-mqtt-destination-updates

I love photography. I started taking photos four decades ago using a camera called Lubitel, a cheap Russian knock off of Rolleiflex. I switched from film to digital photography back in 2000, which was quite a bit earlier than most. I always treated mobile photography with strong skepticism (small sensor, too much processing, etc.) and have a dedicated camera with me everywhere. Well, the problem is with the words “always” and “everywhere”.

One of the most popular applications to feed Splunk with syslog messages is syslog-ng. However not everyone is happy to work on the command line anymore. This is where syslog-ng store box (SSB), an appliance built around syslog-ng, can help. The SSB GUI provides you not only with an easyto-use interface to configure most syslog-ng features, but also a search interface and complete log life cycle management. It can forward log messages to several destinations, recently also to Splunk’s HTTP Event Collector (HEC).

Can you hear the difference between a CD and an MP3 file? Most people cannot. But even if only one in ten can hear something, that means hundreds of millions of people. However, even if you can hear the difference, there is a good chance that the recording you love is not available in better than CD quality. Still, this problem is not as big as you first think. Let me show you why!

Celebrating 30 years of Linux - is 2021 finally the year of the Linux desktop? My favorite Linux insider joke is that “The year of the Linux desktop is always next year”. Each year there is a new technology which is expected to achieve breakthroughs. I was asked almost a decade ago to give a talk about this topic. I proved to my audience that the year of the Linux desktop is already here, just not the way most Linux users expect it.

Sequence – making PatternDB creation for syslog-ng easier We are well into the 21st century, but most of the log messages still arrive in an unstructured format. For well over a decade, syslog-ng had a solution to turn unstructured messages into name-value pairs, called PatternDB. However, creating a pattern database for PatternDB from scratch is a source of major pain. Or rather, it was: sequence-rtg – a fork of the sequence log analyzer – provides a new hope!

Most people know me as a Linux and/or FreeBSD guy, and they are right. I use openSUSE and FreeBSD most of my time. However, I am not a fanatic who tries to solve everything using a single OS and I am curious as well. Most other operating systems I use are running in virtual machines, but I also have two computers: a Windows desktop and an old MacBook Pro. Both received a major software upgrade during the weekend.

Last week I participated the OpenPower Summit. I enjoyed it, even if I was on sick leave with a fever. There were many interesting talks, ranging from open source and education through Power10 to instruction development. All sessions were recorded. Hopefully recordings will also be shared, as I did not have the strength to visit all the sessions I wanted. And, as usual, some of the interesting talks were given in parallel.

As you might have already noticed from my blogs, I am a music maniac. One of the factors influencing your music listening experience is what speakers you use. I was lucky right from the beginning, my parents are music maniacs as well. In this blog I introduce you to the speakers I listened while living at my parents, and three pairs of speakers I bought myself. I must admit that I never did a really thorough research about speakers and acoustics.

I love conferences. Now, that most conferences are either virtual or hybrid (both virtual and on-premises), people often say that it must be heaven for me. I can visit many more conferences and give many more talks. Well, it is not just this simple. Virtual conferences are a love-hate relationship for me. Of course, there are some advantages, but also disadvantages. Giving virtual talks Yes, I could give more talks. Even overlapping conferences are not a problem any more: I can give a talk at a European conference in the morning, and give another talk at a US conference in the evening.

One of the most popular syslog-ng destinations is Elasticsearch. Humio, a log management provider, supports a broad range of ingest options and interfaces, including an Elasticsearch-compatible API. Last week, Humio announced Humio Community Edition, which provides the full Humio experience for free, with some limitations on daily ingestion and retention time. I tested the Community Edition, and it works perfectly well with syslog-ng. If you come from the Humio side, you might wonder what syslog-ng is.

Ever since I started this personal blog site, I was curious if people actually read what I write. Luckily, based on the responses I received on Twitter, LinkedIn and in private, there is no problem with that. Next I wanted to see numbers. I was told, that Google Analytics is the gold standard of measurement. Well… Google Analytics Lets start it with the basic problem: even my own visits are not counted.

Panther is an open-source log management system, which is also available as a service for a time-limited trial. It is still in beta phase, but it looks promising. You can see the “beta” sign on its opening page: https://app.panther.support/ I tested the time-limited cloud service version, but you can also install it locally, either from Dockerhub, or you can build the containers locally from the source. Even if it is still in beta phase, Panther comes with detailed documentation.

A month ago, when sudo 1.9.8 was still under development, we checked out the new log_subcmds option. It allows you log all commands (with some limitations) that are executed by a command started through sudo. For example, you can see if a shell was started through a text editor. The intercept option brings this one step further: you can prevent sub-commands from even running. Read the rest of my blog at https://blog.

Qwant is a European search engine that respects your privacy. I learned about it from a Twitter thread. The European Processor Initiative announced last week that their first RiscV test chip samples were delivered and booted successfully. I tweeted that I would be happy to see not just European CPUs but also European software services, alternatives to Google, Facebook, LinkedIn and others. Someone responded that a search engine is already available: https://www.

Version 3.33 of syslog-ng arrived with basic MQTT support. Version 3.34 has added many important features to it: user authentication, TLS support and WebSocket support. These features give you both security and flexibility while sending log messages to an MQTT broker. This blog helps you to make your first steps securing your MQTT connection: https://www.syslog-ng.com/community/b/blog/posts/syslog-ng-3-34-mqtt-destination-with-tls-and-websocket-support

Whenever I talked to people about POWER, someone asked if I am an IBM Power Champion. My response was that I do not even know what it is, and I am not affiliated with IBM in any way. Recently I came across a blog by Torbjörn Appehl which describes what is an IBM Power Champion and lists the European champions: https://builtonpower.com/2021/09/the-2021-ibm-power-champions-in-europe/. Finally I know what an IBM Power Champion is, and I feel honored to be mistaken to be one of them :-) Normally I do not care much about titles: I have seen too many empty people with well sounding titles, and fantastic people without any titles.

The promise of “boring” ARM hardware has been with us for almost a decade. And a couple of years ago it really arrived: easy to use, standards compliant ARM hardware is now available on the market. However, not for everyone. When it comes to buying ARM hardware you still need to decide if it is “boring” or it is affordable. There was one notable exception, the SoftIron OverDrive 1000. It had its limitations, but it was standards compliant right from day one, affordable, and easily available not just for large companies.

Dear syslog-ng users, This is the 94th issue of syslog-ng Insider, a monthly newsletter that brings you syslog-ng-related news. Topics include: Version 3.34.1 of syslog-ng available Syslog-ng updated in OpenBSD ports OpenSearch and syslog-ng Creating a new http()-based syslog-ng destination: Seq It is available at: https://www.syslog-ng.com/community/b/blog/posts/the-syslog-ng-insider-2021-09-3-34-openbsd-opensearch-http-destination

When I published my blog about openSUSE a couple of weeks ago, most questions I received in private were about the Russian students I mentioned. In that blog I quickly described how my interest in information security started, about 25 years ago. This blog gives you a bit of historical background and a few more details. Historical background It was 1995. I was studying at a university, but I was already running one of the servers of the faculty.

A couple of weeks ago editors of https://opensource.com/ sent a question to contributors: What was your first programming language? Thinking about the question brought back some nice memories about the beginnings. You can read my answer below: What was your first programming language? My first ever programming language was BASIC in the early eighties. One of my relatives bought a C64 for their kids to get started with learning computers. They only used it for gaming, and I was also invited.

Better late than never I just put online the July syslog-ng newsletter. Topics include: Sending alerts to Discord and others from syslog-ng using Apprise: blocks and Python templates Rocky Linux, AlmaLinux, CentOS & syslog-ng MongoDB support improved in syslog-ng 3.32 It is available at https://www.syslog-ng.com/community/b/blog/posts/insider-2021-07-alerting-centos-alternatives-mongodb

For the past couple of months, Yash Mathne has been working on testing syslog-ng on MacOS as a GSoC (Google Summer of Code) student. He worked both on x86 and on the freshly released ARM hardware. And we have some good news here to share: while there is still room for improvement, most of syslog-ng works perfectly well on MacOS. Read my blog for some historical background and the GSoC report: https://www.

Sudo development is at version 1.9.8 beta 3. There are two major new features: sudo can intercept sub-commands and log sub-commands. In this quick teaser I introduce you to log_subcmds. I hope it is interesting enough for you to test it out and provide feedback. So, what is log_subcmds good for? There are many UNIX tools that can spawn external applications. You only see vi in the logs, but can you be sure without session recording that your admin only edits what he is supposed to?

Collecting process accounting logs on Linux with syslog-ng Process accounting logs are collected into binary log files on Linux. You can turn them into human readable format locally, using various tools. You can also use syslog-ng to read those files. Lean how syslog-ng can parse those binary logs, create name-value pairs from them and store the results from my latest blog: https://www.syslog-ng.com/community/b/blog/posts/collecting-process-accounting-logs-on-linux-with-syslog-ng

Most people only know that I work in IT. Some even call me a hacker – which I really appreciate :-) However, by university degree I am an environmental engineer (and English - Hungarian translator). Even if I never worked in my field, except for some student jobs, I still follow any news related to the environment closely. This is why I was very happy to learn, that my home city, Budapest, introduced bee pastures in the city.

Securing the sudo to sudo_logsrvd connection Using sudo_logsrvd to centrally collect sudo session recordings from your network is a huge step forward in security: users cannot delete or modify session recordings locally. However, by default, transmission of recordings is not encrypted, making it open to modifications and eavesdropping. Encrypting the connection between sudo and sudo_logsrvd can eliminate these problems. Larger environments usually either have in-house PKI tooling in place, or colleagues who know all openssl options off the top of their heads.

I love listening to music. And while I am lazy (which is the popular term for considering if something is worth the effort before doing it), I still prefer listening to it in a realistic sound quality. Which sounds like a contradiction, isn’t it? Well, yes, but only if you are not ready for compromises. In this blog, I focus on technologies and software problems, and the compromises I made to keep listening to music simple but still enjoy it.

Recently connect.opensuse.org, the openSUSE member directory and social site was shut down. You can read more about the reasons on openSUSE News. I also had my profile on the site, listing many of the things I worked on during the past two and a half decades. Reading it was quite a trip down the memory lane. It also reminded me, how the name changed over the years. Did you know that SUSE was originally an acronym for Software- und System-Entwicklung?

One of the most popular destinations in syslog-ng is Elasticsearch. Due to the license change of the Elastic stack, some people changed quickly to Grafana/Loki and other technologies. However, most syslog-ng users decided to wait and see. Version 1.0.0 of OpenSearch, a fork of the Elastic code base from before the license change is now available. Elastic also published a new release last week. For this blog, I tested the latest and greatest from both product lines and I’m sharing my experiences.

Yes, it’s a syslog-ng blog from me, and it’s not on https://syslog-ng.com/ :-) The reason is simple: this is not a technical blog. This is my story about how I found the Turris Omnia Linux router and how this lead to working together with the Turris guys. The beginnings When I ordered my Turris Omnia, I did not know that it ran syslog-ng. All I knew that it was an ARM device and that it ran Linux.

I got my Google Pixel C tablet in early 2016, well over five years ago. I use it ever since almost every day. A big part of it is that I also have the Pixel C keyboard accessory. I prefer touch typing and funnily enough that does not work on a touch screen. It needs a real keyboard. And that keyboard died today. My Pixel C can still recognize the attached keyboard, but it does not work any more.

Syslog-ng 3.33: the MQTT destination Version 3.33 of syslog-ng introduced an MQTT destination. It uses the paho-c client library to send log messages to an MQTT broker. The current implementation supports version 3.1 and 3.1.1 of the protocol over non-encrypted connections, but this is only a first step. From this blog, you can learn how to configure and test the mqtt() destination in syslog-ng. Read my blog at https://www.syslog-ng.com/community/b/blog/posts/syslog-ng-3-33-the-mqtt-destination

Why? Last week, when the latest version of Bastille, a jail (container) management system for FreeBSD was released, it also included experimental Linux support. Its author needed Ubuntu, so that was implemented. I prefer openSUSE, so with some ugly hacks I could get openSUSE up and running in Bastille. I was asked to document it in a blog. This topic does not fit the sudo or syslog-ng blogs, where I regularly contribute.