bluebenben | 29 Oct 02:16 2014

How can I disable SSLv3 in syslog-ng 3.3.2 client config to sovle CVE-2014-3566(SSLv3 Fallback Vulnerabilit)?

Hi guys

In my project I am using syslog-ng as syslog client and send log via TLS.
We all know that recently there is one new security flaw which is Poodle(CVE-2014-3566 - SSLv3 Fallback Vulnerability)
This requires disabling SSLv3
I have checked admin guide of syslog-ng 3.3.2 but I am able to find the option
Could you please let me know the way?

Alternatively  I think I may achieve the object by disable SSLv3 ciphers used by syslog-ng client
original ciphers used by us is
I may change it to
Bug this will make syslog-ng only supports TLS1.2 and cause negative impact to interoperability



Member info:

Davide Alberani | 27 Oct 17:39 2014

improving SQLite writing performances (WAS: Re: inserts into a sqlite3 database are not delayed)

On Wed, Oct 15, 2014 at 10:56 AM, Balazs Scheidler <bazsi77 <at>> wrote:
> It immediately runs the query, flush_lines() controls the transaction size,
> which can be enabled using
> flags(explicit-commits).

Ok, I see and I can confirm noticeable improvements on a system
under heavy I/O and CPU load using explicit-commits (or better: I see
it gets a lot worse disabling it, since I already had it on ;))

Plus, I'm seeing minor improvements with session_statements set
to "PRAGMA synchronous=OFF; PRAGMA count_changes=OFF;"

Beside this, has anyone found other ways to improve writing performances
using syslog-ng with sqlite?

On (physical) systems with high load, I've noticed that the system is much more
responsive if the elevator is set to noop or deadline instead of cfq.
But I guess this is highly dependent on the specific circumstances of
the system.



Davide Alberani <davide.alberani <at>>  [PGP KeyID: 0x465BFD47]
Member info:

Russell Fulton | 24 Oct 01:31 2014

errors running configure for incubator on Ubuntu 12.04

rful011 <at> secmontst01:~/src/syslog-ng-incubator$ ./configure 
checking for a BSD-compatible install... /usr/bin/install -c
checking whether build environment is sane… yes

[ snip ]

checking whether g++ accepts -g... yes
checking dependency style of g++... gcc3
checking for inline... inline
./configure: line 4534: syntax error near unexpected token `shared'
./configure: line 4534: `LT_INIT(shared dlopen)’

I have looked at configure and config.log to try and figure out what it is actually checking for. 
‘inline’ is to generic to google for :(

any ideas what is wrong?


Member info:

Russell Fulton | 23 Oct 01:17 2014

Elasticsearch destination


We are already using the open source version of syslog-ng and I am about to set up some elastic search
instances and would much prefer to feed data direct from syslog-ng rather than go through logstash (I
already have a heap of patterndb parsers and performance should be way better!)

I have spent an hour or so with Google and have found various references to elastic search destination being
available but I can find no mention of it in the release notes for 3.6.1.  I have also downloaded the the
tarball and unpacked it but could not find any evidence of the module , nore is there any mention of it in the manual.

As of now what is the recommended way of getting parsed data from OS syslog-ng into ES?

Thanks, Russell

Member info:

Czanik, Péter | 22 Oct 11:34 2014

syslog-ng 3.6.1 is released


We are proud to announce that culminating almost a year’s worth of
development, syslog-ng 3.6.1 has been released! This is the first
stable release from the 3.6 branch, the successor to 3.5, which was
originally released in November, 2013.

Read more about the highlights of this release at
or all the technical details at


Peter Czanik (CzP) <peter.czanik <at>>
BalaBit IT Security / syslog-ng upstream
Member info:

Evan Rempel | 20 Oct 00:47 2014

patterndb will not accept a program containing a $

Technically speaking, any non-alphanumeric character will terminate the 
TAG field at the beginning
of the message. This is usually one of : [ or space as in the examples

program: this is the message
program[123]: this is the message
program this is the message

In practice though, syslog daemons will send TAGs that contain any 
character and the syslog-ng Agent for Windows
will forward the application name as it shows in the Windows Event Log. 
In some cases, this TAG will contain a $ character.

The patterndb-4.xsd definition disallows the $ character in the program 
pattern in pattern database files.

Can this restriction be removed to allow for the $ or is this a larger 
issue that I see?

Thanks again for all of the support.

Member info:

Davide Alberani | 9 Oct 18:08 2014

inserts into a sqlite3 database are not delayed

I'm using a SQLite 3 database as a destination,
but it seems that the options to delay the insert
of new rows are ignored.

The destination is something like:

destination sqlite_db {
        [...table, columns, values, indexes definitions...]

Every time a log arrives, it's immediately written into
the database, while I expected to have it delayed accordingly
to flush_timeout and flush_lines.

Currently I'm using syslog-ng OSE 3.4.2, but looking at
the code of the latest version doesn't seem to have
changed much.
SQLite version is 3.8.4.
libdbi 0.8.4
libdbi-drivers 0.8.3
libdbi-dbd-sqlite 0.8.3
libol 0.3.16
libevtlog 0.2.13

Any idea about how to fix it?

Thanks in advance,


Davide Alberani <davide.alberani <at>>  [PGP KeyID: 0x465BFD47]
Member info:

Richards, James L - DOA | 3 Oct 21:18 2014

Question on parsing

So I have a scenario I am having difficulties with.


I have an IDS sensor (suricata), and it is generating a log-file at /log_file_dir/fast.log


And I would like to parse this log and send it off to a remote syslog server.


I have put the following in my syslog-ng.conf:


source s_log_server { file("/log_file_dir/fast.log " program_override("snort")); };


added a destination for the remote server:


destination d_log_server { udp ("" port(514)); };


Then in the log{ section I have put this:


Destination (d_log_server);


Logs are making it to the remote box, but in an unparsed format…


How do I get this to trigger a parser in syslog-ng?


Thanks much,









Member info:

Jim Hendrick | 3 Oct 02:33 2014

syslog-ng as "shipper" into ELK stack


   I am working on configuring Elasticsearch, Logstash & Kibana (ELK) to 
test it as a backend search tool for large volumes of logs.

I decided to put Redis in front of Logstash as a "broker" for the 
incoming logs, and syslog-ng as the "shipper" so it looks like this:

syslog-ng ==> redis ==> logstash ==> elasticsearch ==> apache ==> kibana

It works very well using the redis destination in syslog-ng, although I 
am having performance problems with logstash & elasticsearch default 
configurations keeping up.

(I topped out today sending ~7000 events per second, and saw an insane 
amount of swapping going on)

Not so much a specific question (I'll be working on heap & thread 
settings and am pretty confident I can get it to handle at least this 
moderate load) but I was wondering if anyone else is working in this area.

Also, in this configuration logstash is simply "parsing" the data it 
pulls from redis and sending it into elasticsearch.

Seems like something syslog-ng might be able to do directly.

Is anyone aware of any plans to implement an elasticsearch destination?

Feel free to contact me on or off list if you want to discuss this.


Member info:

Doug McClure | 2 Oct 23:43 2014

File Source limits in OSE and PE?

Are there limits to the number of unique files that can be monitored with an installation of OSE or PE?

For example, could I monitor 500 unique log files on a given server?


Member info:

wiskbroom | 30 Sep 20:34 2014

Syslog-NG.conf to Fork to Two Log Aggregators


I have syslog clients that I would like to configure to send log-data to a middle-man/intermediary syslog-NG server.  Once received on the intermediary, I want to immediately fork that data onto a different log-server, not syslog-NG; satisfying a requirement to feed two systems.

The reason for the fork is because the non-syslog-NG-server is running a proprietary logging system, and it must, at least for now, be capable of seeing *most* of my logs.  It, the non-syslog-NG-server, is incapable of retransmitting to my syslog-NG server, nor would I trust it to do so.

My questions to the list are,
1.   Has anyone successfully done something similar?
2.   Any recommendations/gotchas I should be aware of?
3.   Can I also configure syslog-NG to also resend Splunk data?  Or do I have to run a Splunk Univ Forwarder configured similarly to my intermediary syslog-NG server to achieve that?   (Yes, I know, OT question, sorry...)

Thank you in advance,


Member info: