Czanik, Péter | 26 Jun 18:37 2015

3.7beta2 packages for openSUSE / SLES


My unofficial syslog-ng 3.7 beta2 packages for openSUSE / SLES are now available, at this time completely untested (I'm sitting at a conference right now... :-) ). They are available at the usual location:

Python support failed to build on SLES11 (most likely missing pkg-config information for python) and java failed in post build checks...

Have a nice weekend!


Peter Czanik (CzP) <peter.czanik <at>>
BalaBit IT Security / syslog-ng upstream
Member info:

Budai, László | 26 Jun 15:28 2015

syslog-ng 3.7.0beta2


This is the second beta release of the upcoming syslog-ng OSE 3.7

Changes compared to the previous alpha release:


  • Added a geoip parser.

  • ssl_options inside tls() extended with the following set:
    no-sslv2, no-sslv3, no-tlsv1, no-tlsv11, no-tlsv12

  • minimal libriemann-client version bumped from 1.0.0 to 1.6.0

  • TLS support added to Riemann destination

  • timeout() option added to Riemann destination


  • SyslogNg.jar removed from the release tarball.

  • When the configured host was not available during the initialization of
    afsocket destination syslog-ng just didn't start. From now, syslog-ng
    starts in that case and will retry connecting to the host periodically.

  • When a not writeable file becomes writeable later, syslog-ng recognize it
    (with the help of reopen-timer) and delivers messages to the file without
    dropping those which were received during the file was not available.

  • Fixed a configure error around libsystemd-journal.

  • --disable-python option and other Python related fixes addded to 

  • Retries fixed in SQL destination. In some circumstances when
    retry_sql_inserts was set to 1, after an insertion failure all incoming
    messages were dropped.

  • Added DOS/Windows line ending support in config.

  • Parallel build is supported for Python and Java destination drivers.

  • Fixed compilation failure on OpenBSD

  • Memory leak around reload and internal queueing mechanism has been fixed.

  • AMQP connection process fixed.

  • Fixed a potential abort when the localhost name cannot be detected.

  • Security issue fixed around $HOST.
    Tech details:
    When the name of the host is too long, the buffer we use to format the
    chained hostname is truncated. However snprintf() returns the length the
    result would be if no truncation happened, thus we will read uninitialized
    bytes off the stack when we use that pointer to set $HOST
    with log_msg_set_value().

    There can be some security implications, like reading values from the stack
    that can help to craft further exploits, especially in the presense of
    address space randomization. It can also cause a DoS if the hostname length
    is soo large that we would read over the top-of-the-stack, which is probably
    not mmapped causing a SIGSEGV.

  • Journal entries containing name-value pairs without '=' caused syslog-ng
    to crash. Instead of crashing, syslog-ng just drop these nv pairs.


syslog-ng is developed as a community project, and as such it relies
on volunteers, to do the work necessarily to produce syslog-ng.

Reporting bugs, testing changes, writing code or simply providing
feedback are all important contributions, so please if you are a user
of syslog-ng, contribute.

We would like to thank the following people for their contribution:

Alex Badics, Andras Mitzki, Balazs Scheidler, Bence Tamas Gedai,
Fabien Wernli, Gergely Nagy, Gergo Nagy, Gyorgy Pasztor, Istvan Adam Mozes,
Laszlo Budai, Peter Czanik, Robert Fekete, Tibor Benke, Viktor Juhasz,
Zoltan Pallagi.

View it on GitHub.

Member info:

westlake | 25 Jun 20:19 2015

syslog-ng with http

is it possible to send http-put traffic as a destination with syslog-ng?

Member info:

Tech Support | 25 Jun 15:11 2015

Migrating from syslog-ng v 3.2.5 to 3.6.4


    I am currently migrating a CentOS 6.6 server running syslog-ng 3.2.5 to a CentOS 7.1 system running syslog-ng 3.6.4. I’m trying to use the same configuration file, but I’m getting the following message:


/usr/sbin/syslog-ng -v -s -f /etc/syslog-ng/syslog-ng.conf

[2015-06-25T09:05:16.796854] Using /dev/log Unix socket with systemd is not possible. Changing to systemd-syslog source, which supports socket activation.;



I know one problem is that I’m just not up to speed yet with systemd, but I was hoping that someone could shed some light on this error. Any help at all would be greatly appreciated.


John V.


Tech Support

Tech Support

VoIP Business Solutions

240-215-3479 x325

support <at>


Member info:


CentOS7 syslog-ng 3.5.6: TLS: SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca

Dear all,

I've this source settings for TLS:

source s_tcp_tls {
   network(  transport("tls")
             ip( port(6514)

But when a client connects via TCP/TLS to the syslog-ng service..

In syslog-ng these messages are showing up:

syslog-ng starting up; version='3.5.6'
Syslog connection accepted; fd='12', client='AF_INET(', local='AF_INET('
SSL error while reading stream; tls_error='SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca'
I/O error occurred while reading; fd='12', error='Connection reset by peer (104)'
Syslog connection closed; fd='12', client='AF_INET(', local='AF_INET('
Closing log transport fd; fd='12'

I don't know why syslog-ng is proving the CA?
As far as I know the configuration is a non-mutual authentication - so the CA shouldn't play a role in this - is
this correct?

The client sends messages in RFC5424 format.

Any help is appriciated - I've no clue what's going wrong.

Best regards

Member info:

Sergey Y. Afonin | 24 Jun 09:38 2015

mark-freq() and mark-mode() understanding


I need an explanation of  mark-freq() and mark-mode() works.

=== a part of syslog-ng.conf ===
options {

destination mesg	{ file("/var/log/syslog/messages" mark-mode(periodical)); };

=== a part of /var/log/syslog/messages ===
Jun 24 08:26:35 -- MARK --
Jun 24 08:30:01 crond[10512]: (root) CMD (   /usr/bin/freshclam --quiet --daemon-notify)
Jun 24 08:31:30 -- MARK --
Jun 24 09:01:01 crond[10544]: (root) CMD (run-parts /etc/cron.hourly)
Jun 24 09:25:30 syslog-ng[9983]: Log statistics ...

"MARK" label absent between 08:31:30 and 09:01:01 for example.
Does it turns out that "idle" is checked for all file() globally ?
Can I setup it for one file() ?


Regards, Sergey.
Member info:

Czanik, Péter | 23 Jun 14:50 2015

3.6.4 in FreeBSD ports and for EPEL6


As promised:
- FreeBSD ports now has 3.6.4:
- my unofficial EPEL6 (RHEL/CentOS/etc.) repo is also updated:


Peter Czanik (CzP) <peter.czanik <at>>
BalaBit IT Security / syslog-ng upstream
Member info:

Cottington-Bray, Ian | 23 Jun 12:27 2015

Problems trying to compile syslog-ng 3.6.4 on Solaris 11.2 (SPARC)

Have compiled and installed eventlog-0.2.12  (into /usr/local/syslog-ng).


Now trying to compile syslog-ng I’m hitting the error shown at the end.


Following commands were used to configure the environment for the compile


export PKG_CONFIG_PATH=/usr/local/syslog-ng/lib/pkgconfig

./configure --prefix=/usr/local/syslog-ng --enable-sun-streams --enable-tcp-wrapper --enable-ipv6 --enable-sql --enable-ssh --with-ld-library-path=/usr/local/syslog-ng/lib --disable-amqp --enable-sun-door


Any suggestions ?





  CC     modules/afsocket/modules_afsocket_libafsocket_notls_la-transport-mapper-unix.lo

  CC     modules/afsocket/modules_afsocket_libafsocket_notls_la-transport-unix-socket.lo

modules/afsocket/transport-unix-socket.c: In function â_format_proc_file_nameâ:

modules/afsocket/transport-unix-socket.c:50:3: warning: format â%dâ expects argument of type âintâ, but argument 4 has type âpid_tâ [-Wformat=]

   g_snprintf(buf, buflen, "/proc/%d/%s", pid, proc_file);


modules/afsocket/transport-unix-socket.c: In function â_unix_socket_readâ:

modules/afsocket/transport-unix-socket.c:219:6: error: âstruct msghdrâ has no member named âmsg_controlâ

   msg.msg_control = ctlbuf;


modules/afsocket/transport-unix-socket.c:220:6: error: âstruct msghdrâ has no member named âmsg_controllenâ

   msg.msg_controllen = sizeof(ctlbuf);


modules/afsocket/transport-unix-socket.c: In function âlog_transport_unix_dgram_socket_newâ:

modules/afsocket/transport-unix-socket.c:261:3: warning: implicit declaration of function âsocket_set_pass_credentialsâ [-Wimplicit-function-declaration]



modules/afsocket/transport-unix-socket.c: At top level:

modules/afsocket/transport-unix-socket.c:36:1: warning: â_add_nv_pair_intâ defined but not used [-Wunused-function]

_add_nv_pair_int(LogTransportAuxData *aux, const gchar *name, gint value)


modules/afsocket/transport-unix-socket.c:102:1: warning: â_add_nv_pair_proc_read_unless_unsetâ defined but not used [-Wunused-function]

_add_nv_pair_proc_read_unless_unset(LogTransportAuxData *aux, const gchar *name, pid_t pid, const gchar *proc_file, const gchar *unset_value)


modules/afsocket/transport-unix-socket.c:115:1: warning: â_add_nv_pair_proc_read_argvâ defined but not used [-Wunused-function]

_add_nv_pair_proc_read_argv(LogTransportAuxData *aux, const gchar *name, pid_t pid, const gchar *proc_file)


modules/afsocket/transport-unix-socket.c:135:1: warning: â_add_nv_pair_proc_readlinkâ defined but not used [-Wunused-function]

_add_nv_pair_proc_readlink(LogTransportAuxData *aux, const gchar *name, pid_t pid, const gchar *proc_file)


gmake[2]: *** [modules/afsocket/modules_afsocket_libafsocket_notls_la-transport-unix-socket.lo] Error 1

gmake[1]: *** [all-recursive] Error 1

gmake: *** [all] Error 2

The contents of this e-mail are confidential and for the exclusive use of the intended recipient. If you are not the intended recipient you should not read, copy, retransmit or disclose its contents. If you have received this email in error please delete it from your system immediately and notify us either by email or telephone. The views expressed in this communication may not necessarily be the views held by McLaren Technology Group Limited.
McLaren Technology Group Limited | McLaren Technology Centre | Chertsey Road | Woking | Surrey | GU21 4YH | UK | Company Number: 01967715
Member info:

Budai, László | 22 Jun 15:08 2015

syslog-ng 3.6.4 Debian packages are available


I've just created an OBS repo[1] for syslog-ng 3.6.x series (current version: 3.6.4 [2] ).
This means that this is not an official Debian/Ubuntu APT repository but one hosted by OBS.

List of supported OSs (i386/amd64):
* Debian 7.0
* Debian 8.0
* Ubuntu 12.04
* Ubuntu 14.04
* Ubuntu 14.10
* Ubuntu 15.04


1. get release key

2. add repo to APT sources
eg.: /etc/apt/sources.list.d/syslog-ng-obs.list

Then `apt-get update` and `apt-get install syslog-ng-core=3.6.4-1`

You can replace Debian_8.0 to
 * Debian_7.0
 * xUbuntu_12.04, 
 * xUbuntu_14.04
 * xUbuntu_14.10
 * xUbuntu_15.04

(`x` before Ubuntu is not a typo ;-) )

Available packages:
 * syslog-ng-core
 * syslog-ng-dbg
 * syslog-ng-dev
 * syslog-ng-mod-amqp
 * syslog-ng-mod-geoip
 * syslog-ng-mod-graphite
 * syslog-ng-mod-json
 * syslog-ng-mod-mongodb
 * syslog-ng-mod-redis
 * syslog-ng-mod-riemann
 * syslog-ng-mod-smtp
 * syslog-ng-mod-sql
 * syslog-ng-mod-stomp


Laszlo Budai

Member info:

Czanik, Péter | 22 Jun 09:15 2015

CzP in Boston <at> Red Hat Summit


This week I'm in Boston at the Red Hat Summit:
If you are at the Summit or just in the Boston area and would like to
talk to a BalaBit engineer about syslog-ng, contact me by e-mail or
twitter ( <at> PCzanik)!


Peter Czanik (CzP) <peter.czanik <at>>
BalaBit IT Security / syslog-ng upstream
Member info:

Czanik, Péter | 22 Jun 09:10 2015

my unofficial 3.6.4 packages for opensuse/sles/fedora/rhel7


Most of my unofficial syslog-ng packages are now ready:



RHEL6 and FreeBSD ports will hopefully follow later this week. As I'm
off to the Red Hat Summit this week (
) my response time will be slower than usual.


Peter Czanik (CzP) <peter.czanik <at>>
BalaBit IT Security / syslog-ng upstream
Member info: