Latest release: syslog-ng Premium Edition 7, updated 2023/1/17
syslog-ng can replace the system's stock syslog daemon. Its configuration is straightforward, and it supports many different log destinations, including a MySQL database. Combined with the php-syslog-ng package, logs can be viewed and filtered from a web browser, which is convenient.
The syslog-ng solution integrates client, relay and server roles into one reliable, multi-platform logging infrastructure. It collects and classifies operating-system and application log messages and transfers them over a secure connection to high-performance log servers, where they can be stored in encrypted files or databases for further monitoring and processing. syslog-ng supports reliable transfer protocols, message buffering and client-side failover to minimise message loss, which is why it is used to meet compliance requirements such as PCI-DSS. Over the past decade syslog-ng has become the most widely deployed syslog replacement in the Unix/Linux world, and it can also collect logs from Microsoft Windows and IBM System i platforms. It represents a new generation of logging: the first truly flexible and scalable syslog tool.
syslog-ng is the product you have been looking for:
- guarantees the availability of log messages
- is compatible with a wide range of operating systems, including Unix, Windows versions and IBM System i
- provides encrypted log transfer and storage
- has proven its value in deployments around the world
- offers remarkable flexibility for tracking system events
The syslog-ng Premium Edition (PE) logging solution lets enterprises build a robust, trusted and centralised logging infrastructure in which log messages can be reviewed and audited, with support for more than 40 platforms. With syslog-ng PE, business and IT managers can meet system requirements easily while reducing operating costs.
It collects and classifies logs from IT devices, operating systems and applications and transfers them over a reliable connection to high-performance log servers. In other words, you can use syslog-ng PE as a standard log management tool: collect, organise, filter and store logs, tailored to different IT environments.
- centralised management of enterprise-wide logging requirements
- a complete, unified logging infrastructure
- tamper-proof records for compliance
- optimised TCO for existing SIEM appliances
- easier troubleshooting and forensics
- reduced operational risk and cost
Secure transfer and storage
Have confidence in the data underlying your analytics, forensics and compliance efforts.
Using local disk buffering, client-side failover and application-layer acknowledgement, syslog-ng is designed to transfer logs without message loss. Encrypted transfer, together with encrypted, signed and timestamped storage, makes any tampering with the logs detectable and preserves the digital chain of custody.
Reliable log transfer
syslog-ng Premium Edition can send and receive log messages reliably over TCP using the Advanced Log Transfer Protocol™ (ALTP™).
ALTP™ is an application-layer transport protocol that acknowledges messages between sender and receiver: a message is removed from the sender's queue only after the receiver has confirmed it, and messages that were in flight when the connection broke are resent rather than lost. Plain TCP gives no such guarantee, because data already handed to the socket but not yet processed by the receiver is lost silently when the connection drops.
Secure Transfer using TLS
Log messages often contain sensitive information that must not be readable by third parties. Therefore, syslog-ng Premium Edition uses the Transport Layer Security (TLS) protocol to encrypt the communication.
TLS also allows mutual authentication of client and server using X.509 certificates, so a server accepts logs only from clients it can identify, and a client sends only to the genuine server.
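The mutual-TLS setup described above, written out as an added configuration example; it is not from the original page or from the vendor's documentation. It shows two fragments, one for the central server and one for each client, in syslog-ng PE 7 syntax. The host name, the certificate and key paths, and the CA directory (which must hold hash-named CA certificates, as produced by `c_rehash`) are placeholders.

```conf
@version: 7.0

# ---- central log server: accept TLS only from clients that present a certificate
#      signed by a CA in ca-dir(); a missing or untrusted client certificate is rejected
source s_tls_in {
  syslog(
    ip("0.0.0.0") port(6514) transport("tls")
    tls(
      key-file("/etc/syslog-ng/cert.d/server.key")    # private key: mode 0600, owned by the syslog-ng user
      cert-file("/etc/syslog-ng/cert.d/server.crt")
      ca-dir("/etc/syslog-ng/ca.d")                   # trusted CA certificates, hash-named (c_rehash)
      peer-verify(required-trusted)                   # require AND verify the client certificate
    )
  );
};

destination d_by_host {
  file("/var/log/remote/${HOST}/messages" create-dirs(yes));
};

log { source(s_tls_in); destination(d_by_host); };

# ---- each client: authenticate with its own certificate and verify the server's
destination d_tls_out {
  syslog(
    "logserver.example.com" port(6514) transport("tls")   # placeholder host name
    tls(
      ca-dir("/etc/syslog-ng/ca.d")                   # CA that signed the server certificate
      key-file("/etc/syslog-ng/cert.d/client.key")
      cert-file("/etc/syslog-ng/cert.d/client.crt")
      peer-verify(required-trusted)                   # do not send if the server cannot be verified
    )
  );
};

source s_local { system(); internal(); };

log { source(s_local); destination(d_tls_out); };
```

The setting that matters for chain of custody is `peer-verify(required-trusted)` on both sides: the weaker values (`optional-untrusted`, `required-untrusted`) still encrypt the session but let an unauthenticated peer connect, so a rogue host could inject messages into the server or receive the client's logs.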
Secure, Encrypted Log Storage
syslog-ng Premium Edition can store log messages securely in encrypted, compressed, indexed and timestamped binary files, so sensitive data is available only to authorised personnel who hold the corresponding decryption key.
Timestamps can be requested from external timestamping authorities, so that the time at which a log file was sealed can be demonstrated to a third party rather than relying on the log server's own clock.
Scalable architecture
Scale up your log management
Depending on its configuration, one syslog-ng server can collect more than half a million log messages per second from thousands of log sources.
A single central server can collect log messages from more than 5,000 log source hosts. When deployed in a client-relay configuration, a single syslog-ng log server can collect logs from tens of thousands of log sources.
Extreme message rate collection
The syslog-ng application is optimized for performance, and can handle an enormous amount of messages.
Depending on its exact configuration, it can process over half a million messages per second in real-time, and over 24 GB of raw logs per hour on standard server hardware.
Collection from thousands of sources
With the syslog-ng client-relay architecture, IT organizations can collect log messages from more than 10,000 log sources across a geographically distributed environment on one central log server.
Easy monitoring
syslog-ng allows you to granularly select which statistics of syslog-ng you want to monitor. The statistics are available as structured name-value pairs, so you can format the output similarly to other log messages.
That way, you can easily convert the statistics and metrics and send the results into your enterprise monitoring solution (for example, IBM Tivoli Netcool, Riemann, Redis, or Graphite).
Flexible log routing
Reduce maintenance and deployment costs with universal collection
syslog-ng can be deployed as an agent on a wide variety of hosts and flexibly route logs to multiple analytic tools or databases, eliminating the need to deploy multiple agents on servers.
Tested binary files for the syslog-ng Premium Edition are available for more than 50 server platforms, reducing the time required for installation and maintenance.
Collect from a wide variety of sources, including Windows
syslog-ng Premium Edition can natively collect and process log messages from SQL databases, enabling users to easily manage log messages from a wide variety of enterprise software and custom applications.
The syslog-ng Agent for Windows is an event log collector and forwarder application for Microsoft Windows platforms.
Read log messages from any text file
Some applications use many different log files, and sometimes these files are not even located in the same folder. Automatically generated file and folder names are also often a problem.
To solve these issues, the filenames and paths specifying the log files read by syslog-ng can include wildcards, and syslog-ng can automatically scan entire subfolder trees for the specified files.
The syslog-ng Premium Edition application is also able to process multi-line log messages, for example, Apache Tomcat messages.
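A wildcard-file() source with multi-line handling, as an added example that is not from the page or from the vendor's documentation. It assumes syslog-ng PE 7 syntax, Tomcat's default catalina log timestamp format (`13-Jan-2023 10:23:45.123 ...`) and the directory /opt/tomcat/logs; the sample log lines in the comment are constructed.

```conf
@version: 7.0

# Constructed input, e.g. /opt/tomcat/logs/app/catalina.2023-01-13.log:
#   13-Jan-2023 10:23:45.123 SEVERE [http-nio-8080-exec-3] org.example.Api.handle Request failed
#   java.lang.NullPointerException: session
#           at org.example.Api.handle(Api.java:42)
# The three lines become one message, because only the first one matches multi-line-prefix().
source s_tomcat {
  wildcard-file(
    base-dir("/opt/tomcat/logs")
    filename-pattern("*.log")
    recursive(yes)              # also follow files in subdirectories, including ones created later
    follow-freq(1)              # poll the files for new data every second
    max-files(500)              # upper bound on the number of files followed at once
    program-override("tomcat")
    flags(no-parse)             # no syslog header in these lines: keep the whole line as ${MESSAGE}
    multi-line-mode("regexp")
    multi-line-prefix("^[0-9]{2}-[A-Za-z]{3}-[0-9]{4} [0-9]{2}:[0-9]{2}:[0-9]{2}")
  );
};

destination d_tomcat {
  file("/var/log/tomcat-merged.log"
       template("${ISODATE} ${HOST} ${FILE_NAME}: ${MESSAGE}\n"));
};

log { source(s_tomcat); destination(d_tomcat); };
```

The prefix regex is the only thing that decides where a record starts, so it should be anchored and specific to the application's timestamp; a loose prefix silently glues unrelated events together, and a too strict one produces one giant message per file.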
Forward to multiple destinations
Many large organizations need to send their logs to multiple log analysis tools. Different groups, including IT operations, IT security and corporate risk and governance, need access to the same log data but have different log analysis goals and tools.
The syslog-ng application can send logs directly to SQL databases, MongoDB and Hadoop Distributed File System (HDFS) nodes, or use the Simple Network Management Protocol (SNMP) and Simple Mail Transfer Protocol (SMTP) for other destinations.
Real time transformation
Optimize your tools with distributed processing
With powerful filtering, parsing, re-writing and classification options, syslog-ng can transform logs on remote hosts, reducing the amount and complexity of log data forwarded to analytic tools like SIEM or APM, reducing their total cost of ownership.
The flexible configuration language allows users to construct powerful, complex log processing systems on remote hosts with simple rules.
Filter, parse, re-write
syslog-ng can sort the incoming log messages based on their content and various parameters like the source host, application, and priority. Directories, files, and database tables can be created dynamically using macros.
Complex filtering using regular expressions and boolean operators offers almost unlimited flexibility to forward only the important log messages to the selected destinations.
Real time classification
By comparing log messages to known patterns, syslog-ng is able to identify the exact type of the messages, and sort them into message classes. The message classes can then be used to classify the type of the event described in the log message.
The message classes can be customized, and for example can label the messages as user login, application crash, file transfer, etc. events.
Enrich
syslog-ng can use an external database file to append custom name-value pairs to incoming logs, thus extending, enriching, and complementing the data found in the log message.
You can also correlate and aggregate information from log messages using a few simple filters, similar in spirit to an SQL GROUP BY clause.
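The filtering, tagging, enrichment, macro-based routing and fan-out to several destinations described in the sections above, combined into one added example; it is not from the page or from the vendor. It assumes syslog-ng PE 7 syntax, a constructed /etc/syslog-ng/hosts.csv, and placeholder host names and database credentials.

```conf
@version: 7.0

source s_remote { syslog(ip("0.0.0.0") port(601) transport("tcp")); };

# Enrich: look up name-value pairs by ${HOST} in a CSV file with "selector,name,value" rows.
# Constructed /etc/syslog-ng/hosts.csv:
#   web01,asset.zone,dmz
#   web01,asset.owner,platform-team
#   db01,asset.zone,internal
#   db01,asset.owner,data-team
#   unknown,asset.zone,unclassified
parser p_asset {
  add-contextual-data(
    selector("${HOST}")
    database("/etc/syslog-ng/hosts.csv")
    default-selector("unknown")      # rows applied when the host is not listed
  );
};

# Classify: attach tags from program and message content (PCRE regular expressions).
rewrite r_classify {
  set-tag("auth_failure" condition(program("sshd") and message("Failed password|Invalid user" type(pcre))));
  set-tag("user_login"   condition(program("sshd") and message("^Accepted (publickey|password)" type(pcre))));
};

# Filters: facility/program tests, tags, template comparisons and boolean operators.
filter f_noise    { not message("^pam_unix\\(cron:session\\)" type(pcre)); };
filter f_security { facility(auth, authpriv) or tags("auth_failure", "user_login"); };
filter f_dmz_fail { "${asset.zone}" eq "dmz" and tags("auth_failure"); };

# Route 1: everything, into a directory tree built from macros and created on demand.
destination d_by_host {
  file("/var/log/remote/${asset.zone}/${HOST}/${YEAR}-${MONTH}-${DAY}/${PROGRAM}.log"
       create-dirs(yes)
       template("${ISODATE} ${HOST} ${PROGRAM}[${PID}]: ${MESSAGE}\n"));
};
# Route 2: security events to the SIEM as JSON, including the asset.* pairs and the tags.
destination d_siem {
  network("siem.example.com" port(514) transport("tcp")
          template("$(format-json --scope rfc5424,nv-pairs,selected-macros)\n"));
};
# Route 3: failures on DMZ hosts into a table named per day (created on first insert).
# The credentials are placeholders; keep this file out of world-readable permissions.
destination d_sql {
  sql(type(pgsql) host("db.example.com") username("syslog") password("CHANGE-ME") database("logs")
      table("auth_failures_${YEAR}${MONTH}${DAY}")
      columns("ts varchar(32)", "host varchar(64)", "zone varchar(16)", "message varchar(1024)")
      values("${ISODATE}", "${HOST}", "${asset.zone}", "${MESSAGE}")
      indexes("ts", "host"));
};

log {
  source(s_remote);
  parser(p_asset);
  rewrite(r_classify);
  filter(f_noise);
  destination(d_by_host);
  log { filter(f_security); destination(d_siem); };   # embedded log: message also continues to the next branch
  log { filter(f_dmz_fail); destination(d_sql); };
};
```

Order inside the log path is significant: the enrichment parser runs before the tagging rewrite and the filters, so `${asset.zone}` and the tags are both available to route on. Because `${HOST}` comes from the message unless the source sets `keep-hostname(no)`, a client can influence the directory it is written into; the `create-dirs(yes)` path should therefore live under a directory dedicated to remote logs.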
Additional Features
Disk-based buffering
syslog-ng stores messages on the local hard disk if the central log server or the network connection becomes unavailable. The syslog-ng application automatically sends the stored messages to the server when the connection is re-established, in the same order the messages were received. The disk buffer is persistent - no messages are lost even if syslog-ng is restarted.
Flow control
Flow control uses a control window to determine whether there is free space in the output buffer of syslog-ng for new messages. If the output buffer is full and the destination cannot accept new messages for some reason, for example because it is overloaded or the network connection has become unavailable, syslog-ng stops reading messages from the source until some messages have been successfully sent to the destination.
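A relay destination that combines a reliable disk buffer with flow control, as an added example that is not from the page or from the vendor's documentation. It assumes syslog-ng PE 7 syntax; the host name and the buffer sizes are placeholders chosen for illustration.

```conf
@version: 7.0

# A relay: receives from many clients, forwards to the central server.
source s_clients {
  syslog(ip("0.0.0.0") port(601) transport("tcp")
         max-connections(100)     # the flow-control window below is shared between connections
         log-iw-size(10000)       # messages this source may have in flight before it stops reading
         log-fetch-limit(100));   # messages read from a connection per poll
};

destination d_central {
  syslog("logserver.example.com" port(601) transport("tcp")
    log-fifo-size(20000)          # in-memory output queue, in messages
    disk-buffer(
      reliable(yes)               # every message hits disk before it is considered queued,
                                  # so a crash or restart of syslog-ng loses nothing (costs I/O)
      disk-buf-size(2147483648)   # 2 GiB on disk: size it for the longest outage you expect
      mem-buf-size(167772160)     # 160 MiB of that queue kept in RAM for throughput
    )
  );
};

log {
  source(s_clients);
  destination(d_central);
  # When the output queue and the disk buffer are both full, stop reading from
  # s_clients instead of dropping. Clients then see TCP backpressure and fall
  # back on their own disk buffers.
  flags(flow-control);
};
```

Without `flags(flow-control)` a full queue means dropped messages; with it, a slow central server stalls the relay's sources instead, which is the right failure mode for an audit trail but means the clients need buffers of their own. `reliable(no)` keeps messages in memory and spills to disk only when that fills, which is faster but loses the in-memory part on a crash.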
Python log parser
The Python log parser allows you to write your own parsers in Python. Practically, that way you can process the log message (or parts of the log message) any way you need. You can also write your own template functions in Python.
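A Python parser embedded in the configuration, as an added example that is not from the page or from the vendor. It assumes the Python parser interface of syslog-ng PE 7 (a class with `init(self, options)` and `parse(self, log_message)`, where returning False drops the message), a constructed key=value application log format, and the file paths shown.

```conf
@version: 7.0

# Python code is embedded in the configuration; the class is instantiated once per
# parser instance. parse() returns False to drop the message from this log path.
python {
import re

class AuthzParser(object):
    # Constructed application format this parser expects (not a real product's format):
    #   authz user=alice action=read object="/secret/plan" allowed=false
    _kv = re.compile(r'(\w+)=("[^"]*"|\S+)')

    def init(self, options):
        # options() from the parser declaration arrive as a dict of strings
        self.prefix = options.get("prefix", "authz.")
        return True

    def parse(self, log_message):
        msg = log_message["MESSAGE"]
        if isinstance(msg, bytes):              # older bindings hand out bytes
            msg = msg.decode("utf-8", "replace")
        if not msg.startswith("authz "):
            return False                        # not an authz record: drop it here
        for key, value in self._kv.findall(msg[6:]):
            log_message[self.prefix + key] = value.strip('"')
        return True
};

parser p_authz { python(class("AuthzParser") options("prefix" "authz.")); };

source s_app { file("/var/log/app/authz.log" flags(no-parse) program-override("app")); };

# The extracted name-value pairs behave like any other: filter on them, emit them as JSON.
filter f_denied { "${authz.allowed}" eq "false"; };

destination d_denied {
  file("/var/log/authz-denied.json"
       template("$(format-json --scope rfc5424 --key authz.*)\n"));
};

log { source(s_app); parser(p_authz); filter(f_denied); destination(d_denied); };
```

The parser keeps the value's quotes out of the name-value pair but otherwise stores what the application wrote, so downstream consumers should still treat `authz.*` as untrusted input: an application that lets users choose their own `object` name can write anything into that field.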
Normalize with PatternDB
syslog-ng can compare the contents of the log messages to a database of predefined message patterns.
Read and parse SNMP traps
syslog-ng PE can read SNMP traps from the log file written by an SNMP trap daemon (for example snmptrapd) and extract their content into name-value pairs, making it easy to forward them as structured log messages (for example, in JSON format).
Extract important information
In addition to classifying messages, you can add tags that can be used later to filter messages, for example to collect messages tagged user_login into a separate file, or to apply conditional post-processing to the tagged messages.
Real time event correlation
syslog-ng also makes real-time event correlation possible. This is useful in many situations: the important data for a single event is often scattered across multiple syslog messages, and login and logout events are often logged far apart, even in different log files, which makes analysis difficult. Using correlation, these can be collected into a single new message.
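The login/logout pairing described above, as an added example built on the grouping-by() parser; it is not from the page or from the vendor. It assumes syslog-ng PE 7 syntax and a constructed application that writes one JSON object per event to /var/log/app/auth.json.

```conf
@version: 7.0

# Constructed input: one JSON object per line, e.g.
#   {"event":"login","user":"alice","session":"s-42","src":"10.0.0.7"}
#   {"event":"logout","user":"alice","session":"s-42"}
source s_app { file("/var/log/app/auth.json" flags(no-parse) program-override("app")); };

parser p_json { json-parser(prefix(".app.")); };

# Record when each end of the session was seen, under distinct names, so the
# aggregated message can inherit both values from the context.
rewrite r_stamp {
  set("${ISODATE}" value(".app.login_at")  condition(match("^login$"  value(".app.event"))));
  set("${ISODATE}" value(".app.logout_at") condition(match("^logout$" value(".app.event"))));
};

# Group every message with the same session id; when the logout arrives (the trigger),
# emit one summary message that carries the name-value pairs of the whole context.
parser p_session {
  grouping-by(
    key("${.app.session}")
    scope("global")
    timeout(28800)                      # close a context with no logout after 8 h (summary still emitted)
    trigger(match("^logout$" value(".app.event")))
    aggregate(
      inherit-mode("context")           # fields from every message in the context, last value wins
      value("MESSAGE" "session ${.app.session} user=${.app.user} src=${.app.src} login=${.app.login_at} logout=${.app.logout_at} events=$(context-length)")
      tags("session_summary")
    )
    inject-mode("pass-through")         # the summary continues down this same log path
  );
};

filter f_summary { tags("session_summary"); };

destination d_sessions {
  file("/var/log/sessions.log" template("${ISODATE} ${MESSAGE}\n"));
};

log {
  source(s_app);
  parser(p_json);
  rewrite(r_stamp);
  parser(p_session);
  filter(f_summary);        # the original login/logout lines carry no tag and stop here
  destination(d_sessions);
};
```

Two things to keep in mind when using this for detection: the key must be something the attacker cannot choose freely (a session id issued by the application is better than a user-supplied field), and `timeout()` bounds both the memory held per open context and the delay before a session with no logout is reported.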
Windows Event Collector
The Windows Event Collector (WEC) is a stand-alone log collector and forwarder tool for the Microsoft Windows platform. It collects log messages from Windows hosts and forwards them, using source-initiated push subscriptions over the WinRM protocol, to a syslog-ng Premium Edition server (7.0 or later). Because it is a remote solution and does not require installing anything on the monitored hosts themselves, WEC is an ideal log solution for IT environments that want to minimise the use of agent software.
| Feature | syslogd | syslog-ng Open Source Edition | syslog-ng Premium Edition | syslog-ng Store Box |
|---|---|---|---|---|
| Reliable message transfer using TCP | - | ✔ | ✔ | ✔ |
| Content-based message filtering | - | ✔ | ✔ | ✔ |
| Use macros to dynamically create target files, directories, and database tables | - | ✔ | ✔ | ✔ |
| IPv6 support | OS dependent | ✔ | ✔ | - |
| Direct output to database | - | ✔ | ✔ | ✔ |
| Encrypted message transfer (TLS support) | - | ✔ | ✔ | ✔ |
| Support for the latest IETF syslog protocol standard | - | ✔ | ✔ | ✔ |
| Message parsing and rewriting | - | ✔ | ✔ | ✔ |
| Encrypted, signed, timestamped log storage | - | - | ✔ | ✔ |
| Disk-based buffering | - | - | ✔ | ✔ |
| Handle and process multi-line messages | - | - | ✔ | - |
| Client-side failover | - | - | ✔ | - |
| Tag messages | - | ✔ | ✔ | ✔ |
| Identify and classify log messages using pattern matching | - | ✔ | ✔ | ✔ |
| Extract data as name-value pairs from identified messages | - | ✔ | ✔ | ✔ |
| Add custom metadata to identified messages | - | ✔ | ✔ | ✔ |
| Integrated, real-time message correlation | - | ✔ | ✔ | - |
| Ability to trigger actions for identified messages | - | ✔ | ✔ | - |
| Collect process accounting logs on Linux | - | ✔ | - | - |
| Message-rate control | - | ✔ | ✔ | ✔ |
| Collect detailed statistics about the processed messages based on host, destination, message class, and so on | - | ✔ | ✔ | ✔ |
| Windows server | - | - | ✔ | - |
| Windows client / relay | - | - | ✔ | ✔ |
| Hardware appliance | - | - | - | ✔ |
| Web-based management interface | - | - | - | ✔ |
| High-availability support | - | - | - | ✔ |
| Integrated log browsing and searching interface | - | - | - | ✔ |
| Customizable reporting capabilities | - | - | - | ✔ |
| Multi-thread processing | - | ✔ | ✔ | ✔ |
| Sending SNMP traps | - | - | ✔ | ✔ |
| SQL source | - | - | ✔ | ✔ |
| RLTP (Reliable Log Transfer Protocol, renamed ALTP in PE 7) | - | - | ✔ | - |
| Reliable disk buffer | - | - | ✔ | - |
| Message rate alerts | - | - | - | ✔ |
| MongoDB output | - | ✔ | - | - |
| JSON output and parser | - | ✔ | - | - |
| AMQP output | - | ✔ | - | - |
What does syslog-ng PE offer over syslogd?
The syslogd application is the standard system logging application used by network devices like switches and routers, as well as by servers running Unix-based operating systems including Linux, HP-UX, BSD, Solaris, and AIX, but not Microsoft Windows. The implementations of syslogd on the different operating systems are partly system-specific, whereas syslog-ng is more portable, using the same codebase on every platform. Regarding reliability, syslogd does nothing to ensure that sent messages actually arrive at the server. It uses the unreliable UDP protocol, meaning that messages can get lost on the network without the sender or the server ever noticing. Additionally, syslogd simply drops messages when the server is unavailable or overloaded. It cannot encrypt the messages, and the server can write the logs only into text files. The syslog-ng application offers improved reliability and powerful message processing capabilities, as well as several other features and optional vendor support.
What does syslog-ng PE offer over syslog-ng OSE?
The syslog-ng Open Source Edition (syslog-ng OSE) application is the most popular and widespread alternative system logging application in the world, having replaced syslogd on tens of thousands of systems. It has several features surpassing syslogd, including reliable message transfer using TCP, secure message transfer using TLS, the ability to send log messages directly to an SQL database like MySQL or PostgreSQL, and message flow control to ride out minor server outages. But only syslog-ng PE has the more advanced features of buffering messages on the hard disk, storing messages in encrypted log files, collecting multi-line messages from arbitrary files, and support for the Microsoft Windows and IBM System i operating systems.
The following table summarizes the main differences between the syslogd, syslog-ng Open Source Edition (OSE), and syslog-ng Premium Edition (PE). For a more in-depth technical comparison, see the detailed feature comparison between syslogd, syslog-ng OSE, and syslog-ng PE.
If you want to see the cost benefits of syslog-ng PE usage over syslog-ng OSE, please try our ROI calculator.
What does syslog-ng Store Box offer over other versions?
The syslog-ng Store Box (SSB) is a central logserver appliance. It is built around syslog-ng PE, and offers a complete turn-key solution for managing your logs, including log collection, encrypted storage, automatic archiving and backups. SSB is managed from a web interface offering powerful log searching, browsing, and reporting capabilities, as well as high-availability support. For details, see the syslog-ng Store Box product page.
What does syslog-ng offer over rsyslog?
Another popular syslog implementation is rsyslog. While it is often used as an easy upgrade path from traditional syslogd, there are many reasons to change to syslog-ng instead. The syslog-ng application has a well structured configuration format, support for a wider diversity of platforms, real-time message classification and correlation and all of these features are very well documented. For a more in-depth comparison, see the detailed comparison between rsyslog and syslog-ng.
Log management appliance
syslog-ng Store Box™ (SSB) is a high performance, high reliability log management appliance that builds on the strengths of syslog-ng Premium Edition.
With SSB, you can collect and index log data, perform complex searches, secure sensitive information with granular access policies, generate reports to demonstrate compliance, and forward log data to 3rd party analysis tools.
Key Features
- High Performance
- Web-based UI
- Ultra fast search
- Content-based alerts
- Granular access control
- AWS and Azure support