Discover what’s new in AxoSyslog 4.13–4.17, from advanced log formatting and smarter parsing to cloud integration and performance tuning. Build faster, more reliable log pipelines with the latest features.

What's New in AxoSyslog Versions 4.13–4.17

In today’s data-driven world, logs matter. The summer releases of AxoSyslog (4.13–4.17) focus on helping organizations get more value from their data: from smarter parsers and richer output formats in FilterX to performance-tuning features and seamless cloud integrations. Whether you need to standardize logs into CEF or Protobuf, fine-tune parallel processing, or improve Google Cloud authentication, these updates make AxoSyslog (our syslog-ng™ fork) more flexible, efficient, and integration-ready than ever.

Flexible Data Formatting & Protobuf Handling (v4.13)

  • Protobuf formatting with client or server-side schema validation
    You can format arbitrary data as Protobuf according to a specified schema (proto file) with the protobuf_message FilterX function. You can then send such pre-formatted data using the proto-var() option of the ClickHouse and Google BigQuery destinations. (v4.13)
    For the clickhouse() destination, you can also use the json-var() option to send the message to the ClickHouse server in Protobuf/JSON mixed mode. In this mode, type validation is performed by the ClickHouse server itself, so no Protobuf schema is required for communication. (v4.17)
  • Enhanced formatting options: XML, CEF, LEEF, Windows Event XML
    Version 4.13 introduces powerful FilterX functions for transforming dictionaries into commonly used log formats:

Parsing Improvements

  • Unified parsing behavior for CEF and LEEF extensions (v4.13)
    The parse_cef() and parse_leef() functions now flatten extension fields to the same level as regular fields by default (separate_extensions=false), simplifying downstream processing.

    Note that v4.16 introduced breaking changes in the names of the parsed fields to prevent naming conflicts:
    • In CEF: version → cef_version, name → event_name
    • In LEEF: version → leef_version, vendor → vendor_name, and delimiter → leef_delimiter.
  • Accurate parsing for Cisco NX-OS 9.3 logs via enhanced cisco-parser() (v4.14)
    The updated parser now correctly handles the syslog format of Cisco Nexus NX-OS 9.3 devices.
  • Enhanced parse_kv() with stray_words_key option
    In addition to storing stray words under a separate key, now you can capture stray words and wrap them into the preceding key for better error handling and clarity.
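
Why the v4.16 renames matter once extensions are flattened: the following Python model is an added example, not AxoSyslog code. It parses one constructed CEF line and reports which keys collide under the old and new header names. The five header key names other than version and name, and the choice that an extension value overwrites a header value on collision, are assumptions of the model.

```python
import re

# Only "version"/"name" and their new names come from the release notes;
# the other five header key names are assumptions.
HEADER_OLD = ["version", "device_vendor", "device_product", "device_version",
              "device_event_class_id", "name", "agent_severity"]
RENAMED = {"version": "cef_version", "name": "event_name"}
HEADER_NEW = [RENAMED.get(k, k) for k in HEADER_OLD]

# key=value pairs; a value runs until the next " key=" or end of line.
_EXT = re.compile(r"(\w+)=((?:\\.|[^\\=])*?)(?=\s+\w+=|\s*$)")

# Constructed sample: the sender controls the extension part of the message.
SAMPLE = ("CEF:0|Acme|Gateway|1.0|100|Login failed|5|"
          "src=10.0.0.1 name=spoofed version=9 msg=bad password for bob")


def _split_header(text, count):
    """Split off `count` pipe-terminated fields, honouring backslash escapes."""
    fields, cur, i = [], [], 0
    while i < len(text) and len(fields) < count:
        if text[i] == "\\" and i + 1 < len(text):
            cur.append(text[i + 1])
            i += 2
            continue
        if text[i] == "|":
            fields.append("".join(cur))
            cur = []
        else:
            cur.append(text[i])
        i += 1
    if len(fields) < count:
        raise ValueError("truncated CEF header")
    return fields, text[i:]


def model_parse_cef(line, header_keys, separate_extensions=False):
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF message")
    header, rest = _split_header(line[4:], len(header_keys))
    event = dict(zip(header_keys, header))
    ext = {m.group(1): re.sub(r"\\(.)", r"\1", m.group(2))
           for m in _EXT.finditer(rest)}
    if separate_extensions:
        event["extensions"] = ext
        return event, []
    collisions = sorted(set(event) & set(ext))
    event.update(ext)  # model choice: extension overwrites header on collision
    return event, collisions
```

With the old header names, the flattened result has two colliding keys and the header's event name is no longer recoverable; with the renamed header keys both values survive side by side.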

Smarter Destination Handling & Observability (v4.14)

  • Track orphaned counters via syslog-ng-ctl stats
    Running stats now surfaces orphan counters automatically, reducing risk of hidden metric loss when dealing with short-lived connections.
  • Streamlined performance during load testing with client-port in loggen
    The new client-port option in loggen gives you better control over simulated client behavior when testing log ingestion.

String Cleanup & Accessibility Enhancements

  • Exclude files via exclude-pattern() in wildcard-file() sources (v4.15)
    Simplify log selection by filtering unwanted files using patterns.
  • Dynamic message prefixing with templates in body-prefix() (v4.15)
    HTTP-based destinations can now prepend custom templated content to the message body, increasing context flexibility.
  • Streamlined ADC authentication via service-account-key() and scope() (v4.15)
    Google Cloud integration gets a boost with improved service account handling for both ADC and GCP options.
  • FilterX gained string slicing, conditional dict assignment, and str_replace (v4.15)
    New capabilities include:
    • str_replace() for literal string substitution.
    • A string slicing operator (..) and a null-safe dict element creation operator (:??) (v4.15). In v4.17, we’ve also added negative indexing support to FilterX string slicing. Manipulating strings from the end with familiar negative indexes is great for tail-based parsing logic.
  • Whitespace trimming functions—str_strip, str_lstrip, str_rstrip (v4.16)
    Clean messages more efficiently by trimming strings within FilterX.
  • Default batch-timeout() updated for key destinations (v4.16)
    Destinations like Google Pub/Sub, Falcon LogScale, OpenObserve, and Splunk now default to a timeout of 0 for more responsive batching.

Advanced Parsing, Routing & ClickHouse Enhancements (v4.17)

  • Path-aware dictionary updates via dpath()
    Easily assign values deep in a nested dictionary structure, auto-creating intermediate nodes if they don’t yet exist.
  • Tunable parallel processing with batch-size() in parallelize()
    Refine performance by controlling how many message chunks each parallel worker handles.
  • ClickHouse destination now supports mixed Protobuf/JSON ingestion via json-var()
    Leverage JSONEachRow format to let ClickHouse validate types—no schema file required on the AxoSyslog side.

Why These Updates Matter

AxoSyslog’s recent releases markedly elevate its versatility and reliability:

  • Transformation Flexibility — From structured XML to industry-standard formats like CEF and LEEF, plus Protobuf, it’s easier than ever to tailor outputs.
  • Cleaner, smarter parsing — Improvements like stray_words_key and string slicing make your data easier to understand and debug.
  • Observability & performance gains — Metrics exposure, parallel processing tuning, and ClickHouse destination enhancements improve both visibility and throughput.
  • Improved integration readiness — ADC enhancements and templated features smooth the path for cloud-native deployments.

Try now!

AxoSyslog is readily accessible and available from a number of sources:

Trademark attribution

syslog-ng™ is the trademark of One Identity LLC
