What’s new in AxoSyslog versions 4.18–4.22: FilterX enhancements, improved ClickHouse and S3 outputs, OTLP keep-alive support, and smarter worker autoscaling for high-performance log pipelines.

What’s New in AxoSyslog Versions 4.18 – 4.22

AxoSyslog continues to evolve as a powerful, cloud-ready log and security data processor — retaining full binary compatibility with syslog-ng while introducing modern pipelines, smarter parsing, and tighter integrations with observability tooling. Similarly to our earlier overview blog of AxoSyslog releases 4.13-4.17, this post highlights the changes in versions 4.18, 4.19, 4.20, 4.21 and 4.22. These releases focused on smaller enhancements in the FilterX processing engine, some new destination options, and ways to optimize batch sizes to improve the performance in high-volume pipelines.

Below, we walk through the most important new features in each version.

Worker Partitioning Improvements (v4.20 and v4.21)

Worker partitioning (how the processing of messages is distributed between the available worker threads) plays a crucial part (pun intended) in handling high loads and optimizing throughput. If you want to optimize your configuration for high throughput, you can now fine-tune worker partitioning in threaded destinations like http() using the new worker-partition-autoscaling(yes) option. Worker autoscaling maximizes batch sizes automatically in destinations that support partitioning.

When using worker-partition-key() to categorize messages into different batches, the messages are hashed into workers by default. However, this prevents distribution across workers based on load. Setting worker-partition-autoscaling(yes) uses a 1-minute statistic to distribute high-traffic partitions among multiple workers, allowing each worker to maximize its batch size. When using worker-partition-autoscaling(yes), set the number of workers() higher than the expected number of partitions.

destination d_partitioned {
  http(
    url("https://endpoint")
    worker-partition-key("${HOST}")
    worker-partition-autoscaling(yes)
  );
};

Better Dynamic Headers & Parsing Enhancements (v4.18)

Version 4.18 focused on enriching filter and destination configuration with dynamic constructs and enhanced CSV parsing.

Macros & Templates in HTTP Headers

You can now use macros and templates in the headers() option for http() destinations — letting you dynamically construct HTTP headers based on message content. This is especially useful when integrating with APIs that require token or context-aware headers.

destination d_api {
  http(
    url("https://api.example.com/logs")
    headers(
      "Authorization: Bearer `api_token`"
    )
  );
};

CSV Parser Gets quote-pairs Support

The parse_csv FilterX parser now supports a quote-pairs option to control how pairs with quotes are handled. This improves accuracy when ingesting CSV-style log feeds where values contain quoted text.

FilterX Unary Operators (+, -)

FilterX now lets you use unary + and - operators in expressions, simplifying numeric and string manipulation. For example, with negative bounds in string slices:

filterx {
  str = "example";
  str[..-2] == "examp";
  str[-3..] == "ple";
  str[2..-2] == "amp";
};

This small addition makes logic cleaner and more expressive.

Dictionary Improvements (v4.19 and v4.22)

Version 4.19 delivers a handy new FilterX function to convert dictionaries to lists: the dict_to_pairs() FilterX function. This makes it easier to flatten structured data and loop over fields in downstream logic.

Also, the FilterX list membership operators now support searching the keys of dictionaries.

Richer Outputs & Observability Sources (v4.20)

Version 4.20 added major upgrades across destinations and observability source options:

ClickHouse Destination: Custom Output Format

The clickhouse() destination now supports a format() option, including the space-efficient JSONCompactEachRow format:

destination d_clickhouse {
  clickhouse(
    host("clickhouse.example.com")
    database("logs")
    table("events")
    format("JSONCompactEachRow")
  );
};

This is perfect for logs or semi-structured events where a compact payload helps throughput and storage.

OTLP Sources: Keep-Alive by Default

Both opentelemetry() and axosyslog-otlp() sources have keep-alive() support enabled by default — improving connection stability for observability data streams.

S3 Object Key Suffixes

You can now set a custom suffix for S3 object keys using object-key-suffix(), which comes after the timestamp/index added by the object creation strategies.

Standards & Transport Enhancements (v4.21)

RFC 5424 Syslog Formatting in FilterX

A new format_syslog_5424 function helps you generate syslog records compliant with RFC 5424 directly inside FilterX:

format_syslog_5424(
  message,
  add_octet_count=false,
  pri=<variable-or-expression>,
  timestamp=<variable-or-expression>,
  host=<variable-or-expression>,
  program=<variable-or-expression>,
  pid=<variable-or-expression>,
  msgid=<variable-or-expression>
)

Setting the message option is required. You can set the other options using any FilterX variable, function, or expression.
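To show what an RFC 5424 record built from these fields looks like on the wire, here is an added Python illustration (not AxoSyslog code and not from the original post). The helper names, the field sanitization, and the reading of add_octet_count as RFC 6587 octet counting are assumptions of this example.

```python
# Added illustration of the RFC 5424 line layout; not AxoSyslog source code.
from datetime import datetime, timezone

NIL = "-"  # RFC 5424 NILVALUE, used for any absent header field


def _field(value, limit):
    """Header fields are printable ASCII without spaces, with a length limit."""
    if value is None or value == "":
        return NIL
    # Replace spaces and control characters so a value cannot shift later fields.
    clean = "".join(c if 33 <= ord(c) <= 126 else "_" for c in str(value))
    return clean[:limit]


def format_5424(message, pri=13, timestamp=None, host=None, program=None,
                pid=None, msgid=None, add_octet_count=False):
    """Return one RFC 5424 record as bytes (hypothetical helper)."""
    if not 0 <= pri <= 191:  # PRI = facility * 8 + severity
        raise ValueError("pri out of range")
    ts = timestamp.isoformat() if timestamp else NIL  # expects an aware datetime
    header = " ".join([
        f"<{pri}>1",            # PRI and protocol version 1
        ts,
        _field(host, 255),      # HOSTNAME
        _field(program, 48),    # APP-NAME
        _field(pid, 128),       # PROCID
        _field(msgid, 32),      # MSGID
        NIL,                    # STRUCTURED-DATA left empty in this example
    ])
    record = f"{header} {message}".encode("utf-8")
    if add_octet_count:
        # Assumption: octet counting as in RFC 6587, "LEN SP RECORD".
        record = str(len(record)).encode() + b" " + record
    return record


# Constructed sample: facility 4 (auth) * 8 + severity 6 (info) = 38
SAMPLE_TS = datetime(2025, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
SAMPLE = format_5424("login failed", pri=38, timestamp=SAMPLE_TS, host="web1",
                     program="sshd", pid=4242, msgid="AUTH")

if __name__ == "__main__":
    print(SAMPLE.decode())
```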

NUL-Terminated Syslog Support

Syslog sources can now process streams using NUL (\0) instead of newline separators:

source s_syslog_nul {
  syslog(
    transport(nul-terminated)
    port(514)
  );
};

This ensures compatibility with collectors using custom NUL framing.
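The framing difference is easiest to see on a stream that arrives in arbitrary chunks. The following Python example is added here for illustration (it is not AxoSyslog code); the class name, the size cap, and the sample bytes are constructed for the example. It shows that a message with an embedded newline stays one record under NUL framing, while a newline-framed receiver would split it in two.

```python
# Added illustration of NUL-delimited framing; not AxoSyslog source code.
MAX_MSG = 64 * 1024  # assumed cap; bounds the buffer if a NUL never arrives


class NulFramer:
    """Incrementally split a received byte stream into NUL-terminated messages."""

    def __init__(self, max_msg=MAX_MSG):
        self.buf = b""          # bytes of the message still being received
        self.max_msg = max_msg

    def feed(self, chunk):
        """Add bytes from one read; return the messages completed by it."""
        *complete, self.buf = (self.buf + chunk).split(b"\0")
        if len(self.buf) > self.max_msg or any(
                len(m) > self.max_msg for m in complete):
            raise ValueError("message exceeds max_msg")
        return [m for m in complete if m]  # ignore empty frames (repeated NULs)


def frame_all(chunks, max_msg=MAX_MSG):
    """Run all chunks through one framer; return (messages, leftover bytes)."""
    framer = NulFramer(max_msg)
    out = []
    for chunk in chunks:
        out.extend(framer.feed(chunk))
    return out, framer.buf


def newline_records(messages):
    """What a newline-framed receiver would see for the same messages."""
    return b"\n".join(messages).split(b"\n")


# Constructed sample: two reads from a socket; the first message contains a
# newline and is cut mid-message, the third message is still incomplete.
SAMPLE_CHUNKS = [
    b"<13>1 2025-01-01T00:00:00Z web1 app - - - line one\nline ",
    b"two\0<13>1 2025-01-01T00:00:01Z web1 app - - - ok\0<13>1 2025",
]

if __name__ == "__main__":
    msgs, pending = frame_all(SAMPLE_CHUNKS)
    print(len(msgs), "messages via NUL framing;", len(pending), "bytes pending")
    print(len(newline_records(msgs)), "records if split on newline")
```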

Why These Releases Matter

Across versions 4.18–4.22, AxoSyslog delivered improvements to scale reliably in hybrid environments, bridge logs into modern observability pipelines, and give you finer control over data flows.

Try now!

AxoSyslog is readily accessible and available from a number of sources:

To upgrade an existing syslog-ng deployment, see How to upgrade syslog-ng to AxoSyslog.

Trademark attribution

syslog-ng™ is the trademark of One Identity LLC
