What's new

New to AxoSyslog? AxoSyslog is a binary compatible syslog-ng replacement, from the original creator, developed by the same team.

Same architecture, same config files, same paths. Cloud-native images, fast releases, modern observability (OTel, K8s, Windows), and powerful data processing: read more about the differences between AxoSyslog and syslog-ng.

Also, it’s super easy to install, and you can upgrade from syslog-ng in minutes.

Version 4.18 (2025-09-30)

You can now use macros and templates in the headers() option of the http() destination to set the headers dynamically.
The parse_csv FilterX parser now supports the quote-pairs option.
+ and - unary operators for FilterX.

Version 4.17 (2025-09-04)

The parse_kv FilterX function has an option (stray_words_key) to append stray words to the preceding key.
You can now use negative indexes when slicing FilterX strings.
The dpath FilterX function assigns a value to a dictionary and creates any elements of the path that don’t exist.
When using parallelize() during Nonsequential message processing, you set the batch-size() option to specify how many consecutive messages should be processed by a single parallelize() worker.
For the clickhouse() destination, you can now use the json-var() option to send the message to the ClickHouse server in Protobuf/JSON mixed mode (JSONEachRow format). In this mode, type validation is performed by the ClickHouse server itself, so no Protobuf schema is required for communication.

Version 4.16 (2025-08-15)

New ${PROTO_NAME macro.
New FilterX functions str_strip, str_lstrip, str_rstrip to remove the leading and/or trailing whitespaces from a string.
The batch-timeout() option of the following destinations now defaults to 0: google-pubsub(), ’logscale()’, openobserve(), splunk().

Breaking change

The name of some fields changed in the parse_cef and parse_leef parsers to avoid name collisions with fields in the extensions:

For CEF:

version -> cef_version
name -> event_name

For LEEF:

version -> leef_version
vendor -> vendor_name
delimiter -> leef_delimiter

Version 4.15 (2025-08-01)

You can exclude files in the wildcard-file() source using the exclude-pattern() option.
You can use templates in the body-prefix() option of the http() destination, and in destinations based on http().
ADC authentication now can use service-account-key().
gcp(service-account()) authentication can now use scope() instead of audience().
New FilterX features:
- str_replace function for string replacement.
- String slicing operator (..).
- Create dict element if non-null (:??) operator.

Version 4.14 (2025-07-18)

New client-port option for loggen.
Starting with version 4.14, running syslog-ng-ctl stats automatically shows orphan counters to avoid losing information. Information loss could happen, for example, when sending messages using short-lived (few seconds long) connections, while scraping metrics in minute intervals.
The cisco-parser() now handles the Cisco Nexus NXOS 9.3 syslog format.

Version 4.13 (2025-07-08)

You can format arbitrary data as protobuf using the specified schema (proto file) using the protobuf_message FilterX function. Also, you can send such pre-formatted data using the proto-var() option of the ClickHouse and Google BigQuery destinations.
You can now format dictionaries as XML and Windows Event Log XML using the format_xml and format_windows_eventlog_xml FilterX functions.
You can now format dictionaries as CEF and LEEF messages using the format_cef and format_leef FilterX functions.
Changes in CEF and LEEF:

separate_extensions

Available in AxoSyslog 4.13 and later.

Starting with version 4.13, AxoSyslog parses fields from extensions to the same level as regular fields. In earlier versions, extensions were grouped under the extensions key. To keep using the extensions key, set separate_extensions=true.

Default value: false

Version 4.12 (2025-06-18)

Starting from this version, AxoSyslog is licensed under GPL-3.0-or-later. For details, see Product licensing and the AxoSyslog License Update: Moving to GPL3 blog post.
New FilterX features:
- Arithmetic operators: + (addition), - (substraction), * (multiplication), / (division), and % (modulo)
- List membership operator (in): checks if a value is present in a list.
- strcasecmp function for case insensitive string comparison.
- To help troubleshooting FilterX blocks, AxoSyslog now includes specific functions that allow you to track failures in FilterX code.
Way to propagate the type information of the data fields in the clickhouse() destination using the ClickHouse format schema. For details, see server-side-schema().
You can enable flow-control for every log path using the log-flow-control() global option.
loggen has a new --perf option to disable rate limiting.
Internal STATS messages are now disabled by default.

Version 4.11 (2025-04-09)

Documentation for the Webhook.
New macros: PEERIP and PEERPORT
New gRPC option response-action() for the bigquery(), clickhouse(), google-pubsub-grpc(), loki(), and the opentelemetry() destinations.
New FilterX functions: set_pri, set_timestamp.
Updates the Azure Monitor destination.

Version 4.10 (2025-02-13)

New Google Pub/Sub gRPC destination to send logs and data to Google Pub/Sub via gRPC.
New destination to send logs and data to Azure Monitor and Microsoft Sentinel. For details, see Send data to Azure Monitor and Sentinel.
New $SOURCEPORT macro which expands to the source port of the peer.
The syslog() source driver can now auto-detect RFC6587-style octet-count based framing.
Lots of FilterX updates, including a new =?? operator and several functions:
- keys
- load_vars
- metrics_labels
- set_fields
- strftime
Switch-case expressions in FilterX to better organize the code instead of using multiple if, elif, else blocks. Using switch-case expressions also improves performance.

Version 4.9 (2024-11-11)

ClickHouse database destination.
Log tapping with the syslog-ng-ctl attach command.
FilterX data parsing and processing engine.
Updated lists of available options for the gRPC-based destinations (bigquery(), loki(), opentelemetry(), syslog-ng-otlp()). You can now also set dynamic header values for these destinations.
Added the idle-timeout() option to file() source options, stdin() source options, systemd-syslog() source options, wildcard-file() source options, pipe() source options, program() source options, unix-stream() and unix-dgram() source options.

These sources have a new exit-on-eof flag that makes AxoSyslog stop when EOF is received.
Added the MSGFORMAT macro.
Added .tls.x509_fp to .tls.x509.

Version 4.8 (2024-07-12)

APT repository for Debian and Ubuntu based systems.
You can send messages and metrics to Elasticsearch data streams to store your log and metrics data as time series data using the elasticsearch-datastream() destination driver.
You can use the server-side-encryption() and kms-key() options to configure encryption for Amazon S3 destinations.
You can now set static gRPC headers in the bigquery(), loki(), and the opentelemetry() destinations.
The opentelemetry() parser has a new set-hostname() option.

Version 4.7 (2024-04-18)

Arr logs source
Jellyfin logs source
channel-args() option for gRPC-based drivers, like opentelemetry()
concurrent-requests() option for the opentelemetry() source and the syslog-ng-otlp() source
tenant-id() option for the Loki destination
tags-head template function
MQTT_TOPIC macro
TRANSPORT macro updates

For details, see the release announcement blog post.

Version 4.6 (2024-02-01)

Google BigQuery destination
Windows XML Event Log (EVTX) parser
tag template function
batch-bytes(), compression() and workers() options for the syslog-ng-otlp() and opentelemetry() destinations

For details, see the release announcement blog post.

New sources

2023-10-20 to version 4.5 release (2024-01-05)

Google Pub/Sub destination
OpenObserve destination
New http() destination options Templates in the url() and worker-partition-key()

Parsers

New PostgreSQL csvlog parser
Columnless mode in csv-parser

TLS options

ssl-version()
ignore-validity-period option in to ssl-options()

Manual pages

--check-startup in The syslog-ng manual page
secure-logging, slogencrypt, slogkey, and slogverify manual pages.

Other changes

New quickstart section Sending Kubernetes logs to OpenSearch
Updates in Install AxoSyslog with Podman and Install AxoSyslog with Docker
close_batch and set_transport methods in the python source

2023-08-18 to 2023-10-20

syslog-ng-otlp source and syslog-ng-otlp destination
Loki destination
Amazon S3 destination
OpenSearch destination
stdout destination
http destination options:
Dynamic labeling in the metrics-probe parser

2023-07-07 to 2023-08-18

OpenTelemetry

Falcon LogScale
OpenTelemetry
Splunk HEC
dbdi-driver-dir() and quote-char() options of the sql() destination
bulk-mode(), bulk-bypass-validation(), and bulk-unordered() and write-concern() options of the mongodb() destination

Other changes

New global options

Last modified October 1, 2025: Whatsnew update and misc fixes (7749855)

What's new

Version 4.18 (2025-09-30)

Version 4.17 (2025-09-04)

Version 4.16 (2025-08-15)

Breaking change

Version 4.15 (2025-08-01)

Version 4.14 (2025-07-18)

Version 4.13 (2025-07-08)

separate_extensions

Version 4.12 (2025-06-18)

Version 4.11 (2025-04-09)

Version 4.10 (2025-02-13)

Version 4.9 (2024-11-11)

Other documentation updates

Version 4.8 (2024-07-12)

Version 4.7 (2024-04-18)

Version 4.6 (2024-02-01)

New sources

2023-10-20 to version 4.5 release (2024-01-05)

Parsers

TLS options

Manual pages

Other changes

2023-08-18 to 2023-10-20

2023-07-07 to 2023-08-18

OpenTelemetry

New sources and related changes

New destinations and related changes

New parsers and related changes

Other changes

New global options