What's new

This page is a changelog that collects the major changes and additions to this documentation. (If you want to know the details about why we have separate documentation for AxoSyslog and how it relates to the syslog-ng documentation, read our syslog-ng documentation and similarities with AxoSyslog Core blog post.)

Version 4.17 (2025-09-04)

• The parse_kv FilterX function has an option (stray_words_key) to append stray words to the preceding key.
• You can now use negative indexes when slicing FilterX strings.
• The dpath FilterX function assigns a value to a dictionary and creates any elements of the path that don’t exist.
• When using parallelize() during Nonsequential message processing, you set the batch-size() option to specify how many consecutive messages should be processed by a single parallelize() worker.
• For the clickhouse() destination, you can now use the json-var() option to send the message to the ClickHouse server in Protobuf/JSON mixed mode (JSONEachRow format). In this mode, type validation is performed by the ClickHouse server itself, so no Protobuf schema is required for communication.

Version 4.16 (2025-08-15)

• New ${PROTO_NAME macro.
• New FilterX functions str_strip, str_lstrip, str_rstrip to remove the leading and/or trailing whitespaces from a string.
• The batch-timeout() option of the following destinations now defaults to 0: google-pubsub(), ’logscale()’, openobserve(), splunk().

Breaking change

The name of some fields changed in the parse_cef and parse_leef parsers to avoid name collisions with fields in the extensions:

For CEF:

• version -> cef_version
• name -> event_name

For LEEF:

• version -> leef_version
• vendor -> vendor_name
• delimiter -> leef_delimiter

Version 4.15 (2025-08-01)

• You can exclude files in the wildcard-file() source using the exclude-pattern() option.

• You can use templates in the body-prefix() option of the http() destination, and in destinations based on http().

• ADC authentication now can use service-account-key().

• gcp(service-account()) authentication can now use scope() instead of audience().

• New FilterX features:

  • str_replace function for string replacement.
  • String slicing operator (..).
  • Create dict element if non-null (:??) operator.

Version 4.14 (2025-07-18)

• New client-port option for loggen.
• Starting with version 4.14, running syslog-ng-ctl stats automatically shows orphan counters to avoid losing information. Information loss could happen, for example, when sending messages using short-lived (few seconds long) connections, while scraping metrics in minute intervals.
• The cisco-parser() now handles the Cisco Nexus NXOS 9.3 syslog format.

Version 4.13 (2025-07-08)

• You can format arbitrary data as protobuf using the specified schema (proto file) using the protobuf_message FilterX function. Also, you can send such pre-formatted data using the proto-var() option of the ClickHouse and Google BigQuery destinations.

• You can now format dictionaries as XML and Windows Event Log XML using the format_xml and format_windows_eventlog_xml FilterX functions.

• You can now format dictionaries as CEF and LEEF messages using the format_cef and format_leef FilterX functions.

• Changes in CEF and LEEF:

  separate_extensions

  Available in AxoSyslog 4.13 and later.

  Starting with version 4.13, AxoSyslog parses fields from extensions to the same level as regular fields. In earlier versions, extensions were grouped under the extensions key. To keep using the extensions key, set separate_extensions=true.

  Default value: false

Version 4.12 (2025-06-18)

• Starting from this version, AxoSyslog is licensed under GPL-3.0-or-later. For details, see Product licensing and the AxoSyslog License Update: Moving to GPL3 blog post.
• New FilterX features:
  • Arithmetic operators: + (addition), - (substraction), * (multiplication), / (division), and % (modulo)
  • List membership operator (in): checks if a value is present in a list.
  • strcasecmp function for case insensitive string comparison.
  • To help troubleshooting FilterX blocks, AxoSyslog now includes specific functions that allow you to track failures in FilterX code.
• Way to propagate the type information of the data fields in the clickhouse() destination using the ClickHouse format schema. For details, see server-side-schema().
• You can enable flow-control for every log path using the log-flow-control() global option.
• loggen has a new --perf option to disable rate limiting.
• Internal STATS messages are now disabled by default.

Version 4.11 (2025-04-09)

• Documentation for the Webhook.
• New macros: PEERIP and PEERPORT
• New gRPC option response-action() for the bigquery(), clickhouse(), google-pubsub-grpc(), loki(), and the opentelemetry() destinations.
• New FilterX functions: set_pri, set_timestamp.
• Updates the Azure Monitor destination.

Version 4.10 (2025-02-13)

• New Google Pub/Sub gRPC destination to send logs and data to Google Pub/Sub via gRPC.

• New destination to send logs and data to Azure Monitor and Microsoft Sentinel. For details, see Send data to Azure Monitor and Sentinel.

• New $SOURCEPORT macro which expands to the source port of the peer.

• The syslog() source driver can now auto-detect RFC6587-style octet-count based framing.

• Lots of FilterX updates, including a new =?? operator and several functions:

  • keys
  • load_vars
  • metrics_labels
  • set_fields
  • strftime

• Switch-case expressions in FilterX to better organize the code instead of using multiple if, elif, else blocks. Using switch-case expressions also improves performance.

Version 4.9 (2024-11-11)

• ClickHouse database destination.

• Log tapping with the syslog-ng-ctl attach command.

• FilterX data parsing and processing engine.

• Updated lists of available options for the gRPC-based destinations (bigquery(), loki(), opentelemetry(), syslog-ng-otlp()). You can now also set dynamic header values for these destinations.

• Added the idle-timeout() option to file() source options, stdin() source options, systemd-syslog() source options, wildcard-file() source options, pipe() source options, program() source options, unix-stream() and unix-dgram() source options.

  These sources have a new exit-on-eof flag that makes AxoSyslog stop when EOF is received.

• Added the MSGFORMAT macro.

• Added .tls.x509_fp to .tls.x509.

Other documentation updates

• Cloud authentication option updates for the http() and google-pubsub destinations.
• syslog-ng-ctl list-files command lists files referenced in your configuration, for example, certificates or external configuration files.
• lifetime() global option to prune dynamic counters.

Version 4.8 (2024-07-12)

• APT repository for Debian and Ubuntu based systems.
• You can send messages and metrics to Elasticsearch data streams to store your log and metrics data as time series data using the elasticsearch-datastream() destination driver.
• You can use the server-side-encryption() and kms-key() options to configure encryption for Amazon S3 destinations.
• You can now set static gRPC headers in the bigquery(), loki(), and the opentelemetry() destinations.
• The opentelemetry() parser has a new set-hostname() option.

Version 4.7 (2024-04-18)

• Arr logs source
• Jellyfin logs source
• channel-args() option for gRPC-based drivers, like opentelemetry()
• concurrent-requests() option for the opentelemetry() source and the syslog-ng-otlp() source
• tenant-id() option for the Loki destination
• tags-head template function
• MQTT_TOPIC macro
• TRANSPORT macro updates

For details, see the release announcement blog post.

Version 4.6 (2024-02-01)

• Google BigQuery destination
• Windows XML Event Log (EVTX) parser
• tag template function
• batch-bytes(), compression() and workers() options for the syslog-ng-otlp() and opentelemetry() destinations

For details, see the release announcement blog post.

New sources

• New macOS sources
• qBittorrent logs
• Pi-hole Faster Than Light logs

2023-10-20 to version 4.5 release (2024-01-05)

• Google Pub/Sub destination
• OpenObserve destination
• New http() destination options Templates in the url() and worker-partition-key()

Parsers

• New PostgreSQL csvlog parser
• Columnless mode in csv-parser

TLS options

• ssl-version()
• ignore-validity-period option in to ssl-options()

Manual pages

• --check-startup in The syslog-ng manual page
• secure-logging, slogencrypt, slogkey, and slogverify manual pages.

Other changes

• New quickstart section Sending Kubernetes logs to OpenSearch
• Updates in Install AxoSyslog with Podman and Install AxoSyslog with Docker
• close_batch and set_transport methods in the python source

2023-08-18 to 2023-10-20

• syslog-ng-otlp source and syslog-ng-otlp destination
• Loki destination
• Amazon S3 destination
• OpenSearch destination
• stdout destination
• http destination options:
  • ignore-hostname-mismatch ssl-option
  • accept-encoding()
  • accept-redirects()
  • content-compression()
• Dynamic labeling in the metrics-probe parser

2023-07-07 to 2023-08-18

OpenTelemetry

• OpenTelemetry source
• OpenTelemetry destination
• OpenTelemetry parser

New sources and related changes

• Hypr Audit Trail and Hypr App Audit Trail
• OpenTelemetry
• match-boot and matches options of the syslog-journal() source

New destinations and related changes

• Falcon LogScale
• OpenTelemetry
• Splunk HEC
• dbdi-driver-dir() and quote-char() options of the sql() destination
• bulk-mode(), bulk-bypass-validation(), and bulk-unordered() and write-concern() options of the mongodb() destination

New parsers and related changes

• group-lines
• Count the messages that pass through the log path (metrics-probe)
• OpenTelemetry
• RFC5424 structured data (SDATA) parser
• sdata-prefix option for the syslog-parser
• escape-backslash-with-sequences option for the csv-parser

Other changes

• Typing support (Specifying data types in value-pairs)
• Nonsequential message processing for improved performance
• An overview of writing Python modules for syslog-ng
• New syslog-ng-ctl commands
• Configuration identifier
• Named log paths
• format-date template function
• TLS improvements: OCSP stapling verification and SSL_CONF_cmd support
• RAWMSG_SIZE macro
• lower and upper transformations for the rekey value-pairs() option

New global options

• log-level
• stats