English Español français rss
> Accueil > Actualités

Interview : Marton Illes, Syslog-ng

Traduction(s) de cet article : English

- Marton, would you introduce yourself ?

My name is Marton Illes, I am 28 years old and live in Budapest, Hungary. I started using computers and doing basic programing very early, but later I become involved with IT just by a chance. Originally I wanted to study economics, but somehow I was grabbed by the early linux movements and the emerge of the Internet, so I choose IT finally. (I studied at many universities, but finally I graduated as an IT economist - back to the roots ?)

I give classes at the Technical University of Budapest and at the Corvinus University on IT security and related topics. I am currently working at BalaBit at the R&D department where I am the product architect of our Shell Control Box and syslog-ng Store Box appliance products. In my work

and in my free time (I do not have much of the latter...) I am using many open-source projects and trying to commit back to the community our changes and fixes. Nothing really big so far, but I believe small things are also very important.

In my free time I like to travel, read books and watch American football, but I do not have much time for them.

- How did you come to contribute to syslog-ng ? What are your tasks inside syslog-ng project ?

I have been working for BalaBit for 8 years now with Bazsi around all the time, so it was just a matter of time for me to get involved with syslog-ng. I have been always using syslog-ng, but for most of the time I was just a user of it. Last year BalaBit started a new product based on syslog-ng and I become the product architect for it. As we integrated syslog-ng into the product I had to fix some bugs and add minor enhancements to it. Doing these myself was fun and also a faster way of getting it done, as Bazsi always had a lot of other things to do.

I also wanted to add a logcheck like artificial-ignorance based message classification to the product, but did not like the way logcheck did it, so I started to write a message parser based on a pattern database. Luckily BalaBit decided to open-source the parser and release it in syslog-ng Open Source Edition. Since then I am maintaining that part of the codebase and trying to come up with extensions and enhancements around that.

- What are the main differences between the different versions of syslog-ng (community vs premium edition) ? Is it easy to maintain 2 software versions with different licences and audience ?

The main difference ? I think it is licensing. Seriously there are some features available in the Premium Edition which is the commercial branch of syslog-ng. With the latest release 3.0, the PE has support for disk-based persistent buffering, an on-the-fly compressed/encrypted/timestamped binary file format called logstore and wildcard file sources. The Premium Edition is available on more than 20 UNIX-like platforms and comes with a Windows agent with support for EventLogs and file sources. Also, an IBM System i agent is available as a separate option. The third "edition" is the syslog-ng Store Box which is an appliance with more added features based on the Premium Edition.

Maintaining the different editions is a difficult task, especially porting patches between branches, it is a lot of work and it is easy to make mistakes. I think the audience is not that different though , as many large systems use the open-source edition. Users choose the premium edition because of the features, the readily available binary packages or because they need to "buy" software or official support.

Regarding the development we used to introduce new features in the Premium Edition and later backport them to the Open Source Edition, though we are trying to change this process a bit, by

introducing new features in the open-source edition and porting them to the Premium Edition. Also we wanted to make our development process more transparent and open for the community.

We started a public Bugzilla and encourage our development team to discuss the open-source related issues and questions on the public mailing list, and also to push their patches through a public git repository. This way we hope the community will get a better and more transparent view of our development process, and hopefully the project will benefit from more patches coming from the community and get more testing for the new features. Bazsi and some others (including me) also started blogs, so if anyone interested to get a deeper view is very welcome to our blogs at http://www.balabit.com/news/

- What are the main ideas that will be in the syslog-ng roadmap for the next months/year ?

syslog-ng is know for its reliability of handling messages over the network and filtering messages in a flexible way. Though so far the main focus was on message transport, not on the content of the messages. syslog-ng is not an analyzer, correlation or reporting tool, but we would like to see more functionality around message content handling. The parser I have mentioned earlier is a first step into that direction, which we would like to extend in the future. I would like to build a community site around the parser which would provide users a common meeting place for exchanging message pattern databases for various applications.

The other direction is to enhance further the transport capabilities of syslog-ng. With the 3.0 release, syslog-ng gained support for the new "IETF-syslog protocol" which offers many interesting possibilities over the old legacy BSD syslog protocol. We would like to see the new protocol to spread around , and applications, devices take advantage of the features offered by the new protocol. syslog-ng comes with an eventlog library which can be used as a replacement syslog() API. We want to extend the library to include support for the new protocol.

Beside all of the above we want to improve the stability and the performance of syslog-ng. We see good chance especially for the latter one, as syslog-ng currently does not scale to more CPUs or cores, but todays architectures come with such CPUs, so improving scalability is important.

For anyone interested check our roadmap page at http://www.balabit.com/network-security/syslog-ng/opensource-logging-system/roadmap/

- In a more personal point of view, what are the main fields you would like to involve yourself (projects, developments, etc.) ?

I would like to continue working on the message parsing and classification project I started with syslog-ng. I see a chance for building a community around it to provide users with quality message patterns. Personally I am also interested in the message correlation and alerting topic, but I do not know how much free time I will have for those...

- What are your main points for your LSM 2009 talk ?

I would like to give an update on the latest development of syslog-ng and show the parser capabilities in more depth with some practical examples. I think syslog-ng has more features and potential than many users are aware of. I hope I can show new and interesting things for syslog-ng old-timers and newbies alike. Also it is a very good chance for me to meet users and hopefully current and future contributors personally to discuss and share future development ideas and get feedbacks as well.

- A last word : have you any special wish for the 2009 LSM ?

Yes, I hope people will have a chance to meet old and new friends, see new and interesting projects, ideas and have fun.

Thank you Marton and see you soon at LSM.