Syslog-ng: Taming Logs, Blocking Threats, and Keeping You Sane


Logging. Every admin’s best friend and worst nightmare. Logs hold the answers to why that server crashed at 3 AM, who tried to brute-force your email accounts, and which botnet decided today was the day to test your SMTP relay. But raw logs? They’re chaos. Enter syslog-ng, the Swiss Army knife of log processing, capable of taming that torrent of data, extracting valuable intelligence, and turning it into actionable insights.

Let’s talk about why syslog-ng is the log processor you should be running—and a few things to watch out for along the way.


📊 Why Syslog-ng?

rsyslog will get the job done, but syslog-ng’s configuration language makes pipelines like the ones below (filter, rewrite, forward, act) much easier to express and maintain. It is a flexible, scalable log processing tool that:

Handles massive log volumes – It can process logs at high throughput, making it ideal for busy mail servers, security appliances, and cloud-scale infrastructure.

Supports advanced filtering and rewriting – You can extract exactly what you need, whether it’s IPs of spammers hammering your SMTP or attackers brute-forcing accounts.

Multiple output destinations – Store logs locally, forward them to another syslog server, or trigger actions like updating a firewall blocklist in real-time.

Secure and reliable – TLS encryption, disk-buffering, and failover mechanisms ensure logs arrive even when things go wrong.

Let’s get real. If you run a mail server, you need syslog-ng. Here’s why.


🌐 Detecting and Blocking SMTP Abuse

If you’re running Postfix, you know the drill: spammers will try to relay through your server, and brute-force attempts against email accounts never stop. With syslog-ng, you can:

🎮 Extract attacker IPs in real-time from log messages like:

Feb 19 13:10:04 172.22.0.1 postfix/smtpd[1016]: warning: unknown[92.118.39.63]: SASL LOGIN authentication failed

Using this rewrite rule in syslog-ng.conf (subst() replaces the matched text in place, so afterwards $MESSAGE holds only the address; the condition() keeps it from firing on unrelated messages, which would otherwise keep their full text and still travel down the same log path):

rewrite extract_ip_from_brackets {
    # Replace the whole message with capture group 1 (the bracketed IP), but
    # only for SASL failures; other messages keep their original MESSAGE.
    subst(".*?unknown\\[([0-9.]+)\\].*", "$1", value("MESSAGE") type("pcre")
          condition(match("SASL LOGIN authentication failed" value("MESSAGE"))));
};

🔗 Ship that data straight to a webhook. syslog-ng only does the HTTP POST; the receiver behind the URL is what actually updates your firewall blocklist (for example by pushing a rule over SSH):

destination webhook_blocklist {
    # One POST per message; after the rewrite, $MESSAGE is just the address.
    http(url("https://my-firewall-api/block")
         method("POST")
         headers("Content-Type: application/json")
         body("$(format-json ip='$MESSAGE')"));
};
# s_postfix is an assumed source name; the filter keeps other messages off the webhook.
log {
    source(s_postfix);
    filter { match("SASL LOGIN authentication failed" value("MESSAGE")); };
    rewrite(extract_ip_from_brackets); destination(webhook_blocklist);
};

Your firewall isn’t the only option—once that IP hits your webhook, you’re in control. Want to blackhole every packet instantly? Done. Prefer to log failed attempts in Redis before blocking repeat offenders? Easy. You could even trigger a honeypot response or alert your SIEM. With syslog-ng and a well-placed webhook, you’re not just reacting—you’re orchestrating security on your terms. 🚀


🤖 The Intelligent Smart Log Processor

Syslog-ng isn’t just about filtering—it’s about structured processing. Its pattern database (patterndb, loaded with the db-parser() parser) matches messages against an XML database of message skeletons with typed placeholders such as @IPv4@ and @STRING@. Matching uses a radix tree rather than a regex per pattern, so it stays fast with thousands of patterns, and each match can classify the message, attach tags, and extract named fields without a separate regex for every message type.

For example, instead of writing a rewrite rule per brute-force message format, you describe the SASL failure once in the pattern database, pull the client address out with an @IPv4@ placeholder, and tag the message as a violation; the rest of the pipeline then filters on the tag and acts on the extracted field. You don’t “train” syslog-ng: the patterns are written by hand or reused from community databases, though pdbtool patternize can cluster sample logs into candidate patterns for you to review, and pdbtool match lets you test a pattern against a message before deploying it.

You’re not just reacting to attacks—you’re stopping them before they escalate.


🚨 Caveats: Things to Watch Out For

Syslog-ng is powerful, but it’s not perfect. Here’s what you need to keep in mind:

⚠️ Complex Configurations – Syslog-ng’s flexibility means you’ll spend time fine-tuning regex rules and destinations. A typo in syslog-ng.conf will stop syslog-ng from starting or reloading, so check the file with syslog-ng --syntax-only before you apply it.

⚠️ Performance Overhead – High-volume environments need careful tuning. An unanchored regex evaluated against every message eats CPU; narrow the stream first with cheap filters such as program("postfix/smtpd") or facility() and run the regex only on what is left.

⚠️ Limited Native Alerting – While you can forward logs to SIEM solutions, syslog-ng itself isn’t built for full-fledged alerting. You’ll need Grafana, Prometheus, or a SIEM for dashboards.

⚠️ Firewall Integration Needs Work – If you’re auto-blocking attackers, allowlist trusted sources: your own networks, monitoring hosts, and the log source itself (172.22.0.1 in the sample line above is the relay that delivered the log, not the attacker). Block only after a threshold of failures, not on the first hit. And remember that a rewrite rule that does not match leaves the original message in $MESSAGE, so the receiving side must verify it actually got an address before it touches the firewall. You don’t want to lock yourself out because of a misfired regex!
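The receiving side of the webhook above, handling the allowlist and threshold caveats in this list. This is an added example, not code from the original post: it assumes the syslog-ng http() destination POSTs {"ip": "<address>"} and carries a shared secret in an X-Auth-Token header (add that to the destination’s headers() option); the firewall update itself is a callback that here only prints. The allowlist, threshold, window and token values are assumptions to adjust for your environment. It re-applies the page’s capture regex because a rewrite that did not fire delivers the full log line instead of an address.

```python
"""Blocklist webhook receiver for the syslog-ng http() destination.

Added example; not the original post's code. Assumes POST bodies like
{"ip": "92.118.39.63"} and an X-Auth-Token header set via headers().
"""
import hmac
import ipaddress
import json
import re
import time
from collections import defaultdict, deque
from http.server import BaseHTTPRequestHandler, HTTPServer

# Never block these (assumed values): your own networks, the log source
# (172.22.0.1 in the sample log line) and a trusted monitoring range.
ALLOWLIST = [ipaddress.ip_network(n) for n in
             ("10.0.0.0/8", "172.22.0.0/16", "93.184.216.0/24")]
THRESHOLD = 5                 # failures within WINDOW before blocking (assumed)
WINDOW = 600                  # seconds (assumed)
SHARED_TOKEN = "replace-me"   # assumed; syslog-ng sends it in X-Auth-Token

# Same capture as the page's subst() rule. Applied again here because a rewrite
# that does not match leaves MESSAGE untouched, so the body may hold a whole line.
IP_RE = re.compile(r"unknown\[([0-9.]+)\]")


def extract_ip(payload):
    """Return a validated public IPv4 address from the webhook body, or None
    for anything that must not be blocked (garbage, private, allowlisted)."""
    try:
        value = json.loads(payload).get("ip")
    except (ValueError, AttributeError):   # not JSON, or not a JSON object
        return None
    if not isinstance(value, str):
        return None
    m = IP_RE.search(value)
    candidate = m.group(1) if m else value.strip()
    try:
        ip = ipaddress.ip_address(candidate)
    except ValueError:
        return None
    if ip.version != 4 or not ip.is_global:  # private, loopback, reserved ranges
        return None
    if any(ip in net for net in ALLOWLIST):
        return None
    return ip


class Blocklist:
    """Sliding-window counter: block an address after `threshold` failures in `window` seconds."""

    def __init__(self, threshold=THRESHOLD, window=WINDOW, on_block=None):
        self.threshold = threshold
        self.window = window
        self.on_block = on_block or (lambda ip: print(f"BLOCK {ip}"))
        self.failures = defaultdict(deque)   # ip -> timestamps of recent failures
        self.blocked = set()

    def record(self, payload, now=None):
        """Process one webhook event; returns 'ignored', 'counted', 'blocked' or 'already-blocked'."""
        now = time.time() if now is None else now
        ip = extract_ip(payload)
        if ip is None:
            return "ignored"
        if ip in self.blocked:
            return "already-blocked"
        stamps = self.failures[ip]
        stamps.append(now)
        while stamps and now - stamps[0] > self.window:   # drop failures older than the window
            stamps.popleft()
        if len(stamps) >= self.threshold:
            self.blocked.add(ip)
            # Real action goes here, e.g. `nft add element inet filter blocklist { <ip> }`
            # (assumed table/set names).
            self.on_block(ip)
            return "blocked"
        return "counted"


class Handler(BaseHTTPRequestHandler):
    blocklist = Blocklist()

    def do_POST(self):
        if not hmac.compare_digest(self.headers.get("X-Auth-Token", ""), SHARED_TOKEN):
            self.send_response(401)
            self.end_headers()
            return
        body = self.rfile.read(int(self.headers.get("Content-Length", 0)))
        result = self.blocklist.record(body.decode("utf-8", "replace"))
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.end_headers()
        self.wfile.write(json.dumps({"result": result}).encode())


if __name__ == "__main__":
    # Bind to localhost; put TLS in front of it before syslog-ng reaches it over the network.
    HTTPServer(("127.0.0.1", 8080), Handler).serve_forever()
```

The validation order matters: parse first, reject anything that is not a global IPv4 address, then consult the allowlist, and only then count. A request that fails any step is answered with "ignored" rather than an error, so a misfiring rewrite upstream never translates into a firewall change.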


💪 The Verdict: Deploy It Yesterday

If you’re running a mail server, securing a network, or processing high-volume logs, syslog-ng is a must-have. Its ability to extract, transform, and forward logs in real-time makes it an essential tool for modern IT admins.

Extract critical data with precision

Detect and block threats automatically

Send log data where you need it

Scale to handle even the busiest infrastructures

It’s not just a log processor—it’s an intelligence engine for your infrastructure.


🔒 Logs Are Power. Use Them Wisely.

Deploy syslog-ng. Automate log processing. Secure your servers. Because the best IT admin is the one who doesn’t get woken up at 3 AM. 🚀