rsyslog
Feb 09, 2010 - 07:10 PM
Professional Services
Custom written rsyslog.conf? Maintenance Contract?

rsyslog professional services



Donate!
Satisfied with rsyslog?

Donate and help keep
the project alive!

Rainer's Blog

Login




 


 Log in Problems?
 New User? Sign Up!

Online
There are 53 unlogged users and 0 registered users online.

You can log-in or register for a user account here.
back

rsyslog vs. syslog-ng

Written by Rainer Gerhards (2008-05-06)

Warning: this comparison is a little outdated, take it with a grain of salt and be sure to check the links at the bottom (both syslog-ng as well as rsyslog features are missing, but our priority is on creating great software not continously updating this comparison ;)).

We have often been asked about a comparison sheet between rsyslog and syslog-ng. Unfortunately, I do not know much about syslog-ng, I did not even use it once. Also, there seems to be no comprehensive feature sheet available for syslog-ng (that recently changed, see below). So I started this comparison, but it probably is not complete. For sure, I miss some syslog-ng features. This is not an attempt to let rsyslog shine more than it should. I just used the rsyslog feature sheet as a starting point, simply because it was available. If you would like to add anything to the chart, or correct it, please simply drop me a line. I would love to see a real honest and up-to-date comparison sheet, so please don't be shy ;)

Feature rsyslog syslog-ng

Input Sources
UNIX domain socket yes yes
UDP yes yes
TCP yes yes
RELP yes no
RFC 3195/BEEP yes (via im3195) no
kernel log yes yes
file yes yes
mark message generator as an optional input yes no (?)
Windows Event Log via a Windows event logging software such as EventReporter or MonitorWare Agent (both commercial software, both fund rsyslog development) via separate Windows agent, paid edition only

Network (Protocol) Support
support for (plain) tcp based syslog yes yes
support for GSS-API yes no
ability to limit the allowed network senders (syslog ACLs) yes yes (?)
support for syslog-transport-tls based framing on syslog/tcp connections yes no (?)
udp syslog yes yes
syslog over RELP
truly reliable message delivery (Why is plain tcp syslog not reliable?)		 yes no
on the wire (zlib) message compression yes no (?)
support for receiving messages via reliable RFC 3195 delivery yes no
support for TLS/SSL-protected syslog natively (since 3.19.0)
via stunnel		 via stunnel
paid edition natively
support for IETF's new syslog-protocol draft yes no
support for IETF's new syslog-transport-tls draft yes
(since 3.19.0 - world's first implementation)		 no
support for IPv6 yes yes
native ability to send SNMP traps yes no
ability to preserve the original hostname in NAT environments and relay chains yes yes

Message Filtering
Filtering for syslog facility and priority yes yes
Filtering for hostname yes yes
Filtering for application yes yes
Filtering for message contents yes yes
Filtering for sending IP address yes yes
ability to filter on any other message field not mentioned above (including substrings and the like) yes no
support for complex filters, using full boolean algebra with and/or/not operators and parenthesis yes yes
Support for reusable filters: specify a filter once and use it in multiple selector lines no yes
support for arbritrary complex arithmetic and string expressions inside filters yes no
ability to use regular expressions in filters yes yes
support for discarding messages based on filters yes yes
ability to filter out messages based on sequence of appearing yes (starting with 3.21.3) no
powerful BSD-style hostname and program name blocks for easy multi-host support yes no

Supported Database Outputs
MySQL yes (native ommysql, omlibdbi) yes (via libdibi)
PostgreSQL yes (native ompgsql, omlibdbi) yes (via libdibi)
Oracle yes (omlibdbi) yes (via libdibi)
SQLite yes (omlibdbi) yes (via libdibi)
Microsoft SQL (Open TDS) yes (omlibdbi) no (?)
Sybase (Open TDS) yes (omlibdbi) no (?)
Firebird/Interbase yes (omlibdbi) no (?)
Ingres yes (omlibdbi) no (?)
mSQL yes (omlibdbi) no (?)

Enterprise Features
support for on-demand on-disk spooling of messages yes paid edition only
ability to limit disk space used by spool files yes yes
each action can use its own, independant set of spool files yes no
different sets of spool files can be placed on different disk yes no
ability to process spooled messages only during a configured timeframe (e.g. process messages only during off-peak hours, during peak hours they are enqueued only) yes
(can independently be configured for the main queue and each action queue)		 no
ability to configure backup syslog/database servers yes no
Professional Support yes yes

Config File
config file format compatible to legacy syslogd but ugly clean but not backwards compatible
ability to include config file from within other config files yes no
ability to include all config files existing in a specific directory yes no

Extensibility
Functionality split in separately loadable modules yes no
Support for third-party input plugins yes no
Support for third-party output plugins yes no

Other Features
ability to generate file names and directories (log targets) dynamically yes yes
control of log output format, including ability to present channel and priority as visible log data yes yes
native ability to send mail messages yes (ommail, introduced in 3.17.0) no (only via piped external process)
good timestamp format control; at a minimum, ISO 8601/RFC 3339 second-resolution UTC zone yes yes
ability to reformat message contents and work with substrings yes I think yes
support for log files larger than 2gb yes yes
support for log file size limitation and automatic rollover command execution yes yes
support for running multiple syslogd instances on a single machine yes ? (but I think yes)
ability to execute shell scripts on received messages yes yes
ability to pipe messages to a continously running program no yes
massively multi-threaded for tomorrow's multi-core machines yes no (only multithreaded with database destinations)
ability to control repeated line reduction ("last message repeated n times") on a per selector-line basis yes yes (?)
supports multiple actions per selector/filter condition yes yes
web interface phpLogCon
[also works with php-syslog-ng]		 php-syslog-ng
using text files as input source yes yes
rate-limiting output actions yes yes
discard low-priority messages under system stress yes no (?)
flow control (slow down message reception when system is busy) yes (advanced, with multiple ways to slow down inputs depending on individual input capabilities, based on watermarks) yes (limited? "stops accepting messages")
rewriting messages yes yes (at least I think so...)
output data into various formats yes yes (looks somewhat limited to me)
ability to control "message repeated n times" generation yes no (?)
license GPLv3 (GPLv2 for v2 branch) GPL (paid edition is closed source)
supported platforms Linux, BSD, anecdotical seen on Solaris; compilation and basic testing done on HP UX many popular *nixes
DNS cache no yes

While the rsyslog project was initiated in 2004, it is build on the main author's (Rainer Gerhards) 12+ years of logging experience. Rainer, for example, also wrote the first Windows syslog server in early 1996 and invented the eventlog-to-syslog class of applications in early 1997. He did custom logging development and consulting even before he wrote these products. Rsyslog draws on that vast experience and sometimes even on the code.

Based on a discussion I had, I also wrote about the political argument why it is good to have another strong syslogd besides syslog-ng. You may want to read it at my blog at "Why does the world need another syslogd?".

Balabit, the vendor of syslog-ng, has just recently done a feature sheet. I have not yet been able to fully work through it. In the mean time, you may want to read it in parallel. It is available at Balabit's site.

[manual index] [rsyslog.conf] [rsyslog site]

This documentation is part of the rsyslog project.
Copyright © 2008 by Rainer Gerhards and Adiscon. Released under the GNU GPL version 2 or higher.



Comments


Only logged in users are allowed to comment. register/log in Bottom 
Author Comment
pkruchok Subject: date of the last changes posted: Jan 14, 2009 - 06:10 PM
pkruchok's Avatar

registered: Dec. 2008

I think adding one line on top of page, containing date of the last changes - it's good idea.
Top  pkruchok send PM
ib33 Subject: link from feature to manual posted: Feb 20, 2009 - 02:12 AM
ib33's Avatar

registered: Feb. 2009

excellent & extensive feature set

IMHO to make this a little less daunting to the uninitiated turning each rsyslog feature on this page into a link to the appropriate section of an example script OR the rsyslog config manual would make it an even more powerful resource/migration tool

Top  ib33 send PM
incase Subject: syslog-ng features posted: Apr 07, 2009 - 02:18 PM
incase's Avatar

registered: Apr. 2009

1) rewriting of syslog messages is possible in syslog-ng, though it might be limited in scope - I've not yet used it

2) control over "last message repeated N times" is not available as far as I know (and to be honest: I hugely dislike this suppresion anyway, makes logfile analysis a lot harder).

3) syslog-ng allows storing the log files in an encrpyted way, which is something rsyslog definitely misses (and something I actually need)

If you want a truely fair comparison, you might want to check http://www.balabit.com/network-security/syslog-ng/comparing/detailed/ and see what the OpenSource Edition has which rsyslog might not (yet) have.
Top  incase send PM
rgerhards Subject: nothing to hide ;) posted: Apr 08, 2009 - 11:27 AM
rgerhards's Avatar

registered: Jun. 2005

Well, quite honestly, we have nothing to hide here. For example, the link to Balabit you quoted is inside our own document since that link exists (you'll find it towards the bottom of the doc). There is good reason the link has always been there: I really don't care that much about updating the feature comparison and I bet Balabit does a much better job in regard to syslog-ng than I do (but, granted, it is time for an update ;)).

Regarding the encrypted store: I've just checked and it is available in the paid edition of syslog-ng only. But if you are interested in paying Balabit for this feature, you could also consider sponsoring its development in rsyslog. The plus would be that once it is in, you do no need to think about paying for new versions are new licenses when you extend your environment. So there definitely is some benefit in sponsoring.

I have not yet implemented such a feature because it is not of that large interest for the community at large - mainly for commercial organizations. But I focus free work on what the community at large helps. The corporate world of course also gets a lot for free, but they can also sponsor parts of the development (as has happened in the past). I am just trying to put my limited resources at the best use...

Hope that clarifies,

Rainer
Top  rgerhards send PM

Back to the start page
 rsyslog Sponsors
 
Functionality looking for Sponsors
rsyslog sponsoring
Click here for more information


 Search
 
Google

 Last Forum Posts
 · Re: AIX syslog tolinux rsyslog?
lol, no problem. Glad it works
· Re: AIX syslog tolinux rsyslog?
I'm so lame.. I had not active rsyslog to recive UDP messages, on ...
· Re: AIX syslog tolinux rsyslog?
what's your rsyslog.conf? do you start an UDP listener on port 51 ...
· Re: AIX syslog tolinux rsyslog?
There is no firewall.. It worked to regular syslog, but now I run ...
· Re: no MARK in logs
Doing further investigation - I see marks only in kern.log and no ...
· Re: Kernel logging
mhhh... I have just setup a lab on debian sid with rsyslog 4.4.2, ...
· Re: AIX syslog tolinux rsyslog?
There must be some firewall in between - because rsyslog really d ...
· Re: AIX syslog tolinux rsyslog?
rgerhards wrote:does*.* @server.example.net not work on aix?It wo ...

:: Syndication: ::
Page created in 0.259297847748 seconds.