Diffstat (limited to 'doc')
-rw-r--r-- | doc/manual.html | 2
-rw-r--r-- | doc/rsyslog_ng_comparison.html | 514
2 files changed, 354 insertions, 162 deletions
diff --git a/doc/manual.html b/doc/manual.html index 80358f39..46bfd958 100644 --- a/doc/manual.html +++ b/doc/manual.html @@ -60,7 +60,7 @@ modules</a></li> <li><a href="rsyslog_stunnel.html">ssl-encrypting syslog with stunnel</a></li> <li><a href="rsyslog_mysql.html">writing syslog -messages to MySQL</a></li> +messages to MySQL (and other databases as well)</a></li> <li><a href="rsyslog_high_database_rate.html">writing massive amounts of syslog messages to a database</a></li> <li><a href="rsyslog_php_syslog_ng.html">using diff --git a/doc/rsyslog_ng_comparison.html b/doc/rsyslog_ng_comparison.html index 07ceb09d..6a9d9bd8 100644 --- a/doc/rsyslog_ng_comparison.html +++ b/doc/rsyslog_ng_comparison.html @@ -1,15 +1,17 @@ <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <html><head> -<meta content="de" http-equiv="Content-Language"><title>rsyslog vs. syslog-ng - a comparison</title></head> +<meta content="de" http-equiv="Content-Language"><title>rsyslog vs. syslog-ng - a comparison</title> + +</head> <body> <h1>rsyslog vs. syslog-ng</h1> <p><small><i>Written by <a href="http://www.gerhards.net/rainer">Rainer Gerhards</a> -(2008-02-15)</i></small></p> +(2008-02-28)</i></small></p> <p>We have often been asked about a comparison sheet between rsyslog and syslog-ng. Unfortunately, I do not know much about syslog-ng, I did not even use it once. Also, there seems to be no -comprehensive feature sheet available for syslog-ng (that recently changed, see -below). So I started this +comprehensive feature sheet available for syslog-ng (that recently +changed, see below). So I started this comparison, but it probably is not complete. For sure, I miss some syslog-ng features. This is not an attempt to let rsyslog shine more than it should. I just used the <a href="features.html">rsyslog 
@@ -25,319 +27,509 @@ comparison sheet, so please don't be shy ;)</p> <td valign="top"><b>rsyslog</b></td> <td valign="top"><b>syslog-ng</b></td> </tr> + + <tr> -<td valign="top">support for on-demand on-disk -spooling of messages</td> +<td colspan="3" valign="top"><br><b>Input Sources</b><br></td> +</tr> +<td valign="top">UNIX domain socket</td> <td valign="top">yes</td> -<td valign="top">paid edition only</td> +<td valign="top">yes<td> </tr> <tr> -<td valign="top">ability to configure backup -syslog/database servers </td> +<td valign="top">UDP</td> <td valign="top">yes</td> -<td valign="top">no</td> +<td valign="top">yes<td> </tr> <tr> -<td valign="top">ability to generate file names and -directories (log targets) dynamically</td> -<td valign="top">yes</td> +<td valign="top">TCP</td> <td valign="top">yes</td> +<td valign="top">yes<td> </tr> <tr> -<td valign="top">control of log output format, -including ability to present channel and priority as visible log data</td> +<td valign="top">RFC 3195/BEEP</td> +<td valign="top">yes (needs separate build process)</td> +<td valign="top">no<td> +</tr> +<tr> +<td valign="top">kernel log</td> <td valign="top">yes</td> -<td valign="top">not sure...</td> +<td valign="top">yes<td> </tr> <tr> -<td valign="top">good timestamp format control; at a -minimum, ISO 8601/RFC 3339 second-resolution UTC zone</td> +<td valign="top">file</td> <td valign="top">yes</td> -<td valign="top">? 
(I guess so)</td> +<td valign="top">yes<td> </tr> <tr> -<td valign="top">ability to reformat message -contents and work with substrings</td> +<td valign="top">mark message generator as an optional input</td> <td valign="top">yes</td> -<td valign="top">I think yes</td> +<td valign="top">no (?)<td> </tr> <tr> -<td valign="top">support for log files larger than -2gb</td> +<td valign="top">Windows Event Log</td> +<td valign="top">via <a href="http://www.eventreporter.com">EventReporter</a> +or <a href="http://www.mwagent.com">MonitorWare Agent</a> +(both commercial software)</td> +<td valign="top">via separate Windows agent, paid edition only</td> +</tr> + + +<tr> +<td colspan="3" valign="top"><b><br>Network (Protocol) Support</b><br></td> +</tr> +<tr> +<td valign="top">support for (plain) tcp based syslog</td> <td valign="top">yes</td> <td valign="top">yes</td> </tr> <tr> -<td valign="top">support for log file size limitation -and automatic rollover command execution</td> +<td valign="top">support for GSS-API</td> +<td valign="top">yes</td> +<td valign="top">no (?)</td> +</tr> +<tr> +<td valign="top">ability to limit the allowed +network senders (syslog ACLs)</td> <td valign="top">yes</td> <td valign="top">yes (?)</td> </tr> <tr> -<td valign="top">support for running multiple -syslogd instances on a single machine</td> +<td valign="top">support for syslog-transport-tls +based framing on syslog/tcp connections</td> <td valign="top">yes</td> -<td valign="top">? 
(but I think yes)</td> +<td valign="top">no (?)</td> </tr> <tr> -<td valign="top">ability to filter on any part of -the message, not just facility and severity</td> +<td valign="top">udp syslog</td> <td valign="top">yes</td> <td valign="top">yes</td> </tr> <tr> -<td valign="top">ability to use regular expressions -in filters</td> +<td valign="top">on the wire (zlib) message +compression</td> <td valign="top">yes</td> +<td valign="top">no (?)</td> +</tr> +<tr> +<td valign="top">support for receiving messages via +reliable <a href="http://www.monitorware.com/Common/en/glossary/rfc3195.php">RFC +3195</a> delivery</td> <td valign="top">yes</td> +<td valign="top">no</td> </tr> <tr> -<td valign="top">support for discarding messages -based on filters</td> +<td valign="top">support for <a href="rsyslog_stunnel.html">ssl-protected +syslog</a> </td> +<td valign="top"><a href="rsyslog_stunnel.html">via +stunnel</a></td> +<td valign="top">via stunnel<br> +paid edition natively</td> +</tr> +<tr> +<td valign="top">support for IETF's new +syslog-protocol draft</td> <td valign="top">yes</td> -<td valign="top">?</td> +<td valign="top">no</td> </tr> <tr> -<td valign="top">ability to execute shell scripts on -received messages</td> +<td valign="top">support for IPv6</td> <td valign="top">yes</td> <td valign="top">yes</td> </tr> <tr> -<td valign="top">ability to pipe messages to a -continously running program</td> -<td valign="top">no</td> +<td valign="top">native ability to send SNMP traps</td> <td valign="top">yes</td> +<td valign="top">?</td> </tr> <tr> -<td valign="top">powerful BSD-style hostname and -program name blocks for easy multi-host support</td> +<td valign="top">ability to preserve the original +hostname in NAT environments and relay chains</td> +<td valign="top">yes</td> <td valign="top">yes</td> -<td valign="top">no</td> </tr> + + <tr> -<td valign="top">massively multi-threaded for -tomorrow's multi-core machines</td> +<td colspan="3" valign="top"><br><b>Message 
Filtering</b><br></td> +</tr> +<td valign="top">Filtering for syslog facility and priority</td> <td valign="top">yes</td> -<td valign="top">no (only multithreaded with database destinations)</td> +<td valign="top">yes<td> </tr> <tr> -<td valign="top">ability to control repeated line -reduction ("last message repeated n times") on a per selector-line basis</td> +<td valign="top">Filtering for hostname</td> <td valign="top">yes</td> -<td valign="top">yes (?)</td> +<td valign="top">yes<td> </tr> <tr> -<td valign="top">ability to include config file from -within other config files</td> +<td valign="top">Filtering for application</td> <td valign="top">yes</td> -<td valign="top">no</td> +<td valign="top">yes<td> </tr> <tr> -<td height="25" valign="top">ability to include all config files -existing in a specific directory</td> -<td height="25" valign="top">yes</td> -<td height="25" valign="top">no</td> +<td valign="top">Filtering for message contents</td> +<td valign="top">yes</td> +<td valign="top">yes<td> </tr> <tr> -<td valign="top">supports multiple actions per -selector/filter condition</td> +<td valign="top">Filtering for sending IP address</td> <td valign="top">yes</td> -<td valign="top">?</td> +<td valign="top">yes<td> </tr> <tr> -<td valign="top">plug-in interface</td> +<td valign="top">ability to filter on any other message +field not mentioned above +(including substrings and the like)</td> <td valign="top">yes</td> <td valign="top">no</td> </tr> <tr> -<td valign="top">Windows Event Log gatherer</td> -<td valign="top">via <a href="http://www.eventreporter.com">EventReporter</a> -or <a href="http://www.mwagent.com">MonitorWare Agent</a> -(both commercial software)</td> -<td valign="top">via Windows agent, paid edition only</td> +<td>support for complex filters, using full boolean algebra +with and/or/not operators and parenthesis</td> +<td>yes</td> +<td>yes</td> </tr> <tr> -<td valign="top">config file format</td> -<td valign="top">compatible to legacy syslogd 
but -ugly</td> -<td valign="top">clean but not backwards compatible</td> +<td>Support for reusable filters: specify a filter once and +use it in multiple selector lines</td> +<td>no</td> +<td>yes</td> </tr> <tr> -<td valign="top">web interface</td> -<td valign="top"><a href="http://www.phplogcon.org">phpLogCon</a><br> -[also works with <a href="http://freshmeat.net/projects/php-syslog-ng/"> -php-syslog-ng</a>]</td> -<td valign="top"><a href="http://freshmeat.net/projects/php-syslog-ng/"> -php-syslog-ng</a></td> +<td>support for arbritrary complex arithmetic and string +expressions inside filters</td> +<td>yes</td> +<td>no</td> </tr> <tr> -<td valign="top">using text files as input source</td> +<td valign="top">ability to use regular expressions +in filters</td> +<td valign="top">yes</td> <td valign="top">yes</td> +</tr> +<tr> +<td valign="top">support for discarding messages +based on filters</td> <td valign="top">yes</td> +<td valign="top">yes<td> +</tr> +<tr> +<td valign="top">powerful BSD-style hostname and +program name blocks for easy multi-host support</td> +<td valign="top">yes</td> +<td valign="top">no</td> +</tr> +<tr> +<td></td> +<td></td> +<td></td> </tr> <tr> -<td valign="top">rate-limiting output actions</td> -<td valign="top">yes</td> +<td colspan="3" valign="top"><br><b>Supported Database Outputs</b><br></td> +</tr> +<tr> +<td valign="top">MySQL</td> +<td valign="top"><a href="rsyslog_mysql.html">yes</a> +(native ommysql, <a href="omlibdbi.html">omlibdbi</a>)</td> +<td valign="top">yes (via libdibi)</td> +</tr> +<tr> +<td valign="top">PostgreSQL</td> +<td valign="top">yes (native ompgsql, <a href="omlibdbi.html">omlibdbi</a>)</td> +<td valign="top">yes (via libdibi)</td> +</tr> +<tr> +<td valign="top">Oracle</td> +<td valign="top">yes (<a href="omlibdbi.html">omlibdbi</a>)</td> +<td valign="top">yes (via libdibi)</td> +</tr> +<tr> +<td valign="top">SQLite</td> +<td valign="top">yes (<a href="omlibdbi.html">omlibdbi</a>)</td> +<td valign="top">yes 
(via libdibi)</td> +</tr> +<tr> +<td valign="top">Microsoft SQL (Open TDS)</td> +<td valign="top">yes (<a href="omlibdbi.html">omlibdbi</a>)</td> +<td valign="top">no (?)</td> +</tr> +<tr> +<td valign="top">Sybase (Open TDS)</td> +<td valign="top">yes (<a href="omlibdbi.html">omlibdbi</a>)</td> +<td valign="top">no (?)</td> +</tr> +<tr> +<td valign="top">Firebird/Interbase</td> +<td valign="top">yes (<a href="omlibdbi.html">omlibdbi</a>)</td> +<td valign="top">no (?)</td> +</tr> +<tr> +<td valign="top">Ingres</td> +<td valign="top">yes (<a href="omlibdbi.html">omlibdbi</a>)</td> +<td valign="top">no (?)</td> +</tr> +<tr> +<td valign="top">mSQL</td> +<td valign="top">yes (<a href="omlibdbi.html">omlibdbi</a>)</td> +<td valign="top">no (?)</td> +</tr> + + +<tr> +<td colspan="3" valign="top"><br><b>Enterprise Features</b><br></td> +</tr> +<tr> +<td valign="top">support for on-demand on-disk +spooling of messages</td> <td valign="top">yes</td> +<td valign="top">paid edition only</td> </tr> <tr> -<td valign="top">discard low-priority messages under -system stress</td> +<td valign="top">ability to limit disk space used +by spool files</td> +<td valign="top">yes</td> <td valign="top">yes</td> -<td valign="top">no (?)</td> </tr> <tr> -<td height="43" valign="top">flow control -(slow down message reception when system is busy)</td> -<td height="43" valign="top">limited (TCP -Window, delay on queue full)</td> -<td height="43" valign="top">yes (limited, -too? 
"stops accepting messages")</td> +<td valign="top">each action can use its own, independant +set of spool files</td> +<td valign="top">yes</td> +<td valign="top">no</td> </tr> <tr> -<td valign="top">rewriting messages</td> +<td valign="top">different sets of spool files can +be placed on different disk</td> <td valign="top">yes</td> -<td valign="top">yes (at least I think so...)</td> +<td valign="top">no</td> </tr> <tr> -<td valign="top">output data into various formats</td> +<td valign="top">ability to configure backup +syslog/database servers </td> <td valign="top">yes</td> -<td valign="top">yes (looks somewhat limited to me)</td> +<td valign="top">no</td> </tr> <tr> -<td valign="top">ability to control "message -repeated n times" generation</td> +<td>Professional Support</td> +<td><a href="professional_support.html">yes</a></td> +<td>yes</td> +</tr> + + +<tr> +<td colspan="3" valign="top"><br><b>Config File</b><br></td> +</tr> +<tr> +<td valign="top">config file format</td> +<td valign="top">compatible to legacy syslogd but +ugly</td> +<td valign="top">clean but not backwards compatible</td> +</tr> +<tr> +<td valign="top">ability to include config file from +within other config files</td> <td valign="top">yes</td> -<td valign="top">no (?)</td> +<td valign="top">no</td> </tr> <tr> -<td valign="top">license</td> -<td valign="top">GPLv3 (GPLv2 for v2 branch)</td> -<td valign="top">GPL (paid edition is closed source)</td> +<td height="25" valign="top">ability to +include all config files +existing in a specific directory</td> +<td height="25" valign="top">yes</td> +<td height="25" valign="top">no</td> </tr> + + + <tr> -<td valign="top">supported platforms</td> -<td valign="top">Linux, BSD, anecdotical seen on -Solaris</td> -<td valign="top">many popular *nixes</td> +<td colspan="3" valign="top"><br><b>Extensibility</b><br></td> </tr> <tr> -<td valign="top">DNS cache</td> +<td valign="top">Functionality split in separately loadable +modules</td> +<td 
valign="top">yes</td> +<td valign="top">no</td> +</tr> +<tr> +<td valign="top">Support for third-party input plugins</td> +<td valign="top">yes</td> <td valign="top">no</td> +</tr> +<tr> +</tr> +<td valign="top">Support for third-party output plugins</td> <td valign="top">yes</td> +<td valign="top">no</td> </tr> -<tr><td>Professional Support</td><td><a href="professional_support.html">yes</a></td><td>yes</td></tr><tr> -<td valign="top"><b><br> -Network (Protocol) Support<br> - </b></td> -<td valign="top"> </td> -<td valign="top"> </td> -</tr> + <tr> -<td valign="top">support for (plain) tcp based syslog</td> +<td colspan="3" valign="top"><br><b>Other Features</b><br></td> +</tr> +<tr> +<tr> +<td valign="top">ability to generate file names and +directories (log targets) dynamically</td> <td valign="top">yes</td> <td valign="top">yes</td> </tr> <tr> -<td valign="top">support for GSS-API</td> +<td valign="top">control of log output format, +including ability to present channel and priority as visible log data</td> <td valign="top">yes</td> -<td valign="top">no (?)</td> +<td valign="top">not sure...</td> </tr> <tr> -<td valign="top">ability to limit the allowed -network senders (syslog ACLs)</td> +<td valign="top">good timestamp format control; at a +minimum, ISO 8601/RFC 3339 second-resolution UTC zone</td> +<td valign="top">yes</td> <td valign="top">yes</td> -<td valign="top">yes (?)</td> </tr> <tr> -<td valign="top">support for syslog-transport-tls -based framing on syslog/tcp connections</td> +<td valign="top">ability to reformat message +contents and work with substrings</td> <td valign="top">yes</td> -<td valign="top">no (?)</td> +<td valign="top">I think yes</td> </tr> <tr> -<td valign="top">udp syslog</td> +<td valign="top">support for log files larger than +2gb</td> <td valign="top">yes</td> <td valign="top">yes</td> </tr> - <tr> -<td valign="top">on the wire (zlib) message -compression</td> +<td valign="top">support for log file size +limitation +and 
automatic rollover command execution</td> +<td valign="top">yes</td> <td valign="top">yes</td> -<td valign="top">no (?)</td> </tr> <tr> -<td valign="top">support for receiving messages via -reliable <a href="http://www.monitorware.com/Common/en/glossary/rfc3195.php">RFC -3195</a> delivery</td> +<td valign="top">support for running multiple +syslogd instances on a single machine</td> <td valign="top">yes</td> +<td valign="top">? (but I think yes)</td> +</tr> +<tr> +<td valign="top">ability to execute shell scripts on +received messages</td> +<td valign="top">yes</td> +<td valign="top">yes</td> +</tr> +<tr> +<td valign="top">ability to pipe messages to a +continously running program</td> <td valign="top">no</td> +<td valign="top">yes</td> </tr> <tr> -<td valign="top">support for <a href="rsyslog_stunnel.html">ssl-protected -syslog</a> </td> -<td valign="top"><a href="rsyslog_stunnel.html">via -stunnel</a></td> -<td valign="top">via stunnel<br> -paid edition natively</td> +<td valign="top">massively multi-threaded for +tomorrow's multi-core machines</td> +<td valign="top">yes</td> +<td valign="top">no (only multithreaded with +database destinations)</td> </tr> <tr> -<td valign="top">support for IETF's new -syslog-protocol draft</td> +<td valign="top">ability to control repeated line +reduction ("last message repeated n times") on a per selector-line basis</td> <td valign="top">yes</td> -<td valign="top">no</td> +<td valign="top">yes (?)</td> </tr> <tr> -<td valign="top">support for IPv6</td> +<td valign="top">supports multiple actions per +selector/filter condition</td> +<td valign="top">yes</td> +<td valign="top">yes<td> +</tr> +<tr> +<td valign="top">web interface</td> +<td valign="top"><a href="http://www.phplogcon.org">phpLogCon</a><br> +[also works with <a href="http://freshmeat.net/projects/php-syslog-ng/"> +php-syslog-ng</a>]</td> +<td valign="top"><a href="http://freshmeat.net/projects/php-syslog-ng/"> +php-syslog-ng</a></td> +</tr> +<tr> +<td 
valign="top">using text files as input source</td> <td valign="top">yes</td> <td valign="top">yes</td> </tr> <tr> -<td valign="top">native ability to send SNMP traps</td> +<td valign="top">rate-limiting output actions</td> +<td valign="top">yes</td> <td valign="top">yes</td> -<td valign="top">?</td> </tr> <tr> -<td valign="top">ability to preserve the original -hostname in NAT environments and relay chains</td> +<td valign="top">discard low-priority messages under +system stress</td> <td valign="top">yes</td> +<td valign="top">no (?)</td> +</tr> +<tr> +<td height="43" valign="top">flow control +(slow down message reception when system is busy)</td> +<td height="43" valign="top">limited (TCP +Window, delay on queue full)</td> +<td height="43" valign="top">yes (limited, +too? "stops accepting messages")</td> +</tr> +<tr> +<td valign="top">rewriting messages</td> <td valign="top">yes</td> +<td valign="top">yes (at least I think so...)</td> </tr> <tr> -<td valign="top"><span style="font-weight: bold;"><br> -Supported Database Outputs<br> - </span></td> -<td valign="top"></td> -<td valign="top"></td> +<td valign="top">output data into various formats</td> +<td valign="top">yes</td> +<td valign="top">yes (looks somewhat limited to me)</td> </tr> - <tr> -<td valign="top">MySQL</td> -<td valign="top"><a href="rsyslog_mysql.html">yes</a> (native ommysql, <a href="omlibdbi.html">omlibdbi</a>)</td> -<td valign="top">yes (via libdibi)</td> +<td valign="top">ability to control "message +repeated n times" generation</td> +<td valign="top">yes</td> +<td valign="top">no (?)</td> </tr> <tr> -<td valign="top">PostgreSQL</td> -<td valign="top">yes (native ompgsql, <a href="omlibdbi.html">omlibdbi</a>)</td> -<td valign="top">yes (via libdibi)</td> +<td valign="top">license</td> +<td valign="top">GPLv3 (GPLv2 for v2 branch)</td> +<td valign="top">GPL (paid edition is closed source)</td> </tr> -<tr><td valign="top">Oracle</td><td valign="top">yes (<a 
href="omlibdbi.html">omlibdbi</a>)</td><td valign="top">yes (via libdibi)</td></tr><tr><td valign="top">SQLite</td><td valign="top">yes (<a href="omlibdbi.html">omlibdbi</a>)</td><td valign="top">yes (via libdibi)</td></tr><tr><td valign="top">Microsoft SQL (Open TDS)</td><td valign="top">yes (<a href="omlibdbi.html">omlibdbi</a>)</td><td valign="top">no (?)</td></tr><tr><td valign="top">Sybase (Open TDS)</td><td valign="top">yes (<a href="omlibdbi.html">omlibdbi</a>)</td><td valign="top">no (?)</td></tr><tr><td valign="top">Firebird/Interbase</td><td valign="top">yes (<a href="omlibdbi.html">omlibdbi</a>)</td><td valign="top">no (?)</td></tr><tr><td valign="top">Ingres</td><td valign="top">yes (<a href="omlibdbi.html">omlibdbi</a>)</td><td valign="top">no (?)</td></tr><tr><td valign="top">mSQL</td><td valign="top">yes (<a href="omlibdbi.html">omlibdbi</a>)</td><td valign="top">no (?)</td></tr></tbody> +<tr> +<td valign="top">supported platforms</td> +<td valign="top">Linux, BSD, anecdotical seen on +Solaris</td> +<td valign="top">many popular *nixes</td> +</tr> +<tr> +<td valign="top">DNS cache</td> +<td valign="top">no</td> +<td valign="top">yes</td> +</tr> + + +</tbody> </table> +<p>While the <span style="font-weight: bold;">rsyslog</span> +project was initiated in 2004, it <span style="font-weight: bold;">is +build on the main author's (Rainer Gerhards) 12+ years of +logging experience</span>. Rainer, for example, also +wrote the first <a href="http://www.winsyslog.com/Common/en/News/WinSyslog-1996-03-31.php">Windows +syslog server</a> in early 1996 and invented the <a href="http://www.eventreporter.com/Common/en/News/EvntSLog-1997-03-23.php">eventlog-to-syslog</a> +class of applications in early 1997. He did custom logging development +and consulting even before he wrote these products. 
Rsyslog draws on +that vast experience and sometimes even on the code.</p> <p>Based on a discussion I had, I also wrote about the <b>political argument why it is good to have another strong syslogd besides syslog-ng</b>. You may want to read it at my blog at "<a href="http://rgerhards.blogspot.com/2007/08/why-does-world-need-another-syslogd.html">Why does the world need another syslogd?</a>".</p> -<p>Balabit, the vendor of syslog-ng, has just recently done a feature sheet. I -have not yet been able to fully work through it. In the mean time, you may want -to read it in parallel. It is available at -<a href="http://www.balabit.com/network-security/syslog-ng/features/detailed/"> -Balabit's site</a>.</p> -<p>This document is current as of 2008-02-15 and definitely +<p>Balabit, the vendor of syslog-ng, has just recently done a +feature sheet. I have not yet been able to fully work through it. In +the mean time, you may want to read it in parallel. It is available at +<a href="http://www.balabit.com/network-security/syslog-ng/features/detailed/">Balabit's +site</a>.</p> +<p>This document is current as of 2008-02-28 and definitely incomplete (I did not yet manage to complete it!).</p> -</body></html>
\ No newline at end of file +</body></html> |
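Review bot: In the doc/manual.html hunk the link text now reads "messages to MySQL (and other databases as well)" but the href is still rsyslog_mysql.html. Please confirm that page actually covers the other databases, or add a pointer to omlibdbi.html, which the comparison table in this same commit links for the non-MySQL outputs.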
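Review bot: In the first hunk of doc/rsyslog_ng_comparison.html (@@ -1,15 +1,17 @@) the re-added head line keeps <meta content="de" http-equiv="Content-Language"> although the document is written in English; since the line is being touched anyway, set it to "en". The change to "(that recently changed, see below). So I started this" only re-wraps the text and could be dropped to keep the diff focused on the date bump and the table.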
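Review bot: In the table hunk of doc/rsyslog_ng_comparison.html (@@ -25,319 +27,509 @@) many of the added syslog-ng cells are closed with <td> instead of </td>, for example '<td valign="top">yes<td> </tr>' throughout the Input Sources and Message Filtering rows and in "supports multiple actions per selector/filter condition", which opens an extra empty cell in each of those rows. The row structure is also broken in four places: the "UNIX domain socket" and "Filtering for syslog facility and priority" cells follow a </tr> with no opening <tr>, the Extensibility section has an empty '<tr> </tr>' followed by the "Support for third-party output plugins" cells outside any row, and Other Features starts with a doubled '<tr> <tr>'. Please fix these and run the file through an HTML validator before merging; while there, correct "arbritrary", "independant" and "is build on" in the added text.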