From 8860335f57904501bfd72c1c5b65b0c83c7d1c1e Mon Sep 17 00:00:00 2001 From: Rainer Gerhards Date: Thu, 28 Feb 2008 09:31:46 +0000 Subject: worked a bit on the rsyslog/syslog-ng comparison - slowly gets in better shape ;) --- doc/manual.html | 2 +- doc/rsyslog_ng_comparison.html | 514 ++++++++++++++++++++++++++++------------- 2 files changed, 354 insertions(+), 162 deletions(-) diff --git a/doc/manual.html b/doc/manual.html index 80358f39..46bfd958 100644 --- a/doc/manual.html +++ b/doc/manual.html @@ -60,7 +60,7 @@ modules
  • ssl-encrypting syslog with stunnel
  • writing syslog -messages to MySQL
  • +messages to MySQL (and other databases as well)
  • writing massive amounts of syslog messages to a database
  • using diff --git a/doc/rsyslog_ng_comparison.html b/doc/rsyslog_ng_comparison.html index 07ceb09d..6a9d9bd8 100644 --- a/doc/rsyslog_ng_comparison.html +++ b/doc/rsyslog_ng_comparison.html @@ -1,15 +1,17 @@ -rsyslog vs. syslog-ng - a comparison +rsyslog vs. syslog-ng - a comparison + +

    rsyslog vs. syslog-ng

    Written by Rainer Gerhards -(2008-02-15)

    +(2008-02-28)

    We have often been asked about a comparison sheet between rsyslog and syslog-ng. Unfortunately, I do not know much about syslog-ng, I did not even use it once. Also, there seems to be no -comprehensive feature sheet available for syslog-ng (that recently changed, see -below). So I started this +comprehensive feature sheet available for syslog-ng (that recently +changed, see below). So I started this comparison, but it probably is not complete. For sure, I miss some syslog-ng features. This is not an attempt to let rsyslog shine more than it should. I just used the rsyslog @@ -25,319 +27,509 @@ comparison sheet, so please don't be shy ;)

    rsyslog syslog-ng + + -support for on-demand on-disk -spooling of messages +
    Input Sources
    + +UNIX domain socket yes -paid edition only +yes -ability to configure backup -syslog/database servers +UDP yes -no +yes -ability to generate file names and -directories (log targets) dynamically -yes +TCP yes +yes -control of log output format, -including ability to present channel and priority as visible log data +RFC 3195/BEEP +yes (needs separate build process) +no + + +kernel log yes -not sure... +yes -good timestamp format control; at a -minimum, ISO 8601/RFC 3339 second-resolution UTC zone +file yes -? (I guess so) +yes -ability to reformat message -contents and work with substrings +mark message generator as an optional input yes -I think yes +no (?) -support for log files larger than -2gb +Windows Event Log +via
    EventReporter +or MonitorWare Agent +(both commercial software) +via separate Windows agent, paid edition only + + + + +
    Network (Protocol) Support

    + + +support for (plain) tcp based syslog yes yes -support for log file size limitation -and automatic rollover command execution +support for GSS-API +yes +no (?) + + +ability to limit the allowed +network senders (syslog ACLs) yes yes (?) -support for running multiple -syslogd instances on a single machine +support for syslog-transport-tls +based framing on syslog/tcp connections yes -? (but I think yes) +no (?) -ability to filter on any part of -the message, not just facility and severity +udp syslog yes yes -ability to use regular expressions -in filters +on the wire (zlib) message +compression yes +no (?) + + +support for receiving messages via +reliable RFC +3195 delivery yes +no -support for discarding messages -based on filters +support for ssl-protected +syslog +via +stunnel +via stunnel
    +paid edition natively + + +support for IETF's new +syslog-protocol draft yes -? +no -ability to execute shell scripts on -received messages +support for IPv6 yes yes -ability to pipe messages to a -continously running program -no +native ability to send SNMP traps yes +? -powerful BSD-style hostname and -program name blocks for easy multi-host support +ability to preserve the original +hostname in NAT environments and relay chains +yes yes -no + + -massively multi-threaded for -tomorrow's multi-core machines +
    Message Filtering
    + +Filtering for syslog facility and priority yes -no (only multithreaded with database destinations) +yes -ability to control repeated line -reduction ("last message repeated n times") on a per selector-line basis +Filtering for hostname yes -yes (?) +yes -ability to include config file from -within other config files +Filtering for application yes -no +yes -ability to include all config files -existing in a specific directory -yes -no +Filtering for message contents +yes +yes -supports multiple actions per -selector/filter condition +Filtering for sending IP address yes -? +yes -plug-in interface +ability to filter on any other message +field not mentioned above +(including substrings and the like) yes no -Windows Event Log gatherer -via EventReporter -or MonitorWare Agent -(both commercial software) -via Windows agent, paid edition only +support for complex filters, using full boolean algebra +with and/or/not operators and parenthesis +yes +yes -config file format -compatible to legacy syslogd but -ugly -clean but not backwards compatible +Support for reusable filters: specify a filter once and +use it in multiple selector lines +no +yes -web interface -phpLogCon
    -[also works with -php-syslog-ng] - -php-syslog-ng +support for arbritrary complex arithmetic and string +expressions inside filters +yes +no -using text files as input source +ability to use regular expressions +in filters +yes yes + + +support for discarding messages +based on filters yes +yes + + +powerful BSD-style hostname and +program name blocks for easy multi-host support +yes +no + + + + + -rate-limiting output actions -yes +
    Supported Database Outputs
    + + +MySQL +yes +(native ommysql, omlibdbi) +yes (via libdibi) + + +PostgreSQL +yes (native ompgsql, omlibdbi) +yes (via libdibi) + + +Oracle +yes (omlibdbi) +yes (via libdibi) + + +SQLite +yes (omlibdbi) +yes (via libdibi) + + +Microsoft SQL (Open TDS) +yes (omlibdbi) +no (?) + + +Sybase (Open TDS) +yes (omlibdbi) +no (?) + + +Firebird/Interbase +yes (omlibdbi) +no (?) + + +Ingres +yes (omlibdbi) +no (?) + + +mSQL +yes (omlibdbi) +no (?) + + + + +
    Enterprise Features
    + + +support for on-demand on-disk +spooling of messages yes +paid edition only -discard low-priority messages under -system stress +ability to limit disk space used +by spool files +yes yes -no (?) -flow control -(slow down message reception when system is busy) -limited (TCP -Window, delay on queue full) -yes (limited, -too? "stops accepting messages") +each action can use its own, independant +set of spool files +yes +no -rewriting messages +different sets of spool files can +be placed on different disk yes -yes (at least I think so...) +no -output data into various formats +ability to configure backup +syslog/database servers yes -yes (looks somewhat limited to me) +no -ability to control "message -repeated n times" generation +Professional Support +yes +yes + + + + +
    Config File
    + + +config file format +compatible to legacy syslogd but +ugly +clean but not backwards compatible + + +ability to include config file from +within other config files yes -no (?) +no -license -GPLv3 (GPLv2 for v2 branch) -GPL (paid edition is closed source) +ability to +include all config files +existing in a specific directory +yes +no + + + -supported platforms -Linux, BSD, anecdotical seen on -Solaris -many popular *nixes +
    Extensibility
    -DNS cache +Functionality split in separately loadable +modules +yes +no + + +Support for third-party input plugins +yes no + + + +Support for third-party output plugins yes +no -Professional Supportyesyes -
    -Network (Protocol) Support
    -  -  - + -support for (plain) tcp based syslog +
    Other Features
    + + + +ability to generate file names and +directories (log targets) dynamically yes yes -support for GSS-API +control of log output format, +including ability to present channel and priority as visible log data yes -no (?) +not sure... -ability to limit the allowed -network senders (syslog ACLs) +good timestamp format control; at a +minimum, ISO 8601/RFC 3339 second-resolution UTC zone +yes yes -yes (?) -support for syslog-transport-tls -based framing on syslog/tcp connections +ability to reformat message +contents and work with substrings yes -no (?) +I think yes -udp syslog +support for log files larger than +2gb yes yes - -on the wire (zlib) message -compression +support for log file size +limitation +and automatic rollover command execution +yes yes -no (?) -support for receiving messages via -reliable RFC -3195 delivery +support for running multiple +syslogd instances on a single machine yes +? (but I think yes) + + +ability to execute shell scripts on +received messages +yes +yes + + +ability to pipe messages to a +continously running program no +yes -support for ssl-protected -syslog -via -stunnel -via stunnel
    -paid edition natively +massively multi-threaded for +tomorrow's multi-core machines +yes +no (only multithreaded with +database destinations) -support for IETF's new -syslog-protocol draft +ability to control repeated line +reduction ("last message repeated n times") on a per selector-line basis yes -no +yes (?) -support for IPv6 +supports multiple actions per +selector/filter condition +yes +yes + + +web interface +phpLogCon
    +[also works with +php-syslog-ng] + +php-syslog-ng + + +using text files as input source yes yes -native ability to send SNMP traps +rate-limiting output actions +yes yes -? -ability to preserve the original -hostname in NAT environments and relay chains +discard low-priority messages under +system stress yes +no (?) + + +flow control +(slow down message reception when system is busy) +limited (TCP +Window, delay on queue full) +yes (limited, +too? "stops accepting messages") + + +rewriting messages yes +yes (at least I think so...) -
    -Supported Database Outputs
    - - +output data into various formats +yes +yes (looks somewhat limited to me) - -MySQL -yes (native ommysql, omlibdbi) -yes (via libdibi) +ability to control "message +repeated n times" generation +yes +no (?) -PostgreSQL -yes (native ompgsql, omlibdbi) -yes (via libdibi) +license +GPLv3 (GPLv2 for v2 branch) +GPL (paid edition is closed source) -Oracleyes (omlibdbi)yes (via libdibi)SQLiteyes (omlibdbi)yes (via libdibi)Microsoft SQL (Open TDS)yes (omlibdbi)no (?)Sybase (Open TDS)yes (omlibdbi)no (?)Firebird/Interbaseyes (omlibdbi)no (?)Ingresyes (omlibdbi)no (?)mSQLyes (omlibdbi)no (?) + +supported platforms +Linux, BSD, anecdotical seen on +Solaris +many popular *nixes + + +DNS cache +no +yes + + + + +

    While the rsyslog +project was initiated in 2004, it is +build on the main author's (Rainer Gerhards) 12+ years of +logging experience. Rainer, for example, also +wrote the first Windows +syslog server in early 1996 and invented the eventlog-to-syslog +class of applications in early 1997. He did custom logging development +and consulting even before he wrote these products. Rsyslog draws on +that vast experience and sometimes even on the code.

    Based on a discussion I had, I also wrote about the political argument why it is good to have another strong syslogd besides syslog-ng. You may want to read it at my blog at "Why does the world need another syslogd?".

    -

    Balabit, the vendor of syslog-ng, has just recently done a feature sheet. I -have not yet been able to fully work through it. In the mean time, you may want -to read it in parallel. It is available at - -Balabit's site.

    -

    This document is current as of 2008-02-15 and definitely +

    Balabit, the vendor of syslog-ng, has just recently done a +feature sheet. I have not yet been able to fully work through it. In +the mean time, you may want to read it in parallel. It is available at +Balabit's +site.

    +

    This document is current as of 2008-02-28 and definitely incomplete (I did not yet manage to complete it!).

    - \ No newline at end of file + -- cgit
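Review bot: In the doc/manual.html hunk, the new list text "messages to MySQL (and other databases as well)" does not say which databases are meant. The comparison table touched by this same commit already names them (PostgreSQL via ompgsql, and Oracle, SQLite and the rest via omlibdbi), so the list item could name the output modules or point at that table instead of the open-ended parenthesis.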
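Review bot: In the first doc/rsyslog_ng_comparison.html hunk the date under "Written by Rainer Gerhards" is bumped to 2008-02-28 by hand, and the same date is bumped again at the bottom of the file in "This document is current as of 2008-02-28". Two hand-maintained copies will drift apart on a later edit; keeping the date in one place, or dropping the byline date and relying on the "current as of" sentence, would avoid that.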
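Review bot: Several added rows in the second doc/rsyslog_ng_comparison.html hunk carry spelling errors that should be fixed before this goes in: "arbritrary" (arbitrary) in the Message Filtering section, "independant" (independent) in Enterprise Features, "parenthesis" (parentheses) in the boolean-filter row, "continously" (continuously) in Other Features, and "it is build on" (built on) in the added history paragraph. The syslog-ng column of Supported Database Outputs also says "via libdibi" in every row, which looks like a misspelling of libdbi given that the rsyslog column names omlibdbi. Separately, the regrouped sections keep the "no (?)", "yes (?)" and "?" markers without any key; one sentence above the table saying these mark unverified syslog-ng entries would make rows such as syslog-transport-tls and GSS-API support easier to read correctly.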