From 8860335f57904501bfd72c1c5b65b0c83c7d1c1e Mon Sep 17 00:00:00 2001
From: Rainer Gerhards
Date: Thu, 28 Feb 2008 09:31:46 +0000
Subject: worked a bit on the rsyslog/syslog-ng comparison - slowly gets in
better shape ;)
---
doc/manual.html | 2 +-
doc/rsyslog_ng_comparison.html | 514 ++++++++++++++++++++++++++++-------------
2 files changed, 354 insertions(+), 162 deletions(-)
diff --git a/doc/manual.html b/doc/manual.html
index 80358f39..46bfd958 100644
--- a/doc/manual.html
+++ b/doc/manual.html
@@ -60,7 +60,7 @@ modules
ssl-encrypting
syslog with stunnel
writing syslog
-messages to MySQL
+messages to MySQL (and other databases as well)
writing
massive amounts of syslog messages to a database
using
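Review bot: The new link text "messages to MySQL (and other databases as well)" does not say which databases are meant. The comparison page changed in this same commit names the outputs (ommysql, ompgsql, omlibdbi), so consider naming them in the link text as well, so that a reader can tell before following the link whether their database is covered.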
diff --git a/doc/rsyslog_ng_comparison.html b/doc/rsyslog_ng_comparison.html
index 07ceb09d..6a9d9bd8 100644
--- a/doc/rsyslog_ng_comparison.html
+++ b/doc/rsyslog_ng_comparison.html
@@ -1,15 +1,17 @@
-rsyslog vs. syslog-ng - a comparison
+rsyslog vs. syslog-ng - a comparison
+
+
rsyslog vs. syslog-ng
Written by Rainer Gerhards
-(2008-02-15)
+(2008-02-28)
We have often been asked about a comparison sheet between
rsyslog and syslog-ng. Unfortunately, I do not know much about
syslog-ng, I did not even use it once. Also, there seems to be no
-comprehensive feature sheet available for syslog-ng (that recently changed, see
-below). So I started this
+comprehensive feature sheet available for syslog-ng (that recently
+changed, see below). So I started this
comparison, but it probably is not complete. For sure, I miss some
syslog-ng features. This is not an attempt to let rsyslog shine more
than it should. I just used the rsyslog
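Review bot: The date bumped here to "(2008-02-28)" is repeated in the closing "This document is current as of 2008-02-28" sentence at the end of the file, so two strings have to be kept in step on every edit; keeping the date in one place would stop them drifting apart. The re-wrapped sentence also still says "there seems to be no comprehensive feature sheet available for syslog-ng" and then takes it back in the parenthesis. Since the line is being touched anyway, a plain statement that a vendor feature sheet now exists would read better, and keeping pure re-wraps out of content commits would make the diff easier to review.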
@@ -25,319 +27,509 @@ comparison sheet, so please don't be shy ;)
rsyslog |
syslog-ng |
+
+
-support for on-demand on-disk
-spooling of messages |
+ Input Sources
|
+
+UNIX domain socket |
yes |
-paid edition only |
+yes |
|
-ability to configure backup
-syslog/database servers |
+UDP |
yes |
-no |
+yes |
|
-ability to generate file names and
-directories (log targets) dynamically |
-yes |
+TCP |
yes |
+yes |
|
-control of log output format,
-including ability to present channel and priority as visible log data |
+RFC 3195/BEEP |
+yes (needs separate build process) |
+no |
+ |
+
+kernel log |
yes |
-not sure... |
+yes |
|
-good timestamp format control; at a
-minimum, ISO 8601/RFC 3339 second-resolution UTC zone |
+file |
yes |
-? (I guess so) |
+yes |
|
-ability to reformat message
-contents and work with substrings |
+mark message generator as an optional input |
yes |
-I think yes |
+no (?) |
|
-support for log files larger than
-2gb |
+Windows Event Log |
+via EventReporter
+or MonitorWare Agent
+(both commercial software) |
+via separate Windows agent, paid edition only |
+
+
+
+
+ Network (Protocol) Support
|
+
+
+support for (plain) tcp based syslog |
yes |
yes |
-support for log file size limitation
-and automatic rollover command execution |
+support for GSS-API |
+yes |
+no (?) |
+
+
+ability to limit the allowed
+network senders (syslog ACLs) |
yes |
yes (?) |
-support for running multiple
-syslogd instances on a single machine |
+support for syslog-transport-tls
+based framing on syslog/tcp connections |
yes |
-? (but I think yes) |
+no (?) |
-ability to filter on any part of
-the message, not just facility and severity |
+udp syslog |
yes |
yes |
-ability to use regular expressions
-in filters |
+on the wire (zlib) message
+compression |
yes |
+no (?) |
+
+
+support for receiving messages via
+reliable RFC
+3195 delivery |
yes |
+no |
-support for discarding messages
-based on filters |
+support for ssl-protected
+syslog |
+via
+stunnel |
+via stunnel
+paid edition natively |
+
+
+support for IETF's new
+syslog-protocol draft |
yes |
-? |
+no |
-ability to execute shell scripts on
-received messages |
+support for IPv6 |
yes |
yes |
-ability to pipe messages to a
-continously running program |
-no |
+native ability to send SNMP traps |
yes |
+? |
-powerful BSD-style hostname and
-program name blocks for easy multi-host support |
+ability to preserve the original
+hostname in NAT environments and relay chains |
+yes |
yes |
-no |
+
+
-massively multi-threaded for
-tomorrow's multi-core machines |
+ Message Filtering
|
+
+Filtering for syslog facility and priority |
yes |
-no (only multithreaded with database destinations) |
+yes |
|
-ability to control repeated line
-reduction ("last message repeated n times") on a per selector-line basis |
+Filtering for hostname |
yes |
-yes (?) |
+yes |
|
-ability to include config file from
-within other config files |
+Filtering for application |
yes |
-no |
+yes |
|
-ability to include all config files
-existing in a specific directory |
-yes |
-no |
+Filtering for message contents |
+yes |
+yes |
|
-supports multiple actions per
-selector/filter condition |
+Filtering for sending IP address |
yes |
-? |
+yes |
|
-plug-in interface |
+ability to filter on any other message
+field not mentioned above
+(including substrings and the like) |
yes |
no |
-Windows Event Log gatherer |
-via EventReporter
-or MonitorWare Agent
-(both commercial software) |
-via Windows agent, paid edition only |
+support for complex filters, using full boolean algebra
+with and/or/not operators and parenthesis |
+yes |
+yes |
-config file format |
-compatible to legacy syslogd but
-ugly |
-clean but not backwards compatible |
+Support for reusable filters: specify a filter once and
+use it in multiple selector lines |
+no |
+yes |
-web interface |
-phpLogCon
-[also works with
-php-syslog-ng] |
-
-php-syslog-ng |
+support for arbritrary complex arithmetic and string
+expressions inside filters |
+yes |
+no |
-using text files as input source |
+ability to use regular expressions
+in filters |
+yes |
yes |
+
+
+support for discarding messages
+based on filters |
yes |
+yes |
+ |
+
+powerful BSD-style hostname and
+program name blocks for easy multi-host support |
+yes |
+no |
+
+
+ |
+ |
+ |
-rate-limiting output actions |
-yes |
+ Supported Database Outputs
|
+
+
+MySQL |
+yes
+(native ommysql, omlibdbi) |
+yes (via libdibi) |
+
+
+PostgreSQL |
+yes (native ompgsql, omlibdbi) |
+yes (via libdibi) |
+
+
+Oracle |
+yes (omlibdbi) |
+yes (via libdibi) |
+
+
+SQLite |
+yes (omlibdbi) |
+yes (via libdibi) |
+
+
+Microsoft SQL (Open TDS) |
+yes (omlibdbi) |
+no (?) |
+
+
+Sybase (Open TDS) |
+yes (omlibdbi) |
+no (?) |
+
+
+Firebird/Interbase |
+yes (omlibdbi) |
+no (?) |
+
+
+Ingres |
+yes (omlibdbi) |
+no (?) |
+
+
+mSQL |
+yes (omlibdbi) |
+no (?) |
+
+
+
+
+ Enterprise Features
|
+
+
+support for on-demand on-disk
+spooling of messages |
yes |
+paid edition only |
-discard low-priority messages under
-system stress |
+ability to limit disk space used
+by spool files |
+yes |
yes |
-no (?) |
-flow control
-(slow down message reception when system is busy) |
-limited (TCP
-Window, delay on queue full) |
-yes (limited,
-too? "stops accepting messages") |
+each action can use its own, independant
+set of spool files |
+yes |
+no |
-rewriting messages |
+different sets of spool files can
+be placed on different disk |
yes |
-yes (at least I think so...) |
+no |
-output data into various formats |
+ability to configure backup
+syslog/database servers |
yes |
-yes (looks somewhat limited to me) |
+no |
-ability to control "message
-repeated n times" generation |
+Professional Support |
+yes |
+yes |
+
+
+
+
+ Config File
|
+
+
+config file format |
+compatible to legacy syslogd but
+ugly |
+clean but not backwards compatible |
+
+
+ability to include config file from
+within other config files |
yes |
-no (?) |
+no |
-license |
-GPLv3 (GPLv2 for v2 branch) |
-GPL (paid edition is closed source) |
+ability to
+include all config files
+existing in a specific directory |
+yes |
+no |
+
+
+
-supported platforms |
-Linux, BSD, anecdotical seen on
-Solaris |
-many popular *nixes |
+ Extensibility
|
-DNS cache |
+Functionality split in separately loadable
+modules |
+yes |
+no |
+
+
+Support for third-party input plugins |
+yes |
no |
+
+
+
+Support for third-party output plugins |
yes |
+no |
-Professional Support | yes | yes |
-
-Network (Protocol) Support
- |
- |
- |
-
+
-support for (plain) tcp based syslog |
+ Other Features
|
+
+
+
+ability to generate file names and
+directories (log targets) dynamically |
yes |
yes |
-support for GSS-API |
+control of log output format,
+including ability to present channel and priority as visible log data |
yes |
-no (?) |
+not sure... |
-ability to limit the allowed
-network senders (syslog ACLs) |
+good timestamp format control; at a
+minimum, ISO 8601/RFC 3339 second-resolution UTC zone |
+yes |
yes |
-yes (?) |
-support for syslog-transport-tls
-based framing on syslog/tcp connections |
+ability to reformat message
+contents and work with substrings |
yes |
-no (?) |
+I think yes |
-udp syslog |
+support for log files larger than
+2gb |
yes |
yes |
-
-on the wire (zlib) message
-compression |
+support for log file size
+limitation
+and automatic rollover command execution |
+yes |
yes |
-no (?) |
-support for receiving messages via
-reliable RFC
-3195 delivery |
+support for running multiple
+syslogd instances on a single machine |
yes |
+? (but I think yes) |
+
+
+ability to execute shell scripts on
+received messages |
+yes |
+yes |
+
+
+ability to pipe messages to a
+continously running program |
no |
+yes |
-support for ssl-protected
-syslog |
-via
-stunnel |
-via stunnel
-paid edition natively |
+massively multi-threaded for
+tomorrow's multi-core machines |
+yes |
+no (only multithreaded with
+database destinations) |
-support for IETF's new
-syslog-protocol draft |
+ability to control repeated line
+reduction ("last message repeated n times") on a per selector-line basis |
yes |
-no |
+yes (?) |
-support for IPv6 |
+supports multiple actions per
+selector/filter condition |
+yes |
+yes |
+ |
+
+web interface |
+phpLogCon
+[also works with
+php-syslog-ng] |
+
+php-syslog-ng |
+
+
+using text files as input source |
yes |
yes |
-native ability to send SNMP traps |
+rate-limiting output actions |
+yes |
yes |
-? |
-ability to preserve the original
-hostname in NAT environments and relay chains |
+discard low-priority messages under
+system stress |
yes |
+no (?) |
+
+
+flow control
+(slow down message reception when system is busy) |
+limited (TCP
+Window, delay on queue full) |
+yes (limited,
+too? "stops accepting messages") |
+
+
+rewriting messages |
yes |
+yes (at least I think so...) |
-
-Supported Database Outputs
- |
- |
- |
+output data into various formats |
+yes |
+yes (looks somewhat limited to me) |
-
-MySQL |
-yes (native ommysql, omlibdbi) |
-yes (via libdibi) |
+ability to control "message
+repeated n times" generation |
+yes |
+no (?) |
-PostgreSQL |
-yes (native ompgsql, omlibdbi) |
-yes (via libdibi) |
+license |
+GPLv3 (GPLv2 for v2 branch) |
+GPL (paid edition is closed source) |
-Oracle | yes (omlibdbi) | yes (via libdibi) |
SQLite | yes (omlibdbi) | yes (via libdibi) |
Microsoft SQL (Open TDS) | yes (omlibdbi) | no (?) |
Sybase (Open TDS) | yes (omlibdbi) | no (?) |
Firebird/Interbase | yes (omlibdbi) | no (?) |
Ingres | yes (omlibdbi) | no (?) |
mSQL | yes (omlibdbi) | no (?) |
+
+supported platforms |
+Linux, BSD, anecdotical seen on
+Solaris |
+many popular *nixes |
+
+
+DNS cache |
+no |
+yes |
+
+
+
+
+While the rsyslog
+project was initiated in 2004, it is
+build on the main author's (Rainer Gerhards) 12+ years of
+logging experience. Rainer, for example, also
+wrote the first Windows
+syslog server in early 1996 and invented the eventlog-to-syslog
+class of applications in early 1997. He did custom logging development
+and consulting even before he wrote these products. Rsyslog draws on
+that vast experience and sometimes even on the code.
Based on a discussion I had, I also wrote about the political
argument why it is good to have another strong syslogd besides syslog-ng.
You may want to read it at my blog at "Why
does the world need another syslogd?".
-Balabit, the vendor of syslog-ng, has just recently done a feature sheet. I
-have not yet been able to fully work through it. In the mean time, you may want
-to read it in parallel. It is available at
-
-Balabit's site.
-This document is current as of 2008-02-15 and definitely
+
Balabit, the vendor of syslog-ng, has just recently done a
+feature sheet. I have not yet been able to fully work through it. In
+the mean time, you may want to read it in parallel. It is available at
+Balabit's
+site.
+This document is current as of 2008-02-28 and definitely
incomplete (I did not yet manage to complete it!).
-
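Review bot: In the "Supported Database Outputs" rows added here, the syslog-ng column reads "yes (via libdibi)" for MySQL, PostgreSQL, Oracle and SQLite; the library is libdbi, as the rsyslog column's "omlibdbi" already spells it, so fix the spelling while these rows are being rewritten. The new "file" row under Input Sources duplicates "using text files as input source" further down in Other Features; drop one of them. In the network section, "support for syslog-transport-tls based framing on syslog/tcp connections" is "yes" while "support for ssl-protected syslog" is "via stunnel", and a reader scanning for encrypted transport can take the first row to mean native TLS, so say in that row that it covers framing only. Several added lines carry typos ("arbritrary", "independant", "continously", "it is build on"). Many syslog-ng cells are still "no (?)" or "yes (?)"; a one-line legend stating what "(?)" means would tell readers which entries are unverified.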