Written by Rainer Gerhards (2008-01-29)
We have often been asked about a comparison sheet between rsyslog and syslog-ng. Unfortunately, I do not know much about syslog-ng, I did not even use it once. Also, there seems to be no comprehensive feature sheet available for syslog-ng. So I started this comparison, but it probably is not complete. For sure, I miss some syslog-ng features. This is not an attempt to let rsyslog shine more than it should. I just used the rsyslog feature sheet as a starting point, simply because it was available. If you would like to add anything to the chart, or correct it, please simply drop me a line. I would love to see a real honest and up-to-date comparison sheet, so please don't be shy ;)
Feature | rsyslog | syslog-ng |
native support for writing to MySQL databases | yes | paid edition only |
native support for writing to Postgres databases | yes | paid edition only |
support for (plain) tcp based syslog | yes | yes |
support for sending and receiving compressed syslog messages | yes | I think "no" |
support for on-demand on-disk spooling of messages | yes | paid edition only |
ability to configure backup syslog/database servers | yes | no |
support for receiving messages via reliable RFC 3195 delivery | yes | no |
ability to generate file names and directories (log targets) dynamically | yes | yes |
control of log output format, including ability to present channel and priority as visible log data | yes | not sure... |
good timestamp format control; at a minimum, ISO 8601/RFC 3339 second-resolution UTC zone | yes | ? (I guess so) |
ability to reformat message contents and work with substrings | yes | I think yes |
support for log files larger than 2 GB | yes | yes |
support for file size limitation and automatic rollover command execution | yes | yes (?) |
support for running multiple rsyslogd instances on a single machine | yes | ? (but I think yes) |
support for ssl-protected syslog | via stunnel | via stunnel; paid edition natively |
ability to filter on any part of the message, not just facility and severity | yes | yes |
ability to use regular expressions in filters | yes | yes |
support for discarding messages based on filters | yes | ? |
ability to execute shell scripts on received messages | yes | yes |
ability to pipe messages to a continuously running program | no | yes |
ability to preserve the original hostname in NAT environments and relay chains | yes | yes (think so) |
ability to limit the allowed network senders (syslog ACLs) | yes | yes (?) |
powerful BSD-style hostname and program name blocks for easy multi-host support | yes | no |
massively multi-threaded for tomorrow's multi-core machines | yes | ? |
support for IETF's new syslog-protocol draft | yes | no |
support for syslog-transport-tls based framing on syslog/tcp connections | yes | no (?) |
support for IPv6 | yes | yes |
ability to control repeated line reduction ("last message repeated n times") on a per selector-line basis | yes | yes (?) |
ability to include config file from within other config files | yes | no (?) |
ability to include all config files existing in a specific directory | yes | no (?) |
supports multiple actions per selector/filter condition | yes | ? |
plug-in interface | yes | no (?) |
Windows Event Log gatherer | via EventReporter or MonitorWare Agent (both commercial software) | via Windows agent, paid edition only |
config file format | compatible with legacy syslogd but ugly | clean but not backwards compatible |
support for GSS-API | yes | ? |
web interface | phpLogCon [also works with php-syslog-ng] | php-syslog-ng |
using text files as input source | no | yes |
native support for Oracle databases | no | paid edition only |
native support for SQLite databases | no | paid edition only |
rate-limiting output actions | yes | yes |
discard low-priority messages under system stress | yes | ? |
flow control (slow down message reception when system is busy) | limited (TCP Window, delay on queue full) | yes (limited, too? "stops accepting messages") |
rewriting messages | yes | yes (at least I think so...) |
output data into various formats | yes | yes (looks somewhat limited to me) |
ability to control "message repeated n times" generation | yes | no (?) |
on the wire (zlib) message compression | yes | no (?) |
license | GPLv3 (GPLv2 for v2 branch) | GPL (paid edition is closed source) |
supported platforms | Linux, anecdotally seen on Solaris | many popular *nixes |
DNS cache | no | yes |
? (probably many I do not know of...) | no | yes |
Based on a discussion I had, I also wrote about the political argument why it is good to have another strong syslogd besides syslog-ng. You may want to read it at my blog at "Why does the world need another syslogd?".
This document is current as of 2008-02-11 and definitely incomplete (I did not yet manage to complete it!).