Rsyslog vs. syslog-ng
Every few days I find references to an rsyslog vs. syslog-ng comparison on the rsyslog site, which has not been updated for more than three years. Since it contains some outdated information about syslog-ng (some of which was incorrect at the time of publishing), I want to make some corrections and updates. Here is a short summary.
First on the list is RELP & RFC 3195/BEEP. These are syslog transport protocols and as far as I know, they don’t have any implementation outside of rsyslog. RELP is a protocol exclusive to rsyslog. Their failure has even been acknowledged on recent rsyslog blogs, for example in http://blog.gerhards.net/2011/11/serious-syslog-problems.html
Contrary to the information in the rsyslog comparison table, a mark message generator is also available in syslog-ng. It can be configured using the mark_freq() and the mark_mode() options.
Similarly, using the suppress() option, one can eliminate the same message appearing over and over, instead a “message repeated n times” will appear in the logs.
GSS-API is not supported due to a lack of interest from users. Similarly, until recently we received very few requests for zlib compression so it will be included only in the next release.
Both syslog-ng OSE and syslog-ng PE support encrypted connections. It first appeared in PE, but has also been available in OSE for many years (from version 3.0). Sending SNMP traps is currently a PE only feature, which appeared in the latest feature release.
The new IETF syslog protocol (which became RFC 5424) is supported by syslog-ng, and is even used as the default protocol by our Windows agent.
The message filtering comparison in the table is unclear. So instead of discussing each point, we recommend reading the syslog-ng documentation, which has many examples how to use filtering in syslog-ng: http://www.balabit.com/sites/default/files/documents/syslog-ng-ose-3.3-guides/syslog-ng-ose-v3.3-guide-admin-en.html/index.html-single.html
The database part of the comparison also needs some clarification. As syslog-ng uses libdbi, databases which are supported by libdbi should work. We regularly test MySQL, Microsoft SQL (MSSQL), Oracle, PostgreSQL, SQLite as we found the rest marginal.
Fail-over to another syslog server is supported but database fail-over is not supported by syslog-ng.
Configuration and extensibility has changed considerably in the version 3.X series of syslog-ng, The ability to add another configuration from within an other configuration file is now possible, even a complete directory full of configuration files. Also, syslog-ng is now modular, meaning that most functionality is now split into modules. This yields a smaller footprint and also to third party I/O and processing modules.
Multi-threading is now also available in syslog-ng, making it extremely fast on multicore machines.
These are just some of the features from the comparison table, which already existed by that time or added since 2008. Of course there are many other interesting new features in syslog-ng, worth another blog. For now, please check the following URLs for further reading:
- what’s new in syslog-ng 3.3: http://bazsi.blogs.balabit.com/2011/10/syslog-ng-3-3-1-released/
- a couple of reasons to choose syslog-ng: http://www.balabit.com/user/register/?nid=4415