From e1e6ef71f4572de404d63a53f43c53c1b2b56803 Mon Sep 17 00:00:00 2001 From: Rainer Gerhards Date: Mon, 9 Jan 2012 18:44:05 +0100 Subject: finally cleaning up the syslog-ng rsyslog comparison this page should be removed from the doc set over time -- it really does not belong here. --- doc/rsyslog_ng_comparison.html | 235 +++++++++++++++++++++-------------------- 1 file changed, 123 insertions(+), 112 deletions(-) diff --git a/doc/rsyslog_ng_comparison.html b/doc/rsyslog_ng_comparison.html index 7d12a4a7..44c895f7 100644 --- a/doc/rsyslog_ng_comparison.html +++ b/doc/rsyslog_ng_comparison.html @@ -4,24 +4,45 @@ back

rsyslog vs. syslog-ng

Written by Rainer Gerhards -(2008-05-06)

-

Warning: this comparison is a little outdated, take it with a grain -of salt and be sure to check the links at the bottom (both syslog-ng as well as -rsyslog features are missing, but our priority is on creating great software not -continously updating this comparison ;)). -

We have often been asked about a comparison sheet between -rsyslog and syslog-ng. Unfortunately, I do not know much about -syslog-ng, I did not even use it once. Also, there seems to be no -comprehensive feature sheet available for syslog-ng (that recently -changed, see below). So I started this -comparison, but it probably is not complete. For sure, I miss some -syslog-ng features. This is not an attempt to let rsyslog shine more -than it should. I just used the rsyslog -feature sheet as a starting point, simply because it was -available. If you would like to add anything to the chart, or correct -it, please simply drop -me a line. I would love to see a real honest and up-to-date -comparison sheet, so please don't be shy ;)

+(2008-05-06), slightly updated 2012-01-09

+

This comparison page is rooted nearly 5 years in the past and has become severely +outdated since then. It was unmaintained for several years and contained false +information on both syslog-ng and rsyslog as technology had advanced so much. +

This page was initially written because so many people asked about a comparison when +rsyslog was in its infancy. So I tried to create one, but it was hard to maintain as both +projects grew and added feature after feature. I have to admit we did not try hard to keep +it current -- there were many other priorities. I even had forgetten about this page, when I +saw that Peter Czanik blogged about its +incorrectness (it must be noted +that Peter is wrong on RELP -- it is well alive). I now remember +that he asked me some time ago about this page, what I somehow lost... I guess he must have been +rather grumpy about that :-( +

Visiting this page after so many years is interesting, because it shows how much has changed since then. +Obviously, one of my main goals in regard to syslog-ng is reached: in 2007, I blogged that +the +world needs another syslogd in order to have healthy competition and a greate feature +set in the free editions. In my opinion, the timeline clearly tells that rsyslog's competition +has driven more syslog-ng features from the commercial to the free edition. Also, I found +it interesting to see that syslog-ng has adapted rsyslog's licensing scheme, modular design and +multi-threadedness. On the other hand, the Balabit folks have obviously done a quicker and +better move on log normalization with what they call patterndb (it is very roughly equivalent +to what rsyslog has just recently introduced with the help of liblognorm). + +

To that account, I think the projects are closer together than 5 years ago. I should now +go ahead and create a new feature comparison. Given previous experience, I think this does not +work out. In the future, we will probably focus on some top features, as Balabit does. However, +that requires some time and I have to admit I do not like to drop this page that has a lot of +inbound links. So I think I do the useful thing by providing these notes and removing the +syslog-ng information. So it can't be wrong on syslog-ng any more. Note that it still contains +some incorrect information about rsyslog (it's the state it had 5 years ago!). The core idea is +to start with updating the rsyslog feature sheet and from there +on work to a complete comparision. Of course, feel free to read on if you like to get some sense +of history (and inspiration on what you can still do -- but more ;)). +

+Thanks,
+Rainer Gerhards +
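Review bot: The added intro paragraphs contain spelling errors that will appear in the rendered page: "forgetten" should be "forgotten", "a greate feature set" should be "a great feature set", and "comparision" should be "comparison". The closing parenthetical "(and inspiration on what you can still do -- but more ;))" looks like it lost some words and should be reworded, and "what I somehow lost" reads better as "which I somehow lost". The aside that "Peter is wrong on RELP" also states a disagreement without saying what was claimed; a sentence or link on RELP's status would let the reader check it.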

+ @@ -37,50 +58,50 @@ comparison sheet, so please don't be shy ;)

- + - + - + - + - + - + - + - + @@ -89,8 +110,7 @@ optional inputEventReporter or MonitorWare Agent (both commercial software, both fund rsyslog development) - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + @@ -277,47 +296,47 @@ program name blocks for easy multi-host support - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + loadable modules - + - + @@ -417,7 +436,7 @@ plugins - + - + - + - + - + - + - + - + - + - + - - + + - + - + - + @@ -510,24 +528,23 @@ selector/filter condition - + - + - + - + - + - + - + - + - + - + - - + +
UNIX domain socket yesyes
UDP yesyes
TCP yesyes
RELP yesno
RFC 3195/BEEP yes (via im3195)no
kernel log yesyes
file yesyes
mark message generator as an optional input yesno (?)
via separate Windows agent, paid -edition only

@@ -100,83 +120,82 @@ Network (Protocol) Support

support for (plain) tcp based syslog yesyes
support for GSS-API yesno
ability to limit the allowed network senders (syslog ACLs) yesyes (?)
support for syslog-transport-tls based framing on syslog/tcp connections yesno (?)
udp syslog yesyes
syslog over RELP
truly reliable message delivery (Why is plain tcp syslog not reliable?)
yesno
on the wire (zlib) message compression yesno (?)
support for receiving messages via reliable RFC 3195 delivery yesno
support for TLS/SSL-protected syslog natively (since 3.19.0)
via stunnel
via stunnel
-paid edition natively
support for IETF's new syslog-protocol draft yesno
support for IETF's new syslog-transport-tls draft yes
(since 3.19.0 - world's first implementation)
no
support for IPv6 yesyes
native ability to send SNMP traps yesno
ability to preserve the original hostname in NAT environments and relay chains yesyes
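Review bot: Rows in this hunk still read as they did in 2008, for example "IETF's new syslog-protocol draft", "IETF's new syslog-transport-tls draft" and "(since 3.19.0 - world's first implementation)", while the header now says the page was "slightly updated 2012-01-09". Since the new intro admits the rsyslog data is "the state it had 5 years ago", consider adding a dated caption to the table, or rewording these cells, so the protocol and TLS rows are not taken as current.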

@@ -187,81 +206,81 @@ hostname in NAT environments and relay chains
Filtering for syslog facility and priority yesyes
Filtering for hostname yesyes
Filtering for application yesyes
Filtering for message contents yesyes
Filtering for sending IP address yesyes
ability to filter on any other message field not mentioned above (including substrings and the like) yesno
support for complex filters, using full boolean algebra with and/or/not operators and parenthesis yesyes
Support for reusable filters: specify a filter once and use it in multiple selector lines noyes
support for arbritrary complex arithmetic and string expressions inside filters yesno
ability to use regular expressions in filters yesyes
support for discarding messages based on filters yesyes
ability to filter out messages based on sequence of appearing yes (starting with 3.21.3)no
powerful BSD-style hostname and program name blocks for easy multi-host support yesno
MySQL yes (native ommysql, omlibdbi)yes (via libdibi)
PostgreSQL yes (native ompgsql, omlibdbi)yes (via libdibi)
Oracle yes (omlibdbi)yes (via libdibi)
SQLite yes (omlibdbi)yes (via libdibi)
Microsoft SQL (Open TDS) yes (omlibdbi)no (?)
Sybase (Open TDS) yes (omlibdbi)no (?)
Firebird/Interbase yes (omlibdbi)no (?)
Ingres yes (omlibdbi)no (?)
mSQL yes (omlibdbi)no (?)

@@ -328,26 +347,26 @@ program name blocks for easy multi-host support
support for on-demand on-disk spooling of messages yespaid edition only
ability to limit disk space used by spool files yesyes
each action can use its own, independant set of spool files yesno
different sets of spool files can be placed on different disk yesno
ability to process spooled @@ -356,18 +375,18 @@ during off-peak hours, during peak hours they are enqueued only) yes
(can independently be configured for the main queue and each action queue)
no
ability to configure backup syslog/database servers yesno
Professional Support yesyes

@@ -378,20 +397,20 @@ syslog/database servers
config file format compatible to legacy syslogd but uglyclean but not backwards compatible
ability to include config file from within other config files yesno
ability to include all config files existing in a specific directory yesno

@@ -403,13 +422,13 @@ existing in a specific directory
yesno
Support for third-party input plugins yesno
Support for third-party output plugins yesno

@@ -430,79 +449,78 @@ plugins
ability to generate file names and directories (log targets) dynamically yesyes
control of log output format, including ability to present channel and priority as visible log data yesyes
native ability to send mail messages yes (ommail, introduced in 3.17.0)no (only via piped external process)
good timestamp format control; at a minimum, ISO 8601/RFC 3339 second-resolution UTC zone yesyes
ability to reformat message contents and work with substrings yesI think yes
support for log files larger than 2gb yesyes
support for log file size limitation and automatic rollover command execution yesyes
support for running multiple syslogd instances on a single machine yes? (but I think yes)
ability to execute shell scripts on received messagesyes yes
ability to pipe messages to a continously running programnoyes
massively multi-threaded for tomorrow's multi-core machines yesno (only multithreaded with -database destinations)
ability to control repeated line reduction ("last message repeated n times") on a per selector-line basis yesyes (?)
supports multiple actions per selector/filter condition yesyes
phpLogCon
[also works with php-syslog-ng]
-php-syslog-ng
using text files as input source yesyes
rate-limiting output actions yesyes
discard low-priority messages under system stress yesno (?)
flow control @@ -535,40 +552,39 @@ system stress yes (advanced, with multiple ways to slow down inputs depending on individual input capabilities, based on watermarks)yes (limited? -"stops accepting messages")
rewriting messages yesyes (at least I think so...)
output data into various formats yesyes (looks somewhat limited to me)
ability to control "message repeated n times" generation yesno (?)
license GPLv3 (GPLv2 for v2 branch)GPL (paid edition is closed source)
supported platforms Linux, BSD, anecdotical seen on Solaris; compilation and basic testing done on HP UXmany popular *nixes
DNS cachenoyes
@@ -585,11 +601,6 @@ that vast experience and sometimes even on the code.

argument why it is good to have another strong syslogd besides syslog-ng. You may want to read it at my blog at "Why does the world need another syslogd?".

-

Balabit, the vendor of syslog-ng, has just recently done a -feature sheet. I have not yet been able to fully work through it. In -the mean time, you may want to read it in parallel. It is available at -Balabit's -site.

[manual index] [rsyslog.conf] [rsyslog site]
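Review bot: Readers lose their reference for the syslog-ng side once the closing paragraph pointing to Balabit's feature sheet is removed, because the new intro says the syslog-ng information has been taken out of the page as well. Consider keeping a one-line neutral pointer to the vendor's feature list here instead of deleting the paragraph outright. The commit message also says the page "should be removed from the doc set over time", but nothing in the page tells readers that; a short deprecation note near the top would cover it.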

-- cgit v1.2.3