I want to implement a modern logging architecture using JSON structured data and Elasticsearch. Ye Olde Syslog is not good enough. The version of rsyslog that comes as default on CentOS is old and lacks the functionality I need. My three candidates for a new logging client are: nxlog, syslog-ng, and rsyslog version 8. This is a review of nxlog community edition on CentOS 6.5.
Despite its many strong points, I do not recommend nxlog. I recommend you use one of the other logging clients instead. Perhaps it is a good choice on Windows but not on CentOS. My reasons are below.
In its favor nxlog has excellent primary documentation. This is a sign of quality software. Developers who write good documentation care about the quality of their software. nxlog also has a nice configuration file format. Here is a snippet to illustrate:
Like most logging applications it uses the pipe and filter style. nxlog’s format, however, is especially clear. The input, output, and routes are explicit and easy to understand. The “filters” are implicit in the Exec statements, which is less desirable; nevertheless, this is the best configuration format I have seen so far. I find it much clearer than even the logstash format.
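For readers who have not seen the format, here is an added example of the input/output/route layout described above. It is not the author's snippet and not the stock /etc/nxlog.conf; the instance names (uds, kernel, messages, local) and the output path are assumptions made for illustration.

```apache
# Added illustration, not from the original post or the nxlog package.
# Run as the unprivileged account the post mentions; the output
# directory below must be writable by that account.
User  nxlog
Group nxlog

# Extensions supply the parse_syslog_bsd() and to_json() procedures.
<Extension syslog>
    Module  xm_syslog
</Extension>

<Extension json>
    Module  xm_json
</Extension>

# Input: local syslog traffic from the /dev/log Unix domain socket.
<Input uds>
    Module  im_uds
    UDS     /dev/log
    # The "filter" lives in Exec: parse the BSD syslog line into fields.
    Exec    parse_syslog_bsd();
</Input>

# Input: kernel messages.
<Input kernel>
    Module  im_kernel
</Input>

# Output: one JSON object per line. The path is a constructed example.
<Output messages>
    Module  om_file
    File    "/var/log/nxlog-example/messages.json"
    # Drop syslog debug (severity 7), then serialise the fields as JSON.
    Exec    if $SyslogSeverityValue == 7 drop();
    Exec    to_json();
</Output>

# Route: which inputs feed which outputs.
<Route local>
    Path    uds, kernel => messages
</Route>
```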
Good documentation and a good configuration language are so rare that I really wanted to like nxlog. Unfortunately, I simply couldn’t get it to work. First, the rpm install failed because of dependency problems. I had to manually install the three missing packages. The nxlog package didn’t handle that simple task. Once I installed the missing dependencies by hand, nxlog installed fine.
Then came the real problem. I opened the default configuration file /etc/nxlog.conf and found that it was completely unusable. Normally, applications provide reasonable defaults so that the software just works. Sometimes you have to edit a line or two in the default configuration if, for example, you have to add a host name. I want software that just works. nxlog doesn’t.
I expected nxlog to function as a drop-in replacement for rsyslog. My intent was to customize it from a working base. Instead, I had to figure out how to re-create an entire CentOS logging setup. I didn’t want to give up right away–well, actually I did but decided to persevere anyway–so I read the documentation and added a few rules to handle kernel messages and “unix” logs. I then restarted it.
First I had permission errors because nxlog runs as user nxlog. OK, easy enough to fix. I set all the permissions on the log files and tried again. I waited a bit and … nothing. I tried to send a log using logger but it just hung. I tried a few more things including sending logs from another host. Still nothing. No logs in the files. I checked the nxlog log itself and saw no errors. When something doesn’t work and you get no errors you don’t have many options. With regret, I chose the uninstall option.
Perhaps I missed something simple? I did read the install documentation and didn’t see anything. The unusable default configuration is a show-stopper so it’s time to give rsyslog 8 and syslog-ng a try…