After testing NXLog, rsyslog, syslog-ng, and logstash I’ve chosen syslog-ng open source as my primary logging application. I wanted to try Graylog2 but I couldn’t tell from its practically nonexistent documentation whether or not it would meet my requirements.
The logging application had to meet the following functional requirements:
- Syslog compatible
- A drop-in replacement for the stock version of rsyslog included with CentOS 6.5
- Ability to act as a syslog server
- Ability to forward syslog logs to another server
- Support for encrypted sockets
- Supports user-defined log parsers
- JSON output (formatter)
- Support for Elasticsearch
rsyslog met all of these functional requirements. The others were very close. syslog-ng meets all but the Elasticsearch requirement. I chose it anyway because it best met my non-functional requirements. To me the non-functional requirements weigh as much in my decision as the functional ones. They include critical factors such as the usability of the software.
syslog-ng performed well. My throughput requirements are modest since my servers are measured in the tens. syslog-ng had no trouble keeping up and its memory footprint was small. Start-up was also very quick. It was compatible with SELinux and with my CentOS security configuration.
Installation was easy. The syslog-ng package can be downloaded directly from EPEL via yum. The package is signed. Once installed, I smoke-tested it by starting it immediately and it functioned just as I expected. Its default configuration worked as a drop-in replacement for rsyslog.
Like NXLog, syslog-ng has a nice configuration file syntax. I found it easy to read and understand. Old-style syslog configuration syntax is by comparison inscrutable. syslog-ng’s format uses a clear and explicit pipe-and-filter model that is conceptually easy to grasp. There are inputs, processors such as filters, and outputs. For example, this snippet means: send all system logs (sources_sys) to a central log server (
It also offers a sophisticated log parsing engine with a syntax similar to OSSEC’s.
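To make the pipe-and-filter model concrete, here is a configuration I have written as an added example (it is not the snippet the post refers to, nor the author's own file). It covers the requirements listed above: a local `system()` source, a TLS-encrypted forward to a central server, a JSON-formatted file output, and a user-defined `csv-parser()` that splits a constructed "level;component;text" application message into named fields. The host name `logs.example.com`, the certificate paths, the program name `myapp` and its message format are assumptions for illustration; the syntax assumes syslog-ng 3.5 (the `network()` driver and `$(format-json)` need 3.3 or later, so check the EPEL version you actually installed).

```conf
@version: 3.5

# Input: local syslog socket, kernel messages, and syslog-ng's own messages
source s_sys {
    system();
    internal();
};

# Output 1: forward everything to the central log server over TLS.
# Client certificate plus peer-verify(required-trusted) means both sides
# are authenticated, so a rogue collector cannot silently harvest logs.
destination d_central {
    network("logs.example.com" port(6514)
        transport("tls")
        tls(
            ca-dir("/etc/syslog-ng/ca.d")
            key-file("/etc/syslog-ng/cert.d/client.key")
            cert-file("/etc/syslog-ng/cert.d/client.crt")
            peer-verify(required-trusted)
        )
    );
};

# Output 2: one JSON object per line, using the RFC 5424 field names,
# an ISO timestamp, and any APP.* fields produced by the parser below.
destination d_json {
    file("/var/log/syslog-ng/app.json"
        template("$(format-json --scope rfc5424 --key ISODATE --key APP.*)\n")
    );
};

# Processor: a user-defined parser for a constructed application format
#   "WARN;scheduler;job 42 overran its slot"
# The greedy flag lets the last column keep any further semicolons.
parser p_app {
    csv-parser(
        columns("APP.LEVEL", "APP.COMPONENT", "APP.TEXT")
        delimiters(";")
        flags(escape-none, greedy)
        template("${MESSAGE}")
    );
};

# Filter: only messages from the hypothetical program "myapp"
filter f_app { program("myapp"); };

# Pipelines: source -> (filter -> parser) -> destination
log { source(s_sys); destination(d_central); };
log { source(s_sys); filter(f_app); parser(p_app); destination(d_json); };
```

Before reloading, `syslog-ng --syntax-only` checks the file without touching the running daemon. Note that the TLS destination will refuse to connect until the CA directory contains the server's CA certificate hashed with `openssl x509 -hash`, which is the usual first stumbling block with `ca-dir()`.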
Its documentation is very good. Balabit has produced a nice administration manual that covers the key tasks and explains the complete syntax of each command. For situations not covered in the manual, I have been able to find answers to my questions via the Internet in blogs and forums.
A Note on rsyslog
Why not rsyslog, since it meets all my functional requirements? I spent a lot of time trying to get rsyslog to work. I finally gave up in frustration due to the very poor documentation. I wanted to use rsyslog’s new syntax and its custom parsing ability. Due to the lack of documentation I couldn’t get either to work. In contrast, syslog-ng’s good documentation enabled me to accomplish my tasks quickly. When you are trying to get 30 or so infrastructure applications working, who wants to spend all their time trying to figure out just one of them?
I’ve been using syslog-ng for a couple of months now and it has worked well. I haven’t had any problems with it. If you are looking for a logging application, syslog-ng is worth taking the time to test.