
I am a bit confused about syslog, rsyslog and syslog-ng.

From where can I get the source code for syslog()?

Is there any difference between rsyslog and rsyslogd?

peterh
StackUser
  • rsyslogd with the D letter is the rsyslogd daemon – c4f4t0r May 15 '15 at 14:32
  • For completeness' sake, I will add one difference I found that may or may not impact you. syslog-ng uses fopen whereas rsyslog uses fappend. This matters if you `chattr +a` your syslog files. Most people don't do this, I just had a special use-case and that is how I found out. I just made a lot of people cringe. – Aaron Jun 26 '17 at 13:38

4 Answers


Basically, they are all the same, in the way they all permit the logging of data from different types of systems in a central repository.

But they are three different projects, each project trying to improve on the previous one with more reliability and functionality.

The Syslog project was the very first project. It started in 1980. It is the root project of the Syslog protocol. At that time Syslog was a very simple protocol. At the beginning it only supported UDP for transport, so it did not guarantee the delivery of the messages.

Next came syslog-ng in 1998. It extends basic syslog protocol with new features like:

  • content-based filtering
  • Logging directly into a database
  • TCP for transport
  • TLS encryption

Next came Rsyslog in 2004. It extends syslog protocol with new features like:

  • RELP Protocol support
  • Buffered operation support

Let's say that today they are three concurrent projects that have grown separately over versions, but have also grown in parallel with regard to what the neighbors were doing.

I personally think that today syslog-ng is the reference in most cases, as it is the most mature project offering the main features you may need, in addition to an easy and comprehensive setup and configuration.

Anthony Geoghegan
krisFR

These are 3 different kinds of log managers: they enable your system to collect, filter, and transmit/store logs.

  • Syslog (daemon also named sysklogd) is the default LM in common Linux distributions. Light but not very flexible: you can redirect log flows sorted by facility and severity to files and over the network (TCP, UDP).
  • rsyslog is an "advanced" version of sysklogd where the config file remains the same (you can copy a syslog.conf file directly into rsyslog.conf and it works); but you have a lot of new cool stuff coming with it:

    • You can listen to TCP/UDP/... connections, with restrictions (ports, Source IPs)
    • You can load a lot of modules
    • You can discriminate the log filtering by program, source, message, pid etc. (for instance, each message tagged with the message "connection closed" goes to the file closed.log)
    • You can discard messages after one or more rules. Visit http://www.rsyslog.com which is very good indeed
  • Syslog-ng is "Next-Gen". I think it's the best way to manage logs: everything is an object (source, destination, filter, and the forwarding rule itself) and the syntax is clear. I doubt that rsyslog and syslog-ng are different in terms of functionality.

moutonjr
  • I would argue that both syslog-ng and rsyslog are 'next gen', or at least the newer replacement for the older syslog. Both are comparable in terms of features, but the syntax for both is very different. syslog-ng has its own unique syntax, while rsyslog's syntax is more like the older syslog syntax. – Stefan Lasiewski May 15 '15 at 15:44
    And then there's `journalctl`/`journald` – Mausy5043 Jul 16 '16 at 12:18

From where can I get the source code for syslog()?

This is provided by glibc or the libc implementations on other Unix flavors. This call basically submits your message to the syslog Unix domain socket /dev/log. This socket is normally created by the system logger (e.g. rsyslog, syslog-ng, nxlog, etc.).

b0ti
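To make the two points above concrete (the facility/severity pair that the daemons filter on, and the bare line that libc's syslog(3) hands to the /dev/log socket), here is an added example that is not from any of the answers or from the glibc/rsyslog/syslog-ng projects. It builds and parses BSD-style syslog lines in plain Python and only tries the real /dev/log socket if one exists; the tag "sshd", the pid and the timestamps are constructed sample values.

```python
import socket
from datetime import datetime

# Facility and severity codes as used by syslog(3) and the daemons' filters.
# The PRI at the start of every message is facility * 8 + severity.
FACILITIES = {"kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4,
              "syslog": 5, "local0": 16, "local7": 23}
SEVERITIES = {"emerg": 0, "alert": 1, "crit": 2, "err": 3, "warning": 4,
              "notice": 5, "info": 6, "debug": 7}


def encode_pri(facility: str, severity: str) -> int:
    return FACILITIES[facility] * 8 + SEVERITIES[severity]


def decode_pri(pri: int) -> tuple:
    """Split a PRI back into (facility, severity); unknown facilities stay numeric."""
    fac_names = {v: k for k, v in FACILITIES.items()}
    sev_names = {v: k for k, v in SEVERITIES.items()}
    return fac_names.get(pri // 8, str(pri // 8)), sev_names[pri % 8]


def build_message(facility: str, severity: str, tag: str, text: str,
                  pid: int, ts: datetime) -> bytes:
    """Build the line libc writes to /dev/log: <PRI>timestamp tag[pid]: text.
    No hostname: the local daemon adds it when it stores or forwards the line."""
    stamp = "%s %2d %s" % (ts.strftime("%b"), ts.day, ts.strftime("%H:%M:%S"))
    return ("<%d>%s %s[%d]: %s" % (encode_pri(facility, severity), stamp,
                                   tag, pid, text)).encode()


def parse_pri(line: bytes) -> tuple:
    """Peel the <PRI> off a received line, as a daemon does before applying
    facility/severity rules; rejects malformed or out-of-range values."""
    if not line.startswith(b"<") or b">" not in line[:5]:
        raise ValueError("missing PRI")
    end = line.index(b">")
    pri = int(line[1:end])
    if not 0 <= pri <= 191:
        raise ValueError("PRI out of range")
    fac, sev = decode_pri(pri)
    return fac, sev, line[end + 1:]


def send_local(message: bytes, path: str = "/dev/log") -> bool:
    """Deliver to the logger's Unix datagram socket; False if no daemon listens."""
    sock = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
    try:
        sock.sendto(message, path)
        return True
    except OSError:
        return False
    finally:
        sock.close()
```

Run `send_local(build_message("auth", "info", "sshd", "connection closed", 1234, datetime.now()))` on a box with rsyslog or syslog-ng and the line shows up in the auth log with the host name prepended by the daemon.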

They're all syslog daemons, where rsyslog and syslog-ng are faster and more feature-rich replacements for the (mostly unmaintained) traditional syslogd. syslog-ng started from scratch (with a different config format) while rsyslog was originally a fork of syslogd, supporting and extending its syntax. In recent years, rsyslog started supporting a newer config format as well. By now, it's really hard to compare the two without getting into the very specifics and starting flame wars.

Syslog in general is quite confusing as it can be multiple things. I had a shot at disambiguating here: https://sematext.com/blog/2017/01/30/what-is-syslog-daemons-message-formats-and-protocols/