syslog-ng
Related pages
Technical features of syslog-ng
The following table provides a detailed list of the features of syslog-ng 3.0.
| syslogd | syslog-ng OSE | syslog-ng PE | |
| Receive log messages from | |||
| UNIX domain socket (stream & dgram) | ✔ | ✔ | ✔ |
| UDP | ✔ | ✔ | ✔ | UDP using the IETF-syslog protocol standard | - | ✔ | ✔ |
| TCP | - | ✔ | ✔ | TCP using the IETF-syslog protocol standard | - | ✔ | ✔ |
| UDP6 | depends on the OS | ✔ | ✔ |
| TCP6 | - | ✔ | ✔ | TLS-encrypted channels | - | ✔ | ✔ | TLS using the IETF-syslog protocol standard | - | ✔ | ✔ |
| Named pipe | - | ✔ | ✔ |
| File | - | ✔ | ✔ | Standard output (stdout) of an application | - | ✔ | ✔ |
| Kernel log device on Linux, Solaris, BSD | klogd | ✔ | ✔ | File with wildcars in its filename or path | - | - | ✔ |
| IBM System i audit journal (QAUDJRN) & operator console journal (QSYSOPR) (via separate agent application) | - | - | ✔ |
| Windows EventLog /log files (via separate agent application) | - | - | ✔ |
| Send log messages to | |||
| UNIX domain sockets (stream & dgram) | - | ✔ | ✔ |
| UDP | ✔ | ✔ | ✔ | UDP using the IETF-syslog protocol standard | - | ✔ | ✔ |
| TCP | - | ✔ | ✔ | TCP using the IETF-syslog protocol standard | - | ✔ | ✔ |
| UDP6 | depends on the OS | ✔ | ✔ |
| TCP6 | - | ✔ | ✔ |
| Named pipe | ✔ | ✔ | ✔ |
| File | ✔ | ✔ | ✔ | Encrypted, compressed, timestamped, and indexed binary file | - | - | ✔ |
| SQL database (MySQL, Microsoft SQL (MSSQL), Oracle, PostgreSQL, SQLite) | - | ✔ | ✔ |
| The standard input of any user-specified program | - | ✔ | ✔ |
| User tty | ✔ | ✔ | ✔ |
| Support for native TLS encryption when using TCP, TCP6, or the IETF-syslog protocol | - | ✔ | ✔ |
| Performance | |||
| Superior performance, on-line collection of about 75000 messages/second (measured with 150-byte-long messages on entry-level server hardware) | - | ✔ | ✔ |
| Message formats | |||
| Support for raw, non-syslog messages | - | ✔ | ✔ |
| Support for RFC3164 message format (BSD) | ✔ | ✔ | ✔ | Support for the IETF-syslog message format | - | ✔ | ✔ |
| Support for extended RFC3339 (a.k.a. ISO 8601) timestamps | - | ✔ | ✔ |
| Support for some non-standard timestamp formats (Cisco PIX, LinkSys, etc.) | - | ✔ | ✔ |
| Support for microsecond time resolution (precision is user adjustable) | - | ✔ | ✔ |
| Support for timezone information | - | ✔ | ✔ |
| Support for detecting invalid hostnames (enables to accept messages from applications that send imperfectly formatted syslog messages) | - | ✔ | ✔ |
| Support for chained hostname format the records the message path through syslog relays | - | ✔ | ✔ |
| Message processing/filtering | |||
| Support for resolving hostnames from DNS | ✔ | ✔ | ✔ |
| Support for resolving hostnames from file (local IP->host mapping) | - | ✔ | ✔ |
| Cached DNS queries to avoid overloading DNS servers and improved performance | - | ✔ | ✔ |
| Support for normalizing hostnames (ensure that hostnames are all lower case) | - | ✔ | ✔ |
| Messages can target multiple, independent destinations (file, sql, multiple remote server, etc.) at the same time | ✔ | ✔ | ✔ |
| The same filtering operation can direct messages to multiple destinations | - | ✔ | ✔ |
| Segment the text of the message into name=value pairs using parsers | - | ✔ | ✔ |
| Use the results of parsing as macros | - | ✔ | ✔ |
| Define default values for macros | - | ✔ | ✔ |
| Rewrite selected parts of the message | - | ✔ | ✔ |
| Set the value of a name=value pair | - | ✔ | ✔ |
| Support for converting timestamps between timezones | - | ✔ | ✔ |
| Support for flow-controlled log paths: accepting messages from the input is suspended while the destination is full, until the destination can accept messages | - | ✔ | ✔ |
| Support for complex filters, using full bool algebra with and/or/not operators and parenthesis | - | ✔ | ✔ |
| Support for reusable filters: specify a filter once and use it in multiple log paths | - | ✔ | ✔ |
| Re-use the results of filtering, parsing, and rewriting to create embedded logpaths | - | ✔ | ✔ |
| Support for combined filters: filters can be combined using boolean operations, embedded into each other, etc. | - | ✔ | ✔ |
| Support for content based filtering using POSIX regular expressions | - | ✔ | ✔ |
| Filtering for syslog facility and priority | ✔ | ✔ | ✔ |
| Filtering for hostname | - | ✔ | ✔ |
| Filtering for application | - | ✔ | ✔ |
| Filtering for message contents | - | ✔ | ✔ |
| Filtering for sending IP address | - | ✔ | ✔ | Filtering for any SD metadata when using the IETF-syslog protocol | - | ✔ | ✔ |
| Support for discarding messages based on a filter | ✔ | ✔ | ✔ |
| Support for limiting the rate of messages sent to a destination | - | ✔ | ✔ |
| Support for a sorting messages to different destinations, all unfiltered messages are collected in a fallback destination | - | ✔ | ✔ |
| Collect per-destination, per-source and global statistics | - | ✔ | ✔ | The statistics can be requested any time using a unix-domain socket | - | ✔ | ✔ |
| Features | |||
| Create files and directories automatically, based on message content | - | ✔ | ✔ |
| Create tables, columns and indexes automatically in SQL databases, based on message content | - | ✔ | ✔ |
| Customizable message format using templates and macros | - | ✔ | ✔ |
| Segment and modify message content | - | ✔ | ✔ |
| Support for automatic log rotation by adding timestamps to logfile and database table names | - | ✔ | ✔ |
| Restart destination programs if they exit | - | ✔ | ✔ |
| Restart source programs if they exit | - | ✔ | ✔ |
| Support for buffering messages to hard disk to avoid losing messages in case the destination becomes unreachable | - | - | ✔ |
| Contents of the disk buffer are persistent and saved across syslog-ng restarts | - | - | ✔ |
| Support for mutual, X.509 based authentication when using TLS | - | ✔ | ✔ |
| Support for network link compression when using TLS | - | ✔ | ✔ |
| Support for log files over 2GB | ✔ | ✔ | ✔ |
| Support for spoofing the source IP address when forwarding messages using UDP | - | ✔ | ✔ |
| Multithreaded when using the SQL destination | - | ✔ | ✔ |
| Support for IPv6 | depends on the OS | ✔ | ✔ |
| Send and receive messages from multicast addresses | - | ✔ | ✔ |
| Timestamps may include fractions of a second | - | ✔ | ✔ |
| Can operate as client, relay, or server | ✔ | ✔ | ✔ |
| Other features | |||
| Portability: supports a wide variety of UNIX platforms (Linux, BSDs, Solaris, HP-UX, AIX) | ✔ | ✔ | ✔ |
| Vivid and helpful community on the mailing list | - | ✔ | ✔ |
| Professional-grade documentation | ✔ | ✔ | ✔ |
| Commercial support available | only from some OS vendors | ✔ | ✔ |
| Proven track record (over 10 years of existence and use) | ✔ | ✔ | ✔ |