Thursday, June 12, 2008

Fedora 9: Rsyslog - Most Advanced Log Server

Rsyslog is an enhanced syslogd supporting, among other things, MySQL, PostgreSQL, failover log destinations, syslog over TCP, fine-grained output format control, high-precision timestamps, queued operations and the ability to filter on any part of a message. It is largely compatible with stock sysklogd and can be used as a drop-in replacement. Its advanced features make it suitable for enterprise-class, encryption-protected syslog relay chains, while at the same time being very easy to set up for a novice user.

With the Fedora 9 release, the classic syslogd service has been replaced by rsyslogd. The reason is that rsyslog is the most advanced logging daemon available, offering a large number of useful features. Where the old syslog daemon has stood still, rsyslog remains backward compatible with the classic syslog.conf format while extending it with additional directives.

In simple terms, rsyslog makes it easy to collect, store and keep a history of log messages. Messages can come from configured servers and hosts, and also from network devices such as firewalls, switches and Cisco equipment that support remote syslog.

Why is rsyslog the most advanced system log service? Here is a complete list of its features; the "world's firsts" are highlighted in their own section below.

Rsyslog Features

* native support for writing to MySQL databases
* native support for writing to Postgres databases
* direct support for Firebird/Interbase, OpenTDS (MS SQL, Sybase), SQLite, Ingres, Oracle, and mSQL via libdbi, a database abstraction layer (almost as good as native)
* native support for sending mail messages (first seen in 3.17.0)
* support for (plain) tcp based syslog - much better reliability
* support for sending and receiving compressed syslog messages
* support for on-demand on-disk spooling of messages that can not be processed fast enough (a great feature for writing massive amounts of syslog messages to a database)
* support for selectively processing messages only during specific timeframes and spooling them to disk otherwise
* ability to monitor text files and convert their contents into syslog messages (one per line)
* ability to configure backup syslog/database servers - if the primary fails, control is switched to a prioritized list of backups
* support for receiving messages via reliable RFC 3195 delivery (a bit clumsy to build right now...)
* ability to generate file names and directories (log targets) dynamically, based on many different properties
* control of log output format, including ability to present channel and priority as visible log data
* good timestamp format control; at a minimum, ISO 8601/RFC 3339 second-resolution UTC zone
* ability to reformat message contents and work with substrings
* support for log files larger than 2 GB
* support for file size limitation and automatic rollover command execution
* support for running multiple rsyslogd instances on a single machine
* support for TLS-protected syslog (both natively and via stunnel)
* ability to filter on any part of the message, not just facility and severity
* ability to use regular expressions in filters
* support for discarding messages based on filters
* ability to execute shell scripts on received messages
* control of whether the local hostname or the hostname of the origin of the data is shown as the hostname in the output
* ability to preserve the original hostname in NAT environments and relay chains
* ability to limit the allowed network senders
* powerful BSD-style hostname and program name blocks for easy multi-host support
* massively multi-threaded with dynamic work thread pools that start up and shut themselves down on an as-needed basis (great for high log volume on multicore machines)
* very experimental and volatile support for syslog-protocol compliant messages (it is volatile because standardization is currently underway and this is a proof-of-concept implementation to aid this effort)
* world's first implementation of syslog-transport-tls
* sysklogd's klogd functionality is implemented as the imklog input plug-in, so rsyslog is a full replacement for the sysklogd package
* support for IPv6
* ability to control repeated line reduction ("last message repeated n times") on a per selector-line basis
* supports sub-configuration files, which can be automatically read from directories. Includes are specified in the main configuration file
* supports multiple actions per selector/filter condition
* MySQL and Postgres SQL functionality as a dynamically loadable plug-in
* modular design for inputs and outputs - easily extensible via custom plugins
* an easy-to-write plugin interface
* ability to send SNMP trap messages
* support for arbitrary complex boolean, string and arithmetic expressions in message filters

World's First
Rsyslog can claim a number of "world's firsts": features that were implemented for the first time ever in rsyslog. Some of them are still not available anywhere else.

* world's first implementation of IETF I-D syslog-protocol (February 2006, version 1.12.2 and above)
* world's first implementation of dynamic syslog on-the-wire compression (December 2006, version 1.13.0 and above)
* world's first open-source implementation of a disk-queueing syslogd (January 2008, version 3.11.0 and above)
* world's first implementation of IETF I-D syslog-transport-tls (May 2008, version 3.19.0 and above)

Rsyslog Installation

Install the package (if it is not already present), enable it at boot and start the service. Note that the Fedora init script is named rsyslog, so the service name is rsyslog, not rsyslogd:

# yum -y install rsyslog
# chkconfig rsyslog on
# service rsyslog start
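Once the service is running, the configuration is where the features listed above come together. The following /etc/rsyslog.conf is an added example, not part of the original post or of the rsyslog project's own documentation. It uses the legacy directive syntax of rsyslog 3.x and shows a TCP listener restricted to allowed senders, RFC 3339 timestamps that preserve the originating hostname, per-host dynamic file names, a regex filter on the message body, message discarding, and a disk-assisted queue in front of a MySQL output. The network 192.168.10.0/24, the host central.example.com, the paths under /var/log/remote, /var/spool/rsyslog and /etc/pki/rsyslog, and the database credentials are placeholders to adapt. The TLS forwarding block at the end is commented out because it requires rsyslog 3.19 or later built with GnuTLS; check your version with rsyslogd -v before enabling it.

```conf
# /etc/rsyslog.conf -- added example for rsyslog 3.x (legacy directive syntax).
# Not from the original post or the rsyslog project; addresses, paths and the
# database credentials are placeholders to adapt.

#### Inputs ####
# local messages via /dev/log, kernel messages (replaces klogd), plain TCP syslog
$ModLoad imuxsock
$ModLoad imklog
$ModLoad imtcp

# Limit the allowed network senders: anything not in this list is dropped at the
# input. The directive must appear before the listener is started.
$AllowedSender TCP, 127.0.0.1, 192.168.10.0/24
$InputTCPServerRun 514

#### Output format and dynamic file names ####
# RFC 3339 timestamps plus the originating hostname (not the relay's)
$template Rfc3339Fmt,"%TIMESTAMP:::date-rfc3339% %HOSTNAME% %syslogtag%%msg:::drop-last-lf%\n"
$ActionFileDefaultTemplate Rfc3339Fmt

# One file per sending host and program, directories created on demand
$template RemoteFile,"/var/log/remote/%HOSTNAME%/%PROGRAMNAME%.log"
$CreateDirs on

#### Filters ####
# Discard a noisy program entirely ("~" is the discard action)
:programname, isequal, "dhclient" ~

# Regex (POSIX BRE) on the message body: SSH authentication failures get their
# own file so a brute-force run is easy to spot
:msg, regex, "Failed password for .* from [0-9.]*" /var/log/ssh-failures.log

# Messages from remote hosts (local inputs report 127.0.0.1 here) go to the
# per-host files and stop; "&" repeats the previous filter with another action
:fromhost-ip, !isequal, "127.0.0.1" ?RemoteFile
& ~

#### Local log files (classic selector syntax still works) ####
*.info;mail.none;authpriv.none;cron.none    /var/log/messages
authpriv.*                                  /var/log/secure
mail.*                                      -/var/log/maillog
cron.*                                      /var/log/cron
*.emerg                                     *

#### Database output behind a disk-assisted queue ####
# If MySQL is down, messages spool to /var/spool/rsyslog and are replayed when
# it returns; the queue survives a restart and the action retries forever.
$ModLoad ommysql
$WorkDirectory /var/spool/rsyslog
$ActionQueueType LinkedList
$ActionQueueFileName mysqlq
$ActionQueueMaxDiskSpace 1g
$ActionQueueSaveOnShutdown on
$ActionResumeRetryCount -1
*.* :ommysql:127.0.0.1,Syslog,rsyslog,change-me

#### Optional: encrypted relay to a central collector (rsyslog 3.19+, GnuTLS) ####
# Uncomment to forward everything over TLS. The collector must present a
# certificate issued by ca.pem whose subject name matches the permitted peer,
# so a rogue host on the network cannot impersonate it.
#$DefaultNetstreamDriverCAFile /etc/pki/rsyslog/ca.pem
#$DefaultNetstreamDriver gtls
#$ActionSendStreamDriverMode 1
#$ActionSendStreamDriverAuthMode x509/name
#$ActionSendStreamDriverPermittedPeer central.example.com
#*.* @@central.example.com:10514
```

Two points worth checking after editing the file: the queue directives apply only to the single action that follows them, so they must sit directly above the ommysql line, and the "& ~" after the remote-host filter is what keeps remote traffic out of /var/log/messages; drop it and every forwarded message is written twice.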

For further reading, see the Rsyslog project documentation.
