Will the journal replace syslog?

Will the journal replace syslog? With the initial journal announcement sounding so, how have things evolved 18 months later? A comparison to a well-known journal-like system will be made, and conclusions drawn on how we expect the journal and rsyslog to cooperate and integrate. This presentation covers a part of my LinuxTag 2013 Berlin presentation.

Slide 1: Is systemd journal the end of syslog?
Rainer Gerhards

Slide 2: Does journal replace syslog?
(slide footer: Rainer Gerhards * http://blog.gerhards.net)
- The initial announcement sounded a bit that way, or was at least interpreted by most (including me) in that direction.
- Looking at how things have evolved:
  - There of course is overlap between both systems
  - But there are also (large) regions that do not overlap
- This is not a new situation; there is some history lesson...

Slide 3: Windows Event Log!
- The Windows Event Log is in many ways similar to systemd journal
  - Binary database with rollover and fast access time
  - Uses a simple structured format that captures core metadata items (like timestamps, user IDs, ...)
  - Uses unique identifiers for different types of log messages
  - Files are especially secured by the OS

Slide 4: Event Log History
- Introduced with Windows NT 3.1 in 1993
- Greatly enhanced in 2007, starting with Windows Vista
- Originally single-computer only
- Now provides network functionality
  - EventLog-to-EventLog push and pull subscriptions
  - Can be used to set up log forwarding in the enterprise

Slide 5: So what does history tell us?
- If such a system could totally replace syslog, there should be no syslog on Windows at all, and never have been.
- Well... there are ample applications:
  - WinSyslog (initial version by me, 1996)
  - Kiwi Syslog (Solarwinds)
  - EventReporter (first ever Windows-to-syslog tool, 1997)
  - rsyslog Windows Agent
  - Snare
  - and many more!

Slide 6: Obviously, there must be some need for syslog technology...
- Face it: syslog is the lingua franca of network event logging.
- If you want to process messages from different sources, chances are high you will need it.
- Even if the syslog protocol is not used, you usually need some common denominator
  - e.g. Linux does not understand native Windows EventLog
  - Windows does not understand native journal either
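The "common denominator" point of slide 6 and the "dumb easy to implement" client of slide 7, as an added example that is not part of the presentation and not rsyslog's code: a small routine that flattens a journal-style record, in the field layout `journalctl -o json` emits, into one RFC 5424 syslog line, carrying the non-header journal fields in a structured-data element so nothing is lost on the way to a non-journal receiver. The record is constructed, and the SD-ID `journal@0` is a placeholder, not a registered name.

```python
"""Normalize journal-style structured records into RFC 5424 syslog lines."""
import json
from datetime import datetime, timezone

# Journal fields that map onto RFC 5424 header positions; every other field
# is carried in a structured-data element instead of being dropped.
HEADER_FIELDS = {"PRIORITY", "SYSLOG_FACILITY", "MESSAGE", "_HOSTNAME",
                 "SYSLOG_IDENTIFIER", "_PID", "__REALTIME_TIMESTAMP"}


def sd_escape(value: str) -> str:
    """Escape the three characters RFC 5424 forbids unescaped in a PARAM-VALUE."""
    return value.replace("\\", "\\\\").replace('"', '\\"').replace("]", "\\]")


def journal_to_syslog(record: dict, sd_id: str = "journal@0") -> str:
    """Build one RFC 5424 message from a journal-style field dict.

    `sd_id` is a placeholder SD-ID (assumption); a real deployment would use
    its own enterprise-number-qualified name.
    """
    severity = int(record.get("PRIORITY", 6))         # journal reuses syslog levels
    facility = int(record.get("SYSLOG_FACILITY", 1))  # 1 = user-level
    pri = facility * 8 + severity                     # RFC 5424 PRI calculation
    # __REALTIME_TIMESTAMP is microseconds since the epoch, stored as a string.
    ts = datetime.fromtimestamp(int(record["__REALTIME_TIMESTAMP"]) / 1e6,
                                tz=timezone.utc)
    timestamp = ts.strftime("%Y-%m-%dT%H:%M:%S.%f") + "Z"
    host = record.get("_HOSTNAME", "-")
    app = record.get("SYSLOG_IDENTIFIER", "-")
    pid = record.get("_PID", "-")
    # Remaining fields (unit, UID, ...) become SD-PARAMs, sorted for stable output.
    extras = sorted((k, v) for k, v in record.items() if k not in HEADER_FIELDS)
    params = " ".join(f'{k}="{sd_escape(str(v))}"' for k, v in extras)
    sd = f"[{sd_id} {params}]" if params else "-"
    return f"<{pri}>1 {timestamp} {host} {app} {pid} - {sd} {record.get('MESSAGE', '')}"


# Constructed sample record in journalctl's JSON export layout (not real data).
SAMPLE = json.loads(
    '{"PRIORITY": "3", "SYSLOG_FACILITY": "4", "_HOSTNAME": "web1", '
    '"SYSLOG_IDENTIFIER": "sshd", "_PID": "2471", "_UID": "0", '
    '"_SYSTEMD_UNIT": "sshd.service", "__REALTIME_TIMESTAMP": "1367400000000000", '
    '"MESSAGE": "Failed password for invalid user admin"}'
)

if __name__ == "__main__":
    print(journal_to_syslog(SAMPLE))
```

Facility 4 (auth) and severity 3 (err) give PRI 35, and the unit and UID survive as SD-PARAMs that any RFC 5424 receiver can index.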
Slide 7: A key problem solved by syslog
- You want to integrate all of your systems into a consolidated log
- This either means
  - A common protocol
  - A system that is capable of processing multiple protocols and somehow normalizing them
- Syslog is ubiquitous because a basic client is dumb easy to implement!

Slide 8: Windows as a sender...
- Early days: missing network functionality was a problem; brought up the idea of Event Log forwarding
- Big customers quickly adopted that for integration into their management system
- Today's hot topics:
  - Local filtering and preprocessing
  - Ability to extract and properly express OS objects
  - Support all Windows capabilities
  - Secure protocol choices

Slide 9: Windows as a receiver...
- Windows acts as syslog server
- Messages are written to
  - Local files
  - Windows Event Log (!)
  - Some other processing (like alerting)
- Typical deployment scenario for SOHO
- But some large Windows-only shops also use it for integration of non-Windows sources

Slide 10: Conclusion
- As with Windows, we do NOT expect that the journal will solve all needs
- It will, however, solve some needs, and do so nicely (e.g. notebooks, SOHO environment)
- Syslog will continue to be used, especially for demanding enterprise needs.

Slide 11: Questions?
- Find me on Google+
- http://blog.gerhards.net
- http://www.rsyslog.com
- http://www.adiscon.com