1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
|
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html><head>
<title>rsyslog history</title></head>
<body>
<h1>RSyslog - History</h1>
<b>Rsyslog is a GPL-ed, enhanced syslogd. Among others, it offers support for
reliable syslog over TCP, writing to
MySQL databases and fully configurable output formats (including great timestamps).</b>
Rsyslog was initiated by <a href="http://www.gerhards.net/rainer">Rainer Gerhards</a>.
If you are interested to learn why Rainer initiated the project, you
may want to read his blog posting on "<a href="http://rgerhards.blogspot.com/2007/08/why-does-world-need-another-syslogd.html">why
the world needs another syslogd</a>".<p>Rsyslog has
been forked in <b>2004</b> from the <a href="http://www.infodrom.org/projects/sysklogd/">sysklogd standard package</a>.
The goal of the
rsyslog project is to provide a feature-richer and reliable
syslog daemon while retaining drop-in replacement capabilities to stock
syslogd. By "reliable", we mean support for reliable transmission
modes like TCP or <a href="http://www.monitorware.com/Common/en/glossary/rfc3195.php">RFC 3195</a>
(syslog-reliable). We do NOT imply that the sysklogd package is unreliable.</p>
<p>The name "rsyslog" stems back to the
planned support for syslog-reliable. Ironically, the initial release
of rsyslog did NEITHER support syslog-reliable NOR tcp based syslog.
Instead, it contained enhanced configurability and other enhancements
(like database support). The reason for this is that full support for
RFC 3195 would require even more changes and especially fundamental
architectural
changes. Also, questions asked on the loganalysis list and at other
places indicated that RFC3195 is NOT a prime priority for users, but
rather better control over the output format. So there we were, with
a rsyslogd that covers a lot of enhancements, but not a single one
of these that made its name ;) Since version 0.9.2, receiving syslog
messages via plain tcp is finally supported, a bit later sending via
TCP, too. Starting with 1.11.0, RFC 3195 is finally supported at the
receiving side (a.k.a. "listener"). Support for sending via RFC 3195 is
still due. Anyhow, rsyslog has come much closer to what it name
promises.</p>
<p>
The database support was initially included so that our web-based syslog
interface could be used. This is another open source project which can be found
under <a href="http://www.phplogcon.org">http://www.phplogcon.org</a>. We highly recommend having a look at
it. It might not work for you if you expect thousands of messages per
second (because your database won't be able to provide adequate performance),
but in many cases it is a very handy analysis and troubleshooting tool.
In the mean time, of course, lots of people have found many applications for
writing to databases, so the prime focus is no longer on phpLogcon.
</p>
<p>Rsyslogd supports an enhanced syslog.conf file format, and also works
with the standard syslog.conf. In theory, it should be possible to simply replace
the syslogd binary with the one that comes with rsyslog. Of course, in order
to use any of the new features, you must re-write your syslog.conf. To learn
how to do this, please review our commented <a href="sample.conf.php">sample.conf</a>
file. It outlines the enhancements over stock syslogd. Discussion has often
arisen of whether having an "old syslogd" logfile format is good or evil. So
far, this has not been solved (but Rainer likes the idea of a new format), so we
need to live with it for the time being. It is planned to be reconsidered in the
3.x release time frame.
</p><p>If you are interested in the <a href="http://en.wikipedia.org/wiki/IHE">IHE</a>
environment, you might be interested to hear that rsyslog supports message with
sizes of 32k and more. This feature has been tested, but by default is turned off
(as it has some memory footprint that we didn't want to put on users not
actually requiring it). Search the file syslogd.c and search for "IHE" - you
will find easy and precise instructions on what you need to change (it's just
one line of code!). Please note that RFC 3195/COOKED supports 1K message sizes
only. It'll probably support longer messages in the future, but it is our
believe that using larger messages with current RFC 3195 is a violation of the
standard.</p><p>In <b>February 2007</b>, 1.13.1 was released and served for quite a
while as a stable reference. Unfortunately, it was not later released as stable,
so the stable build became quite outdated.</p><p>In <b>June 2007</b>, Peter Vrabec from Red Hat helped us to create
RPM files for Fedora as well as supporting IPv6. There also seemed to be some
interest from the Red Hat community. This interest and new ideas resulted in a
very busy time with many great additions.</p><p>In <b>July 2007</b>, Andrew
Pantyukhin added BSD ports files for rsyslog and liblogging. We were strongly
encouraged by this too. It looks like rsyslog is getting more and more momentum.
Let's see what comes next...</p><p>Also in <b>July 2007</b> (and beginning of
August), Rainer remodeled the output part of rsyslog. It got a clean object model
and is now prepared for a plug-in architecture. During that time, some base
ideas for the overall new object model appeared.</p><p>In <b>August 2007</b>
community involvement grew more and more. Also, more packages appeared. We were
quite happy about that. To facilitate user contributions, we set up a
<a href="http://wiki.rsyslog.com/">wiki</a> on August 10th, 2007. Also in August
2007, rsyslog 1.18.2 appeared, which is deemed to be quite close to the final
2.0.0 release. With its appearance, the pace of changes was deliberately reduced,
in order to allow it to mature (see Rainers's
<a href="http://rgerhards.blogspot.com/2007/07/pace-of-changes-in-rsyslog.html">
blog post</a> on this topic, written a bit early, but covering the essence).</p><p>
In <b>November 2007</b>, rsyslog became the default syslogd in Fedora 8.
Obviously, that was something we *really* liked. Community involvement also is
still growing. There is one sad thing to note: ever since summer, there is an
extremely hard to find segfault bug. It happens on very rare occasions only and
never in lab. We are hunting this bug for month now, but still could not get
hold of it. Unfortunately, this also affects the new features schedule. It makes
limited sense to implement new features if problems with existing ones are not
really understood.</p><p><b>December 2007</b> showed the appearance of a postgres
output module, contributed by sur5r. With 1.20.0, December is also the first
time since the bug hunt that we introduce other new features. It has been decided
that we carefully will add features in order to not affect the overall project
by these rare bugs. Still, the bug hunt is top priority, but we need to have more
data to analyze. At then end of December, it looked like the bug was found (a
race condition), but further confirmation from the field is required before
declaring victory. December also brings the initial development on <b>rsyslog v3</b>,
resulting in loadable input modules, now running on a separate thread each.</p><p>On
<b>January, 2nd 2008</b>, rsyslog 1.21.2 is re-released as rsyslog v2.0.0
stable. This is a major milestone as far as the stable build is concerned. v3 is
not yet officially announced. Other than the stable v2 build, v3 will not be
backwards compatibile (including missing compatibility to stock sysklogd) for
quite a while. Config file changes are required and some command line options do
no longer work due to the new design.</p><p>On <span style="font-weight: bold;">January, 31st 2008</span>
the new massively-multithreaded queue engine was released for the first
time. It was a major milestone, implementing a feature I dreamed of for
more than a year.</p><p>End of <span style="font-weight: bold;">February 2008</span>
saw the first note about RainerScript, a way to configure rsyslogd via
a script-language like configuration format. This effort evolved out of
the need to have complex expression support, which was also the first
use case. On February, 28th rsyslog 3.12.0 was released, the first
version to contain expression support. This also meant that rsyslog
from that date on supported all syslog-ng major features, but had a
number of major features exlusive to it. With 3.12.0, I consider
rsyslog fully superior to syslog-ng (except for platform support).</p>
<p>Following the Fedora Developer's conference in Brno <b>2012</b>, rsyslog
got very serious on implementing <b>structured logging</b> in
project Lumberjack (CEE) style. Project Lumberjack was a much broader
effort and brought closer collaboration with the syslog-ng folks, which
helped to maintain and improve interoperability. In the
<b>late winter/spring/summer 2012</b> timeframe numerous engine enhancements
were made and plugins written (among them the first "official" interfaces
to the Linux audit subsystem). At the end of the year, this culminated in the
rsyslog 7, which not only implemented Lumberjack but also was the first one
to support full condition nesting in rsyslog.conf (and a ton of other features as
well).
<p>In <b>spring 2013</b> major new security features were engineered,
namely anonymization support, as well as log file signing and
encryption capabilities.
<p>Be sure to visit Rainer's <a href="http://rgerhards.blogspot.com/">syslog blog</a>
to get some more insight into the development and futures of rsyslog and syslog in general.
Don't be shy to post to either the blog or the
<a href="http://www.rsyslog.com/PNphpBB2.phtml">rsyslog forums</a>.</p>
<h2>Some useful links</h2>
<ul>
<li><a href="http://www.rsyslog.com/Topic4.phtml">the rsyslog change log</a></li>
</ul>
</body></html>
|