Will the journal replace syslog? With the initial journal announcement sounding as if it would, how have things evolved 18 months later? A comparison to a well-known journal-like system is made, and conclusions are drawn on how we expect the journal and rsyslog to cooperate and integrate.
This presentation covers a part of my LinuxTag 2013 Berlin presentation.
2. Rainer Gerhards * http://blog.gerhards.net
Does journal replace syslog?
• The initial announcement sounded a bit that way, or was at least interpreted by most (including me) in that direction.
• Looking at how things have evolved:
▫ There is of course overlap between both systems
▫ But there are also (large) regions that do not overlap
• This is not a new situation; there is a history lesson here...
Windows Event Log!
• The Windows Event Log is in many ways similar to the systemd journal
▫ Binary database with rollover and fast access time
▫ Uses a simple structured format that captures core metadata items (like timestamps, user IDs, …)
▫ Uses unique identifiers for different types of log messages
▫ Files are specially protected by the OS
Event Log History
• Introduced with Windows NT 3.1 in 1993
• Greatly enhanced in 2007, starting with Windows Vista
• Originally single-computer only
• Now provides network functionality
▫ EventLog-to-EventLog push and pull subscriptions
▫ Can be used to set up log forwarding in the enterprise
So what does history tell us?
• If such a system could totally replace syslog, there should be no syslog on Windows at all – and there never should have been.
• Well... there are ample applications:
▫ WinSyslog (initial version by me, 1996)
▫ Kiwi Syslog (SolarWinds)
▫ EventReporter (first ever Windows-to-syslog tool, 1997)
▫ rsyslog Windows Agent
▫ Snare
▫ and many more!
Obviously, there must be some need for syslog technology...
• Face it: syslog is the lingua franca of network event logging.
▫ If you want to process messages from different sources, chances are high you will need it.
▫ Even if the syslog protocol itself is not used, you usually need some common denominator, e.g. Linux does not understand the native Windows Event Log, and Windows does not understand the native journal either.
A key problem solved by syslog
• You want to integrate all of your systems into a consolidated log
• This means either
▫ A common protocol, or
▫ A system that is capable of processing multiple protocols and somehow “normalizing” them
• Syslog is ubiquitous – because a basic client is dead easy to implement!
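As an added example (not part of the presentation), the "common denominator" idea from the previous two slides in code: a journal-style entry and a Windows Event Log-style event are both normalized into one RFC 5424 syslog line, and the client really is only a handful of lines. The field names and sample events are assumptions modelled on journal fields and Event Log properties, and 32473 is the enterprise number IANA reserves for documentation.

```python
# Added example, not from the presentation: normalize a journal-style
# entry and a Windows-style event into RFC 5424 syslog, the "common
# denominator" the slides talk about. Field names are assumptions
# modelled on journal fields and Event Log properties; 32473 is the
# enterprise number IANA reserves for documentation.
from datetime import datetime, timezone
import socket

FACILITY_USER = 1
# Windows Event Log Level -> syslog severity (numbers from RFC 5424 table 2)
WIN_LEVEL_TO_SEVERITY = {1: 2, 2: 3, 3: 4, 4: 6, 5: 7}

def sd_escape(value):
    """Escape an SD-PARAM value as RFC 5424 section 6.3.3 requires."""
    s = str(value)
    return s.replace("\\", "\\\\").replace('"', '\\"').replace("]", "\\]")

def rfc5424(severity, timestamp, host, app, msg, sd_id, params,
            facility=FACILITY_USER):
    """Build one RFC 5424 line with a single structured-data element."""
    pri = facility * 8 + severity
    sd = "[" + sd_id + "".join(f' {k}="{sd_escape(v)}"'
                               for k, v in params.items()) + "]"
    # A newline inside MSG would let one event look like several records
    # in a line-oriented store, so fold it before sending.
    msg = msg.replace("\r", " ").replace("\n", " ")
    return f"<{pri}>1 {timestamp} {host} {app} - - {sd} {msg}"

def from_journal(entry):
    """Journal-style entry: PRIORITY is already a syslog severity."""
    usec = int(entry["__REALTIME_TIMESTAMP"])
    ts = datetime.fromtimestamp(usec // 1_000_000, tz=timezone.utc)
    return rfc5424(int(entry["PRIORITY"]), ts.strftime("%Y-%m-%dT%H:%M:%SZ"),
                   entry["_HOSTNAME"], entry.get("SYSLOG_IDENTIFIER", "-"),
                   entry["MESSAGE"], "journal@32473",
                   {"unit": entry.get("_SYSTEMD_UNIT", "-"),
                    "pid": entry.get("_PID", "-")})

def from_eventlog(ev):
    """Windows-style event: Level and EventID carry the meaning."""
    sev = WIN_LEVEL_TO_SEVERITY.get(int(ev["Level"]), 5)  # unknown -> notice
    return rfc5424(sev, ev["TimeCreated"], ev["Computer"], ev["Provider"],
                   ev["Message"], "eventlog@32473",
                   {"eventID": ev["EventID"], "channel": ev["Channel"]})

def send_udp(line, host="127.0.0.1", port=514):
    """Ship one line to a receiver over plain UDP (no transport security)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(line.encode("utf-8"), (host, port))
```

Plain UDP is the "dumb easy" baseline the slide means; for anything beyond a lab, the same line goes over TLS (RFC 5425) so the consolidated log cannot be spoofed or read in transit.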
Windows as a sender...
• Early days: missing network functionality was a problem; this brought up the idea of Event Log forwarding
• Big customers quickly adopted that for integration into their management systems
• Today's hot topics:
▫ Local filtering and preprocessing
▫ Ability to extract and properly express OS objects
▫ Support for all Windows capabilities
▫ Secure protocol choices
Windows as a receiver...
• Windows acts as a syslog server
• Messages are written to
▫ Local files
▫ Windows Event Log (!)
▫ Some other processing (like alerting)
• Typical deployment scenario for SOHO
• But some large Windows-only shops also use it for integration of non-Windows sources
Conclusion
• As with Windows, we do NOT expect that the journal will solve all needs
• It will, however, solve some needs, and do so nicely (e.g. notebooks, SOHO environments)
• Syslog will continue to be used, especially for demanding enterprise needs.
Questions?
• Find me on Google+
• http://blog.gerhards.net
• http://www.rsyslog.com
• http://www.adiscon.com