LogFwdComp
From CEDPS
Comparison of Log Forwarders
syslog-ng, nlforward, and snare
Dang 09:22, 4 December 2006 (PST)
syslog-ng
License: GPL (version 2)
Platforms: *nix
Design target: System messages
Data sources: TCP and UDP (IPv4 and IPv6), file, named pipe, Sun STREAMS
Data destinations: all sources except Sun STREAMS, tty, arbitrary program
Data format: syslog-compatible
Filtering: boolean expressions over the standard syslog fields (facility, level / priority, program, host) and regular expressions evaluated on the message part, or the result of another filter rule (i.e. filters can be nested).
Additional features: Many options allowing control of source and destination behavior, e.g. TCP flow-control and flushing, destination file owner/group/perms. Very modular config-file. Sources, destinations, and filters are specified separately and then can be combined with "log" statements such that multiple sources can fan-in, have multiple filters applied (the message must match all filters), and then the log message can fan-out to multiple destinations. Multiple files can be created automatically.
Non-features: no built-in support for SSL (can be implemented with stunnel, and this process is well-documented), or built-in support for databases (but again scripts for inserting into MySQL and PostgreSQL are available).
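As an added illustration of the source / filter / destination model described above (not a configuration taken from the page or from the syslog-ng project), the fragment below fans two sources into a nested filter and fans the matching messages out to a per-host file tree, a local file with explicit ownership, an external program, and a TCP destination on localhost where an stunnel instance is assumed to add the SSL hop. All paths, ports and the program name are hypothetical.

```conf
# --- sources: local socket plus remote syslog over UDP/TCP (IPv4) ---
source s_local { unix-stream("/dev/log"); internal(); };
source s_net   {
    udp(ip(0.0.0.0) port(514));
    tcp(ip(0.0.0.0) port(514) max-connections(50));
};

# --- filters: standard fields, a regex on the message, and a nested rule ---
filter f_auth  { facility(auth, authpriv); };
filter f_err   { level(err..emerg); };
filter f_sshd  { program("sshd") and match("Failed password"); };
# f_sec reuses the rules above; filters can be nested by reference
filter f_sec   { filter(f_auth) and (filter(f_err) or filter(f_sshd)); };

# --- destinations ---
# one file per host/facility, created automatically via macros
destination d_hosts {
    file("/var/log/hosts/$HOST/$FACILITY.log" create_dirs(yes));
};
# local auth log with owner/group/perms controlled in the config
destination d_auth {
    file("/var/log/auth.log" owner(root) group(adm) perm(0640));
};
# hypothetical alerting hook; syslog-ng writes each message to its stdin
destination d_alert { program("/usr/local/sbin/log-alert.sh"); };
# forward to a local stunnel listener that wraps the link in SSL
# (assumed to be configured separately, as the page notes)
destination d_tunnel { tcp("127.0.0.1" port(5140)); };

# --- log statements: fan-in of sources, all filters must match, fan-out ---
log {
    source(s_local); source(s_net);
    filter(f_sec);
    destination(d_auth); destination(d_alert); destination(d_tunnel);
    flags(flow-control);   # syslog-ng 2.0+: back-pressure toward TCP sources
};
# everything received from the network also goes into the per-host tree
log { source(s_net); destination(d_hosts); };
```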
nlforward / netlogd
License: BSD-style
Platforms: *nix, Windows (untested, but written in Python)
Design target: Application logs
Data sources: TCP and UDP (IPv4 only), file
Data destinations: TCP, UDP
Data format: newline-separated records, NetLogger formats
Filtering: none (though code could easily be added to implement regex filtering)
Additional features: Automatically tails files. Matches any file in a directory against a pattern and forwards new files as they appear; times out old files and frees the associated state. Emphasis on good performance. nlforward can forward to multiple destinations; netlogd can write to multiple destinations.
Non-features: No syslog compatibility. Hooking together netlogd and nlforward requires an intermediate file. Configuration options are minimal. No built-in support for SSL. No built-in support for databases, although there is old code that did this.
Snare (agents, server)
License: GPL, except for packaged "Snare server" which is proprietary
Platforms: Windows (server); Windows, *nix (agents, i.e. forwarders)
Design target: System events, esp. for security (auditing)
Data sources: Log files
Data destinations: UDP, TCP (purchase only)
Data format: Agents can read "generic" log files with built-in parsers for Apache, Squid, and some Microsoft log formats; adds whitespace-separated header fields. Server reads agent input only.
Filtering: Regular expression matching on the entire log entry
Additional features: Seemingly slick configuration and reporting GUIs. Paid server inserts data into a database. Agents can handle log file rotation (suspend tail and restart when file re-appears).
Non-features: Server only available for Windows. No built-in support for SSL. DB support only if you pay.
