Syslog vs. journald

Syslog: An overview

Syslog is the traditional and most widely used protocol for standardized message logging. It was originally developed in the 1980s and defines the format, severity levels, and facility codes for log messages.

It exists as a vendor-neutral standard that defines how a log should be formatted and transported regardless of the program that handles it. Therefore, syslog messages are typically in plaintext and easily readable across different operating systems and network devices.

Syslogd: The traditional syslog daemon

Syslogd was the foundational program for implementing the syslog protocol across Unix and early Linux systems. Its primary function was to read log messages and route them to specific plaintext files within the /var/log/ directory. The messages were then routed based on the message's facility and severity levels.

While it provided an initial logging mechanism, its reliance on the UDP protocol for network transport created the risk of data loss during transit. It also lacked sophisticated filtering capabilities that led to excessive noise and high volumes of log data. Thus, it eventually turned obsolete, and modern Linux distributions started replacing it with next-generation daemons such as rsyslog and syslog-ng.

Modern syslog daemons: Syslog-ng and rsyslog

As the original syslogd program had significant limitations, it was replaced by next-generation daemons. The two most common daemons are as follows:

Syslog-ng

Syslog-ng, or syslog next-generation, is a powerful, highly flexible syslog daemon known for its clear, object-oriented configuration structure and robust routing capabilities. It distinguishes itself from traditional syslog with object-oriented configuration, which defines reusable components or blocks, such as sources, filters, and destinations. These blocks are then linked with log statements, which makes complex data flows easy to audit and manage.

Syslog-ng also includes powerful parsers that transform unstructured, plaintext syslog messages into structured formats such as JSON, providing actionable insights to analytics platforms and SIEM tools. It uses UDP as well as the secure TCP protocol for log transmission while supporting TLS encryption to secure the log pipeline from end to end.

Rsyslog

Rsyslog is the default syslog daemon on most Linux distributions. It is known for its high-performance, modular logging and strong compatibility. Rsyslog, also known as a rocket-fast system for log processing, leverages a modular architecture, utilizing dedicated input modules (im*) and output modules (om*) to connect to any source and any destination.

For log formatting, rsyslog supports the original BSD syslog format as well as the modern IETF syslog protocol, which includes fields for structured data. It also uses templates that allow highly customizable output, enabling structured logging formats like JSON for easy integration with modern log analysis systems. It utilizes RELP, an application layer protocol built on top of TCP for guaranteed log delivery to ensure no packets are lost during transit.

These modern daemons have also become critical components of Linux logging systems, containing advanced capabilities like real-time filtering, disk queuing, and secure network forwarding.

What is journald?

Journald, also known as systemd-journald, is the centralized logging component of the systemd suite. It collects and stores logging data from all system components in a single, unified place called the systemd journal. It captures logs from the kernel (kmsg), the initial boot process (initrd), standard syslog calls, and systemd service unit.

It stores logs in a structured, indexed, binary format rather than plaintext files like syslog. This allows for fast querying and avoids the need for manual log rotation. Logs are typically stored persistently in the /var/log/journal/ directory. It uses journalctl, a powerful command-line utility, to access and filter the logs. It is compatible with modern syslog systems and can also forward logs to legacy syslog daemons like syslog-ng and rsyslog.

How syslog and journald work together

Linux systems using systemd operate in a collaborative and layered architecture that leverages the integral journald service as well as modern syslog daemons like syslog-ng and rsyslog. The interaction between journald and the syslog daemons allows the system to benefit from journald's structured, high-performance local collection while utilizing the advanced filtering and network forwarding capabilities of the syslog daemons. This layered architecture involves the following components in their respective roles.

Journald as the primary collector

All log messages generated by the kernel and services running under systemd and applications are first directed to the journald service. Journald collects these logs in a structured, binary format and stores them in its own repository which is /var/log/journal/.

Journald as the forwarder

As journald collects logs, it simultaneously writes them to a specific Unix domain socket, typically located at /run/systemd/journal/syslog. This socket acts as a message conduit that forwards logs to the daemon.

Modern daemons as log receivers

Syslog-ng and ryslog are the common daemons configured to read from the forwarding socket. Rsyslog uses its imjournal input module to monitor the socket, whereas syslog-ng uses its systemd-journal source to fetch the logs. Once the modern syslog daemons (rsyslog or syslog-ng) receive the logs, they are filtered, processed, and routed to their final destinations. The destinations include local text files (/var/log/messages or /var/log/auth.log), where the logs are written, syslog servers for storage, or SIEM tools for analysis.

Journald vs. syslog: A comparison

Here are some major differences between journald and syslog (daemons such as syslog-ng and rsyslog).

The role of journald in syslog monitoring

Journald can be leveraged using its command-line utility, journalctl, to access journald logs for carrying out the following functions:

Local system troubleshooting

It's used to quickly diagnose recent issues on the host machine proactively using structured querying. This helps monitor system health and gather information on host system telemetry, which are critical for syslog management.

Structured filtering

It's used to filter logs using specific metadata fields, like _COMM (command name), _PID (process ID), or _UNIT (systemd service name). This helps filter and fetch only the required data, reducing noise and optimizing syslog analysis.

Log management (OS level)

It's used to access logs directly from systemd services, the kernel, and the initial boot process for syslog security monitoring. It also allows for separating and viewing logs from previous system boots when persistent storage is enabled, allowing log retention and storage for syslog audits.

The role of syslog daemons in syslog monitoring

Syslog daemons such as syslog-ng and rsyslog support the following features for efficient syslog monitoring:

Structured log processing

Daemons can ingest logs from diverse sources, such as the systemd journald, syslog agents, forwarders, and relays, and convert unstructured log data into structured formats like JSON. This standardization is crucial, as it enables central monitoring tools to parse and analyze data regardless of its original format. The daemons also allow for advanced, granular log filtering based on facility and severity, as well as message content, which ensures noise reduction and bandwidth optimization on the log receiver side. This ensures syslog servers and SIEM tools receive only useful information critical for security monitoring.

Centralized log forwarding

Syslog daemons act as efficient log forwarders that collect, store, parse, index, and forward logs from various sources to a central log management or SIEM tool for syslog analysis and monitoring. They can also perform pre-processing actions like message rewriting to mask sensitive data or drop irrelevant logs entirely before forwarding, which saves bandwidth and reduces storage costs on the central server. They also ensure reliable log delivery utilizing the TCP or TLS protocol, RELP, and disk queuing, such that no logs are lost during transit.

Syslog server functionality

Daemons in receiver mode act as efficient syslog servers that collect, filter, and rewrite logs for syslog analysis. With command-line utilities like grep, daemons help search and query logs, allowing for enhanced syslog monitoring and management. Further, they also store, archive, and retain logs for compliance auditing.

EventLog Analyzer as the central destination

While journald excels at local collection and syslog daemons handle forwarding, neither provides the correlation, dashboards, or compliance reporting that security teams need. ManageEngine EventLog Analyzer acts as the central destination and comprehensive hub for all syslog data, seamlessly leveraging the capabilities of Linux logging systems. It collects, parses, and normalizes log data forwarded from daemons like rsyslog and syslog-ng, which includes processed logs from journald.

EventLog Analyzer also eliminates the local limitations of journalctl and basic grep searches with advanced search and filtering options. It also offers dashboards, reports, detection rules, and an alerting module for compliance auditing, enabling monitoring not possible with only syslog daemons and journald in place.

Some of the advanced features of EventLog Analyzer include:

• Unified visibility: Consolidate syslog and journald events into a single, searchable dashboard.
• Real-time threat correlation: Operate beyond simple searching to correlate multiple events and detects complex, multi-stage attacks in real time.
• Actionable security: Transform raw log entries into cohesive, actionable security analytics data for threat investigation and response.
• Automated compliance: Generate prebuilt reports for standards like HIPAA, the PCI DSS, and the GDPR with log archival and retention features.

What's next?

Frequently asked questions