Syslog is terrible

&gt; A popular sentiment is that binary logs are evil and the only way to properly log information is by using plain text.<p>&gt; I don’t particularly care about the argument between plain text versus binary logs. However, if your reasoning for not wanting to use binary logs is because they are opaque and can be corrupted then you should take a close look at your log rotation or archival process. If you are archiving logs by first compressing them using something like gzip, you no longer have plain text log files.<p>I found quite a few people disliked binary log files due to concerns around their portability. Specifically when they depend on a platform-specific utility to read them. If they are compressed using a standard algorithm, it alleviates concerns about portability.

<i>If you are archiving logs by first compressing them using something like gzip, you no longer have plain text log files.</i><p>Well yeah, but that&#x27;s because I&#x27;m already done parsing the log and&#x2F;or using it for debugging. If I wasn&#x27;t done with it, I wouldn&#x27;t have archived it.<p>But I know that when I pull a 3 year old log out of the archive, I can gunzip it and will still be able to read it, no matter how much the file format has changed since then, and I don&#x27;t have to dig up a 3 year old magic decoder program (that may only run on one operating system) to be able to see what&#x27;s in the file.

First,<p>The article seems to mostly complain about text logs VS structured logs. That is unrelated to syslog because it is simply a log transport mechanism.<p>Applications should send structured logs. (e.g. JSON messages). The message may be delivered by whatever means (e.g. syslog).<p>---<p>Second,<p>I am surprised that the article doesn&#x27;t mention the issues with syslog not being defined properly and suffering from interoperability issues.<p>Truth is: &quot;syslog&quot; refers to multiples, incompatible protocols that evolved other time. See two independent specifications for example:<p><a href="https:&#x2F;&#x2F;tools.ietf.org&#x2F;html&#x2F;rfc5424" rel="nofollow">https:&#x2F;&#x2F;tools.ietf.org&#x2F;html&#x2F;rfc5424</a> and <a href="https:&#x2F;&#x2F;tools.ietf.org&#x2F;html&#x2F;rfc3164" rel="nofollow">https:&#x2F;&#x2F;tools.ietf.org&#x2F;html&#x2F;rfc3164</a><p>Applications, libraries and middleware (graylog&#x2F;ELK&#x2F;rsyslog&#x2F;syslog-ng&#x2F;fluentd) have interoperability issues because of the different syslog protocols. Just because two things are speaking &quot;syslog&quot; doesn&#x27;t mean they speak the same &quot;syslog&quot;.<p>Switches&#x2F;routers&#x2F;appliances cause even more issue because the custom implementations tend to not format messages perfectly for any of the RFC. ^^

I went in to this article thinking, &quot;this guy is stupid.&quot; I came away thinking, &quot;syslog is stupid.&quot;

Using DAQ&#x27;s properly eliminate process blocking when using TCP delivery and there are connectivity issues. You can do TLS encryption natively. Rsyslog action templates are complex but extremely powerful. After reading this post I just wonder if you have ever read the Rsyslog documentation or done any large scale deployments with it? Our network is handling over 50k log messages a second using Rsyslog and while it&#x27;s not perfect I can&#x27;t think of any other standards based system I could rely on.

OpenBSD&#x27;s sendsyslog(2) made syslog_r(3) really cheap and usable virtually everywhere, also solved fd exhaustion issues.. and despite any protocol quirks.. syslog has a standard place in Unix arcana.<p>It would be great of other systems adopted this.<p><a href="http:&#x2F;&#x2F;man.openbsd.org&#x2F;OpenBSD-current&#x2F;man2&#x2F;sendsyslog.2" rel="nofollow">http:&#x2F;&#x2F;man.openbsd.org&#x2F;OpenBSD-current&#x2F;man2&#x2F;sendsyslog.2</a>

At least we have wtmp&#x2F;utmp that can be reliably parsed, unless musl libc is used.

An aside: I like writing the log message in logfmt: <a href="https:&#x2F;&#x2F;brandur.org&#x2F;logfmt" rel="nofollow">https:&#x2F;&#x2F;brandur.org&#x2F;logfmt</a>

So syslog supports structured logs via JSON natively now.