Syslog - Is it a good idea to dump all of your applications' logs to Syslog?


I am developing many applications that work together, and we are now discussing how to consolidate logs. What I am seeing from many applications is that they all dump logs to /var/log/ or some directory related to the application itself.

Ex. /var/log/hadoop, /var/log/access_log, etc.

But my colleague said "just put everything in Syslog". So everything is centralised and easy to troubleshoot. We don't have to know where the log is set up in each application.

So, what is the advantage of using syslog over putting the log file in your own application? Is it just developer-centric to put the log file in /var/log/ or any directory of their choice? Or is it actually the best practice over syslog?

There is 1 best solution below

When you send your logs to syslog, logs can be processed by the syslog daemon (rsyslog for instance) in various ways:

  • You can write filters to process each piece of log differently (by the producing app, by the severity/facility, ...)
  • You can easily forward logs to some central log server, with integrity and confidentiality (TLS)
  • You have properly identified fields that characterize each line (timestamp, appname, process id, ...)
  • You can anyway write logs to /var/log/... if you wish
  • You get buffers with rsyslog, to avoid any log loss
  • You can use reliable protocols for log forwarding (eg. RELP)
  • You can parse the message itself to extract more metadata
  • You can send logs to some Elasticsearch database
  • Processing is done more or less synchronously
  • You don't have to parse stupid flat log files when you want to analyze them
  • Logs with sensitive information don't have to be written in clear to the local filesystem

In fact I don't see any good reason to write logs directly to some file.
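As an added example (not part of the original answer), here is an rsyslog configuration fragment that does what the list above describes for one application: filter by the producing app and by severity, keep only warnings and above on the local disk, and forward everything to a central collector over TLS with a disk-assisted queue so nothing is lost while the collector is down. The app name `orderapi`, the collector host `logs.example.internal` and the certificate paths under `/etc/rsyslog.d/tls/` are assumptions for the example; the directives themselves (imuxsock, omfwd, omrelp, the `queue.*` and `StreamDriver*` parameters, the built-in `RSYSLOG_SyslogProtocol23Format` template) are standard rsyslog RainerScript.

```rsyslog
# /etc/rsyslog.d/50-orderapi.conf
# Added example, not from the original answer. Assumed: the application logs
# through the local socket (syslog(3) / logging.handlers.SysLogHandler) with
# ident "orderapi"; collector "logs.example.internal" and the TLS material
# under /etc/rsyslog.d/tls/ are hypothetical.

# Receive from /dev/log; this is where local applications write.
module(load="imuxsock")

# TLS defaults for forwarding: GnuTLS driver, CA used to verify the collector,
# client cert/key so the collector can authenticate this host as well.
global(
  DefaultNetstreamDriver="gtls"
  DefaultNetstreamDriverCAFile="/etc/rsyslog.d/tls/ca.pem"
  DefaultNetstreamDriverCertFile="/etc/rsyslog.d/tls/client-cert.pem"
  DefaultNetstreamDriverKeyFile="/etc/rsyslog.d/tls/client-key.pem"
)

# Filter by producing application ($programname is the ident/app-name field).
if $programname == "orderapi" then {

  # Local copy only for severity <= 4 (warning, error, critical, alert, emerg).
  # Debug/info lines, which are the ones most likely to carry payloads or
  # tokens, never touch the local filesystem.
  if $syslogseverity <= 4 then {
    action(type="omfile" file="/var/log/orderapi/warn.log")
  }

  # Forward every line to the collector. RFC 5424 output keeps timestamp,
  # hostname, app-name and procid as separate fields instead of free text.
  # The disk-assisted queue buffers to /var/spool/rsyslog when the collector
  # is unreachable; resumeRetryCount=-1 retries forever instead of dropping.
  action(
    type="omfwd"
    target="logs.example.internal" port="6514" protocol="tcp"
    template="RSYSLOG_SyslogProtocol23Format"
    StreamDriver="gtls" StreamDriverMode="1"
    StreamDriverAuthMode="x509/name"
    StreamDriverPermittedPeers="logs.example.internal"
    queue.type="LinkedList" queue.filename="fwd_orderapi"
    queue.maxDiskSpace="1g" queue.saveOnShutdown="on"
    action.resumeRetryCount="-1"
  )

  # Alternative to omfwd when application-level acknowledgements are wanted:
  # RELP confirms each message, so a TCP connection dying mid-stream cannot
  # silently lose the last buffered lines. Needs module(load="omrelp").
  # action(
  #   type="omrelp"
  #   target="logs.example.internal" port="2514"
  #   tls="on" tls.authmode="name"
  #   tls.cacert="/etc/rsyslog.d/tls/ca.pem"
  #   tls.mycert="/etc/rsyslog.d/tls/client-cert.pem"
  #   tls.myprivkey="/etc/rsyslog.d/tls/client-key.pem"
  #   tls.permittedpeer="logs.example.internal"
  #   queue.type="LinkedList" queue.filename="relp_orderapi"
  #   queue.saveOnShutdown="on" action.resumeRetryCount="-1"
  # )

  # Handled; do not let the default rules write it again to /var/log/syslog.
  stop
}
```

Two points worth checking when adopting this: `queue.maxDiskSpace` bounds how much the host will buffer during an outage, so size it for the longest collector downtime you are willing to survive, and `StreamDriverAuthMode="x509/name"` with `StreamDriverPermittedPeers` is what actually authenticates the collector; with `x509/anon` or no permitted peer, the TLS session is encrypted but anyone who can intercept the connection can impersonate the log server.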