[rsyslog] FYI: funding rsyslog development

Champ Clark III [Quadrant] cclark at quadrantsec.com
Fri Nov 25 19:32:20 CET 2011 

On Nov 25, 2011, at 11:47 AM, Rainer Gerhards wrote:
> 
> We'll see how it progresses... As I wrote on my blog initially, it has some
> interesting things. If Lennart could have resisted to make a 14 point bullet
> list and stayed with the three or four issues that are actually a problem,
> the paper would look much more credible. The conclusion is also not necessary
> right: these things could be improved within the existing frameworks.

I've not really seen anything a "like" about the over all proposal (of course IMHO!).  Also,  it doesn't change the fact that other devices (routers/firewall/etc) will continue using syslog.  So,  the entire thing is moot (again, IMHO).
> 
> Yeah, that could work. Maybe I should ask for some proposals ;) (if I start
> with something and that will be a failure, I have definitely lost with my
> peers). I have to admit that I objected this idea for a long time, because I
> thought all features should be available to the general public. I see this is
> not point in your case, but your case is very specific. All things I
> currently see would benefit the general public as well.

In our case (Sagan),  we simply _knew_ based on this organizations usage of OSS in the past,  they'd simply re-package and sell it.   This output plugin is a very nitch plugin and requires you to already have a very expensive product.   We don't want that to happen,  which lead us to a "commerical" plugin.   I should point out,  this plug in is not completed.  We're still developing it and our thoughts are that it won't impact the normal OSS Sagan.  I'd be _very_ surprised if a standard user "asked" for this plugin for free. 
> 
>> You could also start offering service around rsyslog.  That is,  not just
>> development work,  but deployment.   I'm sure there are many organizations
>> that'd like to do very specific things where logs,  but don't know how to
>> deploy rsyslog to do such things.
> 
> We are offering support contracts and some folks have bought them. Those who
> have are very happy (at least I think so and hear so) But they are very few
> in numbers. Deployment services seems to be a bit problematic. Firstly,
> because we are a small shop and have no worldwide presence. At least locally
> I become quite a bit frustrated as I know about a couple of German projects
> where we even weren't asked to provide services (and no bid issued). Not that
> we were too expensive, they had their existing partners (which is fine). I
> have to admit I was a bit upset with one project that happened right in my
> Neighborhood (around 60 miles away) where some specific plugin was developed.
> The consultant that was tasked with this development even asked me to audit
> it (for free, of course) so that he could make sure he could pass it without
> problems to his customers (and, of course, this was never meant to be
> contributed back, just an inhouse solution that gains the company in question
> competitive advantage). There is a reason that my peers get impatient (and me
> upset at times ;)).

Wow..  that is annoying.   I think for smaller deployments,   not being world wide might be a issue.   However,  I have to believe
that rsyslog is being used in much larger deployments around the world.   Getting "in the door" with such organizations is another matter.  Also,  it's likely they already have the deployment working as they want it.

> One non-intrusive thing we will try is to create a special version of our
> Windows tools and make this work very well with rsyslog. That at least is a
> way for those guys in big corporations that want to support us can do so even
> if the company does not understand open source. There is some hope that this
> works, but it is weak as we already offer these tools and tell folks that
> they can use them to help fund the project. Not sure how much more a renamed
> and somewhat streamlined agent for Windows will bring. Bet let's hope for the
> best (bottom line: we try to explore unintrusive ways to find new funding
> streams).

One problem here is that you're working on the "engine" that collects logs.  While it's the most important,  it's not that sexy (from a buyers stand point).  Look at software like Splunk.    That's been an amazing success,  partly because it can create pretty pictures .... and it's useful.  Rsyslog,  by itself,  can't do this and is so embedded on the "back end",  it's not that "sexy" (to most!) 

Perhaps packaging a rsyslog based back end with a nice front end as a "appliance" might work.   Don't get to caught up with the term "appliance".    I'm thinking a pre-configured Linux distro setup for logging and visualization of logs.  Of course,  using the fame you've received for being the author of rsyslog and it being already used by thousands of organizations.  

I'm just pondering on ideas... 

> We will also definitely dual-license the normalizing products. I have great
> hope for them and they are something the market needs (even with journald).
> Dual-licensing ist vital here, as these things most probably go into other
> vendor's products. As I said, others have the same issues: syslog-ng did not
> receive proper funding before going commercial and php-syslog-ng (now
> logzilla) also went commercial because of the missing support. There are

Yes,  but last time I looked,  Logzilla user base had dropped a good bit.  Also,  the last time I looked,  the pricing model was way out of wack (IMHO).   I'd research how successful going commercial turned out for Logzilla.  I don't think it's worked out as well,  however,  I'm not 100% sure.

> numerous other samples. I still try to remain as open and free as possible,
> because I really believe open source has already created a much better world.
> In my personal opinion,  businesses (especially big ones) should help fund
> projects, because they have commercial benefit. The smaller guys, edu, home
> folks and all the rest of the non-profits should reap the benefit of that
> work. To me, this is fair sharing and the way our society should evolve. It's


> a shame that from time to time we receive some contributions from home users
> while the big guys try to avoid spending as much as possible. As much as I
> appreciate the home users contributions as they value my work, I *really*
> think this is the wrong route for a project that brings strong commercial
> benefit to many large for-profit organizations. But enough of that rant ;)

Dual license of the normalization library isn't a bad idea.  I to believe in open source,  but I also like to have a roof over my head and eat food from time to time :)

Were you thinking about normalization licenses for commercial usage?  Sagan already uses the liblognorm for some stuff and it's been a great value for Sagan to sanely be able to normalize syslog input.    Sagan itself is OSS,  however,   we are using Sagan in some commercial (monitoring) settings.   While Sagan can operate without liiblognorm,  it certainly works better with it.    I'm pretty sure the organization I work at would be willing to licenses the normalization library when we use it in commercial setting.    I haven't talked with anyone about it at the office yet so I don't want to make any promises.    I believe I could make an argument for at least funding assisting for liblognorm.   Dual licensing would be important.  IE - one free/OSS and another for commercial usage.  




Champ Clark III
(office) 904.253.7856
(mobile) 850.443.2440 
(SOC) 800.538.9357 ext 101
cclark at quadrantsec.com
www.quadrantsec.com

More information about the rsyslog mailing list