Rainer Gerhards

2025-10-172025-10-17

Looking for an Alternative to Kiwi Syslog? Try WinSyslog.

Lately, I’ve been getting a steady stream of questions from admins searching for a dependable Windows syslog server. Many of them mention frustration with recent Kiwi Syslog versions — unclear message parsing, configuration quirks, or just a feeling that things have become harder than they should be. There seems to be especially a lot of frustration with the “Kiwi Syslog Server NG” version, based on the mails I get.

Since the topic keeps coming up, let me share the same recommendation I give privately.

2025-10-142025-10-14

From Stream to Lake: Thinking About rsyslog as the River System Behind Your Data

I recently had a discussion about data lakes. It made me realize that people often picture them as the starting point of data collection — as if all information somehow appears in the lake. In reality, no lake exists without rivers. And in the world of IT systems, rsyslog is part of that river system.

rsyslog is the river system that feeds your data lake. (Image: Rainer Gerhards via AI)

2025-09-232025-10-09

Revisiting old style Windows Log Schema Mapping

Windows logs provide a wealth of information that must be made usable for Observability. As you may know, I work on normalizing these logs for quite some while, I even created liblognorm for that purpose. Ingesting them properly is important for schema mapping, e.g. to Elastic Cloud.

2025-09-182025-09-18

Outdated readthedocs problem solved!

I am glad to tell that I finally managed to solve an issue that caused confusion for years. Someone had cloned and published the rsyslog documentation at readthedocs. Unfortunately, it was not maintained afterwards and also looked like an official rsyslog doc. That added a lot to the “rsyslog’s doc is bad and inconsistent” feel inside the community. This could now be resolved, and current, official doc is now available at readthedocs. I am very happy and glad for readthedocs staff members who helped us to finally resolve the issue.

The current rsyslog documentation is finally shown at readthedocs. (Screenshot: 2025-09-18, Rainer Gerhards)

2025-09-102025-09-10

Status update: omhttp, CI, backlog, and containers

Time goes fast, it is Sep 10 already. Mid August I said we will do a great refactoring of omhttp within a week or two. Well, that did not work out as planned. We still made solid progress, but more pressing work put it on hold for a bit. Time for a small update of what is happening in rsyslog.

Symbol image for “Status Update” type of postings. (Image: Rainer Gerhards via AI)

2025-08-272025-08-27

rsyslog becoming target for social engineering PRs? Lessons learned.

In the past days I noticed PR patterns that do not look right. This is a smell, not a verdict. The upside is real: rsyslog is interesting enough to attract attention. That is actually great news. Now we have the problem ourselves, and that is the moment to engineer the right guardrails without losing our welcoming tone. You need to be a target in order to gain sufficient experience to tackle that hard problem.

IT Security (Symbol Image: Rainer Gerhards via AI)

2025-08-262025-08-26

Sluggish Responses – And How We Plan to Do Better

TL;DR

My responses to PRs and issues were sluggish, especially during the pandemic. I am sorry, and thank you for sticking with us.
We aim for reasonable, not instant, turnaround.
Expect a quick maintainer look at every PR within 3 business days.
Full review typically follows once CI is green and AI review items are addressed or explained.
We will not mass-close old issues. We are revisiting them with AI assist and closing for the right reasons.
We are formalizing labels and dashboards to make navigation easier. Details will follow in a short, separate post.
Suggestions are welcome.

I want to be very honest with you: my responses to pull requests and issues have been sluggish for quite some time. This affected the whole rsyslog project, because in the end it always comes back to the limited capacity of the maintainers – and most often, that means me.

We are working hard to change this. It will not mean ultra-fast turnaround times, but it will mean reasonable turnaround times. We have already made important steps, and AI will play a key role in improving this going forward. Still, this is work in progress, and I welcome your suggestions.

2025-08-242025-08-24

An old and possibly important text rediscovered…

Seventeen years old, raw “armchair philosophy” — but surprisingly close to what I still believe today.

While reflecting on my current work, I remembered a text I had written in April 2008 during a discussion with a friend in biology. It’s an unfinished “armchair philosophy” piece — raw, dense, and hard to read — but it still reflects many of my core beliefs about IT systems. I’m publishing it unchanged as an archival entry, because the foundations it sketches are still relevant today.

2025-08-232025-08-23

Why I’m Trying Rsyslog Channels on WhatsApp and Telegram

I’ve long had mixed feelings about messengers – especially WhatsApp—because of privacy concerns. At the same time, as a councilman in my village, WhatsApp is essentially unavoidable in Germany. Announcements, e.g. from Public bodies and personal conversations – much of the day-to-day information flow runs through it. So I use it in that local role and follow announcement channels from government institutions. It also the tool to go for one-on-one conversations with my fellow citizens.

Welcome/Subscription page of my Telegram rsyslog channel. (Screenshot: Rainer Gerhards)

(Side note: for genuinely private conversations with security-aware folks, I prefer Threema. I’m well aware of the privacy trade-offs.)

2025-08-212025-08-21

When Humans and AIs Overthink: a “complex” rsyslog crash that wasn’t

I chased a rare crash in highly-threaded code. It popped up now and then; earlier fixes didn’t stick. I suspected an advanced concurrency issue. I also asked Gemini, Copilot/Codex, and Claude for help. They agreed with me: surely something subtle—epoll, re-queueing, ownership flags…

Human and AI thought bubbles full of tangled lines; a small check mark off to the side. — My AI use on images as inferior, as you can see here. I hope you like that fact ;-)

We were all wrong—and, importantly, I was wrong in the same way the AIs were. Their analyses reinforced my initial hypothesis. The fact that the static analyzer reported nothing reinforced it even more—after all, that’s “proven non-AI tech.” In hindsight, if I had thought earlier about the limits of these tools (AI and non-AI), I might have changed direction sooner—but I was also primed by experience: in this part of the codebase, bugs are almost always complex.