rsyslog – first looks
July 18, 2007
I started to play with rsyslog because the decision was made for Fedora 8 to go with rsyslog instead of syslog-ng. One of the reasons for this is that rsyslog maintains backward compatibility with the old-style sysklogd syslog.conf format. This file has been in that format since the dawn of time and many would rather it was left alone (despite the format being god-awful). Anyway, let's talk about rsyslog.
rsyslog has a bunch of good features:
1. supports multiple listening ports and destinations, UDP and TCP
2. with stunnel it supports encrypted log sending
3. it can take interesting options to put files in new and exciting places.
$template hostsecure, "/var/log/hosts/%HOSTNAME%/secure/%$NOW%"
For anything coming in on facility authpriv, put it in a per-host subdirectory, which maps to something like:
In short, that's the major feature I need in order to use rsyslog the same way I've used syslog-ng. With the above configuration you don't need a log rotator; you can just run:
tmpwatch -f 720 /var/log/hosts
and that will purge all files older than 30 days (720 hours), automatically. No need to stop the daemon, no need to move files around.
Problems I encountered:
1. some of the features I needed weren't there at first. For example, it didn't automatically make subdirs for the logs it was writing, so having a separate dir per host was trickier than it needed to be. Luckily the maintainer was willing to add that in, so it's now available in 1.17.0 and above.
2. the config file is not the most obvious. In order to maintain compat with the old format, the additional configuration options feel a bit 'hurky'. A $ precedes all of them, which ends up looking like very scary Perl with CamelCase. I made a couple of suggestions on a way around this problem, but it's not the end of the world if it doesn't happen. For example:
will log all logs to host: hostname on TCP port 1514
will log all logs to host: hostname on UDP port 1514
That feels like a bit of a hack to keep compat with the old format.
3. the docs seem to focus on a use case with which I am less familiar. I tend to use specialized log daemons when I need to:
a. log across a WAN, using encryption
b. set up a central log host and need the logs to be sensible
c. use SEC or something like it to make things behave.
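To tie the pieces above together (the per-host dynamic file template, the 30-day purge with tmpwatch, and the TCP/UDP forwarding lines from problem 2), here is an added example of a central-log-host rsyslog.conf in the legacy sysklogd-compatible syntax. It is not the post's own config file. The $ModLoad/$UDPServerRun/$InputTCPServerRun listener directives are from rsyslog v3 and later, not the 1.x releases discussed in the post, and loghost.example.com and the 192.168.0.0/24 sender range are placeholders.

```conf
# Added example, not the post's own config. Assumes rsyslog v3+ for the
# listener directives; hostnames and networks below are placeholders.

# Create missing directories as files are opened (the feature the post
# says landed in 1.17.0; it is on by default in later versions).
$CreateDirs on

# Accept remote logs on UDP 514 and TCP 1514, but only from trusted senders,
# since %HOSTNAME% from an untrusted sender would become a path component.
$ModLoad imudp
$AllowedSender UDP, 127.0.0.1, 192.168.0.0/24
$UDPServerRun 514
$ModLoad imtcp
$AllowedSender TCP, 127.0.0.1, 192.168.0.0/24
$InputTCPServerRun 1514

# One file per sending host per day. %$NOW% expands to YYYY-MM-DD, so
# a new file is started at midnight and nothing ever needs rotating.
$template hostsecure, "/var/log/hosts/%HOSTNAME%/secure/%$NOW%"
$template hostall,    "/var/log/hosts/%HOSTNAME%/messages/%$NOW%"

# A leading '?' names a template-driven (dynamic) file instead of a fixed path.
authpriv.*          ?hostsecure
*.*;authpriv.none   ?hostall

# Relay a copy to another collector. '@@' is TCP, a single '@' is UDP;
# TCP does not silently drop messages the way UDP can.
*.*   @@loghost.example.com:1514
```

Retention is then a cron entry of `tmpwatch -f 720 /var/log/hosts` (720 hours = 30 days), as the post describes; tmpwatch only looks at mtime, so the daily files that rsyslog has finished writing age out on their own. For the encrypted WAN case in the post, the relay line stays the same and stunnel wraps the TCP connection on both ends.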
As I refine the config file we’ll use in fedora and elsewhere I’ll update it here:
All in all I think rsyslog is going to be capable. If the config file format changes or is improved with some more obvious examples (and I’ll help with the ones I can) then I think it’ll be good for central log hosts. The maintainer is active and responsive, not to mention helpful. I’ll update more here as I have it.