rsyslog – first looks

July 18, 2007

I started to play with rsyslog b/c the decision was made for fedora 8 to go with rsyslog instead of syslog-ng. One of the reasons for this is that rsyslog maintains backward compatibility with the old-style sysklogd syslog.conf format. This file has been in that format since the dawn of time and many would rather it was left alone (despite the format being god-awful). Anyway – let’s talk about rsyslog

rsyslog has a bunch of good features:

1. supports multiple listening ports and destinations – udp and tcp

2. with stunnel it supports encrypted log sending

3. it can take interesting options to put files in new and exciting places.


$template hostsecure, “/var/log/hosts/%HOSTNAME%/secure/%$NOW%”
authpriv.* -?hostsecure

That says:

for anything coming in on facility authpriv – put it in a subdir which maps to something like:


In short, that’s the major feature I need to implement rsyslog in the same way I’ve used syslog-ng. With the above configuration you don’t need a logrotater you can just run:

tmpwatch -f 720 /var/log/hosts

and that will purget all files older than 30 days, automatically. No need to stop the daemon, no need to move files around.

Problems I encountered:

1. some of the features I needed weren’t there at first – for example it didn’t automatically make subdirs for the logs it was making – therefore having a separate dir per host was trickier than it needed to be. Luckily the maintainer was willing to add that in so it’s now available in 1.17.0 and above

2. the config file is not the most obvious. In order to maintain compat with the old format the additional configuration options are a bit ‘hurky’ feeling. a $ precedes all of them which ends up looking like very scary perl with CamelCase. I made a couple of suggestions on maybe a way around this problem but it’s not the end of the world if it doesn’t happen. For example

*.* @@hostname:1514

will log all logs to host: hostname on TCP port 1514

*.* @hostname:1514

will log all logs to host: hostname on UDP port 1514

that feels like a bit of hack to keep compat with the old format.

3. the docs seem to focus on a usage case about which I am less familiar. I tend to use specialized log daemons when I need to:

a. log across a wan, using encryption

b. setup a central log host and need the logs to be sensible

c. need to use SEC or something like it make things behave.

As I refine the config file we’ll use in fedora and elsewhere I’ll update it here:

All in all I think rsyslog is going to be capable. If the config file format changes or is improved with some more obvious examples (and I’ll help with the ones I can) then I think it’ll be good for central log hosts. The maintainer is active and responsive, not to mention helpful. I’ll update more here as I have it.

2 Responses to “rsyslog – first looks”

  1. quaid Says:

    If you are interested, can you create a canonical Wiki page (or add to an existing one?) with a link to your logfile and maybe an RSS feed of you blog with an rsyslog tag? Or something. Another good option is to use *docs* in your commit message when you load the final config file into CVS somewhere. If you get all into it, Docs/Beats/ is open for F8.🙂

    This way we can build up a community of content contributors, which the config file and use cases and improvements to man page is all about, as much as feeding the release notes and Administration Guide of the future.

  2. poswer Says:

    i have using fedora 9 system i configure the syslog server
    /etc/sysconfig/rsyslog.conf set this option SYSLOGD_OPTIONS=”-m 0 -r” after client side fc6 i was edit this file /etc/hosts
    (fc9 ip) mcp loghost

    After i tested client side one service stop and start it not receive the log file server (fc9) what i do can you any one help me.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: