[rsyslog-notify] Forum Thread: Re: syslog server ignoring locally generated messages - (Mode 'reply')

noreply at adiscon.com noreply at adiscon.com
Wed Feb 11 15:46:42 CET 2015


User: dlang 
Forumlink: http://kb.monitorware.com/viewtopic.php?p=25239#p25239

Message: 
----------
[quote="xdaxdb":9lzbz7h1]I'm trying to embrace the newer syntax... I'm
curious why the default rsyslog.conf still ships with the older syntax. It
may just be the package that ships with Red Hat Linux though I'm not sure.
It had me wondering if for some reason I had to use the old format for the
version I am using but everything I am reading suggests that I do not.
[/quote:9lzbz7h1]
The upstream rsyslog doesn't ship a default rsyslog.conf, that's created by
the distros.

As to why they haven't changed it, because it still works :-)

For that matter, for the simple stuff that the distros are doing in the
default, it's simpler than the new format, and if you are just writing
things to local files, using the old format means that you have 20 years of
documentation and examples available.

[quote="xdaxdb":9lzbz7h1]I have come across numerous instances on the web
where Rainer is warning against using the old syntax or asking people why
they are still using it. I think most administrators only look at
rsyslog.conf enough to do a basic config and simply modify the default
rsyslog.conf enough to achieve what they need. If they do decide to do
something a little more advanced they don't want to go too far out of their
comfort zone and still stick to the old syntax.[/quote:9lzbz7h1]

Exactly. And the fact that the rsyslog.conf is so similar to syslog.conf is
one of the reasons why the distros were willing to switch from sysklogd to
rsyslog in the first place, instead of going to syslog-ng which had a very
different syntax.

The problem is that advanced stuff doesn't always fit well into the old
syntax, and so when you start doing the more advanced stuff, it really
helps to do it in the new syntax.

There's also the problem that none of the major distros ever shipped
rsyslog 6.x, and they almost missed 7.x (I think 8.0 came out within a
couple weeks of the cutoff for the first distro to ship 7.x), so there was
a long time that people couldn't use the new syntax without upgrading
outside their package manager.

RHEL 5 came with rsyslog 3.x and it wasn't until RHEL 5.9 or so that Red Hat
even offered a newer syslog package, and that was 5.x when upstream was
already on 7.x. We commonly get questions from people using CentOS and RHEL
6 which come with rsyslog 5.x and they get annoyed that we can't solve
their problem with that ancient version.

[quote="xdaxdb":9lzbz7h1]If you want people to stop using it I think you
will have to force it on them via the default rsyslog.conf file. Myself
being not very familiar with compiling software and building packages I
don't really know who would be responsible for that, the project or the
distribution.[/quote:9lzbz7h1]
It's the distro that provides the default configuration. But as I said
above, for the default config, the old syntax is actually better than the
new one. We aren't trying to kill off all use of the old style, just where
it's less confusing to use the new style.

Compare

/var/log/messages
with
action(type="omfile" file="/var/log/messages")

or

@1.2.3.4
vs
action(type='omfwd' port='514' target='1.2.3.4' protocol='udp')

It's when you start adding options to the simple things that it gets messy.
And even then, some options are nicer in the old format. Consider writing
files with specific permissions. With the old style you specify it once and
it applies to everything after it in the file. With the new style you have
to specify it as part of each action. If you are wanting everything written
with the same permission, and put the config for it early in the config
file, the old style is easier, but if you want to write different things
with different permissions, or don't realize that the order things appear
in the config file matters, then the old style is incredibly messy.

Rulesets are one of the things that is just insanely bad in the old style
config.

Queues are another. People continually make the mistake of thinking that a
set of queue statements in the old style config creates a queue for
everything after that, while in the new style they are part of the action()
or ruleset() statement so it's blindingly obvious that they only apply to
the one statement.

The good news is that more people are able to use the new configs without
having to upgrade outside their distro now.
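
The scoping difference described in the post above, shown side by side as an added configuration example that is not part of the original post. The file paths, modes, queue file name and the second target 192.0.2.10 are constructed for illustration; the two halves are alternatives, not one config file.

```conf
#### Old style: directives are positional ####

# $FileCreateMode applies to every file action that follows it,
# until another $FileCreateMode changes it.
$FileCreateMode 0600
# created 0600
authpriv.*    /var/log/secure
# still 0600, because nothing changed the mode in between
mail.*        /var/log/maillog
$FileCreateMode 0644
# created 0644; moving this line above the first directive
# would silently change its permissions
*.info        /var/log/messages

# $ActionQueue* directives apply to the NEXT action only.
$ActionQueueType LinkedList
$ActionQueueFileName fwdq
$ActionResumeRetryCount -1
# this action gets the disk-assisted queue
*.*    @@1.2.3.4:514
# this one does not: it runs without its own queue
*.*    @@192.0.2.10:514

#### New style: every setting is part of the statement it affects ####

authpriv.*  action(type="omfile" file="/var/log/secure"
                   fileCreateMode="0600")
mail.*      action(type="omfile" file="/var/log/maillog"
                   fileCreateMode="0600")
*.info      action(type="omfile" file="/var/log/messages"
                   fileCreateMode="0644")

*.*  action(type="omfwd" target="1.2.3.4" port="514" protocol="tcp"
            queue.type="LinkedList" queue.filename="fwdq"
            action.resumeRetryCount="-1")
# no queue.* parameters here, so no separate queue, and that is
# visible in the statement itself
*.*  action(type="omfwd" target="192.0.2.10" port="514" protocol="tcp")
```

After applying either form, `rsyslogd -N1` validates the configuration, and `stat -c '%a %n'` on the log files confirms the modes of newly created files.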