Choosing between syslog-ng vs rsyslog depending on the default logs setup

I do not remember why I started using rsyslog instead of syslog-ng. Syslog-ng people provide a comparison page while rsyslog's point out how their software is rocket-fast. Why change at all?

From Debian changelog:

rsyslog (8.2210.0-3) unstable; urgency=medium

  * Stop splitting up mail.*
    This avoids having mail related messages duplicated in mail.log and
    mail.{info,warn,err}. (Closes: #508376)
  * Drop catch-all log files /var/log/{messages,debug}
    Avoid unnecessary duplication as those log messages end up in
    /var/log/syslog anyway. (Closes: #580552)
  * Stop splitting lpr facility into its own log file.
    The default printing system CUPS is not using this facility so its
    basically unused nowadays.
  * Stop splitting daemon facility into its own log file.
    The daemon facility is too vaguely defined to be really useful and since
    those log messages end up in /var/log/syslog anyway, stop duplicating
    them.
  * Split cron facility into its own log file /var/log/cron.log.
    The cron facility is widely used and limited enough in scope to have it
    split out separately. (Closes: #625483)
  [...]
 -- Michael Biebl <biebl@debian.org>  Sat, 29 Oct 2022 22:54:41 +0200

All the convenient log splitting that had been there for decades was just deconfigured, no matter whether people had fail2ban or a similar setup based on those files, or had a specific interest in parsing smaller rather than bigger logs.

A bug report about how mail.info and mail.log were identical led maintainer Michael Biebl to explain:

I copied the old sysklogd syslog.conf almost verbatim, to be as compatible as possible and not break any existing setups (like log checkers and stuff, which might look for those files.) So, for lenny, I definitely don’t want to change that. But it is something that could be looked into early during the squeeze cycle. Such a change though should probably be discussed on debian-devel first.

Was it discussed on debian-devel in the end? cron managed to keep its log for now. But a report that initially complained that messages of a certain severity seemed to be discarded by default turned into a request to remove duplicates. Maintainer Michael Biebl wrote:

I never understood why we had those separate files, and the current rsyslog.conf is basically a result of keeping what the old sysklogd shipped. I need to bring that up on the mailing list, guess.

So I guess it was discussed on the mailing list, in the end. But was it discussed only for rsyslog and not syslog-ng? In any case, switching to syslog-ng saves me from bothering to change my setup and allows me to keep checking split logs, which are still easier to read and parse than a massive catch-all /var/log/syslog.
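
For hosts that stay on rsyslog and have fail2ban filters or log checkers pointed at the old files, a drop-in can bring the split back. The fragment below is an added example, not part of the original post and not a copy of any Debian-packaged file; the file name is hypothetical and the selectors are assumptions derived from the changelog entries quoted above.

```conf
# /etc/rsyslog.d/50-split-legacy.conf   (hypothetical file name)
# Added example: recreates the per-facility and catch-all files that
# the 8.2210.0-3 changelog entry says are no longer written.
# A leading "-" is the traditional "do not sync after every write"
# marker; the file without it (mail.err) keeps the stricter behaviour.

# mail facility split by severity again
# (a bare priority means "this severity and higher")
mail.info                       -/var/log/mail.info
mail.warn                       -/var/log/mail.warn
mail.err                        /var/log/mail.err

# lpr and daemon facilities in their own files
lpr.*                           -/var/log/lpr.log
daemon.*                        -/var/log/daemon.log

# catch-all files: "=" matches exactly one severity, ".none" excludes
# a facility that already has a dedicated file
*.=debug;\
        auth,authpriv.none;\
        mail.none               -/var/log/debug
*.=info;*.=notice;*.=warn;\
        auth,authpriv.none;\
        cron,daemon.none;\
        mail.none               -/var/log/messages
```

Check the syntax with `rsyslogd -N1` before restarting the service, and make sure the recreated files are covered by log rotation (on Debian, /etc/logrotate.d/rsyslog), otherwise they grow without bound.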
