"The rocket-fast system for log processing": rsyslog
I have been using rsyslog for many years now to provide a centralized logging service to the enterprise. Previously I used syslog-ng. Since the Linux distributions used at work switched to rsyslog, I went along.
I have set up the syslog/rsyslog services and they just ran. For years, I just let them be. But as complexity grew in these services, I started to encounter problems. Thus this blog entry. I expect more to follow.
Rsyslog Configuration
First thing to discuss is the rsyslog configuration.
Traditionally, syslog configuration uses a legacy syntax. Both rsyslog and syslog-ng support it. The legacy syntax starts simple but it brings along some complexity of its own. Here are a few examples from Ubuntu:

    auth,authpriv.* /var/log/auth.log
    *.*;auth,authpriv.none -/var/log/syslog

You can kind of guess what those lines mean.
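To make the guess concrete, here is a small evaluator for legacy selector lines, written as an added example (it is not code from rsyslog or from the original post). It assumes the sysklogd-style semantics that rsyslog follows for this syntax and covers only `*`, `none`, plain priorities and `=priority`; the `!` negation is left out, and the function names are hypothetical.

```python
# Added example: evaluate legacy syslog selectors for a (facility, severity) pair.
# Severities are ordered from most to least severe.
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

def parse_rule(line):
    """Split a legacy rule into (selector, target_path, no_sync_hint)."""
    selector, target = line.split(None, 1)
    target = target.strip()
    # A leading '-' historically meant "do not sync the file after each write".
    return selector, target.lstrip("-"), target.startswith("-")

def selector_matches(selector, facility, severity):
    """Evaluate ';'-separated parts left to right; later parts adjust earlier ones."""
    sev = SEVERITIES.index(severity)
    matched = False
    for part in selector.split(";"):
        facilities, _, prio = part.rpartition(".")
        if facilities != "*" and facility not in facilities.split(","):
            continue                      # this part says nothing about our facility
        if prio == "none":
            matched = False               # exclude the facility entirely
        elif prio == "*":
            matched = True                # every severity
        elif prio.startswith("="):
            matched = matched or sev == SEVERITIES.index(prio[1:])   # exactly this one
        else:
            matched = matched or sev <= SEVERITIES.index(prio)       # this one and more severe
    return matched

def route(rules, facility, severity):
    """Return every target file a message would be written to."""
    targets = []
    for line in rules:
        selector, target, _ = parse_rule(line)
        if selector_matches(selector, facility, severity):
            targets.append(target)
    return targets

# The two Ubuntu lines quoted above.
RULES = [
    "auth,authpriv.* /var/log/auth.log",
    "*.*;auth,authpriv.none -/var/log/syslog",
]

if __name__ == "__main__":
    for fac, sev in [("auth", "info"), ("authpriv", "debug"), ("cron", "err")]:
        print(fac, sev, "->", route(RULES, fac, sev))
```

Authentication messages land only in auth.log, because the `auth,authpriv.none` part removes them from the catch-all `*.*` that feeds syslog.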
Rsyslog, on the other hand, has a new RainerScript system for configuration, which I use quite extensively at work. More on that later.
Performance
Another learning experience for me is about rsyslog performance. It had worked wonderfully for me for years without looking under the hood... until something (or a combination of things) happened.
Troubleshooting
Troubleshooting rsyslog issues is still new to me -- even though I have been using the software, I had not actually run into many problems until recently. It is of interest to me to write down the experiences.
That's it for today. Have a nice weekend!