Mailing List Archive

rsyslog config file format - please provide feedback
Hi all,

We are nearing the point where a decision about the future config file
format needs to be made. I have blogged the details:

http://rgerhards.blogspot.com/2007/09/rsyslog-config-again.html

I would deeply appreciate any feedback on the samples and format
suggestions.

Best regards,
Rainer Gerhards
rsyslog config file format - please provide feedback [ In reply to ]
On 2007-09-06, Rainer Gerhards <rgerhards at hq.adiscon.com> wrote:
>
> http://rgerhards.blogspot.com/2007/09/rsyslog-config-again.html
>
> I would deeply appreciate any feedback on the samples and format
> suggestions.

/me thinks you're getting way too little feedback on the blog,
or this list. Unfortunately I don't have much more than simple
preference to contribute here..

XML-based format:

Yikes, you'll need an additional human readable frontend
format that's converted to XML for it to be usable. You
can't expect us poor sysadmins to be editing XML
directly to configure rsyslogd..

syslog-ng like:

Fair enough.. It works for my usage.

Metalog like:

No experience..

Apache like:

Not sure I understand this.. Seems like a mix of option/value
and xml'ish for some functionality.

Programming like..:

Of the samples in the wiki, I most prefer the BASIC-like. It
resembles python to me, and also "mon"'s config format. Very
readable. http://mon.wiki.kernel.org/index.php/Mon_Manual

The c-like with functions seems too complex:

if1:
{
    if(%severity < "debug" && lower(substr(%msg, 5, 3)) != "err")
}

action1()
{
    action(type=filewrite, file="/var/log/mail.log")
}

rule1()
{
    if1()
    action1()
    action(type=filewrite, file="/var/log/messages.log")
}

rule(if1,action1)
ruleset(rule1, rule(if1, action(type=filewrite, file="/var/log/messages.log")))
rule(action1(),input="$all")
input(type=udp, bind="127.0.0.1")

I can't parse this.. Does rule1() break out if if1() is false?
Then I guess writes to /var/log/messages.log won't happen if
action1 for some reason failed ? Contrast it to mon's config
translated to syslogging:

# Define some groups of servers:
hostgroup mailservers server1 server2 server3
hostgroup webservers server4 server5

watch mailservers
    severity > debug
        SUBMSG = lower(substr(%msg, 5, 3))
        SUBMSG != "err"
            logwrite /var/log/mail.log
            logwrite /var/log/messages.log
        SUBMSG == "err"
            logwrite /var/log/err.log

watch webservers
    programname == httpd
        severity == crit
            cmd wall "httpd critical: $msg"
            logwrite /var/log/crit.log
        severity < crit
            logwrite /var/log/httpd.log


Each indentation means it's depending on the previous
statement being true. You might need to be drinking the python
Kool-Aid to see the beauty :-)


-jf
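
The indentation rule from the message above (a nested line applies only when the line it is indented under is true), as an added example that is not part of the original post and is not rsyslog or mon code: a small Python evaluator run over a constructed config in that style. The severity ordering, the `hostgroup` and `SUBMSG` message fields, and all function names are assumptions made for this example.

```python
import re
# Constructed sample modelled on the mon-style sketch in the post; 4-space indents.
CONFIG = """\
watch mailservers
    severity > debug
        SUBMSG != "err"
            logwrite /var/log/mail.log
            logwrite /var/log/messages.log
        SUBMSG == "err"
            logwrite /var/log/err.log
"""
SEVERITIES = ["debug", "info", "notice", "warning", "err", "crit", "alert", "emerg"]  # assumed order
COND = re.compile(r'^(\w+)\s*(==|!=|<|>)\s*"?([^"]*)"?$')

def parse(text):
    """Build a tree of (statement, children) nodes from indentation depth."""
    stack = [(-1, [])]  # (indent, child list); the first entry is the root
    for raw in text.splitlines():
        body = raw.lstrip()
        indent = len(raw) - len(body)
        if body:
            if "\t" in raw[:indent]:  # a tab would make the nesting depth ambiguous
                raise ValueError("tab in indentation: %r" % raw)
            while stack[-1][0] >= indent:
                stack.pop()
            children = []
            stack[-1][1].append((body.rstrip(), children))
            stack.append((indent, children))
    return stack[0][1]

def holds(stmt, msg):
    if stmt.startswith("watch "):  # hostgroup membership, resolved by the caller
        return msg["hostgroup"] == stmt.split()[1]
    m = COND.match(stmt)
    if not m:
        raise ValueError("not a condition: %r" % stmt)  # reject unknown lines, never skip them
    field, op, want = m.groups()
    rank = SEVERITIES.index if field == "severity" else str  # severities compare by rank
    have, want = rank(msg[field]), rank(want)
    return {"==": have == want, "!=": have != want, "<": have < want, ">": have > want}[op]

def route(nodes, msg):
    out = []  # log files this message reaches
    for stmt, children in nodes:
        if stmt.startswith("logwrite "):
            out.append(stmt.split(None, 1)[1])
        elif holds(stmt, msg):  # children run only when the parent condition is true
            out += route(children, msg)
    return out

print(route(parse(CONFIG), {"hostgroup": "mailservers", "severity": "info", "SUBMSG": "ok "}))
```

Two `logwrite` lines at the same depth are siblings, so the second is reached whenever their shared parent condition holds, independent of the first.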
rsyslog config file format - please provide feedback [ In reply to ]
On Fri, 2007-09-07 at 13:32 +0200, Jan-Frode Myklebust wrote:
> On 2007-09-06, Rainer Gerhards <rgerhards at hq.adiscon.com> wrote:
> >
> > http://rgerhards.blogspot.com/2007/09/rsyslog-config-again.html
> >
> > I would deeply appreciate any feedback on the samples and format
> > suggestions.
>
> /me thinks you're getting way too little feedback on the blog,
> or this list. Unfortunately I don't have much more than simple
> preference to contribute here..
>
> XML-based format:
>
> Yikes, you'll need an additional human readable frontend
> format that's converted to XML for it to be usable. You
> can't expect us poor sysadmins to be editing XML
> directly to configure rsyslogd..

The nice piece of this is that it is machine parseable easily which
enables lots of useful editors.

>
> syslog-ng like:
>
> Fair enough.. It works for my usage.

The syntax is okay but at that point what distinguishes b/t syslog-ng
and rsyslog?


> Apache like:
>
> Not sure I understand this.. Seems like a mix of option/value
> and xml'ish for some functionality.

This one I'm more interested in. If you think of each log like a vhost
and you define the qualities that are added to that inside the
definition

<Log mylogofsilliness>
Destination /path/to/silly.log
DestinationMode 0640
DestinationOwner root
DestinationGroup log-readers
Include mail.info kern.debug cron.emerg
</Log>

etc, etc, etc

maybe that doesn't make sense, maybe it does - it is pretty easy to
read, though.

-sv
rsyslog config file format - please provide feedback [ In reply to ]
I am replying here, but without a real reply. All feedback is deeply
appreciated, but I'd like to keep silent for the time being to avoid
bringing in my personal bias.

Please keep commenting. I'll do a wrap-up later.

Rainer

> -----Original Message-----
> From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog-
> bounces at lists.adiscon.com] On Behalf Of seth vidal
> Sent: Friday, September 07, 2007 1:41 PM
> To: rsyslog-users
> Subject: Re: [rsyslog] rsyslog config file format - please provide
> feedback
>
>
> On Fri, 2007-09-07 at 13:32 +0200, Jan-Frode Myklebust wrote:
> > On 2007-09-06, Rainer Gerhards <rgerhards at hq.adiscon.com> wrote:
> > >
> > > http://rgerhards.blogspot.com/2007/09/rsyslog-config-again.html
> > >
> > > I would deeply appreciate any feedback on the samples and format
> > > suggestions.
> >
> > /me thinks you're getting way too little feedback on the blog,
> > or this list. Unfortunately I don't have much more than simple
> > preference to contribute here..
> >
> > XML-based format:
> >
> > Yikes, you'll need an additional human readable frontend
> > format that's converted to XML for it to be usable. You
> > can't expect us poor sysadmins to be editing XML
> > directly to configure rsyslogd..
>
> The nice piece of this is that it is machine parseable easily which
> enables lots of useful editors.
>
> >
> > syslog-ng like:
> >
> > Fair enough.. It works for my usage.
>
> The syntax is okay but at that point what distinguishes b/t syslog-ng
> and rsyslog?
>
>
> > Apache like:
> >
> > Not sure I understand this.. Seems like a mix of option/value
> > and xml'ish for some functionality.
>
> This one I'm more interested in. If you think of each log like a vhost
> and you define the qualities that are added to that inside the
> definition
>
> <Log mylogofsilliness>
> Destination /path/to/silly.log
> DestinationMode 0640
> DestinationOwner root
> DestinationGroup log-readers
> Include mail.info kern.debug cron.emerg
> </Log>
>
> etc, etc, etc
>
> maybe that doesn't make sense, maybe it does - it is pretty easy to
> read, though.
>
> -sv
rsyslog config file format - please provide feedback [ In reply to ]
Hi,

> > > http://rgerhards.blogspot.com/2007/09/rsyslog-config-again.html
> > >
> > > I would deeply appreciate any feedback on the samples and format
> > > suggestions.
> >
> > /me thinks you're getting way too little feedback on the blog,
> > or this list. Unfortunately I don't have much more than simple
> > preference to contribute here..
> >
> > XML-based format:
> >
> > Yikes, you'll need an additional human readable frontend
> > format that's converted to XML for it to be usable. You
> > can't expect us poor sysadmins to be editing XML
> > directly to configure rsyslogd..
>
> The nice piece of this is that it is machine parseable easily which
> enables lots of useful editors.

I don't agree with the original poster's comment there also.

As an example, I have been using linuxha.net now for quite some years on many
clusters and from day one, linuxha.net has used XML for all its configuration
files. I personally find the "standard" that brings to config files much
better than the myriad of conf files I've dealt with the many more years I've
been using UNIX and Linux.

> > syslog-ng like:
> >
> > Fair enough.. It works for my usage.
>
> The syntax is okay but at that point what distinguishes b/t syslog-ng
> and rsyslog?

I've personally never been a fan of the syntax used in this. Sure I know it
now after years for admin work, but I remember the times I needed to learn it
thoroughly, it wasn't as easy as other conf files.

> > Apache like:
> >
> > Not sure I understand this.. Seems like a mix of option/value
> > and xml'ish for some functionality.
>
> This one I'm more interested in. If you think of each log like a
> vhost and you define the qualities that are added to that inside the
> definition
>
> <Log mylogofsilliness>
> Destination /path/to/silly.log
> DestinationMode 0640
> DestinationOwner root
> DestinationGroup log-readers
> Include mail.info kern.debug cron.emerg
> </Log>
>
> etc, etc, etc
>
> maybe that doesn't make sense, maybe it does - it is pretty easy to
> read, though.

I think every sysadmin has set up a web server and delved into the apache-like
configurations with software like apache, proftpd, etc. It's a nice and easy
to understand format which has also proved the test of time.

I'd be happy with either XML or Apache-like, but my bias is towards XML.

Regards,

Michael.
