rsyslog.conf question

[Kevin Miller]

I'm running a pretty stock install of rsyslogd on my workstation, and
was experimenting with rsyslogd. I noticed in /etc/rsyslogd.conf that
some paths had a "-" before them and others didn't. For instance, the
snippet below pertains to the mail logging. The first two lines begin
with -/var while the third is just /var (no dash in front).

#
# Logging for the mail system. Split it up so that
# it is easy to write scripts to parse these files.
#
mail.info -/var/log/mail.info
mail.warn -/var/log/mail.warn
mail.err /var/log/mail.err

What does the dash do/signify? I don't observe any difference in
behavior. All three files are populated with their respective
facility.priority messages.

I've been reading through the docs but I haven't found anything that
addresses this.

Thanks...

...Kevin
--
Kevin Miller
Juneau, Alaska
http://www.alaska.net/~atftb
"In the history of the world, no one has ever washed a rented car."
- Lawrence Summers

[John F. Morse]

Kevin Miller wrote:
> I'm running a pretty stock install of rsyslogd on my workstation, and
> was experimenting with rsyslogd. I noticed in /etc/rsyslogd.conf that
> some paths had a "-" before them and others didn't. For instance, the
> snippet below pertains to the mail logging. The first two lines begin
> with -/var while the third is just /var (no dash in front).
>
> #
> # Logging for the mail system. Split it up so that
> # it is easy to write scripts to parse these files.
> #
> mail.info -/var/log/mail.info
> mail.warn -/var/log/mail.warn
> mail.err /var/log/mail.err
>
> What does the dash do/signify? I don't observe any difference in
> behavior. All three files are populated with their respective
> facility.priority messages.
>
> I've been reading through the docs but I haven't found anything that
> addresses this.
>
> Thanks...
>
> ...Kevin

See SYSKLOGD(8) under this section:


CONFIGURATION FILE SYNTAX DIFFERENCES

. . .

The - may only be used to prefix a filename if you want to omit
sync’ing the file after every write to it.

This may take some acclimatization for those individuals used
to the
pure BSD behavior but testers have indicated that this syntax is
some‐
what more flexible than the BSD behavior. Note that these
changes
should not affect standard syslog.conf(5) files. You must
specifically
modify the configuration files to obtain the enhanced behavior.


--
John

When a person has -- whether they knew it or not -- already
rejected the Truth, by what means do they discern a lie?

[Richard Kettlewell]

Kevin Miller <atf...@alaska.net> writes:
> I'm running a pretty stock install of rsyslogd on my workstation, and
> was experimenting with rsyslogd. I noticed in /etc/rsyslogd.conf that
> some paths had a "-" before them and others didn't. For instance, the
> snippet below pertains to the mail logging. The first two lines begin
> with -/var while the third is just /var (no dash in front).
>
> #
> # Logging for the mail system. Split it up so that
> # it is easy to write scripts to parse these files.
> #
> mail.info -/var/log/mail.info
> mail.warn -/var/log/mail.warn
> mail.err /var/log/mail.err
>
> What does the dash do/signify? I don't observe any difference in
> behavior. All three files are populated with their respective
> facility.priority messages.
>
> I've been reading through the docs but I haven't found anything that
> addresses this.

This seems to have been omitted from the man page for rsyslog.conf for
some reason, but the effect in syslogd was to suppress synchronous
writes to logfiles. The result is that files listed with the "-" are
more likely to be missing entries after a crash or power failure.

--
http://www.greenend.org.uk/rjk/

[Kevin Miller]

On 05/02/2012 04:47 PM, John F. Morse wrote:
snip

>
> See SYSKLOGD(8) under this section:
>
> CONFIGURATION FILE SYNTAX DIFFERENCES
> . . .
>
> The - may only be used to prefix a filename if you want to omit
> sync’ing the file after every write to it.
>
> This may take some acclimatization for those individuals used to the
> pure BSD behavior but testers have indicated that this syntax is some‐
> what more flexible than the BSD behavior. Note that these changes
> should not affect standard syslog.conf(5) files. You must specifically
> modify the configuration files to obtain the enhanced behavior.

Thanks. The section you snipped pertaining to the other modifiers was
informative too.

I'm not sure what "sync'ing" the file implies though. What is it
sync'ed with?

Best...

[Kevin Miller]

I'm unclear on "synchronous writes" - is that the idea that it's written
to both mail.log and mail.err? (mail.info or mail.warn being skipped
because mail.log already has the entry, and it's of less utility than
the err message)

Thanks...

[Richard Kettlewell]

Kevin Miller <atf...@alaska.net> writes:

> Richard Kettlewell wrote:

>> This seems to have been omitted from the man page for rsyslog.conf for
>> some reason, but the effect in syslogd was to suppress synchronous
>> writes to logfiles. The result is that files listed with the "-" are
>> more likely to be missing entries after a crash or power failure.
>
> I'm unclear on "synchronous writes" - is that the idea that it's
> written to both mail.log and mail.err? (mail.info or mail.warn being
> skipped because mail.log already has the entry, and it's of less
> utility than the err message)

A synchronous write means one that blocks until it's actually hit the
disk. An asynchronous write can hang around in buffer cache for
extended period and the writing application won't know about this.

Since the syslog protocol doesn't include any kind of ack, the blocking
doesn't provide any higher-level synchronization in this case. However
it should nevertheless (usually) reduce the time window in which a crash
can lose logging information. The downside is that it may somewhat
increase the amount of disk IO your system does.

--
http://www.greenend.org.uk/rjk/

[Kevin Miller]

Ah, sort of like needing to umount a thumb drive before you pull it out
or the write may not be complete. Thanks, that makes sense.

Appreciate the help...