Discussion:
Bug#1023596: bookworm: document changes in default rsyslog configuration
(too old to reply)
Michael Biebl
2022-11-07 11:20:01 UTC
Permalink
Package: release-notes
Severity: normal

The rsyslog configuration changed significantly in bookworm.
Copying the relevant parts from the changelog:

rsyslog (8.2210.0-3) unstable; urgency=medium

* Stop splitting up mail.*
This avoids having mail related messages duplicated in mail.log and
mail.{info,warn,err}. (Closes: #508376)
* Drop catch-all log files /var/log/{messages,debug}
Avoid unnecessary duplication as those log messages end up in
/var/log/syslog anyway. (Closes: #580552)
* Stop splitting lpr facility into its own log file.
The default printing system CUPS is not using this facility so its
basically unused nowadays.
* Stop splitting daemon facility into its own log file.
The daemon facility is too vaguely defined to be really useful and since
those log messages end up in /var/log/syslog anyway, stop duplicating
them.
* Split cron facility into its own log file /var/log/cron.log.
The cron facility is widely used and limited enough in scope to have it
split out separately. (Closes: #625483)
* Update comments in rsyslog.conf
* Enable high precision timestamps with timezone information.
Use the default rsyslog file format, which provides several benefits
like:
- sortable
- time zone information
- sub-second time resolution
(Closes: #475303)

-- Michael Biebl <***@debian.org> Sat, 29 Oct 2022 22:54:41 +0200


Assuming there is no huge backlash regarding those changes and they will
stay as-is, they should probably be documented in the release notes.



Regards,
Michael
RL
2022-11-07 22:20:01 UTC
Permalink
Post by Michael Biebl
The rsyslog configuration changed significantly in bookworm.
Hi, I'd potentially be happy to contribute some text for release-notes
on rsyslog. Some questions based on what i'd want to know as an
interested user:

Are both rsyslog and systemd's journal still both the default in bookworm?

I see rsyslog is still priority: important - any plans to reduce that in
future releases?
Post by Michael Biebl
* Enable high precision timestamps with timezone information.
Use the default rsyslog file format, which provides several benefits
- sortable
- time zone information
- sub-second time resolution
(Closes: #475303)
(this would seem to break every single logcheck rule too)
Post by Michael Biebl
* Stop splitting up mail.*
This avoids having mail related messages duplicated in mail.log and
mail.{info,warn,err}. (Closes: #508376)
I think the impact here depends on the mta:
- debian's default mta is exim4
- postfix is a popular alternative
- /var/log/mail.{info,warn,err}* can be deleted after the upgrade (or is this done by the upgade?)

Details:
For exim4, logging was in /var/log/exim4 (and mail.err was duplicating paniclog,
others not used but are created as empty files)

For postfix, logging was in /var/log/mail.log and duplicated in all/some
of /var/log/syslog and mail.{info,warn,err}* (unchecked - based on the
bug report)

Other mtas are likely to be similar to either exim or postfix - but is
there any mta that only uses mail.*?

(For all these we should be clear that the user dosnt need to delete
anything and should check what is being used)
Post by Michael Biebl
* Stop splitting lpr facility into its own log file.
The default printing system CUPS is not using this facility so its
basically unused nowadays.
Am i right that
- cups is installed by the default gnome desktop task: anyone using that is
not affected as the /var/log/lpr.log is not created
- systems without any printing systems are likely not affected
(lpr.log will not exist)
- people who have installed some alternative printing system (is there any?)
can now delete /var/log/lpr.log* and find log messages about printing
in syslog (or do other systems expect lpr.log to exist?)
Post by Michael Biebl
* Drop catch-all log files /var/log/{messages,debug}
* Stop splitting daemon facility into its own log file.
Similarly (but nothing to do with mtas) users can delete these logs -
the second being /var/log/daemon.log
Post by Michael Biebl
* Split cron facility into its own log file /var/log/cron.log.
The cron facility is widely used and limited enough in scope to have it
split out separately. (Closes: #625483)
This one affects everyone using cron (including anacron). .... but isnt
there some lintian warning that anaccron is no longer installed for
desktop users? (which should be in release-notes i assume)

I assume that for bookwork, systemd timers are not yet ready to replace
cron jobs by default

Regards
Michael Biebl
2022-11-07 23:20:01 UTC
Permalink
Post by RL
Are both rsyslog and systemd's journal still both the default in bookworm?
I see rsyslog is still priority: important - any plans to reduce that in
future releases?
That's actually good point: rsyslog in bookworm has been demoted to prio
optional [1], so is no longer installed by default.

Regards,
Michael

[1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1018788
Justin B Rye
2022-11-08 10:40:01 UTC
Permalink
Post by Michael Biebl
Post by RL
Are both rsyslog and systemd's journal still both the default in bookworm?
I see rsyslog is still priority: important - any plans to reduce that in
future releases?
That's actually good point: rsyslog in bookworm has been demoted to prio
optional [1], so is no longer installed by default.
[1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1018788
This doesn't make it any less likely for people dist-upgrading from
bullseye to have it installed, and meanwhile there are plenty of
dependencies that can pull it in as first choice.

So there probably ought to a release-notes entry specifically to
suggest uninstalling (r)syslog where it's redundant, though it can
leave out some fiddly details in favour of a sources.debian.org link
pointing at the changelog (or NEWS file, if that has anything). And
depending on how it interacts with things like logcheck on bullseye,
maybe we'll want the notes to mention the config option that can be
set in advance to hold off the log-format change - the debian-user
mailinglist reckons it's:

$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

(in the GLOBAL section of rsyslog.conf).
--
JBR with qualifications in linguistics, experience as a Debian
sysadmin, and probably no clue about this particular package
Richard Lewis
2022-11-09 22:40:01 UTC
Permalink
Makes sense.

Just wanted to add a link to the related logcheck bug which just got
filed: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1023755
- even if this gets fixed in logcheck, users of rsyslog need to make
the same change to all locally-written logcheck rules (and there are
probably some installed by other packages) so impact is still worth
documenting in release-notes imo
Richard Lewis
2023-04-10 13:50:01 UTC
Permalink
This bug is now fixed in commit 7122b30d

https://salsa.debian.org/ddp-team/release-notes/-/commit/7122b30dd1a483379759558faa720db7b570010c

(i dont know if the bug should be set closed/pending or if that happens later?)
Debian Bug Tracking System
2023-04-10 17:00:01 UTC
Permalink
Your message dated Mon, 10 Apr 2023 18:47:59 +0200
with message-id <9bd5505d-24a0-5ab8-a6e7-***@debian.org>
and subject line Re: Bug#1023596: bookworm: document changes in default rsyslog configuration
has caused the Debian Bug report #1023596,
regarding bookworm: document changes in default rsyslog configuration
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ***@bugs.debian.org
immediately.)
--
1023596: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1023596
Debian Bug Tracking System
Contact ***@bugs.debian.org with problems
Loading...