1. Forum
  2. Usenet
  3. LINUX.DEBIAN.USER

  • The impact of removing rsyslog from Trixie

    From Yassine Chaouche@21:1/5 to All on Mon Feb 17 14:40:01 2025
    Hello all,

    I have a couple of bash/awk scripts that read from text log files
    to display summary information about what's going with my services,
    mainly postifx, dovecot, apache and nginx.
    I just read that trixie is removing rsyslog,
    and that reading journals should be done using journalctl by default.

    I was just wondering what other sysadmins think about this?

    In theory, it' just a matter of replacing

    tail -f

    with

    journalctl -f

    in the scripts, but I wanted to make sure I'm not missing something else I should be paying attention to?

    Best,


    --
    yassine -- sysadm
    http://about.me/ychaouche
    Looking for side gigs.

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Dan Ritter@21:1/5 to Yassine Chaouche on Mon Feb 17 15:40:02 2025
    Yassine Chaouche wrote:
    Hello all,

    I have a couple of bash/awk scripts that read from text log files
    to display summary information about what's going with my services,
    mainly postifx, dovecot, apache and nginx.
    I just read that trixie is removing rsyslog,

    "removing"? Or not installing by default?

    and that reading journals should be done using journalctl by default.

    I was just wondering what other sysadmins think about this?

    I think that 'apt install rsyslog' is a good move for everyone
    who needs real logging.


    -dsr-

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Greg Wooledge@21:1/5 to Yassine Chaouche on Mon Feb 17 15:20:01 2025
    On Mon, Feb 17, 2025 at 14:36:35 +0100, Yassine Chaouche wrote:
    I just read that trixie is removing rsyslog,

    [citation needed]

    <https://packages.debian.org/search?keywords=rsyslog> says:

    * trixie (testing) (admin): reliable system and kernel logging daemon
    8.2412.0-1: amd64 arm64 armel armhf i386 mips64el ppc64el riscv64 s390x

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Andy Smith@21:1/5 to Yassine Chaouche on Mon Feb 17 16:30:01 2025
    Hi,

    On Mon, Feb 17, 2025 at 02:36:35PM +0100, Yassine Chaouche wrote:
    I just read that trixie is removing rsyslog,

    I suggest you re-evaluate your news sources, as that is not factually
    correct.

    rsyslog was made non-required in Debian 12 (bookworm). It remains
    packaged in Debian and will still be there in Debian 13. If you need it, install it. I do, so I do.

    Thanks,
    Andy

    --
    https://bitfolk.com/ -- No-nonsense VPS hosting

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Yassine Chaouche@21:1/5 to All on Mon Feb 17 16:50:01 2025
    Le 2/17/25 à 15:16, Dan Ritter a écrit :
    Yassine Chaouche wrote:
    Hello all,

    I have a couple of bash/awk scripts that read from text log files
    to display summary information about what's going with my services,
    mainly postifx, dovecot, apache and nginx.
    I just read that trixie is removing rsyslog,

    "removing"? Or not installing by default?

    and that reading journals should be done using journalctl by default.

    I admit it was poorly worded.
    It is not removed indeed,
    only not installed by default.
    The signal I got is an encouragement to abandon rsyslog which is redundant to journalctl.

    Poor wording aside, my question still holds:
    should I be paying attention to anything in particular?


    Best,

    --
    yassine -- sysadm
    http://about.me/ychaouche
    Looking for side gigs.

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Greg Wooledge@21:1/5 to Yassine Chaouche on Mon Feb 17 16:50:02 2025
    On Mon, Feb 17, 2025 at 16:43:49 +0100, Yassine Chaouche wrote:
    I admit it was poorly worded.
    It is not removed indeed,
    only not installed by default.

    In other words, it's exactly the same as Bookworm. No change.

    The signal I got is an encouragement to abandon rsyslog which is redundant to journalctl.

    Poor wording aside, my question still holds:
    should I be paying attention to anything in particular?

    As long as you remember to install rsyslog after the Trixie (or Bookworm) installation, everything should continue to work normally.

    If you're upgrading, then no special steps should be needed for rsyslog
    to continue working. As far as I'm aware, anyway.

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Andy Smith@21:1/5 to Yassine Chaouche on Mon Feb 17 17:40:01 2025
    Hi,

    On Mon, Feb 17, 2025 at 04:43:49PM +0100, Yassine Chaouche wrote:
    It is not removed indeed,
    only not installed by default.

    …and also that already happened in Debian 12…

    The signal I got is an encouragement to abandon rsyslog which is
    redundant to journalctl.

    Several syslog daemons are packaged in Debian and some of them,
    particularly rsyslog and syslog-ng, do things that journald does not do.
    So no, not really, no "encouragement".

    The simple fact is that most users don't have complex logging needs and journald which is already installed fulfills those needs, so there is
    literally no need to force the installation of any particular syslog
    daemon any more. But they are there if you need them.

    should I be paying attention to anything in particular?

    If you wish to adapt to a world without a syslogd then your journalctl
    -f will work.

    If the output you are interested in comes from things that are started
    by a systemd unit then you can filter to just those units with --unit
    (or --user-unit).

    You also can have journalctl output in a more structured format if that
    helps processing with other tools.

    Reading things with a more critical eye and not spreading rumours like,
    "we are encouraged to abandon rsyslog which is redundant" would be good.

    Thanks,
    Andy

    --
    https://bitfolk.com/ -- No-nonsense VPS hosting

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From jman@21:1/5 to Andy Smith on Mon Feb 17 22:10:01 2025
    Andy Smith <[email protected]> writes:

    Several syslog daemons are packaged in Debian and some of them,
    particularly rsyslog and syslog-ng, do things that journald does not do.
    So no, not really, no "encouragement".

    The simple fact is that most users don't have complex logging needs and journald which is already installed fulfills those needs, so there is literally no need to force the installation of any particular syslog
    daemon any more. But they are there if you need them.

    I only check logs with journald since long but I am unsure if rsyslog is used. Purging the package
    ("apt purge rsyslog") does not seem to affect any other package.
    If I wanted to remove rsyslog (because I want just one logging system), how do I know if it's used
    anywhere?
    I have run a reverse dependency check:

    $ apt-rdepends --state-follow=Installed --state-show=Installed rsyslog
    ...
    rsyslog
    Depends: libc6 (>= 2.38)
    Depends: libestr0 (>= 0.1.9)
    Depends: libfastjson4 (>= 0.99.8)
    Depends: liblognorm5 (>= 2.0.3)
    Depends: libsystemd0 (>= 246)
    Depends: libuuid1 (>= 2.16)
    Depends: libzstd1 (>= 1.5.5)
    Depends: zlib1g (>= 1:1.1.4)
    ...

    Would these packages be affected?

    I use Debian/Trixie, rsyslog configured as per default installation. What would happen to the
    following files I see mentioned in /etc/rsyslog.conf?
    auth,authpriv.* /var/log/auth.log
    cron.* -/var/log/cron.log
    kern.* -/var/log/kern.log
    mail.* -/var/log/mail.log
    user.* -/var/log/user.log

    Thanks

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Greg Wooledge@21:1/5 to jman on Mon Feb 17 22:20:01 2025
    On Mon, Feb 17, 2025 at 21:41:33 +0100, jman wrote:
    If I wanted to remove rsyslog (because I want just one logging system), how do I know if it's used anywhere?

    Your plain text log files will stop being written to. They'll just sit
    there, frozen in time, forever. Anything that reads them looking for new
    log entries will find none.

    Do you have any kind of automation that reads log files? Like, that
    thing whose name I cannot remember right now, that reads ssh's auth.log
    file looking for repeated failed logins, and updates your firewall rules.

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Dan Ritter@21:1/5 to Greg Wooledge on Mon Feb 17 23:10:01 2025
    Greg Wooledge wrote:

    Do you have any kind of automation that reads log files? Like, that
    thing whose name I cannot remember right now, that reads ssh's auth.log
    file looking for repeated failed logins, and updates your firewall rules.


    fail2ban

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Charles Curley@21:1/5 to Dan Ritter on Mon Feb 17 23:40:01 2025
    On Mon, 17 Feb 2025 16:52:13 -0500
    Dan Ritter <[email protected]> wrote:

    Greg Wooledge wrote:

    Do you have any kind of automation that reads log files? Like, that
    thing whose name I cannot remember right now, that reads ssh's
    auth.log file looking for repeated failed logins, and updates your
    firewall rules.


    fail2ban



    I can report that fail2ban on Bookworm (1.0.2-2) runs just fine with no
    syslog on the system; journalctl only.

    Several of my systems that run Bookworm and Trixie run fine and dandy
    without rsyslog.

    --
    Does anybody read signatures any more?

    https://charlescurley.com
    https://charlescurley.com/blog/

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Yassine Chaouche@21:1/5 to All on Tue Feb 18 11:10:01 2025
    Le 2/17/25 à 22:52, Dan Ritter a écrit :
    Greg Wooledge wrote:

    Do you have any kind of automation that reads log files? Like, that
    thing whose name I cannot remember right now, that reads ssh's auth.log
    file looking for repeated failed logins, and updates your firewall rules.


    fail2ban

    Logcheck could also potentially be impacted,
    it reads from syslog an auth.log by default,
    but if the user changes configuration it can read from any other split log files.

    Best,


    --
    yassine -- sysadm
    http://about.me/ychaouche
    Looking for side gigs.

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Andy Smith@21:1/5 to Yassine Chaouche on Tue Feb 18 11:50:02 2025
    Hi,

    On Tue, Feb 18, 2025 at 11:01:43AM +0100, Yassine Chaouche wrote:
    Le 2/17/25 � 22:52, Dan Ritter a �crit�:
    fail2ban

    Logcheck could also potentially be impacted,
    it reads from syslog an auth.log by default,

    The manual pages are right there on your system and on https://manpages.debian.org/ so no need to speculate onto a mailing list
    with hundreds (thousands?) of subscribers, archived forever.

    You can just look and find out that both fail2ban and logcheck grew
    systemd journal support years ago.

    Problems are more likely to be found with things from outside Debian,
    home grown scripts etc.

    Thanks,
    Andy

    --
    https://bitfolk.com/ -- No-nonsense VPS hosting

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Charles Curley@21:1/5 to Yassine Chaouche on Tue Feb 18 17:50:01 2025
    On Tue, 18 Feb 2025 11:01:43 +0100
    Yassine Chaouche <[email protected]> wrote:

    Logcheck could also potentially be impacted,
    it reads from syslog an auth.log by default,
    but if the user changes configuration it can read from any other
    split log files.

    Logcheck works just fine with journalctl only.

    Instead of speculating about these things, how about doing an
    experiment, and see what actually breaks?

    --
    Does anybody read signatures any more?

    https://charlescurley.com
    https://charlescurley.com/blog/

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)