Rsyslog – Difference Between $ModLoad and module(load)

I'm on an RHEL 7.7 machine:

Linux myhost 3.10.0-1062.el7.x86_64 #1 SMP Thu Jul 18 20:25:13 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux

Running rsyslog-8.24.0-38.el7.x86_64

According to the rsyslog docs (currently in 2021 located at https://www.rsyslog.com/doc/master/configuration/converting_to_new_format.html), $ModLoad is obsolete and replaced by module(load=. So I've tried it and I've noticed they're not equivalent. My question is, why is the new format not acting like the old?

For reference, here's the entry from the documentation:

Converting Module Load

This is very straight-forward. In obsolete legacy format we use:

$ModLoad module-name

This is very simply converted to:

module(load="module-name")

When I do this in my rsyslog.conf file:

$ModLoad imuxsock.so    # provides support for local system logging (e.g. via logger command)
$ModLoad imklog.so      # provides kernel logging support (previously done by rklogd)

restart rsyslog, then do: systemctl restart crond, I notice this in /var/log/messages:

Mar  8 18:16:19 myhost systemd[1]: Started System Logging Service.
Mar  8 18:16:24 myhost systemd[1]: Stopping Command Scheduler...
Mar  8 18:16:24 myhost systemd[1]: Stopped Command Scheduler.
Mar  8 18:16:24 myhost systemd[1]: Started Command Scheduler.

But when convert to the modern configuration, like this:

module(load="imuxsock") # provides support for local system logging (e.g. via logger command)
module(load="imklog") # provides kernel logging support (previously done by rklogd)

(changing only those two lines) I see this:

Mar  8 18:18:40 myhost rsyslogd:  [origin software="rsyslogd" swVersion="8.24.0-38.el7" x-pid="28876" x-info="http://www.rsyslog.com"] start

No mention of the crond restart.

I've also tried, just for grins:

module(load="imuxsock.so") # provides support for local system logging (e.g. via logger command)
module(load="imklog.so") # provides kernel logging support (previously done by rklogd)

No difference in behavior.

Edit:
I notice that if a file /etc/rsyslog.d/listen.conf exists, and it contains

$SystemLogSocketName /run/systemd/journal/syslog

then I get the behavior described, along with an error message in /var/log/messages:

Mar  8 18:45:13 myhost rsyslogd: command 'SystemLogSocketName' is currently not permitted - did you already set it via a RainerScript command (v6+ config)? [v8.24.0-38.el7 try http://www.rsyslog.com/e/2222 ]

but only if I use the new style of module loading. Which means that it's not "very simply converted", at least in my mind.

If I remove that listen.conf file, then I get no logging of a crond restart in /var/log/messages at all.

Now I wonder how I can get the /var/log/messages logging with the new style module load syntax.

Best Answer

On the whole, rsyslog does a good job allowing legacy options from 20 years ago to co-exist with all the enormous changes made since.

Note that a $ModLoad line can have many other lines providing options for that module. For example, the $SystemLogSocketName option you found corresponds to the imuxsock module() option SysSock.Name=.

You should look at all the other non-commented-out lines beginning $ and convert them to appropriate module parameters.

Best Answer

Related Solutions

Centos – rsyslog-thesql on CentOS 5.3 does not have permission to access the thesql.sock

Remote logging with rsyslog – Cannot load module lmnsd_gtls.so

Related Topic