Rsyslog log format change proposal
Currently Fedora uses RSYSLOG_TraditionalFileFormat as a default format for timestamps in its logs. There is missing year and timezone. This proposal aims to change this by adopting ISO 8601 and RFC 3339 compliant timestamp format known as RSYSLOG_FileFormat instead of current RSYSLOG_TraditionalFileFormat.
- Name: Radovan Sroka
- Email: email@example.com
- Name: Roman Pavelka
- Email: firstname.lastname@example.org
- Release notes owner:
Currently Fedora, RHEL and CentOS use RSYSLOG_TraditionalFileFormat for log’s timestamp, so timestamps in files like /var/log/messages, /var/log/cron and /var/log/secure looks like e.g.:
May 29 13:37:50 localhost systemd: Starting Fingerprint Authentication Daemon...
We are suggesting new RSYSLOG_FileFormat that looks like e.g.:
2017-05-29T13:40:50.976409+02:00 localhost systemd: Stopping System Logging Service...
This format has few disadvantages
- Does not include year which sometimes may be needed, mostly when doing long term analysis or some investigation.
- Does not include timezone which may be important piece when working with system scattered around the globe.
- It is not standard format. Standards are ISO 8601 and more strict RFC 3339
I would propose to change this to defaults to standard format with timezone included.
Benefit to Fedora
Compliance to international standard, more information available in logs.
- Proposal owners: rsroka, rpavelka
- Other developers: none
All necessary changes are here:
$ diff rsyslog.conf.orig rsyslog.conf -u --- rsyslog.conf.orig 2017-05-26 16:31:09.768671818 +0200 +++ rsyslog.conf 2017-05-26 16:30:36.093682748 +0200 @@ -30,7 +30,7 @@ global(workDirectory="/var/lib/rsyslog") # Use default timestamp format -module(load="builtin:omfile" Template="RSYSLOG_TraditionalFileFormat") +module(load="builtin:omfile" Template="RSYSLOG_FileFormat") # Include all config files in /etc/rsyslog.d/ $IncludeConfig /etc/rsyslog.d/*.conf
- Release engineering: none
Someone parsing logs would need update his/her scripts or revert configuration to traditional one.
How To Test
Restart rsyslog by “systemctl restart rsyslog” and check “sudo tail /var/log/messages”, timestamp should be in ISO 8601 format, e.g.: 2017-05-26T16:25:47.125900+02:00
Regular users should not experience any change. Administrators would benefit from more information provided, especially when maintaining a system scattered in more timezones or doing long-term analysis.
- Contingency mechanism: Rsyslog maintainer will either change the configuration or keep the original.
- Contingency deadline: Fedora 27 Beta freeze
- Blocks release? No
- Blocks product? No
N/A (not a System Wide Change)