Backticks in RainerScript just got smarter: ${VAR} and adjacent text now work

TL;DR
Backticks with echo in RainerScript now support brace-style environment variables (${VAR}) and adjacent text (e.g., `echo sasl.password=${KAFKA_PASSWORD}`). This removes a common pitfall when assembling key=value pairs for modules like omkafka. It’s still a limited, intentional subset—not a full shell. The change was motivated by real-world confusion reported in issue #5827. (GitHub)

What changed (and why)

Previously, backticks did not recognize ${VAR}, and unbraced $VAR sometimes swallowed trailing punctuation, breaking practical use cases (like key=value strings). That led to parsing errors such as “missing equal sign in parameter” when users tried to inject SASL credentials into omkafka via env vars. (GitHub)

The new logic:

• Understands ${VAR} and stops at the closing }.
• For unbraced $VAR, stops at the first non-[A-Za-z0-9_] character and emits that character literally, so patterns like $VAR! work as expected.
• Remains intentionally small: no general shell evaluation (e.g., no $(...)). That’s by design and documented. (rsyslog.com)

Result: patterns admins expect from daily shell usage now behave sensibly inside RainerScript backticks—without turning backticks into a shell. (rsyslog.com)

Practical example: omkafka SASL password from an env var

Before (clunky workaround)
You often had to pre-compose the full key=value into an environment variable and then expand it:

# in a secure environment file or service unit
export SASL_PWDPARAM='sasl.password=${KAFKA_PASSWORD}'
export KAFKA_PASSWORD='supersecret'

# rsyslog.conf
action(
  type="omkafka"
  broker=["kafka.example.com:9093"]
  confParam=[
    "security.protocol=SASL_SSL",
    "sasl.mechanism=SCRAM-SHA-512",
    "sasl.username=myuser",
    `echo $SASL_PWDPARAM`
  ]
)

Users hit errors like “missing equal sign” while trying variations around this approach. (GitHub)

Now (direct and clear)
Compose the key=value inline with ${…}:

export KAFKA_PASSWORD='supersecret'

action(
  type="omkafka"
  broker=["kafka.example.com:9093"]
  confParam=[
    "security.protocol=SASL_SSL",
    "sasl.mechanism=SCRAM-SHA-512",
    "sasl.username=myuser",
    `echo sasl.password=${KAFKA_PASSWORD}`
  ]
)

This matches everyday expectations while staying within RainerScript’s documented backtick subset. For reference, see the omkafka and RainerScript docs. (rsyslog.com)

Availability

• Merged: August 15, 2025.
• Daily stable build: August 16, 2025.
• Scheduled stable build: 8.2508.0 later in August.

If you use the daily stable channel, you can pick it up right away; otherwise you’ll get it with 8.2508.0.

Security & ops notes

• Prefer environment files (e.g., systemd EnvironmentFile=) with strict permissions over hard-coding secrets in rsyslog.conf.
• Remember that process environments are visible to privileged users via /proc; secure the host accordingly.
• This change is backward-compatible, fixing previously broken or surprising edge cases.

Background & related reading

• Issue #5827 – omkafka: unable to use environment variable to password sasl.password (parse error context and motivation). (GitHub)
• RainerScript string constants – canonical reference for backticks and their intentional limitations. (rsyslog.com)
• omkafka module docs – configuration parameters and examples. (rsyslog.com)

If you previously worked around this with pre-composed env vars, you can simplify your configs now. And if you see anything unexpected, please share a minimal snippet—reports like #5827 help us make rsyslog better for everyone. (GitHub)