3. Understanding the Default Configuration
Why your distro’s default rsyslog config looks “old”, what those lines mean, and how to safely add modern snippets alongside it.
3.1. Goal
Understand why the configuration you see in /etc/rsyslog.conf may look different from these tutorials, and learn the safe way to extend it without breaking your distribution’s setup.
3.2. Why it looks different
When you open /etc/rsyslog.conf on a freshly installed system, you might see directives like:
*.* /var/log/syslog
$FileCreateMode 0640
These come from how Linux distributions ship rsyslog. It is a compatibility choice to preserve behavior from older syslog systems. At the same time, the distro config often loads modern modules such as:
module(load="imuxsock")
module(load="imjournal")
This mix of legacy and modern syntax can look confusing. The key point: both styles work. For new configs, always use RainerScript.
Want to know what a legacy line like $FileCreateMode actually does?
You don’t need to learn all of these right now, but if you’re curious, try the AI rsyslog assistant. It can explain individual directives in detail and suggest the modern equivalent.
3.3. How inputs are handled
Ubuntu/Debian usually load imjournal (reads from systemd’s journal).
RHEL/CentOS/Rocky/Alma often use imuxsock (reads from the traditional syslog socket).
Some distros load both for maximum compatibility.
That is why you should not reload those same inputs again in your snippets — the distro already set them up.
But if you need to use a new kind of input, such as monitoring a text file with imfile or receiving logs over TCP with imtcp, then you do load that module yourself. Adding new inputs is normal; reloading the already configured system inputs is unnecessary.
3.4. Safe way to add your rules
Leave /etc/rsyslog.conf as it is. Do not try to “modernize” the legacy lines — rsyslog understands them.
Add your own rules under /etc/rsyslog.d/*.conf in RainerScript syntax. Example:
# Log all messages from facility 'local3' to a custom log file
if ($syslogfacility-text == "local3") then {
    action(type="omfile" file="/var/log/myapp.log")
}
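A pre-deployment check for the guidance in 3.3 and 3.4, as an added example that is not part of the rsyslog documentation: it reports drop-in files that load an input module the main config already loads. The function names and the sample config texts are constructed for illustration, and comment stripping is simplified.

```python
import re

# RainerScript: module(load="imuxsock" ...); legacy: $ModLoad imuxsock
MODERN_LOAD = re.compile(r'module\s*\(\s*load\s*=\s*"([^"]+)"', re.IGNORECASE)
LEGACY_LOAD = re.compile(r'^\s*\$ModLoad\s+(\S+)', re.IGNORECASE | re.MULTILINE)


def loaded_modules(config_text):
    """Return the set of module names a config text loads."""
    # Simplification: cut everything after '#', so commented-out loads are
    # ignored (a '#' inside a quoted value would be cut too).
    body = "\n".join(line.split("#", 1)[0] for line in config_text.splitlines())
    return set(MODERN_LOAD.findall(body)) | set(LEGACY_LOAD.findall(body))


def redundant_input_loads(main_conf, dropins):
    """Map drop-in name -> input modules it loads that main_conf already loads."""
    already = loaded_modules(main_conf)
    findings = {}
    for name, text in sorted(dropins.items()):
        # rsyslog input modules are named im* (imuxsock, imjournal, imfile, ...)
        dup = sorted(m for m in loaded_modules(text) & already if m.startswith("im"))
        if dup:
            findings[name] = dup
    return findings


# Constructed sample: a distro-style main config and two drop-in snippets.
MAIN_CONF = '''\
module(load="imuxsock")
module(load="imjournal")
#module(load="imudp")
*.* /var/log/syslog
$FileCreateMode 0640
'''
DROPINS = {
    "30-myapp.conf": 'module(load="imfile")\n'
                     'input(type="imfile" File="/var/log/myapp/app.log" Tag="myapp:")\n',
    "40-remote.conf": 'module(load="imuxsock")  # already loaded by the distro\n'
                      'module(load="imtcp")\n'
                      'input(type="imtcp" port="514")\n',
}

if __name__ == "__main__":
    for name, mods in redundant_input_loads(MAIN_CONF, DROPINS).items():
        print(f"{name}: remove redundant load of {', '.join(mods)}")
```

To check a real host, pass the text of /etc/rsyslog.conf as main_conf and a dict of the /etc/rsyslog.d/*.conf file contents as dropins.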
3.5. Should you convert legacy lines?
No — there is no need. Over time you may choose to migrate, but rsyslog will happily run mixed syntax.
3.6. Verification checkpoint
By the end of this tutorial you should:
Recognize legacy lines like *.* /var/log/syslog.
Understand why they exist in distro configs.
Know that you should not remove or convert them.
Be confident adding new modern rules in /etc/rsyslog.d/.
3.7. See also / Next steps
Your First Configuration – your first modern snippet.
The Message Pipeline: Inputs → Rulesets → Actions – learn how inputs, rulesets, and actions fit together.
Existing page: Understanding the Default Configuration – neutral reference version.
Tip
🎬 Video idea (2–3 min): open /etc/rsyslog.conf, highlight the mix of old and new lines, explain why it’s safe, then add a small snippet under /etc/rsyslog.d/ to show the correct workflow.
© 2008–2025 Rainer Gerhards and others. Licensed under the Apache License 2.0.