Understanding the Default Configuration

When you open /etc/rsyslog.conf on a freshly installed Linux system, you might see a configuration that looks very different from the examples in this guide. Lines such as $FileOwner or *.* /var/log/syslog can look unusual or even cryptic to new users.

This layout comes from how many Linux distributions package rsyslog. It’s not the default style of rsyslog itself, but a compatibility choice made by the distribution to keep older tools and setups working smoothly.

Why It Looks Different

Distributions like Ubuntu, Debian, or RHEL ship rsyslog with a mixed configuration style:

  • Legacy lines such as $FileCreateMode or *.* are left over from older syslog systems.

  • Modern modules (e.g., module(load="imuxsock")) are included to add newer rsyslog features.

rsyslog supports both styles, so the system works out of the box. For new configurations, we recommend modern RainerScript syntax, as shown throughout this guide.

Why We Don’t Show *.* in Examples

In older configurations, you will often see a line like:

*.* /var/log/syslog

This means: “Send all messages, regardless of facility or priority, to /var/log/syslog.”

Modern RainerScript configurations do not need this line because logging everything to /var/log/syslog is already the default behavior. You can add explicit filters if needed, but a *.* filter is no longer necessary.

For example:

action(type="omfile" file="/var/log/syslog")

is enough to log all messages to /var/log/syslog.

How to Work with the Default Config

  • Keep the distribution’s default files as they are. They ensure that standard system logging works correctly.

  • Add your own rules in separate files under /etc/rsyslog.d/. This avoids conflicts with distro updates.

For example, create /etc/rsyslog.d/10-myapp.conf:

# Log all messages from facility 'local3' to a custom log file.
if ($syslogfacility-text == "local3") then {
    action(
        type="omfile"
        file="/var/log/myapp.log"
    )
}

Should You Convert the Old Lines?

No, you don’t need to convert them. rsyslog understands both styles. Over time, you might choose to migrate to RainerScript for clarity, but it is not required.

Key Takeaways

  • The default configuration is shaped by distribution choices, not by rsyslog itself.

  • Modern RainerScript is easier to read and is used in all new examples.

  • You can safely add your own rules in modern style without touching the existing legacy lines.

Support: rsyslog Assistant | GitHub Discussions | GitHub Issues: rsyslog source project

Contributing: Source & docs: rsyslog source project

© 2008–2025 Rainer Gerhards and others. Licensed under the Apache License 2.0.