Understanding the Impact of Hyphen (-) Prefix in rsyslog.conf for Performance Optimization


2 views

In traditional syslog implementations (syslogd), the hyphen prefix (-) before a file path in the configuration served a specific purpose. As mentioned in the syslog.conf man page:

# Traditional syslog example
*.info;mail.none;authpriv.none -/var/log/messages

This syntax instructed syslog to omit the fsync() operation after each write to the log file. While this improved performance, it came with the risk of losing log entries during system crashes.

Modern rsyslog maintains backward compatibility but handles the hyphen differently:

  • Legacy Support: rsyslog will accept the hyphen for compatibility but ignores it by default
  • Modern Alternative: The preferred way to control syncing is through the asyncWriting parameter in action objects
# Modern rsyslog equivalent
*.info;mail.none;authpriv.none {
    action(type="omfile" file="/var/log/messages" asyncWriting="on")
}

If you're migrating from syslogd to rsyslog and concerned about performance:

# Recommended performance optimization in rsyslog
template(name="DynFile" type="string" string="/var/log/%programname%.log")

if $programname != '' then {
    action(type="omfile"
           dynaFile="DynFile"
           asyncWriting="on"
           flushInterval="1000"
           ioBufferSize="64k")
}

Key parameters to consider:

  • asyncWriting: Similar to hyphen behavior
  • flushInterval: Milliseconds between syncs
  • ioBufferSize: Size of write buffer

To check if your configuration is working as intended:

# Check rsyslog queue statistics
rsyslogd -N1 | grep -A5 "action"

# Monitor file sync operations
strace -p $(pidof rsyslogd) -e trace=fsync,write

Remember that while async writing improves performance, critical systems might need to balance reliability with speed through appropriate flush intervals.

When examining logging configurations, the hyphen prefix (-) has its roots in traditional syslog implementations. As documented in syslog.conf man pages:

# Traditional syslog example with sync suppression
- /var/log/messages
*.emerg;auth,authpriv.none -/var/log/secure

While rsyslog maintains backward compatibility with syslog.conf syntax, its behavior regarding file syncing has evolved:

  • The '-' prefix is still recognized for legacy configurations
  • Modern rsyslog versions use different mechanisms for performance tuning
  • Async logging can now be controlled via $ActionFileEnableSync directive

Using the hyphen prefix trades reliability for performance:

# Without sync (potential data loss on crash)
-/var/log/highvolume.log

# Equivalent modern rsyslog directive
$ActionFileEnableSync on  # default is off in recent versions

Here's how different versions handle async logging:

# Legacy style (still works)
- /var/log/legacy.log

# Modern explicit control
$ActionQueueType LinkedList   # async processing
$ActionQueueFileName fwdRule1 # unique name
$ActionQueueMaxDiskSpace 1g   # queue size
$ActionQueueSaveOnShutdown on # persistent queue
$ActionQueueTimeoutEnqueue 0  # no delay

For production systems consider:

  1. Use modern queue parameters instead of '-' prefix
  2. Balance performance needs with crash recovery requirements
  3. Test different sync settings under load

Remember that rsyslog's default behavior may vary between versions, so always verify with your specific implementation.