Understanding the “-/filepath” Action in Rsyslog Configuration: Async File Writing Explained



While examining rsyslog configurations on a Debian 6.0.6 system, you might encounter entries like:

auth,authpriv.*                 /var/log/auth.log
*.*;auth,authpriv.none          -/var/log/syslog

The dash prefix (-) before file paths is a legacy but still functional feature that affects how rsyslog handles file writing.

The hyphen indicates asynchronous file writing. When present:

  • Rsyslog doesn't block program execution while writing to disk
  • Log entries are buffered before being written
  • Improves performance at the cost of potential log loss during crashes

In newer rsyslog versions (v7+), this is better expressed using the asyncWriting parameter of the omfile action:

action(type="omfile" file="/var/log/syslog" asyncWriting="on")

The legacy dash syntax remains supported for backward compatibility.

Consider these scenarios:

# High reliability (synchronous)
local7.*    /var/log/critical.log

# Better performance (asynchronous)
local7.*    -/var/log/non-critical.log

# Modern hybrid approach: buffered writes, flushed every 5 seconds
local7.*    action(type="omfile"
                 file="/var/log/balanced.log"
                 asyncWriting="on"
                 flushInterval="5"
                 ioBufferSize="64k")

Use synchronous logging (no - prefix, or asyncWriting="off") for:

  • Security-related logs
  • Financial transaction records
  • Audit trails

Use asynchronous logging for:

  • High-volume debug logs
  • Non-critical system messages
  • Applications where performance matters most

If you suspect log entries are missing:

  1. Validate the configuration (rsyslogd -N1) and check rsyslog's queue statistics (impstats, as in the debug configuration below)
  2. Monitor disk I/O during peak loads
  3. Consider reducing the async buffer size

Example debug configuration:

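# Emit rsyslog's internal counters every 10 seconds and route them to the ruleset below
module(load="impstats" interval="10" severity="7" ruleset="debug_ruleset")
ruleset(name="debug_ruleset") {
    # Write the statistics to a dedicated file
    action(type="omfile" file="/var/log/rsyslog-stats.log")
}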

When working with rsyslog configurations, you might encounter file paths with a curious hyphen prefix like this:

*.*;auth,authpriv.none          -/var/log/syslog

The hyphen before the file path isn't documented in most man pages, but it serves an important performance optimization purpose in rsyslog.

The hyphen prefix tells rsyslog to use asynchronous file writing for that particular log file. Without the hyphen, rsyslog uses synchronous writing by default.

Here's the key difference:

# Synchronous writing (default)
*.info /var/log/messages

# Asynchronous writing
*.info -/var/log/messages

The asynchronous mode (-) provides better performance because:

  • Log entries are buffered before being written to disk
  • The rsyslog process doesn't wait for disk I/O to complete
  • Reduces blocking when many log messages arrive simultaneously

However, this comes with a trade-off: in case of system crashes, you might lose some buffered log messages that haven't been written to disk yet.

Consider using the hyphen prefix for:

# High-volume logs where performance matters
local7.* -/var/log/boot.log

# Non-critical logs where minor message loss is acceptable
*.debug -/var/log/debug.log

Avoid it for:

# Security-critical logs that must be preserved
auth.* /var/log/auth.log

# Compliance-related logs that need guaranteed delivery
kern.* /var/log/kern.log
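
The guidance above can be checked mechanically. The following is an added example, not code from the original article: it scans single-line legacy selector rules and reports dash-prefixed file actions that still receive security-critical facilities. The facility set, the function names and the sample configuration are assumptions constructed for illustration.

```python
import re

# Facilities the page lists as security-critical; this default set is an assumption.
SENSITIVE = {"auth", "authpriv", "kern"}

# Constructed sample in legacy selector/action syntax (not from a real host).
SAMPLE_CONF = """\
# constructed sample
auth,authpriv.*                        /var/log/auth.log
*.*;auth,authpriv.none                 -/var/log/syslog
kern.*                                 -/var/log/kern.log
mail.*                                 -/var/log/mail.log
*.=debug;auth,authpriv.none;kern.none  -/var/log/debug
"""

# selector, optional '-' prefix, absolute file path
RULE = re.compile(r"^(\S+)\s+(-?)(/\S+)$")

def facilities_reaching(selector, watched):
    """Return the watched facilities this selector still routes to its action."""
    reached = set()
    for part in selector.split(";"):
        facs, _, prio = part.rpartition(".")
        listed = set(facs.split(","))
        names = set(watched) if "*" in listed else set(watched) & listed
        if prio.lower() == "none":
            reached -= names   # 'facility.none' removes earlier matches
        else:
            reached |= names
    return reached

def find_unsynced_sensitive(conf_text, watched=SENSITIVE):
    """List (line_no, path, facilities) for '-' files that receive watched facilities."""
    findings = []
    for no, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        m = RULE.match(line)
        if line.startswith("#") or not m:
            continue           # comments, directives, non-file actions
        selector, dash, path = m.groups()
        hit = facilities_reaching(selector, watched)
        if dash and hit:
            findings.append((no, path, sorted(hit)))
    return findings

if __name__ == "__main__":
    for no, path, facs in find_unsynced_sensitive(SAMPLE_CONF):
        print(f"line {no}: {path} uses '-' and receives {', '.join(facs)}")
```

Note that the catch-all rule is reported for kern even though it excludes auth and authpriv, because `*.*` still routes kernel messages to the dash-prefixed file.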

In newer rsyslog versions (v7+), you might see more explicit directives instead of the hyphen:

# Equivalent to -/var/log/syslog
*.* action(type="omfile" file="/var/log/syslog" asyncWriting="on")

The hyphen syntax remains supported for backward compatibility, but the newer format provides more configuration options.