1004 lines
35 KiB
HTML
1004 lines
35 KiB
HTML
|
|
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
|
|
<HTML><HEAD><TITLE>Man page of RSYSLOG.CONF</TITLE>
|
|
</HEAD><BODY>
|
|
<H1>RSYSLOG.CONF</H1>
|
|
Section: Linux System Administration (5)<BR>Updated: 22 October 2012<BR><A HREF="#index">Index</A>
|
|
<A HREF="/cgi-bin/man/man2html">Return to Main Contents</A><HR>
|
|
|
|
<A NAME="lbAB"> </A>
|
|
<H2>NAME</H2>
|
|
|
|
rsyslog.conf - <A HREF="/cgi-bin/man/man2html?8+rsyslogd">rsyslogd</A>(8) configuration file
|
|
<A NAME="lbAC"> </A>
|
|
<H2>DESCRIPTION</H2>
|
|
|
|
The
|
|
<I>rsyslog.conf</I>
|
|
|
|
file is the main configuration file for the
|
|
<B><A HREF="/cgi-bin/man/man2html?8+rsyslogd">rsyslogd</A></B>(8)
|
|
|
|
which logs system messages on *nix systems. This file specifies rules
|
|
for logging. For special features see the
|
|
<B><A HREF="/cgi-bin/man/man2html?8+rsyslogd">rsyslogd</A></B>(8)
|
|
|
|
manpage. Rsyslog.conf is backward-compatible with sysklogd's syslog.conf file. So if you migrate
|
|
from sysklogd you can rename it and it should work.
|
|
<P>
|
|
<B>Note that this version of rsyslog ships with extensive documentation in HTML format.</B>
|
|
|
|
This is provided in the ./doc subdirectory and probably
|
|
in a separate package if you installed rsyslog via a packaging system.
|
|
To use rsyslog's advanced features, you
|
|
<B>need</B>
|
|
|
|
to look at the HTML documentation, because the man pages only cover
|
|
basic aspects of operation.
|
|
<P>
|
|
<P>
|
|
<A NAME="lbAD"> </A>
|
|
<H2>MODULES</H2>
|
|
|
|
<P>
|
|
Rsyslog has a modular design. Consequently, there is a growing number
|
|
of modules. See the HTML documentation for their full description.
|
|
<P>
|
|
<DL COMPACT>
|
|
<DT id="1"><I>omsnmp</I>
|
|
|
|
<DD>
|
|
SNMP trap output module
|
|
<DT id="2"><I>omgssapi</I>
|
|
|
|
<DD>
|
|
Output module for GSS-enabled syslog
|
|
<DT id="3"><I>ommysql</I>
|
|
|
|
<DD>
|
|
Output module for MySQL
|
|
<DT id="4"><I>omrelp</I>
|
|
|
|
<DD>
|
|
Output module for the reliable RELP protocol (prevents message loss).
|
|
For details, see below at imrelp and the HTML documentation.
|
|
It can be used like this:
|
|
<DT id="5"><DD>
|
|
*.* :omrelp:server:port
|
|
<DT id="6"><DD>
|
|
*.* :omrelp:192.168.0.1:2514 # actual sample
|
|
<DT id="7"><I>ompgsql</I>
|
|
|
|
<DD>
|
|
Output module for PostgreSQL
|
|
<DT id="8"><I>omlibdbi</I>
|
|
|
|
<DD>
|
|
Generic database output module (Firebird/Interbase, MS SQL, Sybase,
|
|
SQLite, Ingres, Oracle, mSQL)
|
|
<DT id="9"><I>imfile</I>
|
|
|
|
<DD>
|
|
Input module for text files
|
|
<DT id="10"><I>imudp</I>
|
|
|
|
<DD>
|
|
Input plugin for UDP syslog. Replaces the deprecated -r option. Can be
|
|
used like this:
|
|
<DT id="11"><DD>
|
|
$ModLoad imudp
|
|
<DT id="12"><DD>
|
|
$UDPServerRun 514
|
|
<DT id="13"><I>imtcp</I>
|
|
|
|
<DD>
|
|
Input plugin for plain TCP syslog. Replaces the deprecated -t
|
|
option. Can be used like this:
|
|
<DT id="14"><DD>
|
|
$ModLoad imtcp
|
|
<DT id="15"><DD>
|
|
$InputTCPServerRun 514
|
|
<DT id="16"><DT><I>imrelp</I>
|
|
|
|
<DD>
|
|
<DD>
|
|
Input plugin for the RELP protocol. RELP can be used instead
|
|
of UDP or plain TCP syslog to provide reliable delivery of
|
|
syslog messages. Please note that plain TCP syslog does NOT
|
|
provide truly reliable delivery, with it messages may be lost
|
|
when there is a connection problem or the server shuts down.
|
|
RELP prevents message loss in those cases.
|
|
It can be used like this:
|
|
<DT id="17"><DD>
|
|
$ModLoad imrelp
|
|
<DT id="18"><DD>
|
|
$InputRELPServerRun 2514
|
|
<DT id="19"><I>imgssapi</I>
|
|
|
|
<DD>
|
|
Input plugin for plain TCP and GSS-enable syslog
|
|
<DT id="20"><I>immark</I>
|
|
|
|
<DD>
|
|
Support for mark messages
|
|
<DT id="21"><I>imklog</I>
|
|
|
|
<DD>
|
|
Kernel logging. To include kernel log messages, you need to do
|
|
<DT id="22"><DD>
|
|
$ModLoad imklog
|
|
<P>
|
|
Please note that the klogd daemon is no longer necessary and consequently
|
|
no longer provided by the rsyslog package.
|
|
<DT id="23"><I>imuxsock</I>
|
|
|
|
<DD>
|
|
Unix sockets, including the system log socket. You need to specify
|
|
<DT id="24"><DD>
|
|
$ModLoad imuxsock
|
|
<P>
|
|
in order to receive log messages from local system processes. This
|
|
config directive should only left out if you know exactly what you
|
|
are doing.
|
|
<P>
|
|
<P>
|
|
</DL>
|
|
<A NAME="lbAE"> </A>
|
|
<H2>BASIC STRUCTURE</H2>
|
|
|
|
<P>
|
|
Lines starting with a hash mark ('#') and empty lines are ignored.
|
|
Rsyslog.conf should contain following sections (sorted by recommended order in file):
|
|
<P>
|
|
<DL COMPACT>
|
|
<DT id="25">Global directives<DD>
|
|
Global directives set some global properties of whole rsyslog daemon, for example size of main
|
|
message queue ($MainMessageQueueSize), loading external modules ($ModLoad) and so on.
|
|
All global directives need to be specified on a line by their own and must start with
|
|
a dollar-sign. The complete list of global directives can be found in HTML documentation in doc
|
|
directory or online on web pages.
|
|
<P>
|
|
<DT id="26">Templates<DD>
|
|
Templates allow you to specify format of the logged message. They are also used for dynamic
|
|
file name generation. They have to be defined before they are used in rules. For more info
|
|
about templates see TEMPLATES section of this manpage.
|
|
<P>
|
|
<DT id="27">Output channels<DD>
|
|
Output channels provide an umbrella for any type of output that the user might want.
|
|
They have to be defined before they are used in rules. For more info about output channels
|
|
see OUTPUT CHANNELS section of this manpage.
|
|
<P>
|
|
<DT id="28">Rules (selector + action)<DD>
|
|
Every rule line consists of two fields, a selector field and an action field. These
|
|
two fields are separated by one or more spaces or tabs. The selector field specifies
|
|
a pattern of facilities and priorities belonging to the specified action.
|
|
<P>
|
|
</DL>
|
|
<A NAME="lbAF"> </A>
|
|
<H2>SELECTORS</H2>
|
|
|
|
<P>
|
|
The selector field itself again consists of two parts, a facility and a
|
|
priority, separated by a period ('.'). Both parts are case insensitive and can
|
|
also be specified as decimal numbers, but don't do that, you have been warned.
|
|
Both facilities and priorities are described in <A HREF="/cgi-bin/man/man2html?3+syslog">syslog</A>(3). The names mentioned
|
|
below correspond to the similar LOG_-values in /usr/include/syslog.h.
|
|
<P>
|
|
The facility is one of the following keywords: auth, authpriv, cron, daemon,
|
|
kern, lpr, mail, mark, news, security (same as auth), syslog, user, uucp and
|
|
local0 through local7. The keyword security should not be used anymore and mark
|
|
is only for internal use and therefore should not be used in applications.
|
|
Anyway, you may want to specify and redirect these messages here. The facility
|
|
specifies the subsystem that produced the message, i.e. all mail programs log
|
|
with the mail facility (LOG_MAIL) if they log using syslog.
|
|
<P>
|
|
The priority is one of the following keywords, in ascending order: debug, info,
|
|
notice, warning, warn (same as warning), err, error (same as err), crit, alert,
|
|
emerg, panic (same as emerg). The keywords error, warn and panic are deprecated
|
|
and should not be used anymore. The priority defines the severity of the message.
|
|
<P>
|
|
The behavior of the original BSD syslogd is that all messages of the specified
|
|
priority and higher are logged according to the given action. Rsyslogd behaves
|
|
the same, but has some extensions.
|
|
<P>
|
|
In addition to the above mentioned names the <A HREF="/cgi-bin/man/man2html?8+rsyslogd">rsyslogd</A>(8) understands the
|
|
following extensions: An asterisk ('*') stands for all facilities or all
|
|
priorities, depending on where it is used (before or after the period). The
|
|
keyword none stands for no priority of the given facility.
|
|
<P>
|
|
You can specify multiple facilities with the same priority pattern in one
|
|
statement using the comma (',') operator. You may specify as much facilities as
|
|
you want. Remember that only the facility part from such a statement is taken, a
|
|
priority part would be skipped.
|
|
<P>
|
|
Multiple selectors may be specified for a single action using the semicolon
|
|
(';') separator. Remember that each selector in the selector field is capable
|
|
to overwrite the preceding ones. Using this behavior you can exclude some
|
|
priorities from the pattern.
|
|
<P>
|
|
Rsyslogd has a syntax extension to the original BSD source, that makes its use
|
|
more intuitively. You may precede every priority with an equals sign ('=') to
|
|
specify only this single priority and not any of the above. You may also (both
|
|
is valid, too) precede the priority with an exclamation mark ('!') to ignore
|
|
all that priorities, either exact this one or this and any higher priority. If
|
|
you use both extensions then the exclamation mark must occur before the equals
|
|
sign, just use it intuitively.
|
|
<P>
|
|
<A NAME="lbAG"> </A>
|
|
<H2>ACTIONS</H2>
|
|
|
|
The action field of a rule describes what to do with the message. In general, message content
|
|
is written to a kind of "logfile". But also other actions might be done, like writing to a
|
|
database table or forwarding to another host.
|
|
<P>
|
|
<A NAME="lbAH"> </A>
|
|
<H3>Regular file</H3>
|
|
|
|
Typically messages are logged to real files. The file has to be specified with full pathname,
|
|
beginning with a slash ('/').
|
|
<P>
|
|
<B>Example:</B>
|
|
|
|
<DL COMPACT><DT id="29"><DD>
|
|
*.* /var/log/traditionalfile.log;RSYSLOG_TraditionalFileFormat # log to a file in the traditional format
|
|
</DL>
|
|
|
|
<P>
|
|
Note: if you would like to use high-precision timestamps in your log files,
|
|
just remove the ";RSYSLOG_TraditionalFormat". That will select the default
|
|
template, which, if not changed, uses RFC 3339 timestamps.
|
|
<P>
|
|
<B>Example:</B>
|
|
|
|
<DL COMPACT><DT id="30"><DD>
|
|
*.* /var/log/file.log # log to a file with RFC3339 timestamps
|
|
</DL>
|
|
|
|
<P>
|
|
By default, files are not synced after each write. To enable syncing
|
|
of log files globally, use either the "$ActionFileEnableSync"
|
|
directive or the "sync" parameter to omfile. Enabling this option
|
|
degrades performance and it is advised not to enable syncing unless
|
|
you know what you are doing.
|
|
To selectively disable syncing for certain files, you may prefix the
|
|
file path with a minus sign ("-").
|
|
<P>
|
|
<A NAME="lbAI"> </A>
|
|
<H3>Named pipes</H3>
|
|
|
|
This version of <A HREF="/cgi-bin/man/man2html?8+rsyslogd">rsyslogd</A>(8) has support for logging output to named pipes (fifos). A fifo or
|
|
named pipe can be used as a destination for log messages by prepending a pipe symbol ('|')
|
|
to the name of the file. This is handy for debugging. Note that the fifo must be created with
|
|
the <A HREF="/cgi-bin/man/man2html?1+mkfifo">mkfifo</A>(1) command before <A HREF="/cgi-bin/man/man2html?8+rsyslogd">rsyslogd</A>(8) is started.
|
|
<P>
|
|
<A NAME="lbAJ"> </A>
|
|
<H3>Terminal and console</H3>
|
|
|
|
If the file you specified is a tty, special tty-handling is done, same with /dev/console.
|
|
<P>
|
|
<A NAME="lbAK"> </A>
|
|
<H3>Remote machine</H3>
|
|
|
|
There are three ways to forward message: the traditional UDP transport, which is extremely
|
|
lossy but standard, the plain TCP based transport which loses messages only during certain
|
|
situations but is widely available and the RELP transport which does not lose messages
|
|
but is currently available only as part of rsyslogd 3.15.0 and above.
|
|
<P>
|
|
To forward messages to another host via UDP, prepend the hostname with the at sign ("@").
|
|
To forward it via plain tcp, prepend two at signs ("@@"). To forward via RELP, prepend the
|
|
string ":omrelp:" in front of the hostname.
|
|
<P>
|
|
<B>Example:</B>
|
|
|
|
<DL COMPACT><DT id="31"><DD>
|
|
*.* @192.168.0.1
|
|
</DL>
|
|
|
|
<P>
|
|
In the example above, messages are forwarded via UDP to the machine 192.168.0.1, the destination
|
|
port defaults to 514. Due to the nature of UDP, you will probably lose some messages in transit.
|
|
If you expect high traffic volume, you can expect to lose a quite noticeable number of messages
|
|
(the higher the traffic, the more likely and severe is message loss).
|
|
<P>
|
|
Sockets for forwarded messages can be bound to a specific device using the "device" option for
|
|
the omfwd module.
|
|
<P>
|
|
<B>Example:</B>
|
|
|
|
<DL COMPACT><DT id="32"><DD>
|
|
action(type="omfwd" Target="192.168.0.1" Device="eth0" Port=514 Protocol="udp")
|
|
</DL>
|
|
|
|
<P>
|
|
In the example above, messages are forwarded via UDP to the machine 192.168.0.1 at port 514 over
|
|
the device eth0. TCP can be used by setting Protocol to "tcp" in the above example.
|
|
<P>
|
|
For Linux with VRF support, the device option is used to specify the VRF to send messages.
|
|
<P>
|
|
<B>If you would like to prevent message loss, use RELP:</B>
|
|
|
|
<DL COMPACT><DT id="33"><DD>
|
|
*.* :omrelp:192.168.0.1:2514
|
|
</DL>
|
|
|
|
<P>
|
|
Note that a port number was given as there is no standard port for relp.
|
|
<P>
|
|
Keep in mind that you need to load the correct input and output plugins (see "Modules" above).
|
|
<P>
|
|
Please note that rsyslogd offers a variety of options in regarding to remote
|
|
forwarding. For full details, please see the HTML documentation.
|
|
<P>
|
|
<A NAME="lbAL"> </A>
|
|
<H3>List of users</H3>
|
|
|
|
Usually critical messages are also directed to ``root'' on that machine. You
|
|
can specify a list
|
|
of users that shall get the message by simply writing ":omusrmsg:" followed
|
|
by the login name. You may specify more than one
|
|
user by separating them with commas (','). If they're logged in they
|
|
get the message (for example: ":omusrmsg:root,user1,user2").
|
|
<P>
|
|
<A NAME="lbAM"> </A>
|
|
<H3>Everyone logged on</H3>
|
|
|
|
Emergency messages often go to all users currently online to notify them that something strange
|
|
is happening with the system. To specify this <A HREF="/cgi-bin/man/man2html?1+wall">wall</A>(1)-feature use an ":omusrmsg:*".
|
|
<P>
|
|
<A NAME="lbAN"> </A>
|
|
<H3>Database table</H3>
|
|
|
|
This allows logging of the message to a database table.
|
|
By default, a MonitorWare-compatible schema is required for this to work. You can
|
|
create that schema with the createDB.SQL file that came with the rsyslog package. You can also
|
|
use any other schema of your liking - you just need to define a proper template and assign this
|
|
template to the action.
|
|
<P>
|
|
See the HTML documentation for further details on database logging.
|
|
<P>
|
|
<A NAME="lbAO"> </A>
|
|
<H3>Discard</H3>
|
|
|
|
If the discard action is carried out, the received message is immediately discarded. Discard
|
|
can be highly effective if you want to filter out some annoying messages that otherwise would
|
|
fill your log files. To do that, place the discard actions early in your log files.
|
|
This often plays well with property-based filters, giving you great freedom in specifying
|
|
what you do not want.
|
|
<P>
|
|
Discard is just the single 'stop' command with no further parameters.
|
|
<P>
|
|
<B>Example:</B>
|
|
|
|
<DL COMPACT><DT id="34"><DD>
|
|
*.* stop # discards everything.
|
|
</DL>
|
|
|
|
<P>
|
|
<P>
|
|
<A NAME="lbAP"> </A>
|
|
<H3>Output channel</H3>
|
|
|
|
Binds an output channel definition (see there for details) to this action. Output channel actions
|
|
must start with a $-sign, e.g. if you would like to bind your output channel definition "mychannel"
|
|
to the action, use "$mychannel". Output channels support template definitions like all all other
|
|
actions.
|
|
<P>
|
|
<A NAME="lbAQ"> </A>
|
|
<H3>Shell execute</H3>
|
|
|
|
This executes a program in a subshell. The program is passed the template-generated message as the
|
|
only command line parameter. Rsyslog waits until the program terminates and only then continues to run.
|
|
<P>
|
|
<B>Example:</B>
|
|
|
|
<DL COMPACT><DT id="35"><DD>
|
|
^program-to-execute;template
|
|
</DL>
|
|
|
|
<P>
|
|
The program-to-execute can be any valid executable. It receives the template string as a single parameter
|
|
(argv[1]).
|
|
<P>
|
|
<A NAME="lbAR"> </A>
|
|
<H2>FILTER CONDITIONS</H2>
|
|
|
|
Rsyslog offers three different types "filter conditions":
|
|
<P>
|
|
<BR> * "traditional" severity and facility based selectors
|
|
<P>
|
|
<BR> * property-based filters
|
|
<P>
|
|
<BR> * expression-based filters
|
|
|
|
<P>
|
|
<A NAME="lbAS"> </A>
|
|
<H3>Selectors</H3>
|
|
|
|
<B>Selectors are the traditional way of filtering syslog messages. </B>
|
|
|
|
They have been kept in rsyslog with their original syntax, because it is well-known, highly
|
|
effective and also needed for compatibility with stock syslogd configuration files. If you just
|
|
need to filter based on priority and facility, you should do this with selector lines. They are
|
|
not second-class citizens in rsyslog and offer the best performance for this job.
|
|
<P>
|
|
<A NAME="lbAT"> </A>
|
|
<H3>Property-Based Filters</H3>
|
|
|
|
Property-based filters are unique to rsyslogd. They allow to filter on any property, like HOSTNAME,
|
|
syslogtag and msg.
|
|
<P>
|
|
A property-based filter must start with a colon in column 0. This tells rsyslogd that it is the new
|
|
filter type. The colon must be followed by the property name, a comma, the name of the compare
|
|
operation to carry out, another comma and then the value to compare against. This value must be quoted.
|
|
There can be spaces and tabs between the commas. Property names and compare operations are
|
|
case-sensitive, so "msg" works, while "MSG" is an invalid property name. In brief, the syntax is as follows:
|
|
<P>
|
|
<DL COMPACT><DT id="36"><DD>
|
|
:property, [!]compare-operation, "value"
|
|
</DL>
|
|
|
|
<P>
|
|
The following compare-operations are currently supported:
|
|
<P>
|
|
<DL COMPACT><DT id="37"><DD>
|
|
<B>contains</B>
|
|
|
|
<DL COMPACT><DT id="38"><DD>
|
|
Checks if the string provided in value is contained in the property
|
|
</DL>
|
|
|
|
<P>
|
|
<B>isequal</B>
|
|
|
|
<DL COMPACT><DT id="39"><DD>
|
|
Compares the "value" string provided and the property contents. These two values must be exactly equal to match.
|
|
</DL>
|
|
|
|
<P>
|
|
<B>startswith</B>
|
|
|
|
<DL COMPACT><DT id="40"><DD>
|
|
Checks if the value is found exactly at the beginning of the property value
|
|
</DL>
|
|
|
|
<P>
|
|
<B>regex</B>
|
|
|
|
<DL COMPACT><DT id="41"><DD>
|
|
Compares the property against the provided regular expression.
|
|
</DL>
|
|
|
|
<P>
|
|
</DL>
|
|
<A NAME="lbAU"> </A>
|
|
<H3>Expression-Based Filters</H3>
|
|
|
|
See the HTML documentation for this feature.
|
|
<P>
|
|
<P>
|
|
<A NAME="lbAV"> </A>
|
|
<H2>TEMPLATES</H2>
|
|
|
|
<P>
|
|
Every output in rsyslog uses templates - this holds true for files, user
|
|
messages and so on. Templates compatible with the stock syslogd
|
|
formats are hardcoded into rsyslogd. If no template is specified, we use
|
|
one of these hardcoded templates. Search for "template_" in syslogd.c and
|
|
you will find the hardcoded ones.
|
|
<P>
|
|
A template consists of a template directive, a name, the actual template text
|
|
and optional options. A sample is:
|
|
<P>
|
|
<DL COMPACT><DT id="42"><DD>
|
|
<B>$template MyTemplateName,\\7Text %property% some more text\\n,<options></B>
|
|
|
|
</DL>
|
|
|
|
<P>
|
|
The "$template" is the template directive. It tells rsyslog that this line
|
|
contains a template. The backslash is an escape character. For example, \7 rings the
|
|
bell (this is an ASCII value), \n is a new line. The set in rsyslog is a bit restricted
|
|
currently.
|
|
<P>
|
|
All text in the template is used literally, except for things within percent
|
|
signs. These are properties and allow you access to the contents of the syslog
|
|
message. Properties are accessed via the property replacer and it can for example
|
|
pick a substring or do date-specific formatting. More on this is the PROPERTY REPLACER
|
|
section of this manpage.
|
|
<P>
|
|
To escape:
|
|
<P>
|
|
<BR> % = \%
|
|
<P>
|
|
<BR> \ = \\ --> '\' is used to escape (as in C)
|
|
<P>
|
|
$template TraditionalFormat,"%timegenerated% %HOSTNAME% %syslogtag%%msg%\n"
|
|
<P>
|
|
Properties can be accessed by the property replacer (see there for details).
|
|
<P>
|
|
<B>Please note that templates can also by used to generate selector lines with dynamic file names.</B>
|
|
|
|
For example, if you would like to split syslog messages from different hosts
|
|
to different files (one per host), you can define the following template:
|
|
<P>
|
|
<DL COMPACT><DT id="43"><DD>
|
|
<B>$template DynFile,/var/log/system-%HOSTNAME%.log</B>
|
|
|
|
</DL>
|
|
|
|
<BR>
|
|
This template can then be used when defining an output selector line. It will
|
|
result in something like "/var/log/system-localhost.log"
|
|
<P>
|
|
<A NAME="lbAW"> </A>
|
|
<H3>Template options</H3>
|
|
|
|
The <options> part is optional. It carries options influencing the template as whole.
|
|
See details below. Be sure NOT to mistake template options with property options - the
|
|
later ones are processed by the property replacer and apply to a SINGLE property, only
|
|
(and not the whole template).
|
|
<P>
|
|
Template options are case-insensitive. Currently defined are:
|
|
<P>
|
|
<DL COMPACT><DT id="44"><DD>
|
|
<DL COMPACT>
|
|
<DT id="45">sql<DD>
|
|
format the string suitable for a SQL statement in MySQL format. This will replace single
|
|
quotes ("'") and the backslash character by their backslash-escaped counterpart
|
|
("'" and "\") inside each field. Please note that in MySQL configuration, the NO_BACKSLASH_ESCAPES
|
|
mode must be turned off for this format to work (this is the default).
|
|
<P>
|
|
<DT id="46">stdsql<DD>
|
|
format the string suitable for a SQL statement that is to be sent to a standards-compliant
|
|
sql server. This will replace single quotes ("'") by two single quotes ("''") inside each field.
|
|
You must use stdsql together with MySQL if in MySQL configuration the NO_BACKSLASH_ESCAPES
|
|
is turned on.
|
|
</DL>
|
|
</DL>
|
|
|
|
<P>
|
|
Either the
|
|
<B>sql</B>
|
|
|
|
or
|
|
<B>stdsql </B>
|
|
|
|
option
|
|
<B>MUST </B>
|
|
|
|
be specified when a template is used for writing to a database,
|
|
otherwise injection might occur. Please note that due to the unfortunate fact
|
|
that several vendors have violated the sql standard and introduced their own
|
|
escape methods, it is impossible to have a single option doing all the work.
|
|
So you yourself must make sure you are using the right format.
|
|
<B>If you choose the wrong one, you are still vulnerable to sql injection.</B>
|
|
|
|
<P>
|
|
Please note that the database writer *checks* that the sql option is present
|
|
in the template. If it is not present, the write database action is disabled.
|
|
This is to guard you against accidental forgetting it and then becoming
|
|
vulnerable to SQL injection. The sql option can also be useful with files -
|
|
especially if you want to import them into a database on another machine for
|
|
performance reasons. However, do NOT use it if you do not have a real need for
|
|
it - among others, it takes some toll on the processing time. Not much, but on
|
|
a really busy system you might notice it ;)
|
|
<P>
|
|
The default template for the write to database action has the sql option set.
|
|
<P>
|
|
<A NAME="lbAX"> </A>
|
|
<H3>Template examples</H3>
|
|
|
|
Please note that the samples are split across multiple lines. A template MUST
|
|
NOT actually be split across multiple lines.
|
|
<P>
|
|
A template that resembles traditional syslogd file output:
|
|
<P>
|
|
<DL COMPACT><DT id="47"><DD>
|
|
$template TraditionalFormat,"%timegenerated% %HOSTNAME%
|
|
<P>
|
|
%syslogtag%%msg:::drop-last-lf%\n"
|
|
</DL>
|
|
|
|
<P>
|
|
A template that tells you a little more about the message:
|
|
<P>
|
|
<DL COMPACT><DT id="48"><DD>
|
|
$template precise,"%syslogpriority%,%syslogfacility%,%timegenerated%,%HOSTNAME%,
|
|
<P>
|
|
%syslogtag%,%msg%\n"
|
|
</DL>
|
|
|
|
<P>
|
|
A template for RFC 3164 format:
|
|
<P>
|
|
<DL COMPACT><DT id="49"><DD>
|
|
$template RFC3164fmt,"<%PRI%>%TIMESTAMP% %HOSTNAME% %syslogtag%%msg%"
|
|
</DL>
|
|
|
|
<P>
|
|
A template for the format traditionally used for user messages:
|
|
<P>
|
|
<DL COMPACT><DT id="50"><DD>
|
|
$template usermsg," XXXX%syslogtag%%msg%\n\r"
|
|
</DL>
|
|
|
|
<P>
|
|
And a template with the traditional wall-message format:
|
|
<P>
|
|
<DL COMPACT><DT id="51"><DD>
|
|
$template wallmsg,"\r\n\7Message from syslogd@%HOSTNAME% at %timegenerated%"
|
|
</DL>
|
|
|
|
<P>
|
|
<B>A template that can be used for writing to a database (please note the SQL template option)</B>
|
|
|
|
<P>
|
|
<DL COMPACT><DT id="52"><DD>
|
|
|
|
$template MySQLInsert,"insert iut, message, receivedat values
|
|
('%iut%', '%msg:::UPPERCASE%', '%timegenerated:::date-mysql%')
|
|
into systemevents\r\n", SQL
|
|
<P>
|
|
NOTE 1: This template is embedded into core application under name
|
|
<B>StdDBFmt</B>
|
|
|
|
, so you don't need to define it.
|
|
<P>
|
|
NOTE 2: You have to have MySQL module installed to use this template.
|
|
|
|
</DL>
|
|
|
|
<P>
|
|
<A NAME="lbAY"> </A>
|
|
<H2>OUTPUT CHANNELS</H2>
|
|
|
|
<P>
|
|
Output Channels are a new concept first introduced in rsyslog 0.9.0. As of this writing,
|
|
it is most likely that they will be replaced by something different in the future.
|
|
So if you use them, be prepared to change you configuration file syntax when you upgrade
|
|
to a later release.
|
|
<P>
|
|
Output channels are defined via an $outchannel directive. It's syntax is as follows:
|
|
<P>
|
|
<DL COMPACT><DT id="53"><DD>
|
|
<B>$outchannel name,file-name,max-size,action-on-max-size</B>
|
|
|
|
</DL>
|
|
|
|
<P>
|
|
name is the name of the output channel (not the file), file-name is the file name to be
|
|
written to, max-size the maximum allowed size and action-on-max-size a command to be issued
|
|
when the max size is reached. This command always has exactly one parameter. The binary is
|
|
that part of action-on-max-size before the first space, its parameter is everything behind
|
|
that space.
|
|
<P>
|
|
Keep in mind that $outchannel just defines a channel with "name". It does not activate it.
|
|
To do so, you must use a selector line (see below). That selector line includes the channel
|
|
name plus ":omfile:$" in front of it. A sample might be:
|
|
<P>
|
|
<DL COMPACT><DT id="54"><DD>
|
|
*.* :omfile:$mychannel
|
|
</DL>
|
|
|
|
<P>
|
|
<A NAME="lbAZ"> </A>
|
|
<H2>PROPERTY REPLACER</H2>
|
|
|
|
The property replacer is a core component in rsyslogd's output system. A syslog message has
|
|
a number of well-defined properties (see below). Each of this properties can be accessed and
|
|
manipulated by the property replacer. With it, it is easy to use only part of a property value
|
|
or manipulate the value, e.g. by converting all characters to lower case.
|
|
<P>
|
|
<A NAME="lbBA"> </A>
|
|
<H3>Accessing Properties</H3>
|
|
|
|
Syslog message properties are used inside templates. They are accessed by putting them between
|
|
percent signs. Properties can be modified by the property replacer. The full syntax is as follows:
|
|
<P>
|
|
<DL COMPACT><DT id="55"><DD>
|
|
<B>%propname:fromChar:toChar:options%</B>
|
|
|
|
</DL>
|
|
|
|
<P>
|
|
propname is the name of the property to access.
|
|
<B>It is case-sensitive.</B>
|
|
|
|
<P>
|
|
<A NAME="lbBB"> </A>
|
|
<H3>Available Properties</H3>
|
|
|
|
<DL COMPACT>
|
|
<DT id="56"><B>msg</B>
|
|
|
|
<DD>
|
|
the MSG part of the message (aka "the message" ;))
|
|
<DT id="57"><B>rawmsg</B>
|
|
|
|
<DD>
|
|
the message exactly as it was received from the socket. Should be useful for debugging.
|
|
<DT id="58"><B>HOSTNAME</B>
|
|
|
|
<DD>
|
|
hostname from the message
|
|
<DT id="59"><B>FROMHOST</B>
|
|
|
|
<DD>
|
|
hostname of the system the message was received from (in a relay chain, this is the system immediately
|
|
in front of us and not necessarily the original sender)
|
|
<DT id="60"><B>syslogtag</B>
|
|
|
|
<DD>
|
|
TAG from the message
|
|
<DT id="61"><B>programname</B>
|
|
|
|
<DD>
|
|
the "static" part of the tag, as defined by BSD syslogd. For example, when TAG is "named[12345]",
|
|
programname is "named".
|
|
<DT id="62"><B>PRI</B>
|
|
|
|
<DD>
|
|
PRI part of the message - undecoded (single value)
|
|
<DT id="63"><B>PRI-text</B>
|
|
|
|
<DD>
|
|
the PRI part of the message in a textual form (e.g. "syslog.info")
|
|
<DT id="64"><B>IUT</B>
|
|
|
|
<DD>
|
|
the monitorware InfoUnitType - used when talking to a MonitorWare backend (also for phpLogCon)
|
|
<DT id="65"><B>syslogfacility</B>
|
|
|
|
<DD>
|
|
the facility from the message - in numerical form
|
|
<DT id="66"><B>syslogfacility-text</B>
|
|
|
|
<DD>
|
|
the facility from the message - in text form
|
|
<DT id="67"><B>syslogseverity</B>
|
|
|
|
<DD>
|
|
severity from the message - in numerical form
|
|
<DT id="68"><B>syslogseverity-text</B>
|
|
|
|
<DD>
|
|
severity from the message - in text form
|
|
<DT id="69"><B>timegenerated</B>
|
|
|
|
<DD>
|
|
timestamp when the message was RECEIVED. Always in high resolution
|
|
<DT id="70"><B>timereported</B>
|
|
|
|
<DD>
|
|
timestamp from the message. Resolution depends on what was provided in the message (in most cases, only seconds)
|
|
<DT id="71"><B>TIMESTAMP</B>
|
|
|
|
<DD>
|
|
alias for timereported
|
|
<DT id="72"><B>PROTOCOL-VERSION</B>
|
|
|
|
<DD>
|
|
The contents of the PROTOCOL-VERSION field from IETF draft draft-ietf-syslog-protocol
|
|
<DT id="73"><B>STRUCTURED-DATA</B>
|
|
|
|
<DD>
|
|
The contents of the STRUCTURED-DATA field from IETF draft draft-ietf-syslog-protocol
|
|
<DT id="74"><B>APP-NAME</B>
|
|
|
|
<DD>
|
|
The contents of the APP-NAME field from IETF draft draft-ietf-syslog-protocol
|
|
<DT id="75"><B>PROCID</B>
|
|
|
|
<DD>
|
|
The contents of the PROCID field from IETF draft draft-ietf-syslog-protocol
|
|
<DT id="76"><B>MSGID</B>
|
|
|
|
<DD>
|
|
The contents of the MSGID field from IETF draft draft-ietf-syslog-protocol
|
|
<DT id="77"><B>$NOW</B>
|
|
|
|
<DD>
|
|
The current date stamp in the format YYYY-MM-DD
|
|
<DT id="78"><B>$YEAR</B>
|
|
|
|
<DD>
|
|
The current year (4-digit)
|
|
<DT id="79"><B>$MONTH</B>
|
|
|
|
<DD>
|
|
The current month (2-digit)
|
|
<DT id="80"><B>$DAY</B>
|
|
|
|
<DD>
|
|
The current day of the month (2-digit)
|
|
<DT id="81"><B>$HOUR</B>
|
|
|
|
<DD>
|
|
The current hour in military (24 hour) time (2-digit)
|
|
<DT id="82"><B>$MINUTE</B>
|
|
|
|
<DD>
|
|
The current minute (2-digit)
|
|
<P>
|
|
</DL>
|
|
<P>
|
|
|
|
Properties starting with a $-sign are so-called system properties. These do NOT stem from the
|
|
message but are rather internally-generated.
|
|
<P>
|
|
<A NAME="lbBC"> </A>
|
|
<H3>Character Positions</H3>
|
|
|
|
FromChar and toChar are used to build substrings. They specify the offset within the string that
|
|
should be copied. Offset counting starts at 1, so if you need to obtain the first 2 characters of
|
|
the message text, you can use this syntax: "%msg:1:2%". If you do not wish to specify from and to,
|
|
but you want to specify options, you still need to include the colons. For example, if you would
|
|
like to convert the full message text to lower case, use "%msg:::lowercase%". If you would like to
|
|
extract from a position until the end of the string, you can place a dollar-sign ("$") in toChar
|
|
(e.g. %msg:10:$%, which will extract from position 10 to the end of the string).
|
|
<P>
|
|
There is also support for
|
|
<B>regular expressions.</B>
|
|
|
|
To use them, you need to place a "R" into FromChar.
|
|
This tells rsyslog that a regular expression instead of position-based extraction is desired. The
|
|
actual regular expression
|
|
<B>must </B>
|
|
|
|
then be provided in toChar. The regular expression must be followed
|
|
by the string "--end". It denotes the end of the regular expression and will not become part of it.
|
|
If you are using regular expressions, the property replacer will return the part of the property text
|
|
that matches the regular expression. An example for a property replacer sequence with a regular
|
|
expression is: "%msg:R:.*Sev:. \(.*\) \[.*--end%"
|
|
<P>
|
|
Also, extraction can be done based on so-called "fields". To do so, place a "F" into FromChar. A field
|
|
in its current definition is anything that is delimited by a delimiter character. The delimiter by
|
|
default is TAB (US-ASCII value 9). However, if can be changed to any other US-ASCII character by
|
|
specifying a comma and the decimal US-ASCII value of the delimiter immediately after the "F". For example,
|
|
to use comma (",") as a delimiter, use this field specifier: "F,44". If your syslog data is delimited,
|
|
this is a quicker way to extract than via regular expressions (actually, a *much* quicker way). Field
|
|
counting starts at 1. Field zero is accepted, but will always lead to a "field not found" error. The same
|
|
happens if a field number higher than the number of fields in the property is requested. The field number
|
|
must be placed in the "ToChar" parameter. An example where the 3rd field (delimited by TAB) from the msg
|
|
property is extracted is as follows: "%msg:F:3%". The same example with semicolon as delimiter is
|
|
"%msg:F,59:3%".
|
|
<P>
|
|
Please note that the special characters "F" and "R" are case-sensitive. Only upper case works, lower case
|
|
will return an error. There are no white spaces permitted inside the sequence (that will lead to error
|
|
messages and will NOT provide the intended result).
|
|
<P>
|
|
<A NAME="lbBD"> </A>
|
|
<H3>Property Options</H3>
|
|
|
|
Property options are case-insensitive. Currently, the following options are defined:
|
|
<DL COMPACT>
|
|
<DT id="83">uppercase<DD>
|
|
convert property to lowercase only
|
|
<DT id="84">lowercase<DD>
|
|
convert property text to uppercase only
|
|
<DT id="85">drop-last-lf<DD>
|
|
The last LF in the message (if any), is dropped. Especially useful for PIX.
|
|
<DT id="86">date-mysql<DD>
|
|
format as mysql date
|
|
<DT id="87">date-rfc3164<DD>
|
|
format as RFC 3164 date
|
|
<DT id="88">date-rfc3339<DD>
|
|
format as RFC 3339 date
|
|
<DT id="89">escape-cc<DD>
|
|
replace control characters (ASCII value 127 and values less then 32) with an escape sequence. The sequence is "#<charval>" where charval is the 3-digit decimal value of the control character. For example, a tabulator would be replaced by "#009".
|
|
<DT id="90">space-cc<DD>
|
|
replace control characters by spaces
|
|
<DT id="91">drop-cc<DD>
|
|
drop control characters - the resulting string will neither contain control characters, escape sequences nor any other replacement character like space.
|
|
<P>
|
|
</DL>
|
|
<A NAME="lbBE"> </A>
|
|
<H2>QUEUED OPERATIONS</H2>
|
|
|
|
Rsyslogd supports queued operations to handle offline outputs
|
|
(like remote syslogd's or database servers being down). When running in
|
|
queued mode, rsyslogd buffers messages to memory and optionally to disk
|
|
(on an as-needed basis). Queues survive rsyslogd restarts.
|
|
<P>
|
|
It is highly suggested to use remote forwarding and database writing
|
|
in queued mode, only.
|
|
<P>
|
|
To learn more about queued operations, see the HTML documentation.
|
|
<P>
|
|
<A NAME="lbBF"> </A>
|
|
<H2>FILES</H2>
|
|
|
|
|
|
<DL COMPACT>
|
|
<DT id="92"><I>/etc/rsyslog.conf</I>
|
|
|
|
<DD>
|
|
Configuration file for
|
|
<B>rsyslogd</B>
|
|
|
|
<P>
|
|
</DL>
|
|
<A NAME="lbBG"> </A>
|
|
<H2>SEE ALSO</H2>
|
|
|
|
<B><A HREF="/cgi-bin/man/man2html?8+rsyslogd">rsyslogd</A></B>(8),
|
|
|
|
<B><A HREF="/cgi-bin/man/man2html?1+logger">logger</A></B>(1),
|
|
|
|
<B><A HREF="/cgi-bin/man/man2html?3+syslog">syslog</A></B>(3)
|
|
|
|
<P>
|
|
The complete documentation can be found in the doc folder of the rsyslog distribution or online at
|
|
<P>
|
|
<DL COMPACT><DT id="93"><DD>
|
|
<B><A HREF="https://www.rsyslog.com/doc/">https://www.rsyslog.com/doc/</A></B>
|
|
|
|
<P>
|
|
</DL>
|
|
|
|
Please note that the man page reflects only a subset of the configuration options. Be sure to read
|
|
the HTML documentation for all features and details. This is especially vital if you plan to set
|
|
up a more-then-extremely-simple system.
|
|
<P>
|
|
<A NAME="lbBH"> </A>
|
|
<H2>AUTHORS</H2>
|
|
|
|
<B>rsyslogd</B>
|
|
|
|
is taken from sysklogd sources, which have been heavily modified
|
|
by Rainer Gerhards (<A HREF="mailto:rgerhards@adiscon.com">rgerhards@adiscon.com</A>) and others.
|
|
<P>
|
|
|
|
<HR>
|
|
<A NAME="index"> </A><H2>Index</H2>
|
|
<DL>
|
|
<DT id="94"><A HREF="#lbAB">NAME</A><DD>
|
|
<DT id="95"><A HREF="#lbAC">DESCRIPTION</A><DD>
|
|
<DT id="96"><A HREF="#lbAD">MODULES</A><DD>
|
|
<DT id="97"><A HREF="#lbAE">BASIC STRUCTURE</A><DD>
|
|
<DT id="98"><A HREF="#lbAF">SELECTORS</A><DD>
|
|
<DT id="99"><A HREF="#lbAG">ACTIONS</A><DD>
|
|
<DL>
|
|
<DT id="100"><A HREF="#lbAH">Regular file</A><DD>
|
|
<DT id="101"><A HREF="#lbAI">Named pipes</A><DD>
|
|
<DT id="102"><A HREF="#lbAJ">Terminal and console</A><DD>
|
|
<DT id="103"><A HREF="#lbAK">Remote machine</A><DD>
|
|
<DT id="104"><A HREF="#lbAL">List of users</A><DD>
|
|
<DT id="105"><A HREF="#lbAM">Everyone logged on</A><DD>
|
|
<DT id="106"><A HREF="#lbAN">Database table</A><DD>
|
|
<DT id="107"><A HREF="#lbAO">Discard</A><DD>
|
|
<DT id="108"><A HREF="#lbAP">Output channel</A><DD>
|
|
<DT id="109"><A HREF="#lbAQ">Shell execute</A><DD>
|
|
</DL>
|
|
<DT id="110"><A HREF="#lbAR">FILTER CONDITIONS</A><DD>
|
|
<DL>
|
|
<DT id="111"><A HREF="#lbAS">Selectors</A><DD>
|
|
<DT id="112"><A HREF="#lbAT">Property-Based Filters</A><DD>
|
|
<DT id="113"><A HREF="#lbAU">Expression-Based Filters</A><DD>
|
|
</DL>
|
|
<DT id="114"><A HREF="#lbAV">TEMPLATES</A><DD>
|
|
<DL>
|
|
<DT id="115"><A HREF="#lbAW">Template options</A><DD>
|
|
<DT id="116"><A HREF="#lbAX">Template examples</A><DD>
|
|
</DL>
|
|
<DT id="117"><A HREF="#lbAY">OUTPUT CHANNELS</A><DD>
|
|
<DT id="118"><A HREF="#lbAZ">PROPERTY REPLACER</A><DD>
|
|
<DL>
|
|
<DT id="119"><A HREF="#lbBA">Accessing Properties</A><DD>
|
|
<DT id="120"><A HREF="#lbBB">Available Properties</A><DD>
|
|
<DT id="121"><A HREF="#lbBC">Character Positions</A><DD>
|
|
<DT id="122"><A HREF="#lbBD">Property Options</A><DD>
|
|
</DL>
|
|
<DT id="123"><A HREF="#lbBE">QUEUED OPERATIONS</A><DD>
|
|
<DT id="124"><A HREF="#lbBF">FILES</A><DD>
|
|
<DT id="125"><A HREF="#lbBG">SEE ALSO</A><DD>
|
|
<DT id="126"><A HREF="#lbBH">AUTHORS</A><DD>
|
|
</DL>
|
|
<HR>
|
|
This document was created by
|
|
<A HREF="/cgi-bin/man/man2html">man2html</A>,
|
|
using the manual pages.<BR>
|
|
Time: 00:06:04 GMT, March 31, 2021
|
|
</BODY>
|
|
</HTML>
|