suzanne.soy/man-pages
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
gh-pages
man-pages/man5/rsyslog.conf.5.html
Suzanne Soy 4c89183f2b Added man pages from my system
2021-03-31 01:06:50 +01:00

1004 lines
35 KiB
HTML
Raw Permalink Blame History

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<HTML><HEAD><TITLE>Man page of RSYSLOG.CONF</TITLE>
</HEAD><BODY>
<H1>RSYSLOG.CONF</H1>
Section: Linux System Administration (5)<BR>Updated: 22 October 2012<BR><A HREF="#index">Index</A>
<A HREF="/cgi-bin/man/man2html">Return to Main Contents</A><HR>
<A NAME="lbAB">&nbsp;</A>
<H2>NAME</H2>
rsyslog.conf - <A HREF="/cgi-bin/man/man2html?8+rsyslogd">rsyslogd</A>(8) configuration file
<A NAME="lbAC">&nbsp;</A>
<H2>DESCRIPTION</H2>
The
<I>rsyslog.conf</I>
file is the main configuration file for the
<B><A HREF="/cgi-bin/man/man2html?8+rsyslogd">rsyslogd</A></B>(8)
which logs system messages on *nix systems. This file specifies rules
for logging. For special features see the
<B><A HREF="/cgi-bin/man/man2html?8+rsyslogd">rsyslogd</A></B>(8)
manpage. Rsyslog.conf is backward-compatible with sysklogd's syslog.conf file. So if you migrate
from sysklogd you can rename it and it should work.
<P>
<B>Note that this version of rsyslog ships with extensive documentation in HTML format.</B>
This is provided in the ./doc subdirectory and probably
in a separate package if you installed rsyslog via a packaging system.
To use rsyslog's advanced features, you
<B>need</B>
to look at the HTML documentation, because the man pages only cover
basic aspects of operation.
<P>
<P>
<A NAME="lbAD">&nbsp;</A>
<H2>MODULES</H2>
<P>
Rsyslog has a modular design. Consequently, there is a growing number
of modules. See the HTML documentation for their full description.
<P>
<DL COMPACT>
<DT id="1"><I>omsnmp</I>
<DD>
SNMP trap output module
<DT id="2"><I>omgssapi</I>
<DD>
Output module for GSS-enabled syslog
<DT id="3"><I>ommysql</I>
<DD>
Output module for MySQL
<DT id="4"><I>omrelp</I>
<DD>
Output module for the reliable RELP protocol (prevents message loss).
For details, see below at imrelp and the HTML documentation.
It can be used like this:
<DT id="5"><DD>
*.* :omrelp:server:port
<DT id="6"><DD>
*.* :omrelp:192.168.0.1:2514 # actual sample
<DT id="7"><I>ompgsql</I>
<DD>
Output module for PostgreSQL
<DT id="8"><I>omlibdbi</I>
<DD>
Generic database output module (Firebird/Interbase, MS SQL, Sybase,
SQLite, Ingres, Oracle, mSQL)
<DT id="9"><I>imfile</I>
<DD>
Input module for text files
<DT id="10"><I>imudp</I>
<DD>
Input plugin for UDP syslog. Replaces the deprecated -r option. Can be
used like this:
<DT id="11"><DD>
$ModLoad imudp
<DT id="12"><DD>
$UDPServerRun 514
<DT id="13"><I>imtcp</I>
<DD>
Input plugin for plain TCP syslog. Replaces the deprecated -t
option. Can be used like this:
<DT id="14"><DD>
$ModLoad imtcp
<DT id="15"><DD>
$InputTCPServerRun 514
<DT id="16"><DT><I>imrelp</I>
<DD>
<DD>
Input plugin for the RELP protocol. RELP can be used instead
of UDP or plain TCP syslog to provide reliable delivery of
syslog messages. Please note that plain TCP syslog does NOT
provide truly reliable delivery, with it messages may be lost
when there is a connection problem or the server shuts down.
RELP prevents message loss in those cases.
It can be used like this:
<DT id="17"><DD>
$ModLoad imrelp
<DT id="18"><DD>
$InputRELPServerRun 2514
<DT id="19"><I>imgssapi</I>
<DD>
Input plugin for plain TCP and GSS-enable syslog
<DT id="20"><I>immark</I>
<DD>
Support for mark messages
<DT id="21"><I>imklog</I>
<DD>
Kernel logging. To include kernel log messages, you need to do
<DT id="22"><DD>
$ModLoad imklog
<P>
Please note that the klogd daemon is no longer necessary and consequently
no longer provided by the rsyslog package.
<DT id="23"><I>imuxsock</I>
<DD>
Unix sockets, including the system log socket. You need to specify
<DT id="24"><DD>
$ModLoad imuxsock
<P>
in order to receive log messages from local system processes. This
config directive should only left out if you know exactly what you
are doing.
<P>
<P>
</DL>
<A NAME="lbAE">&nbsp;</A>
<H2>BASIC STRUCTURE</H2>
<P>
Lines starting with a hash mark ('#') and empty lines are ignored.
Rsyslog.conf should contain following sections (sorted by recommended order in file):
<P>
<DL COMPACT>
<DT id="25">Global directives<DD>
Global directives set some global properties of whole rsyslog daemon, for example size of main
message queue ($MainMessageQueueSize), loading external modules ($ModLoad) and so on.
All global directives need to be specified on a line by their own and must start with
a dollar-sign. The complete list of global directives can be found in HTML documentation in doc
directory or online on web pages.
<P>
<DT id="26">Templates<DD>
Templates allow you to specify format of the logged message. They are also used for dynamic
file name generation. They have to be defined before they are used in rules. For more info
about templates see TEMPLATES section of this manpage.
<P>
<DT id="27">Output channels<DD>
Output channels provide an umbrella for any type of output that the user might want.
They have to be defined before they are used in rules. For more info about output channels
see OUTPUT CHANNELS section of this manpage.
<P>
<DT id="28">Rules (selector + action)<DD>
Every rule line consists of two fields, a selector field and an action field. These
two fields are separated by one or more spaces or tabs. The selector field specifies
a pattern of facilities and priorities belonging to the specified action.
<P>
</DL>
<A NAME="lbAF">&nbsp;</A>
<H2>SELECTORS</H2>
<P>
The selector field itself again consists of two parts, a facility and a
priority, separated by a period ('.'). Both parts are case insensitive and can
also be specified as decimal numbers, but don't do that, you have been warned.
Both facilities and priorities are described in <A HREF="/cgi-bin/man/man2html?3+syslog">syslog</A>(3). The names mentioned
below correspond to the similar LOG_-values in /usr/include/syslog.h.
<P>
The facility is one of the following keywords: auth, authpriv, cron, daemon,
kern, lpr, mail, mark, news, security (same as auth), syslog, user, uucp and
local0 through local7. The keyword security should not be used anymore and mark
is only for internal use and therefore should not be used in applications.
Anyway, you may want to specify and redirect these messages here. The facility
specifies the subsystem that produced the message, i.e. all mail programs log
with the mail facility (LOG_MAIL) if they log using syslog.
<P>
The priority is one of the following keywords, in ascending order: debug, info,
notice, warning, warn (same as warning), err, error (same as err), crit, alert,
emerg, panic (same as emerg). The keywords error, warn and panic are deprecated
and should not be used anymore. The priority defines the severity of the message.
<P>
The behavior of the original BSD syslogd is that all messages of the specified
priority and higher are logged according to the given action. Rsyslogd behaves
the same, but has some extensions.
<P>
In addition to the above mentioned names the <A HREF="/cgi-bin/man/man2html?8+rsyslogd">rsyslogd</A>(8) understands the
following extensions: An asterisk ('*') stands for all facilities or all
priorities, depending on where it is used (before or after the period). The
keyword none stands for no priority of the given facility.
<P>
You can specify multiple facilities with the same priority pattern in one
statement using the comma (',') operator. You may specify as much facilities as
you want. Remember that only the facility part from such a statement is taken, a
priority part would be skipped.
<P>
Multiple selectors may be specified for a single action using the semicolon
(';') separator. Remember that each selector in the selector field is capable
to overwrite the preceding ones. Using this behavior you can exclude some
priorities from the pattern.
<P>
Rsyslogd has a syntax extension to the original BSD source, that makes its use
more intuitively. You may precede every priority with an equals sign ('=') to
specify only this single priority and not any of the above. You may also (both
is valid, too) precede the priority with an exclamation mark ('!') to ignore
all that priorities, either exact this one or this and any higher priority. If
you use both extensions then the exclamation mark must occur before the equals
sign, just use it intuitively.
<P>
<A NAME="lbAG">&nbsp;</A>
<H2>ACTIONS</H2>
The action field of a rule describes what to do with the message. In general, message content
is written to a kind of &quot;logfile&quot;. But also other actions might be done, like writing to a
database table or forwarding to another host.
<P>
<A NAME="lbAH">&nbsp;</A>
<H3>Regular file</H3>
Typically messages are logged to real files. The file has to be specified with full pathname,
beginning with a slash ('/').
<P>
<B>Example:</B>
<DL COMPACT><DT id="29"><DD>
*.* /var/log/traditionalfile.log;RSYSLOG_TraditionalFileFormat # log to a file in the traditional format
</DL>
<P>
Note: if you would like to use high-precision timestamps in your log files,
just remove the &quot;;RSYSLOG_TraditionalFormat&quot;. That will select the default
template, which, if not changed, uses RFC 3339 timestamps.
<P>
<B>Example:</B>
<DL COMPACT><DT id="30"><DD>
*.* /var/log/file.log # log to a file with RFC3339 timestamps
</DL>
<P>
By default, files are not synced after each write. To enable syncing
of log files globally, use either the &quot;$ActionFileEnableSync&quot;
directive or the &quot;sync&quot; parameter to omfile. Enabling this option
degrades performance and it is advised not to enable syncing unless
you know what you are doing.
To selectively disable syncing for certain files, you may prefix the
file path with a minus sign (&quot;-&quot;).
<P>
<A NAME="lbAI">&nbsp;</A>
<H3>Named pipes</H3>
This version of <A HREF="/cgi-bin/man/man2html?8+rsyslogd">rsyslogd</A>(8) has support for logging output to named pipes (fifos). A fifo or
named pipe can be used as a destination for log messages by prepending a pipe symbol ('|')
to the name of the file. This is handy for debugging. Note that the fifo must be created with
the <A HREF="/cgi-bin/man/man2html?1+mkfifo">mkfifo</A>(1) command before <A HREF="/cgi-bin/man/man2html?8+rsyslogd">rsyslogd</A>(8) is started.
<P>
<A NAME="lbAJ">&nbsp;</A>
<H3>Terminal and console</H3>
If the file you specified is a tty, special tty-handling is done, same with /dev/console.
<P>
<A NAME="lbAK">&nbsp;</A>
<H3>Remote machine</H3>
There are three ways to forward message: the traditional UDP transport, which is extremely
lossy but standard, the plain TCP based transport which loses messages only during certain
situations but is widely available and the RELP transport which does not lose messages
but is currently available only as part of rsyslogd 3.15.0 and above.
<P>
To forward messages to another host via UDP, prepend the hostname with the at sign (&quot;@&quot;).
To forward it via plain tcp, prepend two at signs (&quot;@@&quot;). To forward via RELP, prepend the
string &quot;:omrelp:&quot; in front of the hostname.
<P>
<B>Example:</B>
<DL COMPACT><DT id="31"><DD>
*.* @192.168.0.1
</DL>
<P>
In the example above, messages are forwarded via UDP to the machine 192.168.0.1, the destination
port defaults to 514. Due to the nature of UDP, you will probably lose some messages in transit.
If you expect high traffic volume, you can expect to lose a quite noticeable number of messages
(the higher the traffic, the more likely and severe is message loss).
<P>
Sockets for forwarded messages can be bound to a specific device using the &quot;device&quot; option for
the omfwd module.
<P>
<B>Example:</B>
<DL COMPACT><DT id="32"><DD>
action(type=&quot;omfwd&quot; Target=&quot;192.168.0.1&quot; Device=&quot;eth0&quot; Port=514 Protocol=&quot;udp&quot;)
</DL>
<P>
In the example above, messages are forwarded via UDP to the machine 192.168.0.1 at port 514 over
the device eth0. TCP can be used by setting Protocol to &quot;tcp&quot; in the above example.
<P>
For Linux with VRF support, the device option is used to specify the VRF to send messages.
<P>
<B>If you would like to prevent message loss, use RELP:</B>
<DL COMPACT><DT id="33"><DD>
*.* :omrelp:192.168.0.1:2514
</DL>
<P>
Note that a port number was given as there is no standard port for relp.
<P>
Keep in mind that you need to load the correct input and output plugins (see &quot;Modules&quot; above).
<P>
Please note that rsyslogd offers a variety of options in regarding to remote
forwarding. For full details, please see the HTML documentation.
<P>
<A NAME="lbAL">&nbsp;</A>
<H3>List of users</H3>
Usually critical messages are also directed to ``root'' on that machine. You
can specify a list
of users that shall get the message by simply writing &quot;:omusrmsg:&quot; followed
by the login name. You may specify more than one
user by separating them with commas (','). If they're logged in they
get the message (for example: &quot;:omusrmsg:root,user1,user2&quot;).
<P>
<A NAME="lbAM">&nbsp;</A>
<H3>Everyone logged on</H3>
Emergency messages often go to all users currently online to notify them that something strange
is happening with the system. To specify this <A HREF="/cgi-bin/man/man2html?1+wall">wall</A>(1)-feature use an &quot;:omusrmsg:*&quot;.
<P>
<A NAME="lbAN">&nbsp;</A>
<H3>Database table</H3>
This allows logging of the message to a database table.
By default, a MonitorWare-compatible schema is required for this to work. You can
create that schema with the createDB.SQL file that came with the rsyslog package. You can also
use any other schema of your liking - you just need to define a proper template and assign this
template to the action.
<P>
See the HTML documentation for further details on database logging.
<P>
<A NAME="lbAO">&nbsp;</A>
<H3>Discard</H3>
If the discard action is carried out, the received message is immediately discarded. Discard
can be highly effective if you want to filter out some annoying messages that otherwise would
fill your log files. To do that, place the discard actions early in your log files.
This often plays well with property-based filters, giving you great freedom in specifying
what you do not want.
<P>
Discard is just the single 'stop' command with no further parameters.
<P>
<B>Example:</B>
<DL COMPACT><DT id="34"><DD>
*.* stop # discards everything.
</DL>
<P>
<P>
<A NAME="lbAP">&nbsp;</A>
<H3>Output channel</H3>
Binds an output channel definition (see there for details) to this action. Output channel actions
must start with a $-sign, e.g. if you would like to bind your output channel definition &quot;mychannel&quot;
to the action, use &quot;$mychannel&quot;. Output channels support template definitions like all all other
actions.
<P>
<A NAME="lbAQ">&nbsp;</A>
<H3>Shell execute</H3>
This executes a program in a subshell. The program is passed the template-generated message as the
only command line parameter. Rsyslog waits until the program terminates and only then continues to run.
<P>
<B>Example:</B>
<DL COMPACT><DT id="35"><DD>
^program-to-execute;template
</DL>
<P>
The program-to-execute can be any valid executable. It receives the template string as a single parameter
(argv[1]).
<P>
<A NAME="lbAR">&nbsp;</A>
<H2>FILTER CONDITIONS</H2>
Rsyslog offers three different types &quot;filter conditions&quot;:
<P>
<BR>&nbsp;&nbsp;&nbsp;*&nbsp;&quot;traditional&quot;&nbsp;severity&nbsp;and&nbsp;facility&nbsp;based&nbsp;selectors
<P>
<BR>&nbsp;&nbsp;&nbsp;*&nbsp;property-based&nbsp;filters
<P>
<BR>&nbsp;&nbsp;&nbsp;*&nbsp;expression-based&nbsp;filters
<P>
<A NAME="lbAS">&nbsp;</A>
<H3>Selectors</H3>
<B>Selectors are the traditional way of filtering syslog messages. </B>
They have been kept in rsyslog with their original syntax, because it is well-known, highly
effective and also needed for compatibility with stock syslogd configuration files. If you just
need to filter based on priority and facility, you should do this with selector lines. They are
not second-class citizens in rsyslog and offer the best performance for this job.
<P>
<A NAME="lbAT">&nbsp;</A>
<H3>Property-Based Filters</H3>
Property-based filters are unique to rsyslogd. They allow to filter on any property, like HOSTNAME,
syslogtag and msg.
<P>
A property-based filter must start with a colon in column 0. This tells rsyslogd that it is the new
filter type. The colon must be followed by the property name, a comma, the name of the compare
operation to carry out, another comma and then the value to compare against. This value must be quoted.
There can be spaces and tabs between the commas. Property names and compare operations are
case-sensitive, so &quot;msg&quot; works, while &quot;MSG&quot; is an invalid property name. In brief, the syntax is as follows:
<P>
<DL COMPACT><DT id="36"><DD>
:property, [!]compare-operation, &quot;value&quot;
</DL>
<P>
The following compare-operations are currently supported:
<P>
<DL COMPACT><DT id="37"><DD>
<B>contains</B>
<DL COMPACT><DT id="38"><DD>
Checks if the string provided in value is contained in the property
</DL>
<P>
<B>isequal</B>
<DL COMPACT><DT id="39"><DD>
Compares the &quot;value&quot; string provided and the property contents. These two values must be exactly equal to match.
</DL>
<P>
<B>startswith</B>
<DL COMPACT><DT id="40"><DD>
Checks if the value is found exactly at the beginning of the property value
</DL>
<P>
<B>regex</B>
<DL COMPACT><DT id="41"><DD>
Compares the property against the provided regular expression.
</DL>
<P>
</DL>
<A NAME="lbAU">&nbsp;</A>
<H3>Expression-Based Filters</H3>
See the HTML documentation for this feature.
<P>
<P>
<A NAME="lbAV">&nbsp;</A>
<H2>TEMPLATES</H2>
<P>
Every output in rsyslog uses templates - this holds true for files, user
messages and so on. Templates compatible with the stock syslogd
formats are hardcoded into rsyslogd. If no template is specified, we use
one of these hardcoded templates. Search for &quot;template_&quot; in syslogd.c and
you will find the hardcoded ones.
<P>
A template consists of a template directive, a name, the actual template text
and optional options. A sample is:
<P>
<DL COMPACT><DT id="42"><DD>
<B>$template MyTemplateName,\\7Text %property% some more text\\n,&lt;options&gt;</B>
</DL>
<P>
The &quot;$template&quot; is the template directive. It tells rsyslog that this line
contains a template. The backslash is an escape character. For example, \7 rings the
bell (this is an ASCII value), \n is a new line. The set in rsyslog is a bit restricted
currently.
<P>
All text in the template is used literally, except for things within percent
signs. These are properties and allow you access to the contents of the syslog
message. Properties are accessed via the property replacer and it can for example
pick a substring or do date-specific formatting. More on this is the PROPERTY REPLACER
section of this manpage.
<P>
To escape:
<P>
<BR>&nbsp;&nbsp;&nbsp;%&nbsp;=&nbsp;\%
<P>
<BR>&nbsp;&nbsp;&nbsp;\&nbsp;=&nbsp;\\&nbsp;--&gt;&nbsp;'\'&nbsp;is&nbsp;used&nbsp;to&nbsp;escape&nbsp;(as&nbsp;in&nbsp;C)
<P>
$template TraditionalFormat,&quot;%timegenerated% %HOSTNAME% %syslogtag%%msg%\n&quot;
<P>
Properties can be accessed by the property replacer (see there for details).
<P>
<B>Please note that templates can also by used to generate selector lines with dynamic file names.</B>
For example, if you would like to split syslog messages from different hosts
to different files (one per host), you can define the following template:
<P>
<DL COMPACT><DT id="43"><DD>
<B>$template DynFile,/var/log/system-%HOSTNAME%.log</B>
</DL>
<BR>&nbsp;&nbsp;&nbsp;&nbsp;
This template can then be used when defining an output selector line. It will
result in something like &quot;/var/log/system-localhost.log&quot;
<P>
<A NAME="lbAW">&nbsp;</A>
<H3>Template options</H3>
The &lt;options&gt; part is optional. It carries options influencing the template as whole.
See details below. Be sure NOT to mistake template options with property options - the
later ones are processed by the property replacer and apply to a SINGLE property, only
(and not the whole template).
<P>
Template options are case-insensitive. Currently defined are:
<P>
<DL COMPACT><DT id="44"><DD>
<DL COMPACT>
<DT id="45">sql<DD>
format the string suitable for a SQL statement in MySQL format. This will replace single
quotes (&quot;'&quot;) and the backslash character by their backslash-escaped counterpart
(&quot;'&quot; and &quot;\&quot;) inside each field. Please note that in MySQL configuration, the NO_BACKSLASH_ESCAPES
mode must be turned off for this format to work (this is the default).
<P>
<DT id="46">stdsql<DD>
format the string suitable for a SQL statement that is to be sent to a standards-compliant
sql server. This will replace single quotes (&quot;'&quot;) by two single quotes (&quot;''&quot;) inside each field.
You must use stdsql together with MySQL if in MySQL configuration the NO_BACKSLASH_ESCAPES
is turned on.
</DL>
</DL>
<P>
Either the
<B>sql</B>
or
<B>stdsql </B>
option
<B>MUST </B>
be specified when a template is used for writing to a database,
otherwise injection might occur. Please note that due to the unfortunate fact
that several vendors have violated the sql standard and introduced their own
escape methods, it is impossible to have a single option doing all the work.
So you yourself must make sure you are using the right format.
<B>If you choose the wrong one, you are still vulnerable to sql injection.</B>
<P>
Please note that the database writer *checks* that the sql option is present
in the template. If it is not present, the write database action is disabled.
This is to guard you against accidental forgetting it and then becoming
vulnerable to SQL injection. The sql option can also be useful with files -
especially if you want to import them into a database on another machine for
performance reasons. However, do NOT use it if you do not have a real need for
it - among others, it takes some toll on the processing time. Not much, but on
a really busy system you might notice it ;)
<P>
The default template for the write to database action has the sql option set.
<P>
<A NAME="lbAX">&nbsp;</A>
<H3>Template examples</H3>
Please note that the samples are split across multiple lines. A template MUST
NOT actually be split across multiple lines.
<P>
A template that resembles traditional syslogd file output:
<P>
<DL COMPACT><DT id="47"><DD>
$template TraditionalFormat,&quot;%timegenerated% %HOSTNAME%
<P>
%syslogtag%%msg:::drop-last-lf%\n&quot;
</DL>
<P>
A template that tells you a little more about the message:
<P>
<DL COMPACT><DT id="48"><DD>
$template precise,&quot;%syslogpriority%,%syslogfacility%,%timegenerated%,%HOSTNAME%,
<P>
%syslogtag%,%msg%\n&quot;
</DL>
<P>
A template for RFC 3164 format:
<P>
<DL COMPACT><DT id="49"><DD>
$template RFC3164fmt,&quot;&lt;%PRI%&gt;%TIMESTAMP% %HOSTNAME% %syslogtag%%msg%&quot;
</DL>
<P>
A template for the format traditionally used for user messages:
<P>
<DL COMPACT><DT id="50"><DD>
$template usermsg,&quot; XXXX%syslogtag%%msg%\n\r&quot;
</DL>
<P>
And a template with the traditional wall-message format:
<P>
<DL COMPACT><DT id="51"><DD>
$template wallmsg,&quot;\r\n\7Message from syslogd@%HOSTNAME% at %timegenerated%&quot;
</DL>
<P>
<B>A template that can be used for writing to a database (please note the SQL template option)</B>
<P>
<DL COMPACT><DT id="52"><DD>
$template MySQLInsert,&quot;insert iut, message, receivedat values
('%iut%', '%msg:::UPPERCASE%', '%timegenerated:::date-mysql%')
into systemevents\r\n&quot;, SQL
<P>
NOTE 1: This template is embedded into core application under name
<B>StdDBFmt</B>
, so you don't need to define it.
<P>
NOTE 2: You have to have MySQL module installed to use this template.
</DL>
<P>
<A NAME="lbAY">&nbsp;</A>
<H2>OUTPUT CHANNELS</H2>
<P>
Output Channels are a new concept first introduced in rsyslog 0.9.0. As of this writing,
it is most likely that they will be replaced by something different in the future.
So if you use them, be prepared to change you configuration file syntax when you upgrade
to a later release.
<P>
Output channels are defined via an $outchannel directive. It's syntax is as follows:
<P>
<DL COMPACT><DT id="53"><DD>
<B>$outchannel name,file-name,max-size,action-on-max-size</B>
</DL>
<P>
name is the name of the output channel (not the file), file-name is the file name to be
written to, max-size the maximum allowed size and action-on-max-size a command to be issued
when the max size is reached. This command always has exactly one parameter. The binary is
that part of action-on-max-size before the first space, its parameter is everything behind
that space.
<P>
Keep in mind that $outchannel just defines a channel with &quot;name&quot;. It does not activate it.
To do so, you must use a selector line (see below). That selector line includes the channel
name plus &quot;:omfile:$&quot; in front of it. A sample might be:
<P>
<DL COMPACT><DT id="54"><DD>
*.* :omfile:$mychannel
</DL>
<P>
<A NAME="lbAZ">&nbsp;</A>
<H2>PROPERTY REPLACER</H2>
The property replacer is a core component in rsyslogd's output system. A syslog message has
a number of well-defined properties (see below). Each of this properties can be accessed and
manipulated by the property replacer. With it, it is easy to use only part of a property value
or manipulate the value, e.g. by converting all characters to lower case.
<P>
<A NAME="lbBA">&nbsp;</A>
<H3>Accessing Properties</H3>
Syslog message properties are used inside templates. They are accessed by putting them between
percent signs. Properties can be modified by the property replacer. The full syntax is as follows:
<P>
<DL COMPACT><DT id="55"><DD>
<B>%propname:fromChar:toChar:options%</B>
</DL>
<P>
propname is the name of the property to access.
<B>It is case-sensitive.</B>
<P>
<A NAME="lbBB">&nbsp;</A>
<H3>Available Properties</H3>
<DL COMPACT>
<DT id="56"><B>msg</B>
<DD>
the MSG part of the message (aka &quot;the message&quot; ;))
<DT id="57"><B>rawmsg</B>
<DD>
the message exactly as it was received from the socket. Should be useful for debugging.
<DT id="58"><B>HOSTNAME</B>
<DD>
hostname from the message
<DT id="59"><B>FROMHOST</B>
<DD>
hostname of the system the message was received from (in a relay chain, this is the system immediately
in front of us and not necessarily the original sender)
<DT id="60"><B>syslogtag</B>
<DD>
TAG from the message
<DT id="61"><B>programname</B>
<DD>
the &quot;static&quot; part of the tag, as defined by BSD syslogd. For example, when TAG is &quot;named[12345]&quot;,
programname is &quot;named&quot;.
<DT id="62"><B>PRI</B>
<DD>
PRI part of the message - undecoded (single value)
<DT id="63"><B>PRI-text</B>
<DD>
the PRI part of the message in a textual form (e.g. &quot;syslog.info&quot;)
<DT id="64"><B>IUT</B>
<DD>
the monitorware InfoUnitType - used when talking to a MonitorWare backend (also for phpLogCon)
<DT id="65"><B>syslogfacility</B>
<DD>
the facility from the message - in numerical form
<DT id="66"><B>syslogfacility-text</B>
<DD>
the facility from the message - in text form
<DT id="67"><B>syslogseverity</B>
<DD>
severity from the message - in numerical form
<DT id="68"><B>syslogseverity-text</B>
<DD>
severity from the message - in text form
<DT id="69"><B>timegenerated</B>
<DD>
timestamp when the message was RECEIVED. Always in high resolution
<DT id="70"><B>timereported</B>
<DD>
timestamp from the message. Resolution depends on what was provided in the message (in most cases, only seconds)
<DT id="71"><B>TIMESTAMP</B>
<DD>
alias for timereported
<DT id="72"><B>PROTOCOL-VERSION</B>
<DD>
The contents of the PROTOCOL-VERSION field from IETF draft draft-ietf-syslog-protocol
<DT id="73"><B>STRUCTURED-DATA</B>
<DD>
The contents of the STRUCTURED-DATA field from IETF draft draft-ietf-syslog-protocol
<DT id="74"><B>APP-NAME</B>
<DD>
The contents of the APP-NAME field from IETF draft draft-ietf-syslog-protocol
<DT id="75"><B>PROCID</B>
<DD>
The contents of the PROCID field from IETF draft draft-ietf-syslog-protocol
<DT id="76"><B>MSGID</B>
<DD>
The contents of the MSGID field from IETF draft draft-ietf-syslog-protocol
<DT id="77"><B>$NOW</B>
<DD>
The current date stamp in the format YYYY-MM-DD
<DT id="78"><B>$YEAR</B>
<DD>
The current year (4-digit)
<DT id="79"><B>$MONTH</B>
<DD>
The current month (2-digit)
<DT id="80"><B>$DAY</B>
<DD>
The current day of the month (2-digit)
<DT id="81"><B>$HOUR</B>
<DD>
The current hour in military (24 hour) time (2-digit)
<DT id="82"><B>$MINUTE</B>
<DD>
The current minute (2-digit)
<P>
</DL>
<P>
Properties starting with a $-sign are so-called system properties. These do NOT stem from the
message but are rather internally-generated.
<P>
<A NAME="lbBC">&nbsp;</A>
<H3>Character Positions</H3>
FromChar and toChar are used to build substrings. They specify the offset within the string that
should be copied. Offset counting starts at 1, so if you need to obtain the first 2 characters of
the message text, you can use this syntax: &quot;%msg:1:2%&quot;. If you do not wish to specify from and to,
but you want to specify options, you still need to include the colons. For example, if you would
like to convert the full message text to lower case, use &quot;%msg:::lowercase%&quot;. If you would like to
extract from a position until the end of the string, you can place a dollar-sign (&quot;$&quot;) in toChar
(e.g. %msg:10:$%, which will extract from position 10 to the end of the string).
<P>
There is also support for
<B>regular expressions.</B>
To use them, you need to place a &quot;R&quot; into FromChar.
This tells rsyslog that a regular expression instead of position-based extraction is desired. The
actual regular expression
<B>must </B>
then be provided in toChar. The regular expression must be followed
by the string &quot;--end&quot;. It denotes the end of the regular expression and will not become part of it.
If you are using regular expressions, the property replacer will return the part of the property text
that matches the regular expression. An example for a property replacer sequence with a regular
expression is: &quot;%msg:R:.*Sev:. \(.*\) \[.*--end%&quot;
<P>
Also, extraction can be done based on so-called &quot;fields&quot;. To do so, place a &quot;F&quot; into FromChar. A field
in its current definition is anything that is delimited by a delimiter character. The delimiter by
default is TAB (US-ASCII value 9). However, if can be changed to any other US-ASCII character by
specifying a comma and the decimal US-ASCII value of the delimiter immediately after the &quot;F&quot;. For example,
to use comma (&quot;,&quot;) as a delimiter, use this field specifier: &quot;F,44&quot;. If your syslog data is delimited,
this is a quicker way to extract than via regular expressions (actually, a *much* quicker way). Field
counting starts at 1. Field zero is accepted, but will always lead to a &quot;field not found&quot; error. The same
happens if a field number higher than the number of fields in the property is requested. The field number
must be placed in the &quot;ToChar&quot; parameter. An example where the 3rd field (delimited by TAB) from the msg
property is extracted is as follows: &quot;%msg:F:3%&quot;. The same example with semicolon as delimiter is
&quot;%msg:F,59:3%&quot;.
<P>
Please note that the special characters &quot;F&quot; and &quot;R&quot; are case-sensitive. Only upper case works, lower case
will return an error. There are no white spaces permitted inside the sequence (that will lead to error
messages and will NOT provide the intended result).
<P>
<A NAME="lbBD">&nbsp;</A>
<H3>Property Options</H3>
Property options are case-insensitive. Currently, the following options are defined:
<DL COMPACT>
<DT id="83">uppercase<DD>
convert property to lowercase only
<DT id="84">lowercase<DD>
convert property text to uppercase only
<DT id="85">drop-last-lf<DD>
The last LF in the message (if any), is dropped. Especially useful for PIX.
<DT id="86">date-mysql<DD>
format as mysql date
<DT id="87">date-rfc3164<DD>
format as RFC 3164 date
<DT id="88">date-rfc3339<DD>
format as RFC 3339 date
<DT id="89">escape-cc<DD>
replace control characters (ASCII value 127 and values less then 32) with an escape sequence. The sequence is &quot;#&lt;charval&gt;&quot; where charval is the 3-digit decimal value of the control character. For example, a tabulator would be replaced by &quot;#009&quot;.
<DT id="90">space-cc<DD>
replace control characters by spaces
<DT id="91">drop-cc<DD>
drop control characters - the resulting string will neither contain control characters, escape sequences nor any other replacement character like space.
<P>
</DL>
<A NAME="lbBE">&nbsp;</A>
<H2>QUEUED OPERATIONS</H2>
Rsyslogd supports queued operations to handle offline outputs
(like remote syslogd's or database servers being down). When running in
queued mode, rsyslogd buffers messages to memory and optionally to disk
(on an as-needed basis). Queues survive rsyslogd restarts.
<P>
It is highly suggested to use remote forwarding and database writing
in queued mode, only.
<P>
To learn more about queued operations, see the HTML documentation.
<P>
<A NAME="lbBF">&nbsp;</A>
<H2>FILES</H2>
<DL COMPACT>
<DT id="92"><I>/etc/rsyslog.conf</I>
<DD>
Configuration file for
<B>rsyslogd</B>
<P>
</DL>
<A NAME="lbBG">&nbsp;</A>
<H2>SEE ALSO</H2>
<B><A HREF="/cgi-bin/man/man2html?8+rsyslogd">rsyslogd</A></B>(8),
<B><A HREF="/cgi-bin/man/man2html?1+logger">logger</A></B>(1),
<B><A HREF="/cgi-bin/man/man2html?3+syslog">syslog</A></B>(3)
<P>
The complete documentation can be found in the doc folder of the rsyslog distribution or online at
<P>
<DL COMPACT><DT id="93"><DD>
<B><A HREF="https://www.rsyslog.com/doc/">https://www.rsyslog.com/doc/</A></B>
<P>
</DL>
Please note that the man page reflects only a subset of the configuration options. Be sure to read
the HTML documentation for all features and details. This is especially vital if you plan to set
up a more-then-extremely-simple system.
<P>
<A NAME="lbBH">&nbsp;</A>
<H2>AUTHORS</H2>
<B>rsyslogd</B>
is taken from sysklogd sources, which have been heavily modified
by Rainer Gerhards (<A HREF="mailto:rgerhards@adiscon.com">rgerhards@adiscon.com</A>) and others.
<P>
<HR>
<A NAME="index">&nbsp;</A><H2>Index</H2>
<DL>
<DT id="94"><A HREF="#lbAB">NAME</A><DD>
<DT id="95"><A HREF="#lbAC">DESCRIPTION</A><DD>
<DT id="96"><A HREF="#lbAD">MODULES</A><DD>
<DT id="97"><A HREF="#lbAE">BASIC STRUCTURE</A><DD>
<DT id="98"><A HREF="#lbAF">SELECTORS</A><DD>
<DT id="99"><A HREF="#lbAG">ACTIONS</A><DD>
<DL>
<DT id="100"><A HREF="#lbAH">Regular file</A><DD>
<DT id="101"><A HREF="#lbAI">Named pipes</A><DD>
<DT id="102"><A HREF="#lbAJ">Terminal and console</A><DD>
<DT id="103"><A HREF="#lbAK">Remote machine</A><DD>
<DT id="104"><A HREF="#lbAL">List of users</A><DD>
<DT id="105"><A HREF="#lbAM">Everyone logged on</A><DD>
<DT id="106"><A HREF="#lbAN">Database table</A><DD>
<DT id="107"><A HREF="#lbAO">Discard</A><DD>
<DT id="108"><A HREF="#lbAP">Output channel</A><DD>
<DT id="109"><A HREF="#lbAQ">Shell execute</A><DD>
</DL>
<DT id="110"><A HREF="#lbAR">FILTER CONDITIONS</A><DD>
<DL>
<DT id="111"><A HREF="#lbAS">Selectors</A><DD>
<DT id="112"><A HREF="#lbAT">Property-Based Filters</A><DD>
<DT id="113"><A HREF="#lbAU">Expression-Based Filters</A><DD>
</DL>
<DT id="114"><A HREF="#lbAV">TEMPLATES</A><DD>
<DL>
<DT id="115"><A HREF="#lbAW">Template options</A><DD>
<DT id="116"><A HREF="#lbAX">Template examples</A><DD>
</DL>
<DT id="117"><A HREF="#lbAY">OUTPUT CHANNELS</A><DD>
<DT id="118"><A HREF="#lbAZ">PROPERTY REPLACER</A><DD>
<DL>
<DT id="119"><A HREF="#lbBA">Accessing Properties</A><DD>
<DT id="120"><A HREF="#lbBB">Available Properties</A><DD>
<DT id="121"><A HREF="#lbBC">Character Positions</A><DD>
<DT id="122"><A HREF="#lbBD">Property Options</A><DD>
</DL>
<DT id="123"><A HREF="#lbBE">QUEUED OPERATIONS</A><DD>
<DT id="124"><A HREF="#lbBF">FILES</A><DD>
<DT id="125"><A HREF="#lbBG">SEE ALSO</A><DD>
<DT id="126"><A HREF="#lbBH">AUTHORS</A><DD>
</DL>
<HR>
This document was created by
<A HREF="/cgi-bin/man/man2html">man2html</A>,
using the manual pages.<BR>
Time: 00:06:04 GMT, March 31, 2021
</BODY>
</HTML>
Reference in New Issue View Git Blame Copy Permalink