478 lines
13 KiB
HTML
478 lines
13 KiB
HTML
|
|
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
|
|
<HTML><HEAD><TITLE>Man page of RSYSLOGD</TITLE>
|
|
</HEAD><BODY>
|
|
<H1>RSYSLOGD</H1>
|
|
Section: Linux System Administration (8)<BR>Updated: 28 May 2014<BR><A HREF="#index">Index</A>
|
|
<A HREF="/cgi-bin/man/man2html">Return to Main Contents</A><HR>
|
|
|
|
<A NAME="lbAB"> </A>
|
|
<H2>NAME</H2>
|
|
|
|
rsyslogd - reliable and extended syslogd
|
|
<A NAME="lbAC"> </A>
|
|
<H2>SYNOPSIS</H2>
|
|
|
|
<B>rsyslogd</B>
|
|
|
|
[<B> -d </B>]
|
|
|
|
[<B> -D </B>]
|
|
|
|
[<B> -f </B>
|
|
|
|
<I>config file</I>
|
|
|
|
]
|
|
[<B> -i </B>
|
|
|
|
<I>pid file</I>
|
|
|
|
]
|
|
[<B> -n </B>]
|
|
|
|
[<B> -N </B>
|
|
|
|
<I>level</I>
|
|
|
|
]
|
|
[<B> -o </B>
|
|
|
|
<I>fullconf</I>
|
|
|
|
]
|
|
[<B> -C </B>]
|
|
|
|
[<B> -v </B>]
|
|
|
|
<P>
|
|
|
|
<A NAME="lbAD"> </A>
|
|
<H2>DESCRIPTION</H2>
|
|
|
|
<B>Rsyslogd</B>
|
|
|
|
is a system utility providing support for message logging.
|
|
Support of both internet and
|
|
unix domain sockets enables this utility to support both local
|
|
and remote logging.
|
|
<P>
|
|
<B>Note that this version of rsyslog ships with extensive documentation in HTML format.</B>
|
|
|
|
This is provided in the ./doc subdirectory and probably
|
|
in a separate package if you installed rsyslog via a packaging system.
|
|
To use rsyslog's advanced features, you
|
|
<B>need</B>
|
|
|
|
to look at the HTML documentation, because the man pages only covers
|
|
basic aspects of operation.
|
|
<B>For details and configuration examples, see the rsyslog.conf (5)</B>
|
|
|
|
<B>man page and the online documentation at <A HREF="https://www.rsyslog.com/doc/">https://www.rsyslog.com/doc/</A></B>
|
|
|
|
<P>
|
|
<B><A HREF="/cgi-bin/man/man2html?8+Rsyslogd">Rsyslogd</A></B>(8)
|
|
|
|
is derived from the sysklogd package which in turn is derived from the
|
|
stock BSD sources.
|
|
<P>
|
|
<B>Rsyslogd</B>
|
|
|
|
provides a kind of logging that many modern programs use. Every logged
|
|
message contains at least a time and a hostname field, normally a
|
|
program name field, too, but that depends on how trusty the logging
|
|
program is. The rsyslog package supports free definition of output formats
|
|
via templates. It also supports precise timestamps and writing directly
|
|
to databases. If the database option is used, tools like phpLogCon can
|
|
be used to view the log data.
|
|
<P>
|
|
While the
|
|
<B>rsyslogd</B>
|
|
|
|
sources have been heavily modified a couple of notes
|
|
are in order. First of all there has been a systematic attempt to
|
|
ensure that rsyslogd follows its default, standard BSD behavior. Of course,
|
|
some configuration file changes are necessary in order to support the
|
|
template system. However, rsyslogd should be able to use a standard
|
|
syslog.conf and act like the original syslogd. However, an original syslogd
|
|
will not work correctly with a rsyslog-enhanced configuration file. At
|
|
best, it will generate funny looking file names.
|
|
The second important concept to note is that this version of rsyslogd
|
|
interacts transparently with the version of syslog found in the
|
|
standard libraries. If a binary linked to the standard shared
|
|
libraries fails to function correctly we would like an example of the
|
|
anomalous behavior.
|
|
<P>
|
|
The main configuration file
|
|
<I>/etc/rsyslog.conf</I>
|
|
|
|
or an alternative file, given with the
|
|
<B>-f</B>
|
|
|
|
option, is read at startup. Any lines that begin with the hash mark
|
|
(``#'') and empty lines are ignored. If an error occurs during parsing
|
|
the error element is ignored. It is tried to parse the rest of the line.
|
|
<P>
|
|
<P>
|
|
|
|
<A NAME="lbAE"> </A>
|
|
<H2>OPTIONS</H2>
|
|
|
|
<DL COMPACT>
|
|
<DT id="1"><B>-D</B>
|
|
|
|
<DD>
|
|
Runs the Bison config parser in debug mode. This may help when hard to find
|
|
syntax errors are reported. Please note that the output generated is deeply
|
|
technical and orignally targeted towards developers.
|
|
<DT id="2"><B>-d</B>
|
|
|
|
<DD>
|
|
Turns on debug mode. See the DEBUGGING section for more information.
|
|
<DT id="3"><B>-f </B><I>config file</I>
|
|
|
|
<DD>
|
|
Specify an alternative configuration file instead of
|
|
<I>/etc/rsyslog.conf</I>,
|
|
|
|
which is the default.
|
|
<DT id="4"><B>-i </B><I>pid file</I>
|
|
|
|
<DD>
|
|
Specify an alternative pid file instead of the default one.
|
|
This option must be used if multiple instances of rsyslogd should
|
|
run on a single machine. To disable writing a pid file, use
|
|
the reserved name "NONE" (all upper case!), so "-iNONE".
|
|
<DT id="5"><B>-n</B>
|
|
|
|
<DD>
|
|
Avoid auto-backgrounding. This is needed especially if the
|
|
<B>rsyslogd</B>
|
|
|
|
is started and controlled by
|
|
<B><A HREF="/cgi-bin/man/man2html?8+init">init</A></B>(8).
|
|
|
|
<DT id="6"><B>-N level</B>
|
|
|
|
<DD>
|
|
Do a config check. Do NOT run in regular mode, just check configuration
|
|
file correctness.
|
|
This option is meant to verify a config file. To do so, run rsyslogd
|
|
interactively in foreground, specifying -f <config-file> and -N level.
|
|
The level argument modifies behaviour. Currently, 0 is the same as
|
|
not specifying the -N option at all (so this makes limited sense) and
|
|
1 actually activates the code. Later, higher levels will mean more
|
|
verbosity (this is a forward-compatibility option).
|
|
<DT id="7"><B>-o fullconf</B>
|
|
|
|
<DD>
|
|
Generates a consolidated config file
|
|
<I>fullconf</I>
|
|
|
|
that contains all of rsyslog's configuration in a single file. Include
|
|
files are exploded into that file in exactly the way rsyslog sees them.
|
|
This option is useful for troubleshooting, especially if problems with
|
|
the order of action processing is suspected. It may also be used to
|
|
check for "unexepectedly" included config content.
|
|
<DT id="8"><B>-C</B>
|
|
|
|
<DD>
|
|
This prevents rsyslogd from changing to the root directory. This
|
|
is almost never a good idea in production use. This option was introduced
|
|
in support of the internal testbed.
|
|
<DT id="9"><B>-v</B>
|
|
|
|
<DD>
|
|
Print version and exit.
|
|
</DL>
|
|
<P>
|
|
|
|
<A NAME="lbAF"> </A>
|
|
<H2>SIGNALS</H2>
|
|
|
|
<B>Rsyslogd</B>
|
|
|
|
reacts to a set of signals. You may easily send a signal to
|
|
<B>rsyslogd</B>
|
|
|
|
using the following:
|
|
<DL COMPACT>
|
|
<DT id="10"><DD>
|
|
<PRE>
|
|
kill -SIGNAL $(cat /var/run/rsyslogd.pid)
|
|
</PRE>
|
|
|
|
</DL>
|
|
<P>
|
|
|
|
Note that -SIGNAL must be replaced with the actual signal
|
|
you are trying to send, e.g. with HUP. So it then becomes:
|
|
<DL COMPACT>
|
|
<DT id="11"><DD>
|
|
<PRE>
|
|
kill -HUP $(cat /var/run/rsyslogd.pid)
|
|
</PRE>
|
|
|
|
</DL>
|
|
<P>
|
|
|
|
<DL COMPACT>
|
|
<DT id="12"><B>HUP</B>
|
|
|
|
<DD>
|
|
This lets
|
|
<B>rsyslogd</B>
|
|
|
|
perform close all open files.
|
|
<DT id="13"><B>TERM , INT , QUIT</B>
|
|
|
|
<DD>
|
|
<B>Rsyslogd</B>
|
|
|
|
will die.
|
|
<DT id="14"><B>USR1</B>
|
|
|
|
<DD>
|
|
Switch debugging on/off. This option can only be used if
|
|
<B>rsyslogd</B>
|
|
|
|
is started with the
|
|
<B>-d</B>
|
|
|
|
debug option.
|
|
<DT id="15"><B>CHLD</B>
|
|
|
|
<DD>
|
|
Wait for childs if some were born, because of wall'ing messages.
|
|
</DL>
|
|
<P>
|
|
|
|
<A NAME="lbAG"> </A>
|
|
<H2>SECURITY THREATS</H2>
|
|
|
|
There is the potential for the rsyslogd daemon to be
|
|
used as a conduit for a denial of service attack.
|
|
A rogue program(mer) could very easily flood the rsyslogd daemon with
|
|
syslog messages resulting in the log files consuming all the remaining
|
|
space on the filesystem. Activating logging over the inet domain
|
|
sockets will of course expose a system to risks outside of programs or
|
|
individuals on the local machine.
|
|
<P>
|
|
There are a number of methods of protecting a machine:
|
|
<DL COMPACT>
|
|
<DT id="16">1.<DD>
|
|
Implement kernel firewalling to limit which hosts or networks have
|
|
access to the 514/UDP socket.
|
|
<DT id="17">2.<DD>
|
|
Logging can be directed to an isolated or non-root filesystem which,
|
|
if filled, will not impair the machine.
|
|
<DT id="18">3.<DD>
|
|
The ext2 filesystem can be used which can be configured to limit a
|
|
certain percentage of a filesystem to usage by root only. <B>NOTE</B>
|
|
that this will require rsyslogd to be run as a non-root process.
|
|
<B>ALSO NOTE</B> that this will prevent usage of remote logging on the default port since
|
|
rsyslogd will be unable to bind to the 514/UDP socket.
|
|
<DT id="19">4.<DD>
|
|
Disabling inet domain sockets will limit risk to the local machine.
|
|
</DL>
|
|
<A NAME="lbAH"> </A>
|
|
<H3>Message replay and spoofing</H3>
|
|
|
|
If remote logging is enabled, messages can easily be spoofed and replayed.
|
|
As the messages are transmitted in clear-text, an attacker might use
|
|
the information obtained from the packets for malicious things. Also, an
|
|
attacker might replay recorded messages or spoof a sender's IP address,
|
|
which could lead to a wrong perception of system activity. These can
|
|
be prevented by using GSS-API authentication and encryption. Be sure
|
|
to think about syslog network security before enabling it.
|
|
<P>
|
|
|
|
<A NAME="lbAI"> </A>
|
|
<H2>DEBUGGING</H2>
|
|
|
|
When debugging is turned on using the
|
|
<B>-d</B>
|
|
|
|
option,
|
|
<B>rsyslogd</B>
|
|
|
|
produces debugging information according to the
|
|
<B>RSYSLOG_DEBUG</B>
|
|
|
|
environment variable and the signals received. When run in foreground,
|
|
the information is written to stdout. An additional output file can be
|
|
specified using the
|
|
<B>RSYSLOG_DEBUGLOG</B>
|
|
|
|
environment variable.
|
|
<A NAME="lbAJ"> </A>
|
|
<H2>FILES</H2>
|
|
|
|
|
|
<DL COMPACT>
|
|
<DT id="20"><I>/etc/rsyslog.conf</I>
|
|
|
|
<DD>
|
|
Configuration file for
|
|
<B>rsyslogd</B>.
|
|
|
|
See
|
|
<B><A HREF="/cgi-bin/man/man2html?5+rsyslog.conf">rsyslog.conf</A></B>(5)
|
|
|
|
for exact information.
|
|
<DT id="21"><I>/dev/log</I>
|
|
|
|
<DD>
|
|
The Unix domain socket to from where local syslog messages are read.
|
|
<DT id="22"><I>/var/run/rsyslogd.pid</I>
|
|
|
|
<DD>
|
|
The file containing the process id of
|
|
<B>rsyslogd</B>.
|
|
|
|
<DT id="23"><I>prefix/lib/rsyslog</I>
|
|
|
|
<DD>
|
|
Default directory for
|
|
<B>rsyslogd</B>
|
|
|
|
modules. The
|
|
<I>prefix</I>
|
|
|
|
is specified during compilation (e.g. /usr/local).
|
|
</DL>
|
|
<A NAME="lbAK"> </A>
|
|
<H2>ENVIRONMENT</H2>
|
|
|
|
<DL COMPACT>
|
|
<DT id="24"><B>RSYSLOG_DEBUG</B>
|
|
|
|
<DD>
|
|
Controls runtime debug support. It contains an option string with the
|
|
following options possible (all are case insensitive):
|
|
<P>
|
|
<DL COMPACT><DT id="25"><DD>
|
|
<DL COMPACT>
|
|
<DT id="26">Debug<DD>
|
|
Turns on debugging and prevents forking. This is processed earlier
|
|
in the startup than command line options (i.e. -d) and as such
|
|
enables earlier debugging output. Mutually exclusive with DebugOnDemand.
|
|
<DT id="27">DebugOnDemand<DD>
|
|
Enables debugging but turns off debug output. The output can be toggled
|
|
by sending SIGUSR1. Mutually exclusive with Debug.
|
|
<DT id="28">LogFuncFlow<DD>
|
|
Print out the logical flow of functions (entering and exiting them)
|
|
<DT id="29">FileTrace<DD>
|
|
Specifies which files to trace LogFuncFlow. If not set (the
|
|
default), a LogFuncFlow trace is provided for all files. Set to
|
|
limit it to the files specified.FileTrace may be specified multiple
|
|
times, one file each (e.g. export RSYSLOG_DEBUG="LogFuncFlow
|
|
FileTrace=vm.c FileTrace=expr.c"
|
|
<DT id="30">PrintFuncDB<DD>
|
|
Print the content of the debug function database whenever debug
|
|
information is printed (e.g. abort case)!
|
|
<DT id="31">PrintAllDebugInfoOnExit<DD>
|
|
Print all debug information immediately before rsyslogd exits
|
|
(currently not implemented!)
|
|
<DT id="32">PrintMutexAction<DD>
|
|
Print mutex action as it happens. Useful for finding deadlocks and
|
|
such.
|
|
<DT id="33">NoLogTimeStamp<DD>
|
|
Do not prefix log lines with a timestamp (default is to do that).
|
|
<DT id="34">NoStdOut<DD>
|
|
Do not emit debug messages to stdout. If RSYSLOG_DEBUGLOG is not
|
|
set, this means no messages will be displayed at all.
|
|
<DT id="35">Help<DD>
|
|
Display a very short list of commands - hopefully a life saver if
|
|
you can't access the documentation...
|
|
</DL>
|
|
</DL>
|
|
|
|
<P>
|
|
<DT id="36"><B>RSYSLOG_DEBUGLOG</B>
|
|
|
|
<DD>
|
|
If set, writes (almost) all debug message to the specified log file
|
|
in addition to stdout.
|
|
<DT id="37"><B>RSYSLOG_MODDIR</B>
|
|
|
|
<DD>
|
|
Provides the default directory in which loadable modules reside.
|
|
|
|
</DL>
|
|
<A NAME="lbAL"> </A>
|
|
<H2>BUGS</H2>
|
|
|
|
Please review the file BUGS for up-to-date information on known
|
|
bugs and annoyances.
|
|
<A NAME="lbAM"> </A>
|
|
<H2>Further Information</H2>
|
|
|
|
Please visit
|
|
<B><A HREF="https://www.rsyslog.com/doc/">https://www.rsyslog.com/doc/</A></B>
|
|
|
|
for additional information, tutorials and a support forum.
|
|
<A NAME="lbAN"> </A>
|
|
<H2>SEE ALSO</H2>
|
|
|
|
<B><A HREF="/cgi-bin/man/man2html?5+rsyslog.conf">rsyslog.conf</A></B>(5),
|
|
|
|
<B><A HREF="/cgi-bin/man/man2html?1+logger">logger</A></B>(1),
|
|
|
|
<B><A HREF="/cgi-bin/man/man2html?2+syslog">syslog</A></B>(2),
|
|
|
|
<B><A HREF="/cgi-bin/man/man2html?3+syslog">syslog</A></B>(3),
|
|
|
|
<B><A HREF="/cgi-bin/man/man2html?5+services">services</A></B>(5),
|
|
|
|
<B><A HREF="/cgi-bin/man/man2html?8+savelog">savelog</A></B>(8)
|
|
|
|
<P>
|
|
|
|
<A NAME="lbAO"> </A>
|
|
<H2>COLLABORATORS</H2>
|
|
|
|
<B>rsyslogd</B>
|
|
|
|
is derived from sysklogd sources, which in turn was taken from
|
|
the BSD sources. Special thanks to Greg Wettstein (<A HREF="mailto:greg@wind.enjellic.com">greg@wind.enjellic.com</A>)
|
|
and Martin Schulze (<A HREF="mailto:joey@linux.de">joey@linux.de</A>) for the fine sysklogd package.
|
|
<P>
|
|
|
|
<DL COMPACT>
|
|
<DT id="38">Rainer Gerhards<DD>
|
|
<DT id="39">Adiscon GmbH<DD>
|
|
<DT id="40">Grossrinderfeld, Germany<DD>
|
|
<DT id="41"><A HREF="mailto:rgerhards@adiscon.com">rgerhards@adiscon.com</A><DD>
|
|
|
|
<P>
|
|
</DL>
|
|
|
|
<HR>
|
|
<A NAME="index"> </A><H2>Index</H2>
|
|
<DL>
|
|
<DT id="42"><A HREF="#lbAB">NAME</A><DD>
|
|
<DT id="43"><A HREF="#lbAC">SYNOPSIS</A><DD>
|
|
<DT id="44"><A HREF="#lbAD">DESCRIPTION</A><DD>
|
|
<DT id="45"><A HREF="#lbAE">OPTIONS</A><DD>
|
|
<DT id="46"><A HREF="#lbAF">SIGNALS</A><DD>
|
|
<DT id="47"><A HREF="#lbAG">SECURITY THREATS</A><DD>
|
|
<DL>
|
|
<DT id="48"><A HREF="#lbAH">Message replay and spoofing</A><DD>
|
|
</DL>
|
|
<DT id="49"><A HREF="#lbAI">DEBUGGING</A><DD>
|
|
<DT id="50"><A HREF="#lbAJ">FILES</A><DD>
|
|
<DT id="51"><A HREF="#lbAK">ENVIRONMENT</A><DD>
|
|
<DT id="52"><A HREF="#lbAL">BUGS</A><DD>
|
|
<DT id="53"><A HREF="#lbAM">Further Information</A><DD>
|
|
<DT id="54"><A HREF="#lbAN">SEE ALSO</A><DD>
|
|
<DT id="55"><A HREF="#lbAO">COLLABORATORS</A><DD>
|
|
</DL>
|
|
<HR>
|
|
This document was created by
|
|
<A HREF="/cgi-bin/man/man2html">man2html</A>,
|
|
using the manual pages.<BR>
|
|
Time: 00:06:15 GMT, March 31, 2021
|
|
</BODY>
|
|
</HTML>
|