.\" Copyright 2004-2008 Rainer Gerhards and Adiscon for the rsyslog modifications
.\" May be distributed under the GNU General Public License
.TH RSYSLOGD 8 "11 July 2008" "Version 3.18.0" "Linux System Administration"
rsyslogd \- reliable and extended syslogd
is a system utility providing support for message logging.
Support of both internet and
unix domain sockets enables this utility to support both local
.B Note that this version of rsyslog ships with extensive documentation in html format.
This is provided in the ./doc subdirectory and probably
in a separate package if you installed rsyslog via a packaging system.
To use rsyslog's advanced features, you
to look at the html documentation, because the man pages only cover
basic aspects of operation.
.B For details and configuration examples, see the rsyslog.conf (5)
.B man page and the online documentation at http://www.rsyslog.com/doc
is derived from the sysklogd package which in turn is derived from the
provides a kind of logging that many modern programs use. Every logged
message contains at least a time and a hostname field, normally a
program name field, too, but that depends on how trustworthy the logging
program is. The rsyslog package supports free definition of output formats
via templates. It also supports precise timestamps and writing directly
to databases. If the database option is used, tools like phpLogCon can
be used to view the log data.
sources have been heavily modified a couple of notes
are in order. First of all there has been a systematic attempt to
ensure that rsyslogd follows its default, standard BSD behavior. Of course,
some configuration file changes are necessary in order to support the
template system. However, rsyslogd should be able to use a standard
syslog.conf and act like the original syslogd. However, an original syslogd
will not work correctly with a rsyslog-enhanced configuration file. At
best, it will generate funny looking file names.
The second important concept to note is that this version of rsyslogd
interacts transparently with the version of syslog found in the
standard libraries. If a binary linked to the standard shared
libraries fails to function correctly we would like an example of the
The main configuration file
or an alternative file, given with the
option, is read at startup. Any lines that begin with the hash mark
(``#'') and empty lines are ignored. If an error occurs during parsing
the error element is ignored. An attempt is made to parse the rest of the line.
.B Note that in version 3 of rsyslog a number of command line options
.B have been deprecated and replaced with config file directives. The
.B -c option controls the backward compatibility mode in use.
When sending UDP messages, there are potentially multiple paths to
the target destination. By default,
only sends to the first target it can successfully send to. If -A
is given, messages are sent to all targets. This may improve
reliability, but may also cause message duplication. This option
should be enabled only if it is fully understood.
to listen to IPv4 addresses only.
If neither -4 nor -6 is given,
listens to all configured addresses of the system.
to listen to IPv6 addresses only.
If neither -4 nor -6 is given,
listens to all configured addresses of the system.
Selects the desired backward compatibility mode. It must always be the
first option on the command line, as it influences processing of the
other options. To use the rsyslog v3 native interface, specify -c3. To
use compatibility mode, either do not use -c at all or use
is the rsyslog version that it shall be
compatible with. Using -c0 tells rsyslog to be command-line compatible
to sysklogd, which is the default if -c is not given.
.B Please note that rsyslogd issues warning messages if the -c3
.B command line option is not given.
This is to alert you that you are running in compatibility
mode. Compatibility mode interferes with your rsyslog.conf commands and
may cause some undesired side-effects. It is meant to be used with a
plain old rsyslog.conf - if you use new features, things become
messy. So the best advice is to work through this document, convert
your options and config file and then use rsyslog in native mode. In
order to aid you in this process, rsyslog logs every
compatibility-mode config file directive it has generated. So you can
simply copy them from your logfile and paste them to the config.
Turns on debug mode. Using this the daemon will not proceed a
to set itself in the background, but opposite to that stay in the
foreground and write much debug information on the current tty. See the
DEBUGGING section for more information.
.BI "\-f " "config file"
Specify an alternative configuration file instead of
.IR /etc/rsyslog.conf ","
which is the default.
.BI "\-i " "pid file"
Specify an alternative pid file instead of the default one.
This option must be used if multiple instances of rsyslogd should
run on a single machine.
.BI "\-l " "hostlist"
Specify a hostname that should be logged only with its simple hostname
and not the FQDN. Multiple hosts may be specified using the colon
Avoid auto-backgrounding. This is needed especially if the
is started and controlled by
.BI "\-q " "add hostname if DNS fails during ACL processing"
During ACL processing, hostnames are resolved to IP addresses for
performance reasons. If DNS fails during that process, the hostname
is added as wildcard text, which results in proper, but somewhat
slower operation once DNS is up again.
.BI "\-Q " "do not resolve hostnames during ACL processing"
Do not resolve hostnames to IP addresses during ACL processing.
.BI "\-s " "domainlist"
Specify a domainname that should be stripped off before
logging. Multiple domains may be specified using the colon (``:'')
Please be advised that no sub-domains may be specified but only entire
domains. For example if
is specified and the host logging resolves to satu.infodrom.north.de
no domain would be cut; you will have to specify two domains like:
.BR "\-s north.de:infodrom.north.de" .
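The entire-domain rule for \-s (and the exact-host rule for \-l) can be modelled as follows. This is an added example, not code from rsyslog; it assumes the domain part is everything after the first dot and is compared for exact equality. The function names and every host other than satu.infodrom.north.de are constructed for illustration. It also reports the side effect that matters when reading logs later: distinct hosts that end up with the same short name.

```python
from collections import defaultdict

def short_hostname(fqdn, strip_domains="", local_hosts=""):
    """Model of the -s / -l rules described above (not rsyslog's own code).

    strip_domains and local_hosts are colon-separated, as on the command
    line. The part after the FIRST dot must equal a -s entry exactly, so
    a parent domain such as north.de does not match infodrom.north.de.
    """
    host, dot, domain = fqdn.partition(".")
    if not dot:
        return fqdn                                  # already a simple name
    if domain in [d for d in strip_domains.split(":") if d]:
        return host                                  # -s: whole domain matched
    if fqdn in [h for h in local_hosts.split(":") if h]:
        return host                                  # -l: exact host matched
    return fqdn                                      # nothing is cut

def ambiguous_names(fqdns, strip_domains="", local_hosts=""):
    """Return {logged name: [fqdns]} where several hosts share one logged name."""
    seen = defaultdict(set)
    for fqdn in fqdns:
        seen[short_hostname(fqdn, strip_domains, local_hosts)].add(fqdn)
    return {name: sorted(hosts) for name, hosts in seen.items() if len(hosts) > 1}

# Constructed inventory; only the first name appears in the text above.
HOSTS = ["satu.infodrom.north.de", "satu.north.de", "dua.infodrom.north.de"]

if __name__ == "__main__":
    for domains in ("north.de", "north.de:infodrom.north.de"):
        print("-s", domains)
        for h in HOSTS:
            print("   ", h, "->", short_hostname(h, domains))
        print("    ambiguous:", ambiguous_names(HOSTS, domains))
```

With both domains stripped, satu.infodrom.north.de and satu.north.de are both logged as satu, so the log entry alone no longer identifies the sending host.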
Print version and exit.
Suppress warnings issued when messages are received from non-authorized
machines (those that are in no AllowedSender list).
Disable DNS for remote messages.
reacts to a set of signals. You may easily send a signal to
kill -SIGNAL $(cat /var/run/rsyslogd.pid)
Note that -SIGNAL must be replaced with the actual signal
you are trying to send, e.g. with HUP. So it then becomes:
kill -HUP $(cat /var/run/rsyslogd.pid)
perform a re-initialization. All open files are closed, the
configuration file (default is
.IR /etc/rsyslog.conf ")"
will be reread and the
facility is started again.
.B TERM ", " INT ", " QUIT
Switch debugging on/off. This option can only be used if
Wait for children if some were born because of wall'ing messages.
There is the potential for the rsyslogd daemon to be
used as a conduit for a denial of service attack.
A rogue program(mer) could very easily flood the rsyslogd daemon with
syslog messages resulting in the log files consuming all the remaining
space on the filesystem. Activating logging over the inet domain
sockets will of course expose a system to risks outside of programs or
individuals on the local machine.
There are a number of methods of protecting a machine:
Implement kernel firewalling to limit which hosts or networks have
access to the 514/UDP socket.
Logging can be directed to an isolated or non-root filesystem which,
if filled, will not impair the machine.
The ext2 filesystem can be used which can be configured to limit a
certain percentage of a filesystem to usage by root only. \fBNOTE\fP
that this will require rsyslogd to be run as a non-root process.
\fBALSO NOTE\fP that this will prevent usage of remote logging on the default port since
rsyslogd will be unable to bind to the 514/UDP socket.
Disabling inet domain sockets will limit risk to the local machine.
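The flooding risk described above can also be watched for in the log files rsyslogd writes. The following is an added example, not part of rsyslog: it totals the bytes each host/program pair contributes per time window and reports the pairs above a limit. It assumes the traditional "Mmm dd hh:mm:ss host program[pid]: text" file format; the function name, the thresholds and the sample lines are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Traditional file format: "Mmm dd hh:mm:ss host program[pid]: text"
LINE = re.compile(r"^(\w{3} [ \d]\d \d\d:\d\d:\d\d) (\S+) ([^\s:\[]+)(?:\[\d+\])?: ")

def flood_sources(lines, window=60, max_bytes=400, year=2008):
    """Return {(host, program): peak bytes} for sources that wrote more than
    max_bytes within any window of `window` seconds. The year is supplied by
    the caller because the traditional timestamp does not carry one."""
    start = datetime(year, 1, 1)
    per_slot = defaultdict(int)
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue                      # not in the assumed format: skip
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        slot = int((ts - start).total_seconds()) // window
        # +1 accounts for the newline the line occupies on disk
        per_slot[(slot, m.group(2), m.group(3))] += len(line) + 1
    peaks = {}
    for (_, host, prog), size in per_slot.items():
        if size > max_bytes:
            peaks[(host, prog)] = max(size, peaks.get((host, prog), 0))
    return peaks

# Constructed sample: two ordinary lines and one program logging every second.
SAMPLE = [
    "Jul 11 10:00:01 web1 sshd[311]: Accepted publickey for deploy",
    "Jul 11 10:00:05 web1 cron[402]: (root) CMD (run-parts /etc/cron.hourly)",
] + [
    f"Jul 11 10:00:{s:02d} web1 noisyd[977]: retry failed, retrying"
    for s in range(10, 40)
]

if __name__ == "__main__":
    for (host, prog), size in flood_sources(SAMPLE).items():
        print(f"{host} {prog}: {size} bytes in one {60}s window")
```

The limit is given in bytes rather than message count because the concern in this section is filesystem space.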
.SS Message replay and spoofing
If remote logging is enabled, messages can easily be spoofed and replayed.
As the messages are transmitted in clear-text, an attacker might use
the information obtained from the packets for malicious purposes. Also, an
attacker might replay recorded messages or spoof a sender's IP address,
which could lead to a wrong perception of system activity. These can
be prevented by using GSS-API authentication and encryption. Be sure
to think about syslog network security before enabling it.
When debugging is turned on using
will be very verbose by writing much of what it does on stdout.
Configuration file for
for exact information.
The Unix domain socket from where local syslog messages are read.
.I /var/run/rsyslogd.pid
The file containing the process id of
.I prefix/lib/rsyslog
Default directory for
is specified during compilation (e.g. /usr/local).
Controls runtime debug support. It contains an option string with the
following options possible (all are case insensitive):
Print out the logical flow of functions (entering and exiting them)
Specifies which files to trace LogFuncFlow. If not set (the
default), a LogFuncFlow trace is provided for all files. Set to
limit it to the files specified. FileTrace may be specified multiple
times, one file each (e.g. export RSYSLOG_DEBUG="LogFuncFlow
FileTrace=vm.c FileTrace=expr.c")
Print the content of the debug function database whenever debug
information is printed (e.g. abort case)!
.IP PrintAllDebugInfoOnExit
Print all debug information immediately before rsyslogd exits
(currently not implemented!)
Print mutex action as it happens. Useful for finding deadlocks and
Do not prefix log lines with a timestamp (default is to do that).
Do not emit debug messages to stdout. If RSYSLOG_DEBUGLOG is not
set, this means no messages will be displayed at all.
Display a very short list of commands - hopefully a life saver if
you can't access the documentation...
If set, writes (almost) all debug messages to the specified log file
in addition to stdout.
Provides the default directory in which loadable modules reside.
Please review the file BUGS for up-to-date information on known
bugs and annoyances.
.SH Further Information
.BR http://www.rsyslog.com/doc
for additional information, tutorials and a support forum.
.BR rsyslog.conf (5),
is derived from sysklogd sources, which in turn was taken from
the BSD sources. Special thanks to Greg Wettstein (greg@wind.enjellic.com)
and Martin Schulze (joey@linux.de) for the fine sysklogd package.
Grossrinderfeld, Germany
rgerhards@adiscon.com