# A commented quick reference and sample configuration
# WARNING: This is not a manual; the full manual of rsyslog configuration is in
# rsyslog.conf (5) manpage
# "$" starts lines that contain new directives. The full list of directives
# can be found in /usr/share/doc/rsyslog-1.19.6/doc/rsyslog_conf.html or online
# at http://www.rsyslog.com/doc if you do not have (or find) a local copy.
# Some global directives
# ----------------------
# $AllowedSender - specifies which remote systems are allowed to send syslog messages to rsyslogd
# The first field names the transport the list applies to (UDP here); the
# remaining fields are the permitted senders: IPv4 and IPv6 loopback, one /24
# network, a wildcard domain and a single host name.
# NOTE(review): UDP source addresses can be forged and the two name-based
# entries depend on DNS answers, so treat this list as a filter rather than as
# sender authentication. Presumably TCP senders need their own $AllowedSender
# line - confirm in rsyslog.conf(5).
$AllowedSender UDP, 127.0.0.1, 192.0.2.0/24, [::1]/128, *.example.net, somehost.example.com
# $UMASK - specifies the rsyslogd processes' umask
# $FileGroup - Set the group for dynaFiles newly created
# $FileOwner - Set the file owner for dynaFiles newly created.
# $IncludeConfig - include other files into the main configuration file
# The included file is read as part of the configuration, so it can presumably
# carry any directive or action shown in this file ($ModLoad, ^program, ...);
# keep it writable by root only.
$IncludeConfig /etc/some-included-file.conf # one file
# Files in this directory become part of the configuration, so write access
# to the directory amounts to write access to rsyslog.conf itself; keep the
# directory and its files writable by root only.
$IncludeConfig /etc/rsyslog.d/ # whole directory (must contain the final slash)
# $ModLoad - Dynamically loads a plug-in and activates it
# NOTE(review): presumably the plug-in that serves the ">" database actions
# further down, which need the rsyslog-mysql package - confirm.
$ModLoad MySQL # load MySQL functionality
# The shared object is loaded into and activated inside rsyslogd, so its code
# runs with the daemon's privileges; the module file and every directory on
# its path should be writable by root only.
$ModLoad /rsyslog/modules/somemodule.so # load a module via absolute path
# Templates allow you to specify any format a user might want.
# They MUST be defined BEFORE they are used.
# A template consists of a template directive, a name, the actual template text
# and optional options. A sample is:
# NOTE(review): the line ends with the comma that introduces the optional
# options field, but no option name follows it here; confirm that rsyslog
# accepts the empty field, or put an option (sql, stdsql) after the comma.
$template MyTemplateName,"\7Text %property% some more text\n",
# * $template - tells rsyslog that this line contains a template.
# * MyTemplateName - template name. All other config lines refer to this name.
# * "\7Text %property% some more text\n" - template text
# The backslash is an escape character, e.g. \7 rings the bell, \n is a new line.
# Template options are case-insensitive. Currently defined are:
# sql - format the string suitable for a SQL statement. This will replace single
# quotes ("'") by two single quotes ("''") to prevent SQL injection
# (NO_BACKSLASH_ESCAPES turned off)
# stdsql - format the string suitable for a SQL statement that is to
# be sent to a standards-compliant sql server.
# (NO_BACKSLASH_ESCAPES turned on)
# Properties inside templates
# ---------------------------
# Properties can be modified by the property replacer. They are accessed
# inside the template by putting them between percent signs. The full syntax is as follows:
# %propname:fromChar:toChar:options%
# FromChar and toChar are used to build substrings.
# If you need to obtain the first 2 characters of the
# message text, you can use this syntax: "%msg:1:2%"
# If you do not wish to specify from and to, but you want to
# specify options, you still need to include the colons.
# For example, to convert the full message text to lower case only, use
# "%msg:::lowercase%".
# The full list of property options can be found in rsyslog.conf(5) manpage
# Samples of template definitions
# -------------------------------
# A template that resembles traditional syslogd file output:
# Layout: generation time, host name, tag, then the message with the
# drop-last-lf option applied; the template supplies the line break itself
# with the closing \n.
$template TraditionalFormat,"%timegenerated% %HOSTNAME% %syslogtag%%msg:::drop-last-lf%\n"
# A more verbose template:
# Comma-separated fields: priority, facility, time, host, tag, message.
# NOTE(review): %timegenerated::fulltime% has two colons before the option,
# while the syntax given above (%propname:fromChar:toChar:options%) has
# three - confirm that "fulltime" is honoured as written.
$template precise,"%syslogpriority%,%syslogfacility%,%timegenerated::fulltime%,%HOSTNAME%,%syslogtag%,%msg%\n"
# A template that resembles RFC 3164 on-the-wire format:
# (yes, there is NO space between syslogtag and msg! that's important!)
# <%PRI%> opens the line, and unlike the file templates above this one has no
# trailing \n.
$template RFC3164fmt,"<%PRI%>%TIMESTAMP% %HOSTNAME% %syslogtag%%msg%"
# a template resembling traditional wallmessage format:
# \7 rings the terminal bell (see the escape-character note above); the
# banner line is framed by \r\n and followed by the tag and message text.
$template wallmsg,"\r\n\7Message from syslogd@%HOSTNAME% at %timegenerated% ...\r\n %syslogtag%%msg%\n\r"
# The template below emulates winsyslog format, but we need to check the time
# stamps used. It is also a good sample of the property replacer in action.
# Substring 1:10 of an RFC 3339 time stamp is the date (YYYY-MM-DD) and 12:19
# is the time (HH:MM:SS). Both date/time pairs are taken from %timegenerated%,
# so the two pairs always carry the same value.
$template WinSyslogFmt,"%HOSTNAME%,%timegenerated:1:10:date-rfc3339%,%timegenerated:12:19:date-rfc3339%,%timegenerated:1:10:date-rfc3339%,%timegenerated:12:19:date-rfc3339%,%syslogfacility%,%syslogpriority%,%syslogtag%%msg%\n"
# A template used for database writing (notice it *is* an actual SQL statement):
# The trailing ",sql" option is what makes this statement safe to send to the
# database: %msg%, %HOSTNAME% and %syslogtag% are filled from logged messages,
# and without sql or stdsql their quotes would reach the statement unescaped.
# Pick sql or stdsql to match the server's NO_BACKSLASH_ESCAPES setting (see
# the option list above).
# NOTE(review): %syslogfacility%, %syslogpriority% and %iut% are inserted
# unquoted - presumably always numeric, confirm.
$template dbFormat,"insert into SystemEvents (Message, Facility,FromHost, Priority, DeviceReportedTime, ReceivedAt, InfoUnitID, SysLogTag) values ('%msg%', %syslogfacility%, '%HOSTNAME%',%syslogpriority%, '%timereported:::date-mysql%', '%timegenerated:::date-mysql%', %iut%, '%syslogtag%')",sql
# "*.*" selects every facility and priority; ";TraditionalFormat" applies the
# template of that name to this file action.
*.* /var/log/traditionalfile.log;TraditionalFormat # log to a file in the traditional format
# Forwarding to remote machine
# ----------------------------
# NOTE(review): plain syslog forwarding is unencrypted and unauthenticated, and
# UDP gives no delivery guarantee; "*.*" sends every message, so keep this to
# a trusted network segment or narrow the selector.
*.* @172.19.2.16 # udp (standard for syslog)
# NOTE(review): "@@" selects TCP, which gives a reliable transport but, as
# written here, no encryption or peer authentication; every message ("*.*")
# crosses the network in clear text.
*.* @@172.19.2.17 # tcp
# (you must have rsyslog-mysql package installed)
# !!! Don't forget to set the permissions of rsyslog.conf to 600 - it holds the database password in clear text !!!
# The database password is the fourth field of this line, stored in clear
# text, which is why the file has to be mode 600. Prefer a dedicated database
# account that can do nothing but insert into the log table.
*.* >hostname,dbname,userid,password # (default Monitorware schema, can be created by /usr/share/doc/rsyslog-mysql-1.19.6/createDB.sql)
# And this one uses the template defined above:
# The credentials are again stored in clear text on this line. Any template
# bound to a database action must carry the sql or stdsql option so that
# quotes in message fields are escaped; dbFormat is declared with ",sql".
*.* >hostname,dbname,userid,password;dbFormat
# "^" runs the named program for each message the selector matches; with
# "*.*" that is every message.
# NOTE(review): the program presumably runs with rsyslogd's privileges -
# confirm, and prefer an absolute path to a root-owned binary.
*.* ^alsaunmute # set default volume to soundcard
# if the user logs the word rulez or rulezz or rulezzz or..., then we will shut down his pc
# (note that + has to be double-backslashed...)
# The trigger is message text, which any local user and any permitted remote
# sender can supply, so a content-matched ^program action should only ever
# run something harmless; treat this poweroff rule as a syntax demonstration,
# not as a rule to deploy.
:msg, regex, "rulez\\+" ^poweroff
# A more complex example
# ----------------------
# Fixed text with only the generation time substituted; no part of the
# incoming message is copied into the output.
$template bla_logged,"%timegenerated% the BLA was logged"
# Runs logger with the bla_logged template for every message whose text
# contains "bla".
# NOTE(review): the template text says "BLA" in upper case, presumably so the
# line that logger writes back does not match this filter again - confirm
# that "contains" is case-sensitive before changing either string.
:msg, contains, "bla" ^logger;bla_logged
# first we need to create the pipe with: # mkfifo /a_big_pipe
# NOTE(review): presumably only rules placed after this line stop receiving
# messages, so a catch-all discard belongs at the very end of the file -
# confirm the ordering semantics in rsyslog.conf(5).
*.* ~ # discards everything