« back to all changes in this revision
Viewing changes to rsyslog.conf.5
- browse files at revision 1
- compare with another revision
- download diff
- download tarball
- view history from revision 1
- Committer: Bazaar Package Importer
- Author(s): Michael Biebl
- Date: 2007-10-19 17:21:49 UTC
- Revision ID: james.westby@ubuntu.com-20071019172149-ie6ej2xve33mxiu7
Tags: upstream-1.19.10
ImportĀ upstreamĀ versionĀ 1.19.10
- files added:
- contrib
- doc
- freebsd
- plugins
- plugins/ommysql
- plugins/ommysql/contrib
- redhat
- slackware
added
removed
rsyslog.conf.5
1
.\" rsyslog.conf - rsyslogd(8) configuration file
2
.\" Copyright 2003-2007 Rainer Gerhards and Adiscon GmbH.
3
.\"
4
.\" This file is part of the rsyslog package, an enhanced system log daemon.
5
.\"
6
.\" This program is free software; you can redistribute it and/or modify
7
.\" it under the terms of the GNU General Public License as published by
8
.\" the Free Software Foundation; either version 2 of the License, or
9
.\" (at your option) any later version.
10
.\"
11
.\" This program is distributed in the hope that it will be useful,
12
.\" but WITHOUT ANY WARRANTY; without even the implied warranty of
13
.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14
.\" GNU General Public License for more details.
15
.\"
16
.\" You should have received a copy of the GNU General Public License
17
.\" along with this program; if not, write to the Free Software
18
.\" Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111, USA.
19
.\"
20
.TH RSYSLOG.CONF 5 "04 September 2007" "Version 1.19.4" "Linux System Administration"
21
.SH NAME
22
rsyslog.conf \- rsyslogd(8) configuration file
23
.SH DESCRIPTION
24
The
25
.I rsyslog.conf
26
file is the main configuration file for the
27
.BR rsyslogd (8)
28
which logs system messages on *nix systems. This file specifies rules
29
for logging. For special features see the
30
.BR rsyslogd (8)
31
manpage. Ryslog.conf is backward-compatible with sysklogd's syslog.conf file. So if you migrate
32
from syklogd you can rename it and it should work.
33
34
35
.SH BASIC STRUCTURE
36
37
Lines starting with a hash mark ('#') and empty lines are ignored.
38
Rsyslog.conf should contain following sections (sorted by recommended order in file):
39
40
.TP
41
Global directives
42
Global directives set some global properties of whole rsyslog daemon, for example size of main
43
message queue ($MainMessageQueueSize), loading external modules ($ModLoad) and so on.
44
All global directives need to be specified on a line by their own and must start with
45
a dollar-sign. The complete list of global directives can be found in html documentation in doc
46
directory or online on web pages.
47
48
.TP
49
Templates
50
Templates allow you to specify format of the logged message. They are also used for dynamic
51
file name generation. They have to be defined before they are used in rules. For more info
52
about templates see TEMPLATES section of this manpage.
53
54
.TP
55
Output channels
56
Output channels provide an umbrella for any type of output that the user might want.
57
They have to be defined before they are used in rules. For more info about output channels
58
see OUTPUT CHANNELS section of this manpage.
59
60
.TP
61
Rules (selector + action)
62
Every rule line consists of two fields, a selector field and an action field. These
63
two fields are separated by one or more spaces or tabs. The selector field specifies
64
a pattern of facilities and priorities belonging to the specified action.
65
66
.SH ACTIONS
67
The action field of a rule describes what to do with the message. In general, message content
68
is written to a kind of "logfile". But also other actions might be done, like writing to a
69
database table or forwarding to another host.
70
71
.SS Regular file
72
Typically messages are logged to real files. The file has to be specified with full pathname,
73
beginning with a slash ('/').
74
75
.B Example:
76
.RS
77
*.* /var/log/traditionalfile.log;TraditionalFormat # log to a file in the traditional format
78
.RE
79
80
.SS Named pipes
81
This version of rsyslogd(8) has support for logging output to named pipes (fifos). A fifo or
82
named pipe can be used as a destination for log messages by prepending a pipe symbol ('|')
83
to the name of the file. This is handy for debugging. Note that the fifo must be created with
84
the mkfifo(1) command before rsyslogd(8) is started.
85
86
.SS Terminal and console
87
If the file you specified is a tty, special tty-handling is done, same with /dev/console.
88
89
.SS Remote machine
90
To forward messages to another host, prepend the hostname with the at sign ("@"). A single at
91
sign means that messages will be forwarded via UDP protocol (the standard for syslog). If you
92
prepend two at signs ("@@"), the messages will be transmitted via TCP.
93
94
Please note that this version of rsyslogd by default does NOT forward messages it has received
95
from the network to another host. Specify the "-h" option to enable this.
96
97
.B Example:
98
.RS
99
*.* @192.168.0.1
100
.RE
101
.sp
102
In the example above, messages are forwarded via UDP to the machine 192.168.0.1, the destination
103
port defaults to 514.
104
105
.SS List of users
106
Usually critical messages are also directed to ``root'' on that machine. You can specify a list
107
of users that shall get the message by simply writing the login. You may specify more than one
108
user by separating them with commas (','). If they're logged in they get the message. Don't
109
think a mail would be sent, that might be too late.
110
111
.SS Everyone logged on
112
Emergency messages often go to all users currently online to notify them that something strange
113
is happening with the system. To specify this wall(1)-feature use an asterisk ('*').
114
115
.SS Database table
116
This allows logging of the message to a database table. Currently, only MySQL databases are
117
supported. By default, a MonitorWare-compatible schema is required for this to work. You can
118
create that schema with the createDB.SQL file that came with the rsyslog package. You can also
119
use any other schema of your liking - you just need to define a proper template and assign this
120
template to the action.
121
122
The database writer is called by specifying a greater-then sign ('>') in front of the database
123
connect information. Immediately after that sign the database host name must be given, a comma,
124
the database name, another comma, the database user, a comma and then the user's password. If
125
a specific template is to be used, a semicolon followed by the template name can follow the
126
connect information.
127
128
.B Example:
129
.RS
130
>dbhost,dbname,dbuser,dbpassword;dbtemplate
131
.RE
132
133
.B Important: to use the database functionality, the MySQL output module must be loaded
134
in the config file BEFORE the first database table action is used. This is done by placing the
135
.B $ModLoad
136
MySQL directive some place above the first use of the database write (we recommend doing at the
137
the beginning of the config file).
138
.B You have to install the rsyslog-mysql package to get this module.
139
140
.SS Discard
141
If the discard action is carried out, the received message is immediately discarded. Discard
142
can be highly effective if you want to filter out some annoying messages that otherwise would
143
fill your log files. To do that, place the discard actions early in your log files.
144
This often plays well with property-based filters, giving you great freedom in specifying
145
what you do not want.
146
147
Discard is just the single tilde character with no further parameters.
148
.sp
149
.B Example:
150
.RS
151
*.* ~ # discards everything.
152
.RE
153
154
155
.SS Output channel
156
Binds an output channel definition (see there for details) to this action. Output channel actions
157
must start with a $-sign, e.g. if you would like to bind your output channel definition "mychannel"
158
to the action, use "$mychannel". Output channels support template definitions like all all other
159
actions.
160
161
.SS Shell execute
162
This executes a program in a subshell. The program is passed the template-generated message as the
163
only command line parameter. Rsyslog waits until the program terminates and only then continues to run.
164
165
.B Example:
166
.RS
167
^program-to-execute;template
168
.RE
169
170
The program-to-execute can be any valid executable. It receives the template string as a single parameter
171
(argv[1]).
172
173
.SH FILTER CONDITIONS
174
Rsyslog offers two different types "filter conditions":
175
.sp 0
176
* "traditional" severity and facility based selectors
177
.sp 0
178
* property-based filters
179
.RE
180
181
.SS Blocks
182
Rsyslogd supports BSD-style blocks inside rsyslog.conf. Each block of lines is separated from
183
the previous block by a program or hostname specification. A block will only log messages
184
corresponding to the most recent program and hostname specifications given. Thus, a block which
185
selects "ppp" as the program, directly followed by a block that selects messages from the
186
hostname "dialhost", then the second block will only log messages from the ppp program on dialhost.
187
188
.SS Selectors
189
.B Selectors are the traditional way of filtering syslog messages.
190
They have been kept in rsyslog with their original syntax, because it is well-known, highly
191
effective and also needed for compatibility with stock syslogd configuration files. If you just
192
need to filter based on priority and facility, you should do this with selector lines. They are
193
not second-class citizens in rsyslog and offer the best performance for this job.
194
195
.SS Property-Based Filters
196
Property-based filters are unique to rsyslogd. They allow to filter on any property, like HOSTNAME,
197
syslogtag and msg.
198
199
A property-based filter must start with a colon in column 0. This tells rsyslogd that it is the new
200
filter type. The colon must be followed by the property name, a comma, the name of the compare
201
operation to carry out, another comma and then the value to compare against. This value must be quoted.
202
There can be spaces and tabs between the commas. Property names and compare operations are
203
case-sensitive, so "msg" works, while "MSG" is an invalid property name. In brief, the syntax is as follows:
204
.sp
205
.RS
206
:property, [!]compare-operation, "value"
207
.RE
208
209
The following compare-operations are currently supported:
210
.sp
211
.RS
212
.B contains
213
.RS
214
Checks if the string provided in value is contained in the property
215
.RE
216
.sp
217
.B isequal
218
.RS
219
Compares the "value" string provided and the property contents. These two values must be exactly equal to match.
220
.RE
221
.sp
222
.B startswith
223
.RS
224
Checks if the value is found exactly at the beginning of the property value
225
.RE
226
.sp
227
.B regex
228
.RS
229
Compares the property against the provided regular expression.
230
.RE
231
232
.SH TEMPLATES
233
234
Every output in rsyslog uses templates - this holds true for files, user
235
messages and so on. Templates compatible with the stock syslogd
236
formats are hardcoded into rsyslogd. If no template is specified, we use
237
one of these hardcoded templates. Search for "template_" in syslogd.c and
238
you will find the hardcoded ones.
239
240
A template consists of a template directive, a name, the actual template text
241
and optional options. A sample is:
242
243
.RS
244
.B $template MyTemplateName,"\\\\7Text %property% some more text\\\\n",<options>
245
.RE
246
247
The "$template" is the template directive. It tells rsyslog that this line
248
contains a template. The backslash is an escape character. For example, \\7 rings the
249
bell (this is an ASCII value), \\n is a new line. The set in rsyslog is a bit restricted
250
currently.
251
252
All text in the template is used literally, except for things within percent
253
signs. These are properties and allow you access to the contents of the syslog
254
message. Properties are accessed via the property replacer and it can for example
255
pick a substring or do date-specific formatting. More on this is the PROPERTY REPLACER
256
section of this manpage.
257
258
To escape:
259
.sp 0
260
% = \\%
261
.sp 0
262
\\ = \\\\ --> '\\' is used to escape (as in C)
263
.sp 0
264
$template TraditionalFormat,%timegenerated% %HOSTNAME% %syslogtag%%msg%\n"
265
266
Properties can be accessed by the property replacer (see there for details).
267
268
.B Please note that as of 1.15.0, templates can also by used to generate selector lines with dynamic file names.
269
For example, if you would like to split syslog messages from different hosts
270
to different files (one per host), you can define the following template:
271
272
.RS
273
.B $template DynFile,"/var/log/system-%HOSTNAME%.log"
274
.RE
275
276
This template can then be used when defining an output selector line. It will
277
result in something like "/var/log/system-localhost.log"
278
279
.SS Template options
280
The <options> part is optional. It carries options influencing the template as whole.
281
See details below. Be sure NOT to mistake template options with property options - the
282
later ones are processed by the property replacer and apply to a SINGLE property, only
283
(and not the whole template).
284
285
Template options are case-insensitive. Currently defined are:
286
287
.RS
288
.TP
289
sql
290
format the string suitable for a SQL statement in MySQL format. This will replace single
291
quotes ("'") and the backslash character by their backslash-escaped counterpart
292
("\'" and "\\") inside each field. Please note that in MySQL configuration, the NO_BACKSLASH_ESCAPES
293
mode must be turned off for this format to work (this is the default).
294
295
.TP
296
stdsql
297
format the string suitable for a SQL statement that is to be sent to a standards-compliant
298
sql server. This will replace single quotes ("'") by two single quotes ("''") inside each field.
299
You must use stdsql together with MySQL if in MySQL configuration the NO_BACKSLASH_ESCAPES
300
is turned on.
301
.RE
302
303
Either the
304
.B sql
305
or
306
.B stdsql
307
option
308
.B MUST
309
be specified when a template is used for writing to a database,
310
otherwise injection might occur. Please note that due to the unfortunate fact
311
that several vendors have violated the sql standard and introduced their own
312
escape methods, it is impossible to have a single option doing all the work.
313
So you yourself must make sure you are using the right format.
314
.B If you choose the wrong one, you are still vulnerable to sql injection.
315
316
Please note that the database writer *checks* that the sql option is present
317
in the template. If it is not present, the write database action is disabled.
318
This is to guard you against accidental forgetting it and then becoming
319
vulnerable to SQL injection. The sql option can also be useful with files -
320
especially if you want to import them into a database on another machine for
321
performance reasons. However, do NOT use it if you do not have a real need for
322
it - among others, it takes some toll on the processing time. Not much, but on
323
a really busy system you might notice it ;)
324
325
The default template for the write to database action has the sql option set.
326
As we currently support only MySQL and the sql option matches the default MySQL
327
configuration, this is a good choice. However, if you have turned on
328
NO_BACKSLASH_ESCAPES in your MySQL config, you need to supply a template with
329
the stdsql option. Otherwise you will become vulnerable to SQL injection.
330
331
.SS Template examples
332
Please note that the samples are split across multiple lines. A template MUST
333
NOT actually be split across multiple lines.
334
335
A template that resembles traditional syslogd file output:
336
.sp
337
.RS
338
$template TraditionalFormat,"%timegenerated% %HOSTNAME%
339
.sp 0
340
%syslogtag%%msg:::drop-last-lf%\n"
341
.RE
342
343
A template that tells you a little more about the message:
344
.sp
345
.RS
346
$template precise,"%syslogpriority%,%syslogfacility%,%timegenerated%,%HOSTNAME%,
347
.sp 0
348
%syslogtag%,%msg%\n"
349
.RE
350
351
A template for RFC 3164 format:
352
.sp
353
.RS
354
$template RFC3164fmt,"<%PRI%>%TIMESTAMP% %HOSTNAME% %syslogtag%%msg%"
355
.RE
356
357
A template for the format traditionally used for user messages:
358
.sp
359
.RS
360
$template usermsg," XXXX%syslogtag%%msg%\n\r"
361
.RE
362
363
And a template with the traditional wall-message format:
364
.sp
365
.RS
366
$template wallmsg,"\\r\\n\\7Message from syslogd@%HOSTNAME% at %timegenerated%"
367
.RE
368
369
.B A template that can be used for writing to a database (please note the SQL template option)
370
.sp
371
.RS
372
.ad l
373
$template MySQLInsert,"insert iut, message, receivedat values
374
('%iut%', '%msg:::UPPERCASE%', '%timegenerated:::date-mysql%')
375
into systemevents\\r\\n", SQL
376
377
NOTE 1: This template is embedded into core application under name
378
.B StdDBFmt
379
, so you don't need to define it.
380
.sp
381
NOTE 2: You have to have MySQL module installed to use this template.
382
.ad
383
.RE
384
385
.SH OUTPUT CHANNELS
386
387
Output Channels are a new concept first introduced in rsyslog 0.9.0. As of this writing,
388
it is most likely that they will be replaced by something different in the future.
389
So if you use them, be prepared to change you configuration file syntax when you upgrade
390
to a later release.
391
392
Output channels are defined via an $outchannel directive. It's syntax is as follows:
393
.sp
394
.RS
395
.B $outchannel name,file-name,max-size,action-on-max-size
396
.RE
397
398
name is the name of the output channel (not the file), file-name is the file name to be
399
written to, max-size the maximum allowed size and action-on-max-size a command to be issued
400
when the max size is reached. This command always has exactly one parameter. The binary is
401
that part of action-on-max-size before the first space, its parameter is everything behind
402
that space.
403
404
Keep in mind that $outchannel just defines a channel with "name". It does not activate it.
405
To do so, you must use a selector line (see below). That selector line includes the channel
406
name plus an $ sign in front of it. A sample might be:
407
.sp
408
.RS
409
*.* $mychannel
410
.RE
411
412
.SH PROPERTY REPLACER
413
The property replacer is a core component in rsyslogd's output system. A syslog message has
414
a number of well-defined properties (see below). Each of this properties can be accessed and
415
manipulated by the property replacer. With it, it is easy to use only part of a property value
416
or manipulate the value, e.g. by converting all characters to lower case.
417
418
.SS Accessing Properties
419
Syslog message properties are used inside templates. They are accessed by putting them between
420
percent signs. Properties can be modified by the property replacer. The full syntax is as follows:
421
.sp
422
.RS
423
.B %propname:fromChar:toChar:options%
424
.RE
425
426
propname is the name of the property to access.
427
.B It is case-sensitive.
428
429
.SS Available Properties
430
.TP
431
.B msg
432
the MSG part of the message (aka "the message" ;))
433
.TP
434
.B rawmsg
435
the message exactly as it was received from the socket. Should be useful for debugging.
436
.TP
437
.B HOSTNAME
438
hostname from the message
439
.TP
440
.B FROMHOST
441
hostname of the system the message was received from (in a relay chain, this is the system immediately
442
in front of us and not necessarily the original sender)
443
.TP
444
.B syslogtag
445
TAG from the message
446
.TP
447
.B programname
448
the "static" part of the tag, as defined by BSD syslogd. For example, when TAG is "named[12345]",
449
programname is "named".
450
.TP
451
.B PRI
452
PRI part of the message - undecoded (single value)
453
.TP
454
.B PRI-text
455
the PRI part of the message in a textual form (e.g. "syslog.info")
456
.TP
457
.B IUT
458
the monitorware InfoUnitType - used when talking to a MonitorWare backend (also for phpLogCon)
459
.TP
460
.B syslogfacility
461
the facility from the message - in numerical form
462
.TP
463
.B syslogfacility-text
464
the facility from the message - in text form
465
.TP
466
.B syslogseverity
467
severity from the message - in numerical form
468
.TP
469
.B syslogseverity-text
470
severity from the message - in text form
471
.TP
472
.B timegenerated
473
timestamp when the message was RECEIVED. Always in high resolution
474
.TP
475
.B timereported
476
timestamp from the message. Resolution depends on what was provided in the message (in most cases, only seconds)
477
.TP
478
.B TIMESTAMP
479
alias for timereported
480
.TP
481
.B PROTOCOL-VERSION
482
The contents of the PROTOCOL-VERSION field from IETF draft draft-ietf-syslog-protocol
483
.TP
484
.B STRUCTURED-DATA
485
The contents of the STRUCTURED-DATA field from IETF draft draft-ietf-syslog-protocol
486
.TP
487
.B APP-NAME
488
The contents of the APP-NAME field from IETF draft draft-ietf-syslog-protocol
489
.TP
490
.B PROCID
491
The contents of the PROCID field from IETF draft draft-ietf-syslog-protocol
492
.TP
493
.B MSGID
494
The contents of the MSGID field from IETF draft draft-ietf-syslog-protocol
495
.TP
496
.B $NOW
497
The current date stamp in the format YYYY-MM-DD
498
.TP
499
.B $YEAR
500
The current year (4-digit)
501
.TP
502
.B $MONTH
503
The current month (2-digit)
504
.TP
505
.B $DAY
506
The current day of the month (2-digit)
507
.TP
508
.B $HOUR
509
The current hour in military (24 hour) time (2-digit)
510
.TP
511
.B $MINUTE
512
The current minute (2-digit)
513
514
.P
515
Properties starting with a $-sign are so-called system properties. These do NOT stem from the
516
message but are rather internally-generated.
517
518
.SS Character Positions
519
FromChar and toChar are used to build substrings. They specify the offset within the string that
520
should be copied. Offset counting starts at 1, so if you need to obtain the first 2 characters of
521
the message text, you can use this syntax: "%msg:1:2%". If you do not wish to specify from and to,
522
but you want to specify options, you still need to include the colons. For example, if you would
523
like to convert the full message text to lower case, use "%msg:::lowercase%". If you would like to
524
extract from a position until the end of the string, you can place a dollar-sign ("$") in toChar
525
(e.g. %msg:10:$%, which will extract from position 10 to the end of the string).
526
527
There is also support for
528
.Bregular expressions.
529
To use them, you need to place a "R" into FromChar.
530
This tells rsyslog that a regular expression instead of position-based extraction is desired. The
531
actual regular expression
532
.B must
533
then be provided in toChar. The regular expression must be followed
534
by the string "--end". It denotes the end of the regular expression and will not become part of it.
535
If you are using regular expressions, the property replacer will return the part of the property text
536
that matches the regular expression. An example for a property replacer sequence with a regular
537
expression is: "%msg:R:.*Sev:. \\(.*\\) \\[.*--end%"
538
539
Also, extraction can be done based on so-called "fields". To do so, place a "F" into FromChar. A field
540
in its current definition is anything that is delimited by a delimiter character. The delimiter by
541
default is TAB (US-ASCII value 9). However, if can be changed to any other US-ASCII character by
542
specifying a comma and the decimal US-ASCII value of the delimiter immediately after the "F". For example,
543
to use comma (",") as a delimiter, use this field specifier: "F,44". If your syslog data is delimited,
544
this is a quicker way to extract than via regular expressions (actually, a *much* quicker way). Field
545
counting starts at 1. Field zero is accepted, but will always lead to a "field not found" error. The same
546
happens if a field number higher than the number of fields in the property is requested. The field number
547
must be placed in the "ToChar" parameter. An example where the 3rd field (delimited by TAB) from the msg
548
property is extracted is as follows: "%msg:F:3%". The same example with semicolon as delimiter is
549
"%msg:F,59:3%".
550
551
Please note that the special characters "F" and "R" are case-sensitive. Only upper case works, lower case
552
will return an error. There are no white spaces permitted inside the sequence (that will lead to error
553
messages and will NOT provide the intended result).
554
555
.SS Property Options
556
Property options are case-insensitive. Currently, the following options are defined:
557
.TP
558
uppercase
559
convert property to lowercase only
560
.TP
561
lowercase
562
convert property text to uppercase only
563
.TP
564
drop-last-lf
565
The last LF in the message (if any), is dropped. Especially useful for PIX.
566
.TP
567
date-mysql
568
format as mysql date
569
.TP
570
date-rfc3164
571
format as RFC 3164 date
572
.TP
573
date-rfc3339
574
format as RFC 3339 date
575
.TP
576
escape-cc
577
replace control characters (ASCII value 127 and values less then 32) with an escape sequence. The sequence is "#<charval>" where charval is the 3-digit decimal value of the control character. For example, a tabulator would be replaced by "#009".
578
.TP
579
space-cc
580
replace control characters by spaces
581
.TP
582
drop-cc
583
drop control characters - the resulting string will neither contain control characters, escape sequences nor any other replacement character like space.
584
585
.SH FILES
586
.PD 0
587
.TP
588
.I /etc/rsyslog.conf
589
Configuration file for
590
.B rsyslogd
591
592
.SH SEE ALSO
593
.BR rsyslogd (8),
594
.BR logger (1),
595
.BR syslog (3)
596
597
The complete documentation can be found in the doc folder of the rsyslog distribution or online at
598
599
.RS
600
.B http://www.rsyslog.com/doc
601
.RE
602
603
.SH AUTHORS
604
The
605
.B rsyslogd
606
is taken from sysklogd sources, which have been heavily modified
607
by Rainer Gerhards (rgerhards@adiscon.com) and others.
Loggerhead is a web-based interface for Breezy
Version: 2.0.1