diff options
Diffstat (limited to 'doc')
| -rw-r--r-- | doc/debug.html | 6 | ||||
| -rw-r--r-- | doc/dev_oplugins.html | 31 | ||||
| -rw-r--r-- | doc/imfile.html | 395 | ||||
| -rw-r--r-- | doc/impstats.html | 6 | ||||
| -rw-r--r-- | doc/imuxsock.html | 8 | ||||
| -rw-r--r-- | doc/manual.html | 2 | ||||
| -rw-r--r-- | doc/mmanon.html | 9 | ||||
| -rw-r--r-- | doc/mmnormalize.html | 11 | ||||
| -rw-r--r-- | doc/omfile.html | 26 | ||||
| -rw-r--r-- | doc/omfwd.html | 5 | ||||
| -rw-r--r-- | doc/omruleset.html | 5 | ||||
| -rw-r--r-- | doc/property_replacer.html | 4 | ||||
| -rw-r--r-- | doc/queues.html | 5 | ||||
| -rw-r--r-- | doc/rsyslog_conf_filter.html | 5 | ||||
| -rw-r--r-- | doc/rsyslog_conf_templates.html | 12 | ||||
| -rw-r--r-- | doc/rsyslog_packages.html | 22 | ||||
| -rw-r--r-- | doc/sigprov_gt.html | 6 | ||||
| -rw-r--r-- | doc/troubleshoot.html | 24 |
18 files changed, 361 insertions, 221 deletions
diff --git a/doc/debug.html b/doc/debug.html index 557ca6d3..229aeb08 100644 --- a/doc/debug.html +++ b/doc/debug.html @@ -160,7 +160,11 @@ enable DebugOnDemand mode only for a reason. Note that when no debug mode is ena SIGUSR1 and SIGUSR2 are completely ignored. <p>When running in any of the debug modes (including on demand mode), an interactive instance of rsyslogd can be aborted by pressing ctl-c. -<p> +<p><b>See Also</b> +<ul> +<li><a href="http://www.rsyslog.com/how-to-use-debug-on-demand/">How to use debug on demand</a></li> +</ul> +</p> <p>[<a href="manual.html">manual index</a>] [<a href="http://www.rsyslog.com/">rsyslog site</a>]</p> <p><font size="2">This documentation is part of the <a href="http://www.rsyslog.com/">rsyslog</a> project.<br> diff --git a/doc/dev_oplugins.html b/doc/dev_oplugins.html index b33b67f9..4a9cd15d 100644 --- a/doc/dev_oplugins.html +++ b/doc/dev_oplugins.html @@ -18,19 +18,10 @@ means they are primarily thought of being message sinks. In theory, however, out plugins may aggergate other functionality, too. Nobody has taken this route so far so if you would like to do that, it is highly suggested to post your plan on the rsyslog mailing list, first (so that we can offer advise). -<p>The rsyslog distribution tarball contains two plugins that are extremely well -targeted for getting started: -<ul> -<li>omtemplate -<li>omstdout -</ul> -Plugin omtemplate was specifically created to provide a copy template for new output -plugins. It is bare of real functionality but has ample comments. Even if you decide -to start from another plugin (or even from scratch), be sure to read omtemplate source -and comments first. The omstdout is primarily a testing aide, but offers support for -the two different parameter-passing conventions plugins can use (plus the way to -differentiate between the two). It also is not bare of functionaly, only mostly -bare of it ;). But you can actually execute it and play with it. +<p>The rsyslog distribution tarball contains the omstdout plugin which is extremely well +targeted for getting started. Just note that this plugin itself is not meant for +production use. But it is very simplistic and so a really good starting point to +grasp the core ideas. <p>In any case, you should also read the comments in ./runtime/module-template.h. Output plugins are build based on a large set of code-generating macros. These macros handle most of the plumbing needed by the interface. As long as no @@ -38,19 +29,7 @@ special callback to rsyslog is needed (it typically is not), an output plugin do not really need to be aware that it is executed by rsyslog. As a plug-in programmer, you can (in most cases) "code as usual". However, all macros and entry points need to be provided and thus reading the code comments in the files mentioned is highly suggested. -<p>In short, the best idea is to start with a template. Let's assume you start by -copying omtemplate. Then, the basic steps you need to do are: -<ul> -<li>cp ./plugins/omtemplate ./plugins/your-plugin -<li>mv cd ./plugins/your-plugin -<li>vi Makefile.am, adjust to your-plugin -<li>mv omtemplate.c your-plugin.c -<li>cd ../.. -<li>vi Makefile.am configure.ac -<br>search for omtemplate, copy and modify (follow comments) -</ul> -<p>Basically, this is all you need to do ... Well, except, of course, coding -your plugin ;). For testing, you need rsyslog's debugging support. Some useful +<p>For testing, you need rsyslog's debugging support. Some useful information is given in "<a href="troubleshoot.html">troubleshooting rsyslog</a> from the doc set. <h2>Special Topics</h2> diff --git a/doc/imfile.html b/doc/imfile.html index 88f0d39f..a69f62e9 100644 --- a/doc/imfile.html +++ b/doc/imfile.html @@ -1,156 +1,218 @@ <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> -<html> - <head> - <meta content="en" http-equiv="Content-Language" /> - <title>Text File Input Monitor</title> - </head> - <body> - <p> - <a href="rsyslog_conf_modules.html">back</a></p> - <h1> - Text File Input Module</h1> - <p> - <b>Module Name: imfile</b></p> - <p> - <b>Author: </b>Rainer Gerhards <rgerhards@adiscon.com></p> - <p> - <b>Description</b>:</p> - <p> - Provides the ability to convert any standard text file into a syslog message. A standard text file is a file consisting of printable characters with lines being delimited by LF.</p> - <p> - The file is read line-by-line and any line read is passed to rsyslog's rule engine. The rule engine applies filter conditons and selects which actions needs to be carried out. Empty lines are <b>not</b> processed, as they would result in empty syslog records. They are simply ignored.</p> - <p> - As new lines are written they are taken from the file and processed. Please note that this happens based on a polling interval and not immediately. The file monitor support file rotation. To fully work, rsyslogd must run while the file is rotated. Then, any remaining lines from the old file are read and processed and when done with that, the new file is being processed from the beginning. If rsyslogd is stopped during rotation, the new file is read, but any not-yet-reported lines from the previous file can no longer be obtained.</p> - <p> - When rsyslogd is stopped while monitoring a text file, it records the last processed location and continues to work from there upon restart. So no data is lost during a restart (except, as noted above, if the file is rotated just in this very moment).</p> - <p> - Currently, the file must have a fixed name and location (directory). It is planned to add support for dynamically generating file names in the future.</p> - <p> - Multiple files may be monitored by specifying $InputRunFileMonitor multiple times.</p> - <p> - <b>Configuration Directives</b>:</p> - <p> - <b>Module Directives</b></p> - <ul> - <li> - <span style="font-weight: bold;">PollingInterval seconds</span><br /> - This is a global setting. It specifies how often files are to be polled for new data. The time specified is in seconds. The <span style="font-weight: bold;">default value</span> is 10 seconds. Please note that future releases of imfile may support per-file polling intervals, but currently this is not the case. If multiple PollingInterval statements are present in rsyslog.conf, only the last one is used.<br /> - A short poll interval provides more rapid message forwarding, but requires more system ressources. While it is possible, we stongly recommend not to set the polling interval to 0 seconds. That will make rsyslogd become a CPU hog, taking up considerable ressources. It is supported, however, for the few very unusual situations where this level may be needed. Even if you need quick response, 1 seconds should be well enough. Please note that imfile keeps reading files as long as there is any data in them. So a "polling sleep" will only happen when nothing is left to be processed.</li> - </ul> - <p> - <b>Action Directives</b></p> - <ul> - <li> - <strong>(required) File /path/to/file</strong><br /> - The file being monitored. So far, this must be an absolute name (no macros or templates).</li> - <li> - <span style="font-weight: bold;">(required) Tag tag:</span><br /> - The syslog tag to be used for messages that originate from this file. If you would like to see the colon after the tag, you need to specify it here (as shown above).</li> - <li> - <span style="font-weight: bold;">(required) StateFile <name-of-state-file></span><br /> - Rsyslog must keep track of which parts of the to be monitored file it already processed. This is done in the state file. This file always is created in the rsyslog working directory (configurable via $WorkDirectory). So you need to provide a file name here, not a path. Be careful to use unique names for different files being monitored. If there are duplicates, all sorts of "interesting" things may happen. Rsyslog currently does not check if a name is specified multiple times. Note that when $WorkDirectory is not set or set to a non-writable location, the state file will not be generated.</li> - <li> - <span style="font-weight: bold;">Facility facility</span><br /> - The syslog facility to be assigned to lines read. Can be specified in textual form (e.g. "local0", "local1", ...) or as numbers (e.g. 128 for "local0"). Textual form is suggested. <span style="font-weight: bold;">Default</span> is "local0".</li> - <li> - <span style="font-weight: bold;">Severity</span><br /> - The syslog severity to be assigned to lines read. Can be specified in textual form (e.g. "info", "warning", ...) or as numbers (e.g. 4 for "info"). Textual form is suggested. <span style="font-weight: bold;">Default</span> is "notice".</li> - <li> - <b>PersistStateInterval</b> [lines]<br /> - Specifies how often the state file shall be written when processing the input file. The <strong>default</strong> value is 0, which means a new state file is only written when the monitored files is being closed (end of rsyslogd execution). Any other value n means that the state file is written every time n file lines have been processed. This setting can be used to guard against message duplication due to fatal errors (like power fail). Note that this setting affects imfile performance, especially when set to a low value. Frequently writing the state file is very time consuming.</li> - <li> - <b>ReadMode</b> [mode]<br /> - This mode should defined when having multiline messages. The value can range from 0-2 and determines the multiline detection method.<br /> - 0 (<strong>default</strong>) - line based (Each line is a new message)<br /> - 1 - paragraph (There is a blank line between log messages)<br /> - 2 - indented (New log messages start at the beginning of a line. If a line starts with a space it is part of the log message before it)</li> - <li> - <b>MaxLinesAtOnce</b> [number]<br /> - This is useful if multiple files need to be monitored. If set to 0, each file will be fully processed and then processing switches to the next file (this was the default in previous versions). If it is set, a maximum of [number] lines is processed in sequence for each file, and then the file is switched. This provides a kind of mutiplexing the load of multiple files and probably leads to a more natural distribution of events when multiple busy files are monitored. The <strong>default</strong> is 1024.</li> - <li> - <b>MaxSubmitAtOnce</b> [number]<br /> - This is an expert option. It can be used to set the maximum input batch size that imfile can generate. The <strong>default</strong> is 1024, which is suitable for a wide range of applications. Be sure to understand rsyslog message batch processing before you modify this option. If you do not know what this doc here talks about, this is a good indication that you should NOT modify the default.</li> - <li> - <b>Ruleset</b> <ruleset> Binds the listener to a specific <a href="multi_ruleset.html">ruleset</a>.</li> - </ul> - <p> - <b>Caveats/Known Bugs:</b></p> - <p> - So far, only 100 files can be monitored. If more are needed, the source needs to be patched. See define MAX_INPUT_FILES in imfile.c</p> - <p> - Powertop users may want to notice that imfile utilizes polling. Thus, it is no good citizen when it comes to conserving system power consumption. We are currently evaluating to move to inotify(). However, there are a number of subtle issues, which needs to be worked out first. We will make the change as soon as we can. If you can afford it, we recommend using a long polling interval in the mean time.</p> - <p> - <b>Sample:</b></p> - <p> - The following sample monitors two files. If you need just one, remove the second one. If you need more, add them according to the sample ;). This code must be placed in /etc/rsyslog.conf (or wherever your distro puts rsyslog's config files). Note that only commands actually needed need to be specified. The second file uses less commands and uses defaults instead.</p> - <p> - <textarea cols="60" rows="15">module(load="imfile" PollingInterval="10") #needs to be done just once +<html><head> +<meta http-equiv="Content-Language" content="en"><title>Text File Input Monitor</title></head> +<body> +<a href="rsyslog_conf_modules.html">back</a> + +<h1>Text File Input Module</h1> +<p><b>Module Name: imfile</b></p> +<p><b>Author: </b>Rainer Gerhards +<rgerhards@adiscon.com></p> +<p><b>Description</b>:</p> +<p>Provides the ability to convert any standard text file into +a syslog message. A standard +text file is a file consisting of printable characters with lines +being delimited by LF.</p> +<p>The file is read line-by-line and any line read is passed to +rsyslog's rule engine. The rule engine applies filter conditions and +selects which actions needs to be carried out. Empty lines are <b>not</b> +processed, as they would result in empty syslog records. They are simply +ignored.</p> +<p>As new lines are written they are taken from the file and +processed. Please note that this happens based on a polling interval +and not immediately. The file monitor support file rotation. To fully +work, rsyslogd must run while the file is rotated. Then, any remaining +lines from the old file are read and processed and when done with that, +the new file is being processed from the beginning. If rsyslogd is +stopped during rotation, the new file is read, but any not-yet-reported +lines from the previous file can no longer be obtained.</p> +<p>When rsyslogd is stopped while monitoring a text file, it +records the last processed location and continues to work from there +upon restart. So no data is lost during a restart (except, as noted +above, if the file is rotated just in this very moment).</p> +<p>Currently, the file must have a fixed name and location +(directory). It is planned to add support for dynamically generating +file names in the future.</p> +<p>Multiple files may be monitored by specifying +$InputRunFileMonitor multiple times. +</p> + +<p><b>Configuration Directives</b>:</p> +<p><b>Module Directives</b></p> +<ul> +<li><span style="font-weight: bold;">PollingInterval +seconds</span><br> +This is a global setting. It specifies how often files are to be polled +for new data. The time specified is in seconds. The <span style="font-weight: bold;">default value</span> is 10 +seconds. Please note that future +releases of imfile may support per-file polling intervals, but +currently this is not the case. If multiple PollingInterval +statements are present in rsyslog.conf, only the last one is used.<br> +A short poll interval provides more rapid message forwarding, but +requires more system resources. While it is possible, we stongly +recommend not to set the polling interval to 0 seconds. That will make +rsyslogd become a CPU hog, taking up considerable resources. It is +supported, however, for the few very unusual situations where this +level may be needed. Even if you need quick response, 1 seconds should +be well enough. Please note that imfile keeps reading files as long as +there is any data in them. So a "polling sleep" will only happen when +nothing is left to be processed.</li> +</ul> + +<p><b>Action Directives</b></p> +<ul> +<li><strong>(required) File /path/to/file</strong><br> +The file being monitored. So far, this must be an absolute name (no +macros or templates)</li> +<li><span style="font-weight: bold;">(required) Tag +tag:</span><br> +The tag to be used for messages that originate from this file. If you +would like to see the colon after the tag, you need to specify it here +(as shown above).</li> +<li><span style="font-weight: bold;">(required) StateFile +<name-of-state-file></span><br> +Rsyslog must keep track of which parts of the to be monitored file it +already processed. This is done in the state file. This file always is +created in the rsyslog working directory (configurable via +$WorkDirectory). Be careful to use unique names for different files +being monitored. If there are duplicates, all sorts of "interesting" +things may happen. Rsyslog currently does not check if a name is +specified multiple times. +Note that when $WorkDirectory is not set or set to a non-writable +location, the state file will not be generated.</li> +<li><span style="font-weight: bold;">Facility +facility</span><br> +The syslog facility to be assigned to lines read. Can be specified in +textual form (e.g. "local0", "local1", ...) or as numbers (e.g. 128 for +"local0"). Textual form is suggested. <span style="font-weight: bold;">Default</span> is +"local0".<span style="font-weight: bold;"></span></li> +<li><span style="font-weight: bold;">Severity</span><br> +The +syslog severity to be assigned to lines read. Can be specified in +textual form (e.g. "info", "warning", ...) or as numbers (e.g. 4 for +"info"). Textual form is suggested. <span style="font-weight: bold;">Default</span> +is "notice".</li> +<li><b>PersistStateInterval</b> [lines]</b><br> +Specifies how often the state file shall be written when processing the input +file. The <strong>default</strong> value is 0, which means a new state file is only written when +the monitored files is being closed (end of rsyslogd execution). Any other +value n means that the state file is written every time n file lines have +been processed. This setting can be used to guard against message duplication due +to fatal errors (like power fail). Note that this setting affects imfile +performance, especially when set to a low value. Frequently writing the state +file is very time consuming. +<li><b>ReadMode</b> [mode]</b><br> +This mode should defined when having multiline messages. The value can range from 0-2 and determines the multiline detection method. +<br>0 (<strong>default</strong>) - line based (Each line is a new message) +<br>1 - paragraph (There is a blank line between log messages) +<br>2 - indented (New log messages start at the beginning of a line. If a line starts with a space it is part of the log message before it) +<li><b>MaxLinesAtOnce</b> [number]</b> +<br> +This is useful if multiple files need to be monitored. If set to 0, each file +will be fully processed and then processing switches to the next file +(this was the default in previous versions). If it is set, a maximum of +[number] lines is processed in sequence for each file, and then the file is +switched. This provides a kind of mutiplexing the load of multiple files and +probably leads to a more natural distribution of events when multiple busy files +are monitored. The <strong>default</strong> is 1024. +<li><b>MaxSubmitAtOnce</b> [number]</b> +<br> +This is an expert option. It can be used to set the maximum input batch size that +imfile can generate. The <strong>default</strong> is 1024, which is suitable for a wide range of +applications. Be sure to understand rsyslog message batch processing before you +modify this option. If you do not know what this doc here talks about, this is a +good indication that you should NOT modify the default. +<li><b>Ruleset</b> <ruleset> +Binds the listener to a specific <a href="multi_ruleset.html">ruleset</a>.</li> +</ul> +<b>Caveats/Known Bugs:</b> +<p>So far, only 100 files can be monitored. If more are needed, +the source needs to be patched. See define MAX_INPUT_FILES in imfile.c</p><p>Powertop +users may want to notice that imfile utilizes polling. Thus, it is no +good citizen when it comes to conserving system power consumption. We +are currently evaluating to move to inotify(). However, there are a +number of subtle issues, which needs to be worked out first. We will +make the change as soon as we can. If you can afford it, we recommend +using a long polling interval in the mean time. +</p> +<p><b>Sample:</b></p> +<p>The following sample monitors two files. If you need just one, +remove the second one. If you need more, add them according to the +sample ;). This code must be placed in /etc/rsyslog.conf (or wherever +your distro puts rsyslog's config files). Note that only commands +actually needed need to be specified. The second file uses less +commands and uses defaults instead.<br> +</p> +<textarea rows="15" cols="60">module(load="imfile" PollingInterval="10") #needs to be done just once # File 1 -input(type="imfile" - File="/path/to/file1" - Tag="tag1" - StateFile="statefile1" - Severity="error" - Facility="local7") +input(type="imfile" File="/path/to/file1" + Tag="tag1" + StateFile="statefile1" + Severity="error" + Facility="local7") # File 2 -input(type="imfile" - File="/path/to/file2" - Tag="tag2" - StateFile="statefile2") -# ... and so on ... #</textarea></p> - <p> - <b>Legacy Configuration Directives</b>:</p> - <ul> - <li> - <strong>$InputFileName /path/to/file</strong><br /> - equivalent to: File</li> - <li> - <span style="font-weight: bold;">$InputFileTag tag:</span><br /> - equivalent to: Tag</li> - <li> - <span style="font-weight: bold;">$InputFileStateFile <name-of-state-file></span><br /> - equivalent to: StateFile</li> - <li> - <span style="font-weight: bold;">$InputFileFacility facility</span><br /> - equivalent to: Facility</li> - <li> - <span style="font-weight: bold;">$InputFileSeverity</span><br /> - equivalent to: Severity</li> - <li> - <span style="font-weight: bold;">$InputRunFileMonitor</span><br /> - This <span style="font-weight: bold;">activates</span> the current monitor. It has no parameters. If you forget this directive, no file monitoring will take place.</li> - <li> - <span style="font-weight: bold;">$InputFilePollInterval seconds</span><br /> - equivalent to: PollingInterva</li> - <li> - <b>$InputFilePersistStateInterval</b> [lines]<br /> - Available in 4.7.3+, 5.6.2+<br /> - equivalent to: PersistStateInterval</li> - <li> - <b>$InputFileReadMode</b> [mode]<br /> - Available in 5.7.5+<br /> - equivalent to: ReadMode</li> - <li> - <b>$InputFileMaxLinesAtOnce</b> [number]<br /> - Available in 5.9.0+<br /> - equivalent to: MaxLinesAtOnce</li> - <li> - $InputFileBindRuleset <ruleset><br /> - Available in 5.7.5+, 6.1.5+<br /> - equivalent to: Ruleset</li> - </ul> - <p> - <b>Caveats/Known Bugs:</b></p> - <p> - So far, only 100 files can be monitored. If more are needed, the source needs to be patched. See define MAX_INPUT_FILES in imfile.c</p> - <p> - Powertop users may want to notice that imfile utilizes polling. Thus, it is no good citizen when it comes to conserving system power consumption. We are currently evaluating to move to inotify(). However, there are a number of subtle issues, which needs to be worked out first. We will make the change as soon as we can. If you can afford it, we recommend using a long polling interval in the mean time.</p> - <p> - <b>Sample:</b></p> - <p> - The following sample monitors two files. If you need just one, remove the second one. If you need more, add them according to the sample ;). This code must be placed in /etc/rsyslog.conf (or wherever your distro puts rsyslog's config files). Note that only commands actually needed need to be specified. The second file uses less commands and uses defaults instead.</p> - <p> - <textarea cols="60" rows="15">$ModLoad imfile # needs to be done just once +input(type="imfile" File="/path/to/file2" + Tag="tag2" + StateFile="statefile2") +# ... and so on ... +# +</textarea> + + +<p><b>Legacy Configuration Directives</b>:</p> +<ul> +<li><strong>$InputFileName /path/to/file</strong><br> +equivalent to: File </li> +<li><span style="font-weight: bold;">$InputFileTag +tag:</span><br> +equivalent to: Tag </li> +<li><span style="font-weight: bold;">$InputFileStateFile +<name-of-state-file></span><br> +equivalent to: StateFile </li> +<li><span style="font-weight: bold;">$InputFileFacility +facility</span><br> +equivalent to: Facility </span></li> +<li><span style="font-weight: bold;">$InputFileSeverity</span><br> +equivalent to: Severity</li> +<li><span style="font-weight: bold;">$InputRunFileMonitor</span><br> +This <span style="font-weight: bold;">activates</span> +the current monitor. It has no parameters. If you forget this +directive, no file monitoring will take place.</li> +<li><span style="font-weight: bold;">$InputFilePollInterval +seconds</span><br> +equivalent to: PollingInterval</li> +<li><b>$InputFilePersistStateInterval</b> [lines]</b><br> +Available in 4.7.3+, 5.6.2+<br> +equivalent to: PersistStateInterval +<li><b>$InputFileReadMode</b> [mode]</b><br> +Available in 5.7.5+<br> +equivalent to: ReadMode +<li><b>$InputFileMaxLinesAtOnce</b> [number]</b><br> +Available in 5.9.0+<br> +equivalent to: MaxLinesAtOnce +<li>$InputFileBindRuleset <ruleset><br> +Available in 5.7.5+, 6.1.5+<br> +equivalent to: Ruleset </li> +</ul> +<b>Caveats/Known Bugs:</b> +<p>So far, only 100 files can be monitored. If more are needed, +the source needs to be patched. See define MAX_INPUT_FILES in imfile.c</p><p>Powertop +users may want to notice that imfile utilizes polling. Thus, it is no +good citizen when it comes to conserving system power consumption. We +are currently evaluating to move to inotify(). However, there are a +number of subtle issues, which needs to be worked out first. We will +make the change as soon as we can. If you can afford it, we recommend +using a long polling interval in the mean time. +</p> +<p><b>Sample:</b></p> +<p>The following sample monitors two files. If you need just one, +remove the second one. If you need more, add them according to the +sample ;). This code must be placed in /etc/rsyslog.conf (or wherever +your distro puts rsyslog's config files). Note that only commands +actually needed need to be specified. The second file uses less +commands and uses defaults instead.<br> +</p> +<textarea rows="15" cols="60">$ModLoad imfile # needs to be done just once # File 1 $InputFileName /path/to/file1 $InputFileTag tag1: @@ -158,18 +220,21 @@ $InputFileStateFile stat-file1 $InputFileSeverity error $InputFileFacility local7 $InputRunFileMonitor -# File 2 -$InputFileName /path/to/file2 -$InputFileTag tag2: -$InputFileStateFile stat-file2 -$InputRunFileMonitor -# ... and so on ... # -# check for new lines every 10 seconds -$InputFilePollingInterval 10</textarea></p> - <p> - [<a href="rsyslog_conf.html">rsyslog.conf overview</a>] [<a href="manual.html">manual index</a>] [<a href="http://www.rsyslog.com/">rsyslog site</a>]</p> - <p> - <font size="2">This documentation is part of the <a href="http://www.rsyslog.com/">rsyslog</a> project.<br /> - Copyright © 2008 by <a href="http://www.gerhards.net/rainer">Rainer Gerhards</a> and <a href="http://www.adiscon.com/">Adiscon</a>. Released under the GNU GPL version 3 or higher.</font></p> - </body> -</html> +# File 2 +$InputFileName /path/to/file2 +$InputFileTag tag2: +$InputFileStateFile stat-file2 +$InputRunFileMonitor +# ... and so on ... +# +# check for new lines every 10 seconds +$InputFilePollInterval 10 +</textarea> +<p>[<a href="rsyslog_conf.html">rsyslog.conf overview</a>] +[<a href="manual.html">manual index</a>] [<a href="http://www.rsyslog.com/">rsyslog site</a>]</p> +<p><font size="2">This documentation is part of the +<a href="http://www.rsyslog.com/">rsyslog</a> project.<br> +Copyright © 2008 by <a href="http://www.gerhards.net/rainer">Rainer +Gerhards</a> and <a href="http://www.adiscon.com/">Adiscon</a>. +Released under the GNU GPL version 3 or higher.</font></p> +</body></html> diff --git a/doc/impstats.html b/doc/impstats.html index 8db9c6f6..392fc431 100644 --- a/doc/impstats.html +++ b/doc/impstats.html @@ -81,6 +81,12 @@ If set to on, stats messages are emitted as structured cee-enhanced syslog. If set to off, legacy format is used (which is compatible with pre v6-rsyslog). </li> </ul> +<p><b>See Also</b> +<ul> +<li><a href="http://www.rsyslog.com/rsyslog-statistic-counter/">rsyslog statistics counter</a></li> +<li><a href="http://www.rsyslog.com/impstats-delayed-or-lost/">impstats delayed or lost</a> - cause and cure +</ul> +</p> <b>Caveats/Known Bugs:</b> <ul> <li>This module MUST be loaded right at the top of rsyslog.conf, otherwise diff --git a/doc/imuxsock.html b/doc/imuxsock.html index 0affe8c3..e89a67aa 100644 --- a/doc/imuxsock.html +++ b/doc/imuxsock.html @@ -180,7 +180,13 @@ oneself has the advantage that a limited amount of messages may be queued by the OS if rsyslog is not running. </li> </ul> - +<p><b>See Also</b> +<ul> +<li><a href="http://www.rsyslog.com/what-are-trusted-properties/">What are "trusted properties"?</a></li> +<li><a href="http://www.rsyslog.com/why-does-imuxsock-not-work-on-solaris/">Why does imuxsock not work +on Solaris?</a></li> +</ul> +</p> <b>Caveats/Known Bugs:</b><br> <ul> <li>There is a compile-time limit of 50 concurrent sockets. If you need more, you need to diff --git a/doc/manual.html b/doc/manual.html index bc57c136..a8477bcd 100644 --- a/doc/manual.html +++ b/doc/manual.html @@ -19,7 +19,7 @@ professional services</a> available directly from the source!</p> <p><b>Please visit the <a href="http://www.rsyslog.com/sponsors">rsyslog sponsor's page</a> to honor the project sponsors or become one yourself!</b> We are very grateful for any help towards the project goals.</p> -<p><b>This documentation is for version 7.4.1 (v7.4-stable branch) of rsyslog.</b> +<p><b>This documentation is for version 7.4.6 (v7.4-stable branch) of rsyslog.</b> Visit the <i><a href="http://www.rsyslog.com/status">rsyslog status page</a></i></b> to obtain current version information and project status. </p><p><b>If you like rsyslog, you might diff --git a/doc/mmanon.html b/doc/mmanon.html index 16065a1f..e14d75cf 100644 --- a/doc/mmanon.html +++ b/doc/mmanon.html @@ -18,14 +18,7 @@ Note that anonymization will break digital signatures on the message, if they exist. <p><i>How are IP-Addresses defined?</i> <p>We assume that an IP address consists of four octets in dotted notation, -where each of the octets has a value between 0 and 255, inclusively. After -the last octet, there must be either a space or a colon. So, for example, -"1.2.3.4 Test" and "1.2.3.4:514 Test" are detected as containing valid IP -addresses, whereas this is not the case for "1.2.300.4 Test" or -"1.2.3.4-Test". The message text may contain multiple addresses. If so, -each of them is anonimized (according to the same rules). -<b>Important:</b> We may change the set of acceptable characters after -the last octet in the future, if there are good reasons to do so. +where each of the octets has a value between 0 and 255, inclusively. <p> </p> <p><b>Module Configuration Parameters</b>:</p> diff --git a/doc/mmnormalize.html b/doc/mmnormalize.html index 787bd957..81100235 100644 --- a/doc/mmnormalize.html +++ b/doc/mmnormalize.html @@ -46,6 +46,17 @@ parameter. <li>$mmnormalizeUseRawMsg <on/off> - equivalent to the "useRawMsg" parameter. </ul> +<p><b>See Also</b> +<ul> +<li><a href="http://www.rsyslog.com/normalizer-first-steps-for-mmnormalize/">First steps for mmnormalize</a></li> +<li><a href="http://www.rsyslog.com/log-normalization-and-special-characters/">Log normalization and +special characters</a></li> +<li><a href="http://www.rsyslog.com/log-normalization-and-the-leading-space/">Log normalization and +the leading space</a></li> +<li><a href="http://www.rsyslog.com/using-rsyslog-mmnormalize-module-effectively-with-adiscon-loganalyzer/">Using +mmnormalize effectively with Adiscon LogAnalyzer</a></li> +</ul> +</p> <b>Caveats/Known Bugs:</b> <p>None known at this time. </ul> diff --git a/doc/omfile.html b/doc/omfile.html index cd53fd1d..0f64f26f 100644 --- a/doc/omfile.html +++ b/doc/omfile.html @@ -97,7 +97,31 @@ sets a new default template for file actions.<br></li><br> </ul> -<p><b>Caveats/Known Bugs:</b></p><ul><li>None.</li></ul> +<p><b>See Also</b> +<ul> +<li><a href="http://www.rsyslog.com/how-to-sign-log-messages-through-signature-provider-guardtime/">Sign log messages through signature provider Guardtime</a></li> +</ul> +</p> +<p><b>Caveats/Known Bugs:</b></p> +<ul> +<li>One needs to be careful with log rotation if signatures and/or encryption +are being used. These create side-files, which form a set and must be kept +together. +<br> +For signatures, the ".sigstate" file must NOT be rotated away if +signature chains are to be build across multiple files. This is because +.sigstate contains just global information for the whole file set. However, +all other files need to be rotated together. The proper sequence is to + <ol> + <li> move all files inside the file set + <li> only AFTER this is completely done, HUP rsyslog + </ol> +This sequence will ensure that all files inside the set are atomically +closed and in sync. HUPing only after a subset of files have been moved +results in inconsistencies and will most probably render the file set +unusable. +</li> +</ul> <p><b>Sample:</b></p> <p>The following command writes all syslog messages into a file.</p> <textarea rows="5" cols="60">Module (load="builtin:omfile") diff --git a/doc/omfwd.html b/doc/omfwd.html index 53f9e527..a541dd27 100644 --- a/doc/omfwd.html +++ b/doc/omfwd.html @@ -56,6 +56,11 @@ Permits to resend the last message when a connection is reconnected. This setting affects TCP-based syslog, only. It is most useful for traditional, plain TCP syslog. Using this protocol, it is not always possible to know which messages were successfully transmitted to the receiver when a connection breaks. In many cases, the last message sent is lost. By switching this setting to "yes", rsyslog will always retransmit the last message when a connection is reestablished. This reduces potential message loss, but comes at the price that some messages may be duplicated (what usually is more acceptable). <br></li><br> </ul> +<p><b>See Also</b> +<ul> +<li><a href="http://www.rsyslog.com/encrypted-disk-queues/">Encrypted Disk Queues</a></li> +</ul> +</p> <p><b>Caveats/Known Bugs:</b></p><ul><li>None.</li></ul> <p><b>Sample:</b></p> <p>The following command sends all syslog messages to a remote server via TCP port 10514.</p> diff --git a/doc/omruleset.html b/doc/omruleset.html index 41d6ccfc..f0d5f7bd 100644 --- a/doc/omruleset.html +++ b/doc/omruleset.html @@ -122,6 +122,11 @@ $ActionOmrulesetRulesetName nested # of course, we can have "regular" actions alongside :omrulset: actions *.* /path/to/general-message-file.log </textarea> +<p><b>See Also</b> +<ul> +<li><a href="http://www.rsyslog.com/rulesets-and-rsyslog-7-2/">Calling rulesets since rsyslog 7.2</a></li> +</ul> +</p> <p><b>Caveats/Known Bugs:</b> <p>The current configuration file language is not really adequate for a complex construct like omruleset. Unfortunately, more important work is currently preventing me from redoing the diff --git a/doc/property_replacer.html b/doc/property_replacer.html index 13ff41c3..7218c22e 100644 --- a/doc/property_replacer.html +++ b/doc/property_replacer.html @@ -746,13 +746,15 @@ use drop-cc and "drop-cc,escape-cc" will use escape-cc mode. options. It was initially introduced to support the "jsonf" option, for which it provides the capability to set an alternative field name. If it is not specified, it defaults to the property name. -<h2>Further Links</h2> +<b>See also</b> <ul> <li>Article on "<a href="rsyslog_recording_pri.html">Recording the Priority of Syslog Messages</a>" (describes use of templates to record severity and facility of a message)</li> <li><a href="rsyslog_conf.html">Configuration file format</a>, this is where you actually use the property replacer.</li> +<li><a href="http://www.rsyslog.com/what-is-the-difference-between-timereported-and-timegenerated/"> +Difference between timereported and timegenerated.</li> </ul> <p>[<a href="manual.html">manual index</a>] [<a href="rsyslog_conf.html">rsyslog.conf</a>] diff --git a/doc/queues.html b/doc/queues.html index 75b70fbf..85df9fef 100644 --- a/doc/queues.html +++ b/doc/queues.html @@ -386,6 +386,11 @@ it terminates. This includes data elements there were begun being processed by workers that needed to be cancelled due to too-long processing. For a large queue, this operation may be lengthy. No timeout applies to a required shutdown save.</p> +<p><b>See Also</b> +<ul> +<li><a href="http://www.rsyslog.com/encrypted-disk-queues/">Encrypted Disk Queues</a></li> +</ul> +</p> [<a href="manual.html">manual index</a>] [<a href="rsyslog_conf.html">rsyslog.conf</a>] [<a href="http://www.rsyslog.com/">rsyslog site</a>]</p> diff --git a/doc/rsyslog_conf_filter.html b/doc/rsyslog_conf_filter.html index a795193f..c8a40b6c 100644 --- a/doc/rsyslog_conf_filter.html +++ b/doc/rsyslog_conf_filter.html @@ -275,6 +275,11 @@ supported (except for "not" as outlined above). Please note that while it is possible to query facility and severity via property-based filters, it is far more advisable to use classic selectors (see above) for those cases.</p> +<p><b>See Also</b> +<ul> +<li><a href="http://www.rsyslog.com/filter-optimization-with-arrays/">Filter optimization with arrays</a></li> +</ul> +</p> <p>[<a href="manual.html">manual index</a>] [<a href="rsyslog_conf.html">rsyslog.conf</a>] [<a href="http://www.rsyslog.com/">rsyslog site</a>]</p> diff --git a/doc/rsyslog_conf_templates.html b/doc/rsyslog_conf_templates.html index 9a6e1619..562aa9a3 100644 --- a/doc/rsyslog_conf_templates.html +++ b/doc/rsyslog_conf_templates.html @@ -288,8 +288,8 @@ Note that the template string itself must be on a single line. <h4>Standard Template for Forwarding to a Remote Host (RFC3164 mode)</h4> <p><pre><code>template(name="ForwardFormat" type="list") { constant(value="<") - property(name="PRI") - constant(value="<") + property(name="pri") + constant(value=">") property(name="timestamp" dateFormat="rfc3339") constant(value=" ") property(name="hostname") @@ -524,7 +524,13 @@ $template TraditionalForwardFormat,"<%PRI%>%TIMESTAMP% %HOSTNAME% %syslogtag:1:3 <br><br> $template StdSQLFormat,"insert into SystemEvents (Message, Facility, FromHost, Priority, DeviceReportedTime, ReceivedAt, InfoUnitID, SysLogTag) values ('%msg%', %syslogfacility%, '%HOSTNAME%', %syslogpriority%, '%timereported:::date-mysql%', '%timegenerated:::date-mysql%', %iut%, '%syslogtag%')",SQL </code></p> - +<p><b>See Also</b> +<ul> +<li><a href="http://www.rsyslog.com/how-to-bind-a-template/">How to bind a template</a></li> +<li><a href="http://www.rsyslog.com/adding-the-bom-to-a-message/">Adding the BOM to a message</a></li> +<li><a href="http://www.rsyslog.com/article60/">How to separate log files by host name of the sending device</a></li> +</ul> +</p> <p>[<a href="manual.html">manual index</a>] [<a href="rsyslog_conf.html">rsyslog.conf</a>] [<a href="http://www.rsyslog.com/">rsyslog site</a>]</p> diff --git a/doc/rsyslog_packages.html b/doc/rsyslog_packages.html index 80ba96c5..014791a3 100644 --- a/doc/rsyslog_packages.html +++ b/doc/rsyslog_packages.html @@ -12,20 +12,29 @@ like to maintain a package for a new distribution, please mail me at appreciated. While I create the core daemon, the package maintainers are really filling it with life, making it available to the average user. I am very grateful for that!</p> -<p>This list has last been updated on 2008-07-11 by +<p>This list has last been updated on 2013-07-25 by <a href="http://www.adiscon.com/en/people/rainer-gerhards.php">Rainer Gerhards</a>. New packages may appear at any time, so be sure to check this page whenever you need a new one.</p> <ul> +<li><b>Ubuntu</b> (maintained by Adiscon) + <ul> + <li><a href="http://www.rsyslog.com/ubuntu-repository/">http://www.rsyslog.com/ubuntu-repository/</a> + </ul> + +<li><b>RHEL/CentOS</b> (maintained by Adiscon) + <ul> + <li><a href="http://www.rsyslog.com/rhelcentos-rpms/">http://www.rsyslog.com/rhelcentos-rpms/</a> + </ul> + <li><b>BSD</b> (maintained by infofarmer) <ul> - <li><a href="http://www.freshports.org/sysutils/rsyslog/"> http://www.freshports.org/sysutils/rsyslog/</a> + <li><a href="http://www.freshports.org/sysutils/rsyslog/">http://www.freshports.org/sysutils/rsyslog/</a> </ul> <li><b>CentOS 4.3</b> (maintained by James Bergamin) <ul> - <li><a href="http://www.se-community.com/~james/rsyslog/"> -http://www.se-community.com/~james/rsyslog/</a> + <li><a href="http://www.se-community.com/~james/rsyslog/">http://www.se-community.com/~james/rsyslog/</a> </ul> <li><b>Debian</b> (maintained by Michael Biebl) @@ -72,5 +81,10 @@ of the distribution name. <p>If you do not find a suitable package for your distribution, there is no reason to panic. It is quite simple to install rsyslog from the source tarball, so you should consider that. +<p><b>See Also</b> +<ul> +<li><a href="http://www.rsyslog.com/how-to-use-the-ubuntu-repository/">How to use the Ubuntu repository</a></li> +</ul> +</p> </body> </html> diff --git a/doc/sigprov_gt.html b/doc/sigprov_gt.html index caeee116..5ffd26d8 100644 --- a/doc/sigprov_gt.html +++ b/doc/sigprov_gt.html @@ -64,6 +64,12 @@ sig.keepRecordHashes requries). Note that both Tree and Record hashes can be kept inside the signature file. </li> </ul> +<p><b>See Also</b> +<ul> +<li><a href="http://www.rsyslog.com/how-to-sign-log-messages-through-signature-provider-guardtime/">How +to sign log messages through signature provider Guardtime</a></li> +</ul> +</p> <b>Caveats/Known Bugs:</b> <ul> <li>currently none known diff --git a/doc/troubleshoot.html b/doc/troubleshoot.html index 0f0c7fca..a0303a24 100644 --- a/doc/troubleshoot.html +++ b/doc/troubleshoot.html @@ -88,15 +88,19 @@ passwords or other sensitive data. If it does, you can change it to some <b>cons meaningless value. <b>Do not delete the lines</b>, as this renders the debug log unusable (and makes Rainer quite angry for wasted time, aka significantly reduces the chance he will remain motivated to look at your problem ;)). For the same reason, make sure -whatever you change is change consistently. Really! -<p>Debug log file can get quite large. Before submitting them, it is a good idea to zip them. -Rainer has handled files of around 1 to 2 GB. If your's is larger ask before submitting. Often, -it is sufficient to submit the first 2,000 lines of the log file and around another 1,000 around -the area where you see a problem. Also, -ask you can submit a file via private mail. Private mail is usually a good way to go for large files -or files with sensitive content. However, do NOT send anything sensitive that you do not want -the outside to be known. While Rainer so far made effort no to leak any sensitive information, -there is no guarantee that doesn't happen. If you need a guarantee, you are probably a +whatever you change is changed consistently. Really! +<p>While most debug log files are moderately large, some can get quite to extremly large. +For those on the larger side, it is a good idea to zip them. If the file is less than +around 100KiB, it's probably not necessary. +<p>A good place to post your debug log is at the +<a href="http://kb.monitorware.com/rsyslog-f40.html">rsyslog support forums</a>, together with +your question. This also enables us to keep track of the case. The forums accept attachments in +various common formats, but rejects others for security reasons. The zip, txt, and log extensions +are definitely permitted, so it probably is a good idea to use one of them. For others, please +simply try and revert to another format if the forum doesn't like what you used. +<p> +Please note that all information in your debug file is publically visiable. +If this is not acceptable for you, you are probably a candidate for a <a href="professional_support.html">commercial support contract</a>. Free support comes without any guarantees, include no guarantee on confidentiality [aka "we don't want to be sued for work were are not even paid for ;)]. @@ -156,7 +160,7 @@ need to program or do anything else except get a problem solved ;) [<a href="http://www.rsyslog.com/">rsyslog site</a>]</p> <p><font size="2">This documentation is part of the <a href="http://www.rsyslog.com/">rsyslog</a> project.<br> -Copyright © 2008-2010 by <a href="http://www.gerhards.net/rainer">Rainer Gerhards</a> and +Copyright © 2008-2013 by <a href="http://www.gerhards.net/rainer">Rainer Gerhards</a> and <a href="http://www.adiscon.com/">Adiscon</a>. Released under the GNU GPL version 3 or higher.</font></p> </body> |