1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
|
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Language" content="en">
<title>UDP Syslog Input Module (imudp)</title>
</head>
<body>
<a href="rsyslog_conf_modules.html">back to rsyslog module overview</a>
<h1>UDP Syslog Input Module</h1>
<p><b>Module Name: imudp</b></p>
<p><b>Author: </b>Rainer Gerhards <rgerhards@adiscon.com></p>
<p><b>Multi-Ruleset Support: </b>since 5.3.2
<p><b>Description</b>:</p>
<p>Provides the ability to receive syslog messages via UDP.
<p>Multiple receivers may be configured by specifying
multiple input actions.
</p>
<p><b>Configuration Parameters</b>:</p>
<p><b>Module Parameters</b>:</p>
<ul>
<li><b>TimeRequery</b> <nbr-of-times><br>
this is a performance
optimization. Getting the system time is very costly. With this setting, imudp can
be instructed to obtain the precise time only once every n-times. This logic is
only activated if messages come in at a very fast rate, so doing less frequent
time calls should usually be acceptable. The default value is two, because we have
seen that even without optimization the kernel often returns twice the identical time.
You can set this value as high as you like, but do so at your own risk. The higher
the value, the less precise the timestamp.
<li><b>SchedulingPolicy</b> <rr/fifo/other><br>
Can be used the set the scheduler priority, if the necessary functionality
is provided by the platform. Most useful to select "fifo" for real-time
processing under Linux (and thus reduce chance of packet loss).
<li><b>SchedulingPriority</b> <number><br>
Scheduling priority to use.
</ul>
<p><b>Action Parameters</b>:</p>
<ul>
<li><b>Address</b> <IP><br>
local IP address (or name) the UDP listens should bind to</li>
<li><b>Port</b> <port><br>
default 514, start UDP server on this port. Either a single port can be specified or an array of ports. If multiple ports are specified, a listener will be automatically started for each port. Thus, no additional inputs need to be configured.
<br>Single port: Port="514"
<br>Array of ports: Port=["514","515","10514","..."]</li>
<li><b>Ruleset</b> <ruleset><br>
Binds the listener to a specific <a href="multi_ruleset.html">ruleset</a>.</li>
<li><b>rcvbufSize</b> <size><br>
Available since 7.5.3+<br>
This request a socket receive buffer of specific size from the operating system.
It is an expert parameter, which should only be changed for a good reason. Note that
setting this parameter disables Linux auto-tuning, which usually works pretty well.
The default value is 0, which means "keep the OS buffer size unchanged". This is a size
value. So in addition to pure integer values, sizes like "256k", "1m" and the like can
be specified. Note that setting very large sizes may require root or other special
privileges. Also note that the OS may slightly adjust the value or shrink it to a
system-set max value if the user is not sufficiently privileged. Technically, this
parameter will result in a setsockopt() call with SO_RCVBUF (and SO_RCVBUFFORCE if it
is available).
</ul>
<b>Caveats/Known Bugs:</b>
<ul>
<li>Scheduling parameters are set <b>after</b> privileges have been dropped.
In most cases, this means that setting them will not be possible after
privilege drop. This may be worked around by using a sufficiently-privileged
user account.
</li>
</ul>
<p><b>Sample:</b></p>
<p>This sets up an UPD server on port 514:<br>
</p>
<textarea rows="4" cols="60">module(load="imudp") # needs to be done just once
input(type="imudp" port="514")
</textarea>
<p>The following sample is mostly equivalent to the first one, but request a
larger rcvuf size. Note that 1m most probably will not be honored by the OS
until the user is sufficiently privileged.</p>
<textarea rows="4" cols="60">module(load="imudp") # needs to be done just once
input(type="imudp" port="514" rcvbufSize="1m")
</textarea>
<p><b>Legacy Configuration Directives</b>:</p>
<p>Multiple receivers may be configured by specifying
$UDPServerRun multiple times.
</p>
<ul>
<li>$UDPServerAddress <IP><br>
equivalent to: Address </li>
<li>$UDPServerRun <port><br>
equivalent to: Port </li>
<li>$UDPServerTimeRequery <nbr-of-times><br>
equivalent to: TimeRequery
<li>$InputUDPServerBindRuleset <ruleset><br>
equivalent to: Ruleset </li>
<li>$IMUDPSchedulingPolicy <rr/fifo/other> Available since 4.7.4+, 5.7.3+, 6.1.3+.<br>
equivalent to: SchedulingPolicy
<li>$IMUDPSchedulingPriority <number> Available since 4.7.4+, 5.7.3+, 6.1.3+.<br>
equivalent to: SchedulingPriority
</ul>
<p><b>Legacy Sample:</b></p>
<p>This sets up an UPD server on port 514:<br>
</p>
<textarea rows="4" cols="60">$ModLoad imudp # needs to be done just once
$UDPServerRun 514
</textarea>
<p>[<a href="rsyslog_conf.html">rsyslog.conf overview</a>]
[<a href="manual.html">manual index</a>] [<a href="http://www.rsyslog.com/">rsyslog site</a>]</p>
<p><font size="2">This documentation is part of the
<a href="http://www.rsyslog.com/">rsyslog</a>
project.<br>
Copyright © 2009-2013 by <a href="http://www.gerhards.net/rainer">Rainer
Gerhards</a> and
<a href="http://www.adiscon.com/">Adiscon</a>.
Released under the GNU GPL version 3 or higher.</font></p>
</body></html>
|
