path: root/rsyslogd.8

RSYSLOGD(8)                        Linux System Administration                        RSYSLOGD(8)

NAME
       rsyslogd - reliable and extended syslogd

SYNOPSIS
       rsyslogd [ -4 ] [ -6 ] [ -A ] [ -d ] [ -f config file ]
       [ -i pid file ] [ -l hostlist ] [ -n ]
       [ -q ] [ -Q ] [ -s domainlist ] [ -v ] [ -w ] [ -x ]

DESCRIPTION
       Rsyslogd  is  a system utility providing support for message logging.  Support of both in-
       ternet and unix domain sockets enables this utility to support both local and remote  log-
       ging.

       Note that this version of rsyslog ships with extensive documentation in html format.  This
       is provided in the ./doc subdirectory and probably in a separate package if you  installed
       rsyslog  via  a packaging system.  To use rsyslog's advanced features, you need to look at
       the html documentation, because the man pages only cover basic aspects of operation.

       Rsyslogd(8) is derived from the sysklogd package which in turn is derived from  the  stock
       BSD sources.

       Rsyslogd  provides  a kind of logging that many modern programs use.  Every logged message
       contains at least a time and a hostname field, normally a program  name  field,  too,  but
       that depends on how trusty the logging program is. The rsyslog package supports free defi-
       nition of output formats via templates. It also supports precise  timestamps  and  writing
       directly to databases. If the database option is used, tools like phpLogCon can be used to
       view the log data.

       While the rsyslogd sources have been heavily modified a couple  of  notes  are  in  order.
       First  of  all there has been a systematic attempt to ensure that rsyslogd follows its de-
       fault, standard BSD behavior. Of course, some configuration file changes are necessary  in
       order  to  support the template system. However, rsyslogd should be able to use a standard
       syslog.conf and act like the orginal syslogd. However, an original syslogd will  not  work
       correctly  with  a  rsyslog-enhanced  configuration  file. At best, it will generate funny
       looking file names.  The second important concept to note is that this version of rsyslogd
       interacts  transparently with the version of syslog found in the standard libraries.  If a
       binary linked to the standard shared libraries fails to function correctly we  would  like
       an example of the anomalous behavior.

       The  main  configuration  file /etc/rsyslog.conf or an alternative file, given with the -f
       option, is read at startup.  Any lines that begin with the hash  mark  (``#'')  and  empty
       lines  are ignored.  If an error occurs during parsing the error element is ignored. It is
       tried to parse the rest of the line.

       For details and configuration examples, see the rsyslog.conf (5) man page.

OPTIONS
       -A     When sending UDP messages, there are potentially multiple pathes to the target des-
              tination.  By  default, rsyslogd only sends to the first target it can successfully
              send to. If -A is given, messages are sent to all targets. This may improve  relia-
              bility,  but  may also cause message duplicaton. This option should enabled only if
              it is fully understood.

       -4     Causes rsyslogd to listen to IPv4 addresses only.  If neither -4 nor -6  is  given,
              rsyslogd listens to all configured addresses of the system.

       -6     Causes  rsyslogd  to listen to IPv6 addresses only.  If neither -4 nor -6 is given,
              rsyslogd listens to all configured addresses of the system.

       -d     Turns on debug mode.  Using this the daemon will not proceed a fork(2) to  set  it-
              self  in the background, but opposite to that stay in the foreground and write much
              debug information on the current tty.  See the DEBUGGING section for more  informa-
              tion.

       -f config file
              Specify  an  alternative  configuration file instead of /etc/rsyslog.conf, which is
              the default.

       -i pid file
              Specify an alternative pid file instead of the default one.  This  option  must  be
              used if multiple instances of rsyslogd should run on a single machine.

       -l hostlist
              Specify  a hostname that should be logged only with its simple hostname and not the
              fqdn.  Multiple hosts may be specified using the colon (``:'') separator.

       -n     Avoid auto-backgrounding.  This is needed especially if the rsyslogd is started and
              controlled by init(8).

       -q add hostname if DNS fails during ACL processing
              During  ACL  processing, hostnames are resolved to IP addreses for performance rea-
              sons. If DNS fails during that process, the hostname is  added  as  wildcard  text,
              which results in proper, but somewhat slower operation once DNS is up again.

       -Q do not resolve hostnames during ACL processing
              Do not resolve hostnames to IP addresses during ACL processing.

       -s domainlist
              Specify  a domainname that should be stripped off before logging.  Multiple domains
              may be specified using the colon (``:'') separator.  Please be advised that no sub-
              domains  may  be  specified but only entire domains.  For example if -s north.de is
              specified and the host logging resolves to satu.infodrom.north.de no  domain  would
              be cut, you will have to specify two domains like: -s north.de:infodrom.north.de.

       -v     Print version and exit.

       -w     Supress  warnings  issued  when  messages are received from non-authorized machines
              (those, that are in no AllowedSender list).

       -x     Disable DNS for remote messages.

SIGNALS
       Rsyslogd reacts to a set of signals.  You may easily send a signal to rsyslogd  using  the
       following:

              kill -SIGNAL $(cat /var/run/syslogd.pid)

       Note  that  -SIGNAL  must  be replaced with the actual signal you are trying to send, e.g.
       with HUP. So it then becomes:

              kill -HUP $(cat /var/run/syslogd.pid)

       HUP    This lets rsyslogd perform a re-initialization.  All open  files  are  closed,  the
              configuration file (default is /etc/rsyslog.conf) will be reread and the rsyslog(3)
              facility is started again.

       TERM ,  INT ,  QUIT
              Rsyslogd will die.

       USR1   Switch debugging on/off.  This option can only be used if rsyslogd is started  with
              the -d debug option.

       CHLD   Wait for childs if some were born, because of wall'ing messages.

SUPPORT FOR REMOTE LOGGING
       Rsyslogd  provides  network  support  to the syslogd facility.  Network support means that
       messages can be forwarded from one node running rsyslogd to another node running  rsyslogd
       (or a compatible syslog implementation).  actually logged to a disk file.

       To  enable  this,  proper  configuration commands must be entered in rsyslog.conf. See the
       rsyslog.conf html documentation for details.

       The strategy is to have rsyslogd listen on a unix domain socket for locally generated  log
       messages.  This behavior will allow rsyslogd to inter-operate with the syslog found in the
       standard C library.  At the same time rsyslogd listens on the  standard  syslog  port  for
       messages forwarded from other hosts.

OUTPUT TO DATABASES
       Rsyslogd  has  support  for  writing  data to database tables. The exact specifics are de-
       scribed in the rsyslog.conf (5) html documentation. Be sure to read it if you plan to  use
       database logging.

OUTPUT TO NAMED PIPES (FIFOs)
       Rsyslogd  has support for logging output to named pipes (fifos).  A fifo or named pipe can
       be used as a destination for log messages by prepending a pipy symbol (``|'') to the  name
       of  the  file.   This is handy for debugging.  Note that the fifo must be created with the
       mkfifo command before rsyslogd is started.

              The following configuration file routes debug messages from the kernel to a fifo:

                   # Sample configuration to route kernel debugging
                   # messages ONLY to /usr/adm/debug which is a
                   # named pipe.
                   kern.=debug              |/usr/adm/debug

SECURITY THREATS
       There is the potential for the rsyslogd daemon to be used as a conduit  for  a  denial  of
       service  attack.   A  rogue  program(mer) could very easily flood the rsyslogd daemon with
       syslog messages resulting in the log files  consuming  all  the  remaining  space  on  the
       filesystem.   Activating logging over the inet domain sockets will of course expose a sys-
       tem to risks outside of programs or individuals on the local machine.

       There are a number of methods of protecting a machine:

       1.     Implement kernel firewalling to limit which hosts or networks have  access  to  the
              514/UDP socket.

       2.     Logging  can  be  directed  to an isolated or non-root filesystem which, if filled,
              will not impair the machine.

       3.     The ext2 filesystem can be used which can be configured to limit a certain percent-
              age of a filesystem to usage by root only.  NOTE that this will require rsyslogd to
              be run as a non-root process.  ALSO NOTE that this will  prevent  usage  of  remote
              logging  on  the  default port since rsyslogd will be unable to bind to the 514/UDP
              socket.

       4.     Disabling inet domain sockets will limit risk to the local machine.

   Message replay and spoofing
       If remote logging is enabled, messages can easily be spoofed and replayed.   As  the  mes-
       sages  are  transmitted in clear-text, an attacker might use the information obtained from
       the packets for malicious things. Also, an attacker might reply recorded messages or spoof
       a  sender's  IP  address, which could lead to a wrong perception of system activity. These
       can be prevented by using GSS-API authentication and encryption. Be sure  to  think  about
       syslog network security before enabling it.

DEBUGGING
       When  debugging is turned on using -d option then rsyslogd will be very verbose by writing
       much of what it does on stdout.

FILES
       /etc/rsyslog.conf
              Configuration file for rsyslogd.  See rsyslog.conf(5) for exact information.
       /dev/log
              The Unix domain socket to from where local syslog messages are read.
       /var/run/rsyslogd.pid
              The file containing the process id of rsyslogd.

BUGS
       Please review the file BUGS for up-to-date information on known bugs and annouyances.

Further Information
       Please visit http://www.rsyslog.com/doc for additional information, tutorials and  a  sup-
       port forum.

SEE ALSO
       rsyslog.conf(5), logger(1), syslog(2), syslog(3), services(5), savelog(8)

COLLABORATORS
       rsyslogd  is  derived from sysklogd sources, which in turn was taken from the BSD sources.
       Special  thanks  to   Greg   Wettstein   (greg@wind.enjellic.com)   and   Martin   Schulze
       (joey@linux.de) for the fine sysklogd package.

       Rainer Gerhards
       Adiscon GmbH
       Grossrinderfeld, Germany
       rgerhards@adiscon.com

Version 3.12.5 (devel)                    28 March 2008                               RSYSLOGD(8)