path: root/tools/rsyslog.conf.5

RSYSLOG.CONF(5)                    Linux System Administration                    RSYSLOG.CONF(5)

NAME
       rsyslog.conf - rsyslogd(8) configuration file

DESCRIPTION
       The rsyslog.conf file is the main configuration file for the rsyslogd(8) which logs system
       messages on *nix systems.  This file specifies rules for logging.   For  special  features
       see  the  rsyslogd(8)  manpage.  Ryslog.conf  is  backward-compatible with sysklogd's sys-
       log.conf file. So if you migrate from syklogd you can rename it and it should work.

       Note that this version of rsyslog ships with extensive documentation in html format.  This
       is  provided in the ./doc subdirectory and probably in a separate package if you installed
       rsyslog via a packaging system.  To use rsyslog's advanced features, you need to  look  at
       the html documentation, because the man pages only cover basic aspects of operation.

MODULES
       Rsyslog  has a modular design. Consequently, there is a growing number of modules. See the
       html documentation for their full description.

       omsnmp SNMP trap output module

       omgssapi
              Output module for GSS-enabled syslog

       ommysql
              Output module for MySQL

       omprelp
              Output module for the reliable RELP protocol (prevents message loss).  For details,
              see below at imrelp and the html documentation.  It can be used like this:

              *.*  :omrelp:server:port

              *.*  :omrelp:192.168.0.1:2514 # actual sample

       ompgsql
              Output module for PostgreSQL

       omlibdbi
              Generic  database  output  module (Firebird/Interbase, MS SQL, Sybase, SQLLite, In-
              gres, Oracle, mSQL)

       imfile Input module for text files

       imudp  Input plugin for UDP syslog. Replaces the deprecated -r option. Can  be  used  like
              this:

              $ModLoad imudp

              $InputUDPServerRun 514

       imtcp  Input  plugin  for plain TCP syslog. Replaces the deprecated -t option. Can be used
              like this:

              $ModLoad imtcp

              $InputTCPServerRun 514

       imtcp
              Input plugin for the RELP protocol. RELP can be used instead of UDP  or  plain  TCP
              syslog  to provide reliable delivery of syslog messages. Please note that plain TCP
              syslog does NOT provide truly reliable delivery, with it messages may be lost  when
              there is a connection problem or the server shuts down.  RELP prevents message loss
              in those cases.  It can be used like this:

              $ModLoad imrelp

              $InputRELPServerRun 2514

       imgssapi
              Input plugin for plain TCP and GSS-enable syslog

       immark Support for mark messages

       imklog Kernel logging. To include kernel log messages, you need to do

              $ModLoad imklog

              Please note that the klogd daemon is no longer necessary and consequently no longer
              provided by the rsyslog package.

       imuxsock
              Unix sockets, including the system log socket. You need to specify

              $ModLoad imudp

              in order to receive log messages from local system processes. This config directive
              should only left out if you know exactly what you are doing.

BASIC STRUCTURE
       Lines starting with a hash mark ('#') and empty lines are  ignored.   Rsyslog.conf  should
       contain following sections (sorted by recommended order in file):

       Global directives
              Global  directives  set some global properties of whole rsyslog daemon, for example
              size of main message queue ($MainMessageQueueSize), loading external modules ($Mod-
              Load) and so on.  All global directives need to be specified on a line by their own
              and must start with a dollar-sign. The complete list of global  directives  can  be
              found in html documentation in doc directory or online on web pages.

       Templates
              Templates allow you to specify format of the logged message. They are also used for
              dynamic file name generation. They have to be  defined  before  they  are  used  in
              rules. For more info about templates see TEMPLATES section of this manpage.

       Output channels
              Output  channels  provide  an  umbrella  for any type of output that the user might
              want.  They have to be defined before they are used in rules. For more  info  about
              output channels see OUTPUT CHANNELS section of this manpage.

       Rules (selector + action)
              Every rule line consists of two fields, a selector field and an action field. These
              two fields are separated by one or more spaces or tabs. The selector  field  speci-
              fies a pattern of facilities and priorities belonging to the specified action.

ACTIONS
       The action field of a rule describes what to do with the message. In general, message con-
       tent is written to a kind of "logfile". But also other actions might be done, like writing
       to a database table or forwarding to another host.

   Regular file
       Typically  messages are logged to real files. The file has to be specified with full path-
       name, beginning with a slash ('/').

       Example:
              *.*     /var/log/traditionalfile.log;RSYSLOG_TraditionalFormat      # log to a file
              in the traditional format

       Note:  if  you  would like to use high-precision timestamps in your log files, just remove
       the ";RSYSLOG_TraditionalFormat". That will select the default  template,  which,  if  not
       changed, uses RFC 3339 timestamps.

       Example:
              *.*     /var/log/file.log # log to a file with RFC3339 timestamps

   Named pipes
       This  version of rsyslogd(8) has support for logging output to named pipes (fifos). A fifo
       or named pipe can be used as a destination for log messages by prepending  a  pipe  symbol
       ('|')  to  the  name  of the file. This is handy for debugging. Note that the fifo must be
       created with the mkfifo(1) command before rsyslogd(8) is started.

   Terminal and console
       If the file you specified is a tty, special tty-handling is done, same with /dev/console.

   Remote machine
       There are three ways to forward message: the traditional UDP transport, which is extremely
       lossy but standard, the plain TCP based transport which loses messages only during certain
       situations but is widely available and the RELP transport which does not lose messages but
       is currently available only as part of rsyslogd 3.15.0 and above.

       To  forward messages to another host via UDP, prepend the hostname with the at sign ("@").
       To forward it via plain tcp, prepend two at signs ("@@"). To forward via RELP, prepend the
       string ":omrelp:" in front of the hostname.

       Example:
              *.* @192.168.0.1

       In  the example above, messages are forwarded via UDP to the machine 192.168.0.1, the des-
       tination port defaults to 514. Due to the nature of UDP, you will probably lose some  mes-
       sages in transit.  If you expect high traffic volume, you can expect to lose a quite noti-
       cable number of messages (the higher the traffic, the more likely and  severe  is  message
       loss).

       If you would like to prevent message loss, use RELP:
              *.* :omrelp:192.168.0.1:2514

       Note that a port number was given as there is no standard port for relp.

       Keep  in  mind  that  you need to load the correct input and output plugins (see "Modules"
       above).

       Please note that rsyslogd offers a variety of options in regarding to  remote  forwarding.
       For full details, please see the html documentation.

   List of users
       Usually critical messages are also directed to ``root'' on that machine. You can specify a
       list of users that shall get the message by simply writing the login. You may specify more
       than one user by separating them with commas (','). If they're logged in they get the mes-
       sage. Don't think a mail would be sent, that might be too late.

   Everyone logged on
       Emergency messages often go to all users currently online to notify  them  that  something
       strange  is  happening  with  the  system. To specify this wall(1)-feature use an asterisk
       ('*').

   Database table
       This allows logging of the message to a database table.  By default, a MonitorWare-compat-
       ible schema is required for this to work. You can create that schema with the createDB.SQL
       file that came with the rsyslog package. You can also use any other schema of your  liking
       - you just need to define a proper template and assign this template to the action.

       See the html documentation for further details on database logging.

   Discard
       If  the discard action is carried out, the received message is immediately discarded. Dis-
       card can be highly effective if you want to filter out some annoying messages that  other-
       wise  would  fill  your log files. To do that, place the discard actions early in your log
       files.  This often plays well with property-based filters, giving  you  great  freedom  in
       specifying what you do not want.

       Discard is just the single tilde character with no further parameters.

       Example:
              *.*   ~      # discards everything.

   Output channel
       Binds  an output channel definition (see there for details) to this action. Output channel
       actions must start with a $-sign, e.g. if you would like to bind your output channel defi-
       nition "mychannel" to the action, use "$mychannel". Output channels support template defi-
       nitions like all all other actions.

   Shell execute
       This executes a program in a subshell. The program is passed the  template-generated  mes-
       sage  as  the  only command line parameter. Rsyslog waits until the program terminates and
       only then continues to run.

       Example:
              ^program-to-execute;template

       The program-to-execute can be any valid executable. It receives the template string  as  a
       single parameter (argv[1]).

FILTER CONDITIONS
       Rsyslog offers three different types "filter conditions":
          * "traditional" severity and facility based selectors
          * property-based filters
          * expression-based filters

   Blocks
       Rsyslogd  supports  BSD-style blocks inside rsyslog.conf. Each block of lines is separated
       from the previous block by a program or hostname specification. A block will only log mes-
       sages  corresponding to the most recent program and hostname specifications given. Thus, a
       block which selects "ppp" as the program, directly followed by a block that  selects  mes-
       sages  from the hostname "dialhost", then the second block will only log messages from the
       ppp program on dialhost.

   Selectors
       Selectors are the traditional way of filtering syslog messages.  They have  been  kept  in
       rsyslog  with  their  original syntax, because it is well-known, highly effective and also
       needed for compatibility with stock syslogd configuration files. If you just need to  fil-
       ter  based  on priority and facility, you should do this with selector lines. They are not
       second-class citizens in rsyslog and offer the best performance for this job.

   Property-Based Filters
       Property-based filters are unique to rsyslogd. They allow to filter on any property,  like
       HOSTNAME, syslogtag and msg.

       A  property-based  filter must start with a colon in column 0. This tells rsyslogd that it
       is the new filter type. The colon must be followed by the property name, a comma, the name
       of  the  compare  operation  to  carry  out,  another  comma and then the value to compare
       against. This value must be quoted.  There can be spaces  and  tabs  between  the  commas.
       Property  names  and compare operations are case-sensitive, so "msg" works, while "MSG" is
       an invalid property name. In brief, the syntax is as follows:

              :property, [!]compare-operation, "value"

       The following compare-operations are currently supported:

              contains
                     Checks if the string provided in value is contained in the property

              isequal
                     Compares the "value" string provided and the property  contents.  These  two
                     values must be exactly equal to match.

              startswith
                     Checks if the value is found exactly at the beginning of the property value

              regex
                     Compares the property against the provided regular expression.

   Expression-Based Filters
       See the html documentation for this feature.

TEMPLATES
       Every  output  in rsyslog uses templates - this holds true for files, user messages and so
       on. Templates compatible with the stock syslogd formats are hardcoded into rsyslogd. If no
       template  is specified, we use one of these hardcoded templates. Search for "template_" in
       syslogd.c and you will find the hardcoded ones.

       A template consists of a template directive, a name, the actual template text and optional
       options. A sample is:

              $template MyTemplateName,"\7Text %property% some more text\n",<options>

       The "$template" is the template directive. It tells rsyslog that this line contains a tem-
       plate. The backslash is an escape character. For example, \7 rings the bell  (this  is  an
       ASCII value), \n is a new line. The set in rsyslog is a bit restricted currently.

       All  text in the template is used literally, except for things within percent signs. These
       are properties and allow you access to the contents of the syslog message. Properties  are
       accessed via the property replacer and it can for example pick a substring or do date-spe-
       cific formatting. More on this is the PROPERTY REPLACER section of this manpage.

       To escape:
          % = \%
          \ = \\ --> '\' is used to escape (as in C)
       $template TraditionalFormat,%timegenerated% %HOSTNAME% %syslogtag%%msg%0

       Properties can be accessed by the property replacer (see there for details).

       Please note that templates can also by used to generate selector lines with  dynamic  file
       names.   For  example,  if you would like to split syslog messages from different hosts to
       different files (one per host), you can define the following template:

              $template DynFile,"/var/log/system-%HOSTNAME%.log"

       This template can then be used when defining an output selector line. It  will  result  in
       something like "/var/log/system-localhost.log"

   Template options
       The <options> part is optional. It carries options influencing the template as whole.  See
       details below. Be sure NOT to mistake template options with property options -  the  later
       ones  are processed by the property replacer and apply to a SINGLE property, only (and not
       the whole template).

       Template options are case-insensitive. Currently defined are:

              sql    format the string suitable for a SQL statement in MySQL  format.  This  will
                     replace  single quotes ("'") and the backslash character by their backslash-
                     escaped counterpart ("'" and "\") inside each field.  Please  note  that  in
                     MySQL  configuration,  the  NO_BACKSLASH_ESCAPES mode must be turned off for
                     this format to work (this is the default).

              stdsql format the string suitable for a SQL statement that is to be sent to a stan-
                     dards-compliant  sql  server.  This  will replace single quotes ("'") by two
                     single quotes ("''") inside each field.  You must use stdsql  together  with
                     MySQL if in MySQL configuration the NO_BACKSLASH_ESCAPES is turned on.

       Either the sql or stdsql option MUST be specified when a template is used for writing to a
       database, otherwise injection might occur. Please note that due to  the  unfortunate  fact
       that  several vendors have violated the sql standard and introduced their own escape meth-
       ods, it is impossible to have a single option doing all the work.  So  you  yourself  must
       make sure you are using the right format.  If you choose the wrong one, you are still vul-
       nerable to sql injection.

       Please note that the database writer *checks* that the sql option is present in  the  tem-
       plate.  If it is not present, the write database action is disabled.  This is to guard you
       against accidental forgetting it and then becoming vulnerable to SQL  injection.  The  sql
       option  can also be useful with files - especially if you want to import them into a data-
       base on another machine for performance reasons. However, do NOT use it if you do not have
       a  real  need  for it - among others, it takes some toll on the processing time. Not much,
       but on a really busy system you might notice it ;)

       The default template for the write to database action has the sql option set.

   Template examples
       Please note that the samples are split across multiple lines. A template MUST NOT actually
       be split across multiple lines.

       A template that resembles traditional syslogd file output:

              $template TraditionalFormat,"%timegenerated% %HOSTNAME%
              %syslogtag%%msg:::drop-last-lf%0

       A template that tells you a little more about the message:

              $template precise,"%syslogpriority%,%syslogfacility%,%timegenerated%,%HOSTNAME%,
              %syslogtag%,%msg%0

       A template for RFC 3164 format:

              $template RFC3164fmt,"<%PRI%>%TIMESTAMP% %HOSTNAME% %syslogtag%%msg%"

       A template for the format traditionally used for user messages:

              $template usermsg," XXXX%syslogtag%%msg%0r"

       And a template with the traditional wall-message format:

              $template wallmsg,"\r\n\7Message from syslogd@%HOSTNAME% at %timegenerated%"

       A  template  that  can be used for writing to a database (please note the SQL template op-
       tion)

              $template MySQLInsert,"insert iut, message, receivedat values ('%iut%', '%msg:::UP-
              PERCASE%', '%timegenerated:::date-mysql%') into systemevents\r\n", SQL

              NOTE 1: This template is embedded into core application under name StdDBFmt , so
              you don't need to define it.

              NOTE 2: You have to have MySQL module installed to use this template.

OUTPUT CHANNELS
       Output Channels are a new concept first introduced in rsyslog 0.9.0. As of  this  writing,
       it  is most likely that they will be replaced by something different in the future.  So if
       you use them, be prepared to change you configuration file syntax when you  upgrade  to  a
       later release.

       Output channels are defined via an $outchannel directive. It's syntax is as follows:

              $outchannel name,file-name,max-size,action-on-max-size

       name  is  the  name of the output channel (not the file), file-name is the file name to be
       written to, max-size the maximum allowed size and action-on-max-size a command to  be  is-
       sued  when the max size is reached. This command always has exactly one parameter. The bi-
       nary is that part of action-on-max-size before the first space, its  parameter  is  every-
       thing behind that space.

       Keep in mind that $outchannel just defines a channel with "name". It does not activate it.
       To do so, you must use a selector line (see below). That selector line includes the  chan-
       nel name plus an $ sign in front of it. A sample might be:

              *.* $mychannel

PROPERTY REPLACER
       The  property  replacer  is a core component in rsyslogd's output system. A syslog message
       has a number of well-defined properties (see below). Each of this properties  can  be  ac-
       cessed and manipulated by the property replacer. With it, it is easy to use only part of a
       property value or manipulate the value, e.g. by converting all characters to lower case.

   Accessing Properties
       Syslog message properties are used inside templates. They are accessed by putting them be-
       tween  percent signs. Properties can be modified by the property replacer. The full syntax
       is as follows:

              %propname:fromChar:toChar:options%

       propname is the name of the property to access.  It is case-sensitive.

   Available Properties
       msg    the MSG part of the message (aka "the message" ;))

       rawmsg the message exactly as it was received from the socket. Should be useful for debug-
              ging.

       HOSTNAME
              hostname from the message

       FROMHOST
              hostname of the system the message was received from (in a relay chain, this is the
              system immediately in front of us and not necessarily the original sender)

       syslogtag
              TAG from the message

       programname
              the "static" part of the tag, as defined by BSD syslogd. For example, when  TAG  is
              "named[12345]", programname is "named".

       PRI    PRI part of the message - undecoded (single value)

       PRI-text
              the PRI part of the message in a textual form (e.g. "syslog.info")

       IUT    the monitorware InfoUnitType - used when talking to a MonitorWare backend (also for
              phpLogCon)

       syslogfacility
              the facility from the message - in numerical form

       syslogfacility-text
              the facility from the message - in text form

       syslogseverity
              severity from the message - in numerical form

       syslogseverity-text
              severity from the message - in text form

       timegenerated
              timestamp when the message was RECEIVED. Always in high resolution

       timereported
              timestamp from the message. Resolution depends on what was provided in the  message
              (in most cases, only seconds)

       TIMESTAMP
              alias for timereported

       PROTOCOL-VERSION
              The contents of the PROTOCOL-VERSION field from IETF draft draft-ietf-syslog-proto-
              col

       STRUCTURED-DATA
              The contents of the STRUCTURED-DATA field from IETF draft  draft-ietf-syslog-proto-
              col

       APP-NAME
              The contents of the APP-NAME field from IETF draft draft-ietf-syslog-protocol

       PROCID The contents of the PROCID field from IETF draft draft-ietf-syslog-protocol

       MSGID  The contents of the MSGID field from IETF draft draft-ietf-syslog-protocol

       $NOW   The current date stamp in the format YYYY-MM-DD

       $YEAR  The current year (4-digit)

       $MONTH The current month (2-digit)

       $DAY   The current day of the month (2-digit)

       $HOUR  The current hour in military (24 hour) time (2-digit)

       $MINUTE
              The current minute (2-digit)

       Properties  starting with a $-sign are so-called system properties. These do NOT stem from
       the message but are rather internally-generated.

   Character Positions
       FromChar and toChar are used to build substrings.  They  specify  the  offset  within  the
       string  that  should  be copied. Offset counting starts at 1, so if you need to obtain the
       first 2 characters of the message text, you can use this syntax: "%msg:1:2%".  If  you  do
       not  wish  to  specify from and to, but you want to specify options, you still need to in-
       clude the colons. For example, if you would like to convert the full message text to lower
       case,  use "%msg:::lowercase%". If you would like to extract from a position until the end
       of the string, you can place a dollar-sign ("$") in toChar (e.g.  %msg:10:$%,  which  will
       extract from position 10 to the end of the string).

       There  is also support for regular expressions.  To use them, you need to place a "R" into
       FromChar.  This tells rsyslog that a regular expression instead of position-based  extrac-
       tion  is desired. The actual regular expression must then be provided in toChar. The regu-
       lar expression must be followed by the string "--end". It denotes the end of  the  regular
       expression  and  will  not  become  part of it.  If you are using regular expressions, the
       property replacer will return the part of the property text that matches the  regular  ex-
       pression.  An  example  for  a  property  replacer  sequence with a regular expression is:
       "%msg:R:.*Sev:. \(.*\) \[.*--end%"

       Also, extraction can be done based on so-called "fields". To do so, place a "F" into From-
       Char. A field in its current definition is anything that is delimited by a delimiter char-
       acter. The delimiter by default is TAB (US-ASCII value 9). However, if can be  changed  to
       any  other  US-ASCII character by specifying a comma and the decimal US-ASCII value of the
       delimiter immediately after the "F". For example, to use comma (",") as a  delimiter,  use
       this  field specifier: "F,44".  If your syslog data is delimited, this is a quicker way to
       extract than via regular expressions (actually, a  *much*  quicker  way).  Field  counting
       starts  at  1.  Field zero is accepted, but will always lead to a "field not found" error.
       The same happens if a field number higher than the number of fields in the property is re-
       quested.  The  field number must be placed in the "ToChar" parameter. An example where the
       3rd field  (delimited  by  TAB)  from  the  msg  property  is  extracted  is  as  follows:
       "%msg:F:3%". The same example with semicolon as delimiter is "%msg:F,59:3%".

       Please  note  that  the special characters "F" and "R" are case-sensitive. Only upper case
       works, lower case will return an error. There are no white spaces permitted inside the se-
       quence (that will lead to error messages and will NOT provide the intended result).

   Property Options
       Property options are case-insensitive. Currently, the following options are defined:

       uppercase
              convert property to lowercase only

       lowercase
              convert property text to uppercase only

       drop-last-lf
              The last LF in the message (if any), is dropped. Especially useful for PIX.

       date-mysql
              format as mysql date

       date-rfc3164
              format as RFC 3164 date

       date-rfc3339
              format as RFC 3339 date

       escape-cc
              replace control characters (ASCII value 127 and values less then 32) with an escape
              sequence. The sequence is "#<charval>" where charval is the 3-digit  decimal  value
              of the control character. For example, a tabulator would be replaced by "#009".

       space-cc
              replace control characters by spaces

       drop-cc
              drop control characters - the resulting string will neither contain control charac-
              ters, escape sequences nor any other replacement character like space.

QUEUED OPERATIONS
       Rsyslogd supports queued operations to handle offline outputs (like  remote  syslogd's  or
       database  servers  being  down). When running in queued mode, rsyslogd buffers messages to
       memory and optionally to disk (on an as-needed basis). Queues survive rsyslogd restarts.

       It is highly suggested to use remote forwarding and database writing in queued mode, only.

       To learn more about queued operations, see the html documentation.

FILES
       /etc/rsyslog.conf
              Configuration file for rsyslogd

SEE ALSO
       rsyslogd(8), logger(1), syslog(3)

       The complete documentation can be found in the doc folder of the rsyslog  distribution  or
       online at

              http://www.rsyslog.com/doc

       Please note that the man page reflects only a subset of the configuration options. Be sure
       to read the html documentation for all features and details. This is especially  vital  if
       you plan to set up a more-then-extremely-simple system.

AUTHORS
       rsyslogd  is  taken from sysklogd sources, which have been heavily modified by Rainer Ger-
       hards (rgerhards@adiscon.com) and others.

Version 3.17.0                            07 April 2008                           RSYSLOG.CONF(5)