rsyslogd. A list of log files maintained by rsyslogd can be found in the /etc/rsyslog.conf configuration file.
sysklogd daemon. rsyslog supports the same functionality as sysklogd and extends it with enhanced filtering, encryption protected relaying of messages, various configuration options, or support for transportation via the TCP or UDP protocols. Note that rsyslog is compatible with sysklogd.
/etc/rsyslog.conf. It consists of global directives, rules or comments (any empty lines or any text following a hash sign (#)). Both global directives and rules are extensively described in the sections below.
rsyslogd daemon. They usually specify a value for a specific pre-defined variable that affects the behavior of the rsyslogd daemon or a rule that follows. All of the global directives must start with a dollar sign ($). Only one directive can be specified per line. The following is an example of a global directive that specifies the maximum size of the syslog message queue:
$MainMsgQueueSize 50000
10,000 messages) can be overridden by specifying a different value (as shown in the example above).
/etc/rsyslog.conf configuration file. A directive affects the behavior of all configuration options until another occurrence of that same directive is detected.
/usr/share/doc/rsyslog/rsyslog_conf_global.html.
$ModLoad <MODULE>
$ModLoad is the global directive that loads the specified module and <MODULE> represents your desired module. For example, if you want to load the Text File Input Module (imfile — enables rsyslog to convert any standard text files into syslog messages), specify the following line in your /etc/rsyslog.conf configuration file:
$ModLoad imfile
im prefix, such as imfile, imrelp, etc.
om prefix, such as omsnmp, omrelp, etc.
fm prefix.
pm prefix, such as pmrfc5424, pmrfc3164, etc.
sm prefix, such as smfile, smtradfile, etc.
Make sure you use trustworthy modules only
/etc/rsyslog.conf configuration file, define both a filter and an action on one line and separate them with one or more spaces or tabs. For more information on filters, refer to Section 17.1.3.1, “Filter Conditions” and for information on actions, refer to Section 17.1.3.2, “Actions”.
<FACILITY>.<PRIORITY>
mail subsystem handles all mail related syslog messages. <FACILITY> can be represented by one of these keywords: auth, authpriv, cron, daemon, kern, lpr, mail, news, syslog, user, uucp, and local0 through local7.
debug, info, notice, warning, err, crit, alert, and emerg.
=), you specify that only syslog messages with that priority will be selected. All other priorities will be ignored. Conversely, preceding a priority with an exclamation mark (!) selects all syslog messages but those with the defined priority. By not using either of these two extensions, you specify a selection of syslog messages with the defined or higher priority.
*) to define all facilities or priorities (depending on where you place the asterisk, before or after the dot). Specifying the keyword none serves for facilities with no given priorities.
,). To define multiple filters on one line, separate them with a semi-colon (;).
kern.* # Selects all kernel syslog messages with any priority
mail.crit # Selects all mail syslog messages with priority crit and higher.
cron.!info,!debug # Selects all cron syslog messages except those with the info or debug priority.
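The three rules above can be checked mechanically. The following Python model is an added example for this section, not part of the original guide and not rsyslog's own parser; it implements the selector semantics as the text above states them (a bare priority means that priority and higher, "=" exactly that priority, "!" everything but that priority, "*" everything, "none" nothing, "," for lists, ";" for several selectors on one line), plus the sysklogd rule, assumed here, that a later selector on the same line overrides an earlier one for the facilities it names. parse_rule and selects are names chosen for this example.

```python
"""Toy model of rsyslog's classic <FACILITY>.<PRIORITY> selectors.

Added example, not rsyslog's own parser: it implements the selector rules as
the text above describes them so a rule can be tried against
facility/priority pairs before it goes into /etc/rsyslog.conf.
"""

FACILITIES = ["auth", "authpriv", "cron", "daemon", "kern", "lpr", "mail", "news",
              "syslog", "user", "uucp"] + [f"local{i}" for i in range(8)]

# Lowest to highest, in the order the text lists them.
PRIORITIES = ["debug", "info", "notice", "warning", "err", "crit", "alert", "emerg"]


def _priority(name):
    if name not in PRIORITIES:
        raise ValueError(f"unknown priority {name!r}")
    return name


def _priority_set(spec):
    """Priorities selected by a comma-separated list such as 'crit' or '!info,!debug'."""
    selected = None                       # None: nothing decided yet
    for item in (s.strip() for s in spec.split(",")):
        if item == "*":
            selected = set(PRIORITIES)
        elif item == "none":
            selected = set()
        elif item.startswith("="):        # exactly this priority
            selected = (selected or set()) | {_priority(item[1:])}
        elif item.startswith("!"):        # everything except this priority
            base = set(PRIORITIES) if selected is None else selected
            selected = base - {_priority(item[1:])}
        else:                             # this priority and every higher one
            level = PRIORITIES.index(_priority(item))
            selected = (selected or set()) | set(PRIORITIES[level:])
    return selected or set()


def parse_rule(line):
    """Split a rule line into (facility -> selected priorities, action text).

    Text after '#' is a comment; the first whitespace-separated token is the
    filter and whatever follows it is the action (empty in the examples above).
    """
    parts = line.split("#", 1)[0].split(None, 1)
    if not parts:
        raise ValueError("empty rule")
    table = {f: set() for f in FACILITIES}
    for selector in parts[0].split(";"):
        facs, dot, prios = selector.partition(".")
        if not dot:
            raise ValueError(f"selector {selector!r} lacks a '.'")
        names = FACILITIES if facs == "*" else [f.strip() for f in facs.split(",")]
        chosen = _priority_set(prios)
        for fac in names:
            if fac not in table:
                raise ValueError(f"unknown facility {fac!r}")
            # A later selector on the same line overrides an earlier one for the
            # facilities it names, which is what makes "*.info;mail.none" work.
            table[fac] = set(chosen)
    return table, (parts[1].strip() if len(parts) > 1 else "")


def selects(line, facility, priority):
    """Does the rule on this line select a message of this facility and priority?"""
    table, _ = parse_rule(line)
    return priority in table.get(facility, set())
```

Feeding it a rule line together with its comment, for example selects("cron.!info,!debug # ...", "cron", "notice"), returns True, while the same call with "info" returns False. rsyslog's real grammar has more forms than this section covers; the model implements only what is described above.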
timegenerated or syslogtag. For more information on properties, refer to Section 17.1.3.3.2, “Properties”. Each of the properties specified in the filters lets you compare it to a specific value using one of the compare-operations listed in Table 17.1, “Property-based compare-operations”.
Table 17.1. Property-based compare-operations
Compare-operation | Description |
---|---|
contains | Checks whether the provided string matches any part of the text provided by the property. |
isequal | Compares the provided string against all of the text provided by the property. |
startswith | Checks whether the provided string matches a prefix of the text provided by the property. |
regex | Compares the provided POSIX BRE (Basic Regular Expression) regular expression against the text provided by the property. |
ereregex | Compares the provided POSIX ERE (Extended Regular Expression) regular expression against the text provided by the property. |
:<PROPERTY>, [!]<COMPARE_OPERATION>, "<STRING>"
timegenerated, hostname, etc.).
!) negates the output of the compare-operation (if prefixing the compare-operation).
")), use the backslash character (\).
error in their message text:
:msg, contains, "error"
host1:
:hostname, isequal, "host1"
fatal and error with any or no text between them (for example, fatal lib error):
:msg, !regex, "fatal .* error"
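As an added example (not from the guide and not rsyslog's own code), the evaluator below parses the :<PROPERTY>, [!]<COMPARE_OPERATION>, "<STRING>" form and runs the three filters just shown against constructed messages. It assumes Python's re module is an acceptable stand-in for the POSIX BRE and ERE engines rsyslog uses, which holds for patterns like "fatal .* error" but not for BRE-only syntax; MESSAGES is constructed sample data, and parse_filter, filter_matches and select are names invented for the example.

```python
"""Toy evaluator for rsyslog property-based filters.

Added example, not rsyslog's own code: it accepts the
:<PROPERTY>, [!]<COMPARE_OPERATION>, "<STRING>" form described in the text
and evaluates it against message dicts so a filter can be checked before it
is put into /etc/rsyslog.conf.
"""
import re

# Compare-operations from Table 17.1. rsyslog evaluates "regex" as POSIX BRE
# and "ereregex" as POSIX ERE; this toy runs both through Python's re module,
# which is close enough to ERE for the patterns on this page (assumption: no
# BRE-only constructs such as \( \) groups are used).
COMPARE_OPS = {
    "contains":   lambda prop, s: s in prop,
    "isequal":    lambda prop, s: prop == s,
    "startswith": lambda prop, s: prop.startswith(s),
    "regex":      lambda prop, s: re.search(s, prop) is not None,
    "ereregex":   lambda prop, s: re.search(s, prop) is not None,
}

# :property, [!]operation, "string"   (the string may contain \" and \\ escapes)
FILTER_RE = re.compile(r'^:([A-Za-z][\w-]*)\s*,\s*(!?)\s*(\w+)\s*,\s*"((?:[^"\\]|\\.)*)"\s*$')


def parse_filter(text):
    """Return (property, negated, operation, string) for a property-based filter."""
    m = FILTER_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a property-based filter: {text!r}")
    prop, bang, op, raw = m.groups()
    if op not in COMPARE_OPS:
        raise ValueError(f"unknown compare-operation {op!r}")
    value = re.sub(r"\\(.)", r"\1", raw)     # turn \" back into " and \\ into \
    return prop, bang == "!", op, value


def filter_matches(text, message):
    """True when the filter selects this message (a dict of property -> text)."""
    prop, negated, op, value = parse_filter(text)
    hit = COMPARE_OPS[op](message.get(prop, ""), value)
    return not hit if negated else hit


def select(text, messages):
    """Indices of the messages a filter selects, handy for eyeballing a rule."""
    return [i for i, m in enumerate(messages) if filter_matches(text, m)]


# Constructed sample messages (not real log data); the leading space in msg
# is what the traditional parser leaves after the tag.
MESSAGES = [
    {"hostname": "host1", "syslogtag": "app[101]:", "msg": " fatal lib error: cannot open config"},
    {"hostname": "host2", "syslogtag": "app[102]:", "msg": " error: retrying connection"},
    {"hostname": "host1", "syslogtag": "cron[7]:",  "msg": " (root) CMD (run-parts /etc/cron.hourly)"},
]

if __name__ == "__main__":
    for rule in (':msg, contains, "error"', ':hostname, isequal, "host1"',
                 ':msg, !regex, "fatal .* error"'):
        print(f"{rule:35} -> selects messages {select(rule, MESSAGES)}")
```

Note how the negated regex filter selects the second and third message but not the first: "!" inverts the whole compare-operation, so the filter keeps everything that does not match the pattern.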
/usr/share/doc/rsyslog/rscript_abnf.html along with examples of various expression-based filters.
if <EXPRESSION> then <ACTION>
$msg startswith 'DEVNAME' or $syslogfacility-text == 'local0'.
true.
Define an expression-based filter on a single line
Do not use regular expressions
/etc/rsyslog.conf configuration file. Each block consists of rules which are preceded with a program or hostname label. Use the '!<PROGRAM>' or '-<PROGRAM>' labels to include or exclude programs, respectively. Use the '+<HOSTNAME>' or '-<HOSTNAME>' labels to include or exclude hostnames, respectively.
/var/log/cron.log log file:
cron.* /var/log/cron.log
-) as a prefix of the file path you specified if you want to omit syncing the desired log file after every syslog message is generated.
?) prefix. For more information on templates, refer to Section 17.1.3.3.1, “Generating dynamic file names”.
/dev/console device, syslog messages are sent to standard output (using special tty-handling) or your console (using special /dev/console-handling) when using the X Window System, respectively.
@[(<OPTION>)]<HOST>:[<PORT>]
@) indicates that the syslog messages are forwarded to a host using the UDP protocol. To use the TCP protocol, use two at signs with no space between them (@@).
z<NUMBER>. This option enables zlib compression for syslog messages; the <NUMBER> attribute specifies the level of compression. To define multiple options, simply separate each one of them with a comma (,).
IPv6 address as the host, enclose the address in square brackets ([, ]).
*.* @192.168.0.1 # Forwards messages to 192.168.0.1 via the UDP protocol
*.* @@example.com:18 # Forwards messages to "example.com" using port 18 and the TCP protocol
*.* @(z9)[2001::1] # Compresses messages with zlib (level 9 compression)
# and forwards them to 2001::1 using the UDP protocol
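The forwarding syntax above is compact enough to mis-type, so here is an added example (not from the guide and not rsyslog's own code) that parses @[(<OPTION>)]<HOST>:[<PORT>] actions, including the IPv6 bracket form and the z<NUMBER> option, and reports what a rule would actually do. It assumes 514, the standard syslog port, when no port is given; parse_forward_action and parse_forward_rule are names chosen for this example.

```python
"""Toy parser for rsyslog's forwarding action @[(<OPTION>)]<HOST>:[<PORT>].

Added example, not rsyslog's own parser: one '@' means UDP, '@@' means TCP,
options such as z<NUMBER> sit in parentheses, the port is optional and an
IPv6 host is written in square brackets, exactly as the text above describes.
"""
import re

ACTION_RE = re.compile(r"""
    ^(?P<at>@@?)                                          # one @ = UDP, two = TCP
    (?:\((?P<opts>[^)]*)\))?                              # optional (opt1,opt2) list
    (?:\[(?P<v6>[0-9A-Fa-f:.]+)\]|(?P<host>[^:\s]+))      # [IPv6] or host name / IPv4
    (?::(?P<port>\d+))?$                                  # optional :port
""", re.VERBOSE)


def parse_forward_action(action, default_port=514):
    """Describe a forwarding action as a dict; default_port is an assumption (standard syslog port)."""
    m = ACTION_RE.match(action.strip())
    if not m:
        raise ValueError(f"not a forwarding action: {action!r}")
    options = {}
    for opt in [o.strip() for o in (m["opts"] or "").split(",") if o.strip()]:
        # z<NUMBER>: zlib compression level; zlib itself only knows levels 0 to 9
        if opt[0] == "z" and opt[1:].isdigit() and 0 <= int(opt[1:]) <= 9:
            options["zlib_level"] = int(opt[1:])
        else:
            raise ValueError(f"unsupported forwarding option {opt!r}")
    return {
        "protocol": "tcp" if m["at"] == "@@" else "udp",
        "host": m["v6"] or m["host"],
        "port": int(m["port"]) if m["port"] else default_port,
        "options": options,
    }


def parse_forward_rule(line):
    """Split '*.* @@example.com:18 # comment' into (filter, parsed action)."""
    selector, action = line.split("#", 1)[0].split(None, 1)
    return selector, parse_forward_action(action)


if __name__ == "__main__":
    for rule in ("*.* @192.168.0.1", "*.* @@example.com:18", "*.* @(z9)[2001::1]"):
        print(rule, "->", parse_forward_rule(rule)[1])
```

Rejecting unknown options and out-of-range compression levels at parse time is the point of the exercise: a forwarding rule that silently ends up on the wrong protocol or without its compression option is hard to notice once it is in production.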
$outchannel <NAME>, <FILE_NAME>, <MAX_SIZE>, <ACTION>
$outchannel directive and then used in a rule which selects every syslog message with any priority and executes the previously-defined output channel on the acquired syslog messages. Once the limit (in the example 100 MB) is hit, the /home/joe/log_rotation_script is executed. This script can contain anything from moving the file into a different folder, editing specific content out of it, or simply removing it.
Example 17.2. Output channel log rotation
$outchannel log_rotation,/var/log/test_log.log, 104857600, /home/joe/log_rotation_script
*.* $log_rotation
Support for output channels is to be removed in the future
,). To send messages to every user that is currently logged on, use an asterisk (*).
system() call to execute the program in shell. To specify a program to be executed, prefix it with a caret character (^). Consequently, specify a template that formats the received message and passes it to the specified executable as a one line parameter (for more information on templates, refer to Section 17.1.3.3, “Templates”). In the following example, any syslog message with any priority is selected, formatted with the template template and passed as a parameter to the test-program program, which is then executed with the provided parameter:
*.* ^test-program;template
Be careful when using the shell execute action
:<PLUGIN>:<DB_HOST>,<DB_NAME>,<DB_USER>,<DB_PASSWORD>;[<TEMPLATE>]
ommysql plug-in).
Using MySQL and PostgreSQL
MySQL (for more information, refer to /usr/share/doc/rsyslog/rsyslog_mysql.html) and PostgreSQL databases only. In order to use the MySQL and PostgreSQL database writer functionality, install the rsyslog-mysql and rsyslog-pgsql packages, respectively. Also, make sure you load the appropriate modules in your /etc/rsyslog.conf configuration file:
$ModLoad ommysql # Output module for MySQL support
$ModLoad ompgsql # Output module for PostgreSQL support
omlibdb module. However, this module is currently not compiled.
~). The following rule discards any cron syslog messages:
cron.* ~
kern.=crit joe
& ^test-program;temp
& @192.168.0.1
crit) are sent to user joe, processed by the template temp and passed on to the test-program executable, and forwarded to 192.168.0.1 via the UDP protocol.
;) and specify the name of the template.
Using templates
$template <TEMPLATE_NAME>,"text %<PROPERTY>% more text", [<OPTION>]
$template is the template directive that indicates that the text following it defines a template.
<TEMPLATE_NAME> is the name of the template. Use this name to refer to the template.
"…") is the actual template text. Within this text, you are allowed to escape characters in order to use their functionality, such as \n for new line or \r for carriage return. Other characters, such as % or ", have to be escaped in case you want to use those characters literally.
%) specifies a property that is consequently replaced with the property's actual value. For more information on properties, refer to Section 17.1.3.3.2, “Properties”.
<OPTION> attribute specifies any options that modify the template functionality. Do not mistake these for property options, which are defined inside the template text (between "…"). The currently supported template options are sql and stdsql, used for formatting the text as an SQL query.
The sql and stdsql options
sql and stdsql options are specified in the template. If they are not, the database writer does not perform any action. This is to prevent any possible security threats, such as SQL injection.
timegenerated property to generate a unique file name for each syslog message:
$template DynamicFile,"/var/log/test_logs/%timegenerated%-test.log"
$template directive only specifies the template. You must use it inside a rule for it to take effect:
*.* ?DynamicFile
%)) allow you to access various contents of a syslog message through the use of a property replacer. To define a property inside a template (between the two quotation marks ("…")), use the following syntax:
%<PROPERTY_NAME>[:<FROM_CHAR>:<TO_CHAR>:<OPTION>]%
/usr/share/doc/rsyslog/property_replacer.html under the section Available Properties.
R as the <FROM_CHAR> attribute and specify your desired regular expression as the <TO_CHAR> attribute.
/usr/share/doc/rsyslog/property_replacer.html under the section Property Options.
%msg%
%msg:1:2%
%msg:::drop-last-lf%
%timegenerated:1:10:date-rfc3339%
Example 17.3. A verbose syslog message template
$template verbose,"%syslogseverity%,%syslogfacility%,%timegenerated%,%HOSTNAME%,%syslogtag%,%msg%\n"
mesg(1) permission set to yes). This template outputs the message text, along with a hostname, message tag and a timestamp, on a new line (using \r and \n) and rings the bell (using \7).
Example 17.4. A wall message template
$template wallmsg,"\r\n\7Message from syslogd@%HOSTNAME% at %timegenerated% ...\r\n %syslogtag% %msg%\n\r"
sql option at the end of the template specified as the template option. It tells the database writer to format the message as a MySQL SQL query.
Example 17.5. A database formatted message template
$template dbFormat,"insert into SystemEvents (Message, Facility,FromHost, Priority, DeviceReportedTime, ReceivedAt, InfoUnitID, SysLogTag) values ('%msg%', %syslogfacility%, '%HOSTNAME%',%syslogpriority%, '%timereported:::date-mysql%', '%timegenerated:::date-mysql%', %iut%, '%syslogtag%')",sql
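To make the property replacer and the sql template option concrete, the following Python renderer is an added example (not part of the original guide and not rsyslog's own implementation). It parses $template directives as written in this section, substitutes %<PROPERTY_NAME>[:<FROM_CHAR>:<TO_CHAR>:<OPTION>]% placeholders for the property options used on this page, and applies the sql and stdsql escaping to property values. It is exercised on Example 17.5 above and on the RSYSLOG_FileFormat and RSYSLOG_ForwardFormat definitions from the list of predefined templates below (written here with a plain closing quote). Assumptions: SAMPLE is a constructed message, not real log data; the timestamp formats approximate rsyslog's output (rsyslog's date-rfc3339 also carries fractional seconds); the R regular-expression form of the replacer and lists of several property options are not modelled.

```python
"""Toy renderer for rsyslog $template directives and the property replacer.

Added example, not rsyslog's own code: it covers the subset used on this page
(%prop[:from:to:option]% with drop-last-lf, sp-if-no-1st-sp, drop-cc,
date-rfc3339 and date-mysql, and the template options sql and stdsql).
"""
import re
from datetime import datetime, timezone

TEMPLATE_RE = re.compile(r'^\$template\s+(\w+)\s*,\s*"((?:[^"\\]|\\.)*)"\s*(?:,\s*(\w+))?\s*$')
PROP_RE = re.compile(r"%([A-Za-z][\w-]*)(?::([^:%]*):([^:%]*)(?::([^%]*))?)?%")
ESCAPES = {"n": "\n", "r": "\r", "7": "\a", "\\": "\\", '"': '"', "%": "%"}

# Constructed sample message, roughly what the traditional parser leaves for
# "<134>Jan  2 03:04:05 host1 sshd[2042]: user 'joe' logged in": note the
# leading space kept in msg (what sp-if-no-1st-sp exists for) and the
# trailing newline (what drop-last-lf removes).
WHEN = datetime(2024, 1, 2, 3, 4, 5, tzinfo=timezone.utc)
SAMPLE = {
    "syslogfacility": 16, "syslogseverity": 6,      # local0.info -> PRI 134
    "HOSTNAME": "host1", "syslogtag": "sshd[2042]:",
    "msg": " user 'joe' logged in\n",
    "TIMESTAMP": WHEN, "timereported": WHEN, "timegenerated": WHEN,
    "iut": 1,
}

# Two of the predefined templates and Example 17.5, as $template lines.
FILE_FORMAT = r'$template RSYSLOG_FileFormat,"%TIMESTAMP:::date-rfc3339% %HOSTNAME% %syslogtag%%msg:::sp-if-no-1st-sp%%msg:::drop-last-lf%\n"'
FORWARD_FORMAT = r'$template RSYSLOG_ForwardFormat,"<%PRI%>%TIMESTAMP:::date-rfc3339% %HOSTNAME% %syslogtag:1:32%%msg:::sp-if-no-1st-sp%%msg%"'
DB_FORMAT = ('$template dbFormat,"insert into SystemEvents (Message, Facility,FromHost, Priority, '
             "DeviceReportedTime, ReceivedAt, InfoUnitID, SysLogTag) values ('%msg%', %syslogfacility%, "
             "'%HOSTNAME%',%syslogpriority%, '%timereported:::date-mysql%', '%timegenerated:::date-mysql%', "
             "%iut%, '%syslogtag%')\",sql")


def parse_template(directive):
    """Split '$template NAME,"TEXT"[,OPTION]' into (name, text, option or None)."""
    m = TEMPLATE_RE.match(directive.strip())
    if not m:
        raise ValueError(f"not a $template directive: {directive!r}")
    return m.groups()


def _unescape(literal):
    # Decode the backslash escapes (\n, \r, \7, \\, \", \%) in literal template text.
    return re.sub(r"\\(.)", lambda m: ESCAPES.get(m.group(1), m.group(0)), literal)


def _lookup(message, name):
    if name == "PRI":                # the <PRI> value is facility * 8 + severity
        return message["syslogfacility"] * 8 + message["syslogseverity"]
    if name == "syslogpriority":     # alias of syslogseverity
        return message["syslogseverity"]
    return message[name]


def _format_date(value, option):
    if option == "date-rfc3339":
        return value.isoformat()                     # rsyslog adds fractional seconds here
    if option == "date-mysql":
        return value.strftime("%Y%m%d%H%M%S")
    return f"{value:%b} {value.day:2d} {value:%H:%M:%S}"   # traditional syslog timestamp


def _replace(message, name, start, end, option):
    """Resolve one %name:from:to:option% placeholder to text."""
    value = _lookup(message, name)
    value = _format_date(value, option) if isinstance(value, datetime) else str(value)
    if start:                        # <FROM_CHAR>:<TO_CHAR> is 1-based and inclusive
        value = value[int(start) - 1: None if end in ("", "$") else int(end)]
    if option == "drop-last-lf":
        value = value[:-1] if value.endswith("\n") else value
    elif option == "sp-if-no-1st-sp":  # emits a space or nothing, never the value itself
        value = "" if value.startswith(" ") else " "
    elif option == "drop-cc":
        value = "".join(c for c in value if c >= " " and c != "\x7f")
    return value


def _escape_sql(value, template_option):
    """The sql/stdsql template options quote property values, not the literal text."""
    if template_option == "sql":     # MySQL style: backslash-escape ' and \
        return value.replace("\\", "\\\\").replace("'", "\\'")
    if template_option == "stdsql":  # standard SQL: double the single quote
        return value.replace("'", "''")
    return value


def render(directive, message):
    """Render a $template directive for one message dict."""
    _, text, template_option = parse_template(directive)
    out, pos = [], 0
    for m in PROP_RE.finditer(text):
        out.append(_unescape(text[pos:m.start()]))
        out.append(_escape_sql(_replace(message, *m.groups()), template_option))
        pos = m.end()
    out.append(_unescape(text[pos:]))
    return "".join(out)
```

The sql case is the one to look at: the single quotes inside msg come out as \' (or as '' with stdsql), so a message that happens to contain a quote cannot close the string literal in the insert statement. That is exactly why the database writer performs no action on a template that lacks one of these two options.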
RSYSLOG_ prefix. It is advisable to not create a template using this prefix to avoid any conflicts. The following list shows these predefined templates along with their definitions.
RSYSLOG_DebugFormat
"Debug line with all properties:\nFROMHOST: '%FROMHOST%', fromhost-ip: '%fromhost-ip%', HOSTNAME: '%HOSTNAME%', PRI: %PRI%,\nsyslogtag '%syslogtag%', programname: '%programname%', APP-NAME: '%APP-NAME%', PROCID: '%PROCID%', MSGID: '%MSGID%',\nTIMESTAMP: '%TIMESTAMP%', STRUCTURED-DATA: '%STRUCTURED-DATA%',\nmsg: '%msg%'\nescaped msg: '%msg:::drop-cc%'\nrawmsg: '%rawmsg%'\n\n\"
RSYSLOG_SyslogProtocol23Format
"<%PRI%>1 %TIMESTAMP:::date-rfc3339% %HOSTNAME% %APP-NAME% %PROCID% %MSGID% %STRUCTURED-DATA% %msg%\n\"
RSYSLOG_FileFormat
"%TIMESTAMP:::date-rfc3339% %HOSTNAME% %syslogtag%%msg:::sp-if-no-1st-sp%%msg:::drop-last-lf%\n\"
RSYSLOG_TraditionalFileFormat
"%TIMESTAMP% %HOSTNAME% %syslogtag%%msg:::sp-if-no-1st-sp%%msg:::drop-last-lf%\n\"
RSYSLOG_ForwardFormat
"<%PRI%>%TIMESTAMP:::date-rfc3339% %HOSTNAME% %syslogtag:1:32%%msg:::sp-if-no-1st-sp%%msg%\"
RSYSLOG_TraditionalForwardFormat
"<%PRI%>%TIMESTAMP% %HOSTNAME% %syslogtag:1:32%%msg:::sp-if-no-1st-sp%%msg%\"
-c option. When no parameter is specified, rsyslog tries to be compatible with sysklogd. This is partially achieved by activating configuration directives that modify your configuration accordingly. Therefore, it is advisable to supply this option with a number that matches the major version of rsyslog that is in use and update your /etc/rsyslog.conf configuration file accordingly. If you want to, for example, use sysklogd options (which were deprecated in version 3 of rsyslog), you can specify so by executing the following command:
~]# rsyslogd -c 2
rsyslogd daemon, including the backward compatibility mode, can be specified in the /etc/sysconfig/rsyslog configuration file.
rsyslogd options, refer to man rsyslogd.