RSYSLOGD(8)              Linux System Administration              RSYSLOGD(8)

NAME
       rsyslogd - reliable and extended syslogd

SYNOPSIS
       rsyslogd [ -4 ] [ -6 ] [ -A ] [ -d ] [ -f config file ]
       [ -i pid file ] [ -l hostlist ] [ -n ] [ -N level ]
       [ -q ] [ -Q ] [ -s domainlist ] [ -u userlevel ] [ -v ] [ -w ] [ -x ]

DESCRIPTION
       Rsyslogd is a system utility providing support for message logging.
       Support of both internet and unix domain sockets enables this utility
       to support both local and remote logging.

       Note that this version of rsyslog ships with extensive documentation
       in html format. This is provided in the ./doc subdirectory and
       probably in a separate package if you installed rsyslog via a
       packaging system. To use rsyslog's advanced features, you need to look
       at the html documentation, because the man pages only cover basic
       aspects of operation. For details and configuration examples, see the
       rsyslog.conf(5) man page and the online documentation at
       http://www.rsyslog.com/doc

       Rsyslogd(8) is derived from the sysklogd package, which in turn is
       derived from the stock BSD sources.

       Rsyslogd provides a kind of logging that many modern programs use.
       Every logged message contains at least a time and a hostname field,
       and normally a program name field too, but that depends on how
       trustworthy the logging program is. The rsyslog package supports free
       definition of output formats via templates. It also supports precise
       timestamps and writing directly to databases. If the database option
       is used, tools like phpLogCon can be used to view the log data.

       While the rsyslogd sources have been heavily modified, a couple of
       notes are in order. First of all, there has been a systematic attempt
       to ensure that rsyslogd follows its default, standard BSD behavior. Of
       course, some configuration file changes are necessary in order to
       support the template system. However, rsyslogd should be able to use a
       standard syslog.conf and act like the original syslogd. An original
       syslogd, on the other hand, will not work correctly with a
       rsyslog-enhanced configuration file. At best, it will generate funny
       looking file names. The second important concept to note is that this
       version of rsyslogd interacts transparently with the version of syslog
       found in the standard libraries. If a binary linked to the standard
       shared libraries fails to function correctly, we would like an example
       of the anomalous behavior.

       The main configuration file /etc/rsyslog.conf or an alternative file,
       given with the -f option, is read at startup. Any lines that begin
       with the hash mark (``#'') and empty lines are ignored. If an error
       occurs during parsing, the error element is ignored and rsyslogd tries
       to parse the rest of the line.

OPTIONS
       Note that in version 3 of rsyslog a number of command line options
       have been deprecated and replaced with config file directives. The -c
       option controls the backward compatibility mode in use.

       -A     When sending UDP messages, there are potentially multiple paths
              to the target destination. By default, rsyslogd only sends to
              the first target it can successfully send to. If -A is given,
              messages are sent to all targets. This may improve reliability,
              but may also cause message duplication. This option should be
              enabled only if it is fully understood.

       -4     Causes rsyslogd to listen to IPv4 addresses only. If neither -4
              nor -6 is given, rsyslogd listens to all configured addresses
              of the system.

       -6     Causes rsyslogd to listen to IPv6 addresses only. If neither -4
              nor -6 is given, rsyslogd listens to all configured addresses
              of the system.

       -c version
              Selects the desired backward compatibility mode. It must always
              be the first option on the command line, as it influences
              processing of the other options. To use the rsyslog v3 native
              interface, specify -c3. To use compatibility mode, either do
              not use -c at all or use -c<version> where version is the
              rsyslog version that it shall be compatible with. Using -c0
              tells rsyslog to be command-line compatible to sysklogd, which
              is the default if -c is not given. Please note that rsyslogd
              issues warning messages if the -c3 command line option is not
              given. This is to alert you that you are running in
              compatibility mode. Compatibility mode interferes with your
              rsyslog.conf commands and may cause some undesired
              side-effects. It is meant to be used with a plain old
              rsyslog.conf - if you use new features, things become messy. So
              the best advice is to work through this document, convert your
              options and config file and then use rsyslog in native mode. In
              order to aid you in this process, rsyslog logs every
              compatibility-mode config file directive it has generated. So
              you can simply copy them from your logfile and paste them to
              the config.

       -d     Turns on debug mode. See the DEBUGGING section for more
              information.

       -f config file
              Specify an alternative configuration file instead of
              /etc/rsyslog.conf, which is the default.

       -i pid file
              Specify an alternative pid file instead of the default one.
              This option must be used if multiple instances of rsyslogd
              should run on a single machine.

       -l hostlist
              Specify a hostname that should be logged only with its simple
              hostname and not the fqdn. Multiple hosts may be specified
              using the colon (``:'') separator.

       -n     Avoid auto-backgrounding. This is needed especially if the
              rsyslogd is started and controlled by init(8).

       -N level
              Do a coNfig check. Do NOT run in regular mode, just check
              configuration file correctness. This option is meant to verify
              a config file. To do so, run rsyslogd interactively in
              foreground, specifying -f <config-file> and -N level. The level
              argument modifies behaviour. Currently, 0 is the same as not
              specifying the -N option at all (so this makes limited sense)
              and 1 actually activates the code. Later, higher levels will
              mean more verbosity (this is a forward-compatibility option).

       -q     add hostname if DNS fails during ACL processing
              During ACL processing, hostnames are resolved to IP addresses
              for performance reasons. If DNS fails during that process, the
              hostname is added as wildcard text, which results in proper,
              but somewhat slower operation once DNS is up again.

       -Q     do not resolve hostnames during ACL processing
              Do not resolve hostnames to IP addresses during ACL processing.

       -s domainlist
              Specify a domainname that should be stripped off before
              logging. Multiple domains may be specified using the colon
              (``:'') separator. Please be advised that no sub-domains may be
              specified but only entire domains. For example, if -s north.de
              is specified and the host logging resolves to
              satu.infodrom.north.de, no domain would be cut; you will have
              to specify two domains like: -s north.de:infodrom.north.de.

       -u userlevel
              This is a "catch all" option for some very seldom-used user
              settings. The "userlevel" variable selects multiple things. Add
              the specific values to get the combined effect of them. A value
              of 1 prevents rsyslogd from parsing hostnames and tags inside
              messages. A value of 2 prevents rsyslogd from changing to the
              root directory. This is almost never a good idea in production
              use. This option was introduced in support of the internal
              testbed. To combine these two features, use a userlevel of 3
              (1+2). Whenever you use a -u option, make sure you really
              understand what you do and why you do it.

       -v     Print version and exit.

       -w     Suppress warnings issued when messages are received from
              non-authorized machines (those that are in no AllowedSender
              list).

       -x     Disable DNS for remote messages.

SIGNALS
       Rsyslogd reacts to a set of signals. You may easily send a signal to
       rsyslogd using the following:

              kill -SIGNAL $(cat /var/run/rsyslogd.pid)

       Note that -SIGNAL must be replaced with the actual signal you are
       trying to send, e.g. with HUP. So it then becomes:

              kill -HUP $(cat /var/run/rsyslogd.pid)

       HUP    This lets rsyslogd close all open files.

       TERM, INT, QUIT
              Rsyslogd will die.

       USR1   Switch debugging on/off. This option can only be used if
              rsyslogd is started with the -d debug option.

       CHLD   Wait for children if some were born because of wall'ing
              messages.

SECURITY THREATS
       There is the potential for the rsyslogd daemon to be used as a conduit
       for a denial of service attack. A rogue program(mer) could very easily
       flood the rsyslogd daemon with syslog messages resulting in the log
       files consuming all the remaining space on the filesystem. Activating
       logging over the inet domain sockets will of course expose a system to
       risks outside of programs or individuals on the local machine.

       There are a number of methods of protecting a machine:

       1.     Implement kernel firewalling to limit which hosts or networks
              have access to the 514/UDP socket.

       2.     Logging can be directed to an isolated or non-root filesystem
              which, if filled, will not impair the machine.

       3.     The ext2 filesystem can be used which can be configured to
              limit a certain percentage of a filesystem to usage by root
              only. NOTE that this will require rsyslogd to be run as a
              non-root process. ALSO NOTE that this will prevent usage of
              remote logging on the default port since rsyslogd will be
              unable to bind to the 514/UDP socket.

       4.     Disabling inet domain sockets will limit risk to the local
              machine.
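
One way to carry out method 1, as an added example that is not part of the man page: a POSIX shell helper that validates a list of permitted log senders and prints iptables rules admitting only those hosts to 514/UDP. The function names are hypothetical and the sender addresses are constructed sample values.

```shell
#!/bin/sh
# Added example, not from the man page: allowlist for the 514/UDP socket.
# Sender addresses used below are constructed sample values.

# is_ipv4_cidr ADDR: succeed only for a.b.c.d or a.b.c.d/len (len 0-32).
is_ipv4_cidr() {
    # Anything but digits, dots and slashes is refused (this also keeps
    # shell metacharacters out of the generated commands).
    case $1 in ''|*[!0-9./]*) return 1 ;; esac
    addr=${1%/*}
    len=32
    case $1 in */*) len=${1#*/} ;; esac
    case $len in ''|???*|*[!0-9]*) return 1 ;; esac
    [ "$len" -le 32 ] || return 1
    old_ifs=$IFS; IFS=.
    set -- $addr                      # split the address into octets
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        # Refuse empty octets, more than 3 digits, and leading zeros.
        case $octet in ''|????*|0?*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# syslog_udp_rules ADDR...: print one ACCEPT rule per sender, then a final
# DROP for 514/UDP. If any entry is invalid, print nothing and return 1, so
# a typo never yields a partial allowlist. With no arguments only the DROP
# rule is printed, which closes the port to every remote host.
syslog_udp_rules() {
    for src in "$@"; do
        is_ipv4_cidr "$src" || { echo "invalid sender: $src" >&2; return 1; }
    done
    for src in "$@"; do
        echo "iptables -A INPUT -p udp --dport 514 -s $src -j ACCEPT"
    done
    echo "iptables -A INPUT -p udp --dport 514 -j DROP"
}

# Print the rules for review before applying them as root.
syslog_udp_rules 192.0.2.10 198.51.100.0/24
```

The rules are appended to the INPUT chain, so they must come before any broader rule that already accepts UDP traffic.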

   Message replay and spoofing
       If remote logging is enabled, messages can easily be spoofed and
       replayed. As the messages are transmitted in clear-text, an attacker
       might use the information obtained from the packets for malicious
       things. Also, an attacker might replay recorded messages or spoof a
       sender's IP address, which could lead to a wrong perception of system
       activity. These can be prevented by using GSS-API authentication and
       encryption. Be sure to think about syslog network security before
       enabling it.

DEBUGGING
       When debugging is turned on using the -d option, rsyslogd produces
       debugging information according to the RSYSLOG_DEBUG environment
       variable and the signals received. When run in foreground, the
       information is written to stdout. An additional output file can be
       specified using the RSYSLOG_DEBUGLOG environment variable.

FILES
       /etc/rsyslog.conf
              Configuration file for rsyslogd. See rsyslog.conf(5) for exact
              information.
       /dev/log
              The Unix domain socket from which local syslog messages are
              read.
       /var/run/rsyslogd.pid
              The file containing the process id of rsyslogd.
       prefix/lib/rsyslog
              Default directory for rsyslogd modules. The prefix is specified
              during compilation (e.g. /usr/local).

ENVIRONMENT
       RSYSLOG_DEBUG
              Controls runtime debug support. It contains an option string
              with the following options possible (all are case insensitive):

              Debug  Turns on debugging and prevents forking. This is
                     processed earlier in the startup than command line
                     options (i.e. -d) and as such enables earlier debugging
                     output. Mutually exclusive with DebugOnDemand.
              DebugOnDemand
                     Enables debugging but turns off debug output. The output
                     can be toggled by sending SIGUSR1. Mutually exclusive
                     with Debug.
              LogFuncFlow
                     Print out the logical flow of functions (entering and
                     exiting them).
              FileTrace
                     Specifies which files to trace LogFuncFlow. If not set
                     (the default), a LogFuncFlow trace is provided for all
                     files. Set to limit it to the files specified. FileTrace
                     may be specified multiple times, one file each (e.g.
                     export RSYSLOG_DEBUG="LogFuncFlow FileTrace=vm.c
                     FileTrace=expr.c").
              PrintFuncDB
                     Print the content of the debug function database
                     whenever debug information is printed (e.g. abort case)!
              PrintAllDebugInfoOnExit
                     Print all debug information immediately before rsyslogd
                     exits (currently not implemented!)
              PrintMutexAction
                     Print mutex action as it happens. Useful for finding
                     deadlocks and such.
              NoLogTimeStamp
                     Do not prefix log lines with a timestamp (default is to
                     do that).
              NoStdOut
                     Do not emit debug messages to stdout. If
                     RSYSLOG_DEBUGLOG is not set, this means no messages will
                     be displayed at all.
              Help   Display a very short list of commands - hopefully a life
                     saver if you can't access the documentation...

       RSYSLOG_DEBUGLOG
              If set, writes (almost) all debug messages to the specified log
              file in addition to stdout.
       RSYSLOG_MODDIR
              Provides the default directory in which loadable modules
              reside.

BUGS
       Please review the file BUGS for up-to-date information on known bugs
       and annoyances.

       Please visit http://www.rsyslog.com/doc for additional information,
       tutorials and a support forum.

SEE ALSO
       rsyslog.conf(5), logger(1), syslog(2), syslog(3), services(5),
       savelog(8)

       rsyslogd is derived from sysklogd sources, which in turn was taken
       from the BSD sources. Special thanks to Greg Wettstein
       (greg@wind.enjellic.com) and Martin Schulze (joey@linux.de) for the
       fine sysklogd package.

       Rainer Gerhards
       Adiscon GmbH
       Grossrinderfeld, Germany
       rgerhards@adiscon.com

Version 3.21.1                   29 July 2008                     RSYSLOGD(8)