RSYSLOG.CONF(5) Linux System Administration RSYSLOG.CONF(5)

NAME
rsyslog.conf - rsyslogd(8) configuration file

DESCRIPTION
The rsyslog.conf file is the main configuration file for the
rsyslogd(8) which logs system messages on *nix systems. This file
specifies rules for logging. For special features see the rsyslogd(8)
manpage. Rsyslog.conf is backward-compatible with sysklogd's
syslog.conf file. So if you migrate from sysklogd you can rename it
and it should work.

Note that this version of rsyslog ships with extensive documentation in
html format. This is provided in the ./doc subdirectory and probably
in a separate package if you installed rsyslog via a packaging system.
To use rsyslog's advanced features, you need to look at the html
documentation, because the man pages only cover basic aspects of
operation.

MODULES
Rsyslog has a modular design. Consequently, there is a growing number
of modules. See the html documentation for their full description.

omsnmp
    SNMP trap output module

omgssapi
    Output module for GSS-enabled syslog

ommysql
    Output module for MySQL

omrelp
    Output module for the reliable RELP protocol (prevents message
    loss). For details, see below at imrelp and the html
    documentation. It can be used like this:

        *.* :omrelp:server:port

        *.* :omrelp:192.168.0.1:2514 # actual sample

ompgsql
    Output module for PostgreSQL

omlibdbi
    Generic database output module (Firebird/Interbase, MS SQL,
    Sybase, SQLite, Ingres, Oracle, mSQL)

imfile
    Input module for text files

imudp
    Input plugin for UDP syslog. Replaces the deprecated -r option.
    Can be used like this:

        $ModLoad imudp

        $UDPServerRun 514

imtcp
    Input plugin for plain TCP syslog. Replaces the deprecated -t
    option. Can be used like this:

        $ModLoad imtcp

        $InputTCPServerRun 514

imrelp
    Input plugin for the RELP protocol. RELP can be used instead of
    UDP or plain TCP syslog to provide reliable delivery of syslog
    messages. Please note that plain TCP syslog does NOT provide
    truly reliable delivery: with it, messages may be lost when there
    is a connection problem or the server shuts down. RELP prevents
    message loss in those cases. It can be used like this:

        $ModLoad imrelp

        $InputRELPServerRun 2514

imgssapi
    Input plugin for plain TCP and GSS-enabled syslog

immark
    Support for mark messages

imklog
    Kernel logging. To include kernel log messages, you need to do

        $ModLoad imklog

    Please note that the klogd daemon is no longer necessary and
    consequently no longer provided by the rsyslog package.

imuxsock
    Unix sockets, including the system log socket. You need to
    specify

        $ModLoad imuxsock

    in order to receive log messages from local system processes.
    This config directive should only be left out if you know exactly
    what you are doing.

BASIC STRUCTURE
Lines starting with a hash mark ('#') and empty lines are ignored.
Rsyslog.conf should contain the following sections (sorted by
recommended order in file):

Global directives
    Global directives set some global properties of the whole rsyslog
    daemon, for example the size of the main message queue
    ($MainMessageQueueSize), loading external modules ($ModLoad) and
    so on. All global directives need to be specified on a line of
    their own and must start with a dollar sign. The complete list of
    global directives can be found in the html documentation in the
    doc directory or online on the web pages.

Templates
    Templates allow you to specify the format of the logged message.
    They are also used for dynamic file name generation. They have to
    be defined before they are used in rules. For more info about
    templates see the TEMPLATES section of this manpage.

Output channels
    Output channels provide an umbrella for any type of output that
    the user might want. They have to be defined before they are used
    in rules. For more info about output channels see the OUTPUT
    CHANNELS section of this manpage.

Rules (selector + action)
    Every rule line consists of two fields, a selector field and an
    action field. These two fields are separated by one or more
    spaces or tabs. The selector field specifies a pattern of
    facilities and priorities belonging to the specified action.

SELECTORS
The selector field itself again consists of two parts, a facility and
a priority, separated by a period ('.'). Both parts are case
insensitive and can also be specified as decimal numbers, but don't do
that, you have been warned. Both facilities and priorities are
described in syslog(3). The names mentioned below correspond to the
similar LOG_-values in /usr/include/syslog.h.

The facility is one of the following keywords: auth, authpriv, cron,
daemon, kern, lpr, mail, mark, news, security (same as auth), syslog,
user, uucp and local0 through local7. The keyword security should not
be used anymore and mark is only for internal use and therefore should
not be used in applications. Anyway, you may want to specify and
redirect these messages here. The facility specifies the subsystem
that produced the message, i.e. all mail programs log with the mail
facility (LOG_MAIL) if they log using syslog.

The priority is one of the following keywords, in ascending order:
debug, info, notice, warning, warn (same as warning), err, error (same
as err), crit, alert, emerg, panic (same as emerg). The keywords
error, warn and panic are deprecated and should not be used anymore.
The priority defines the severity of the message.

The behavior of the original BSD syslogd is that all messages of the
specified priority and higher are logged according to the given
action. Rsyslogd behaves the same, but has some extensions.

In addition to the above mentioned names, rsyslogd(8) understands the
following extensions: An asterisk ('*') stands for all facilities or
all priorities, depending on where it is used (before or after the
period). The keyword none stands for no priority of the given
facility.

You can specify multiple facilities with the same priority pattern in
one statement using the comma (',') operator. You may specify as many
facilities as you want. Remember that only the facility part from such
a statement is taken, a priority part would be skipped.

Multiple selectors may be specified for a single action using the
semicolon (';') separator. Remember that each selector in the selector
field is capable of overwriting the preceding ones. Using this
behavior you can exclude some priorities from the pattern.

Rsyslogd has a syntax extension to the original BSD source that makes
its use more intuitive. You may precede every priority with an equals
sign ('=') to specify only this single priority and not any higher
one. You may also (both are valid, too) precede the priority with an
exclamation mark ('!') to ignore all those priorities, either exactly
this one or this and any higher priority. If you use both extensions
then the exclamation mark must occur before the equals sign, just use
it intuitively.

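The selector rules above can be modelled in a few lines, which helps when checking what a rule line will actually capture before it is deployed. The following Python is an added example, not part of the man page and not rsyslog's code; all function names are illustrative, and numeric values and the internal mark facility are left out.

```python
# Added example: a model of rsyslog.conf selector matching. Names are illustrative.
FACILITIES = ["auth", "authpriv", "cron", "daemon", "kern", "lpr", "mail", "news",
              "syslog", "user", "uucp"] + ["local%d" % i for i in range(8)]
FACILITY_ALIASES = {"security": "auth"}
# Ascending severity, in the order the man page lists the keywords.
PRIORITIES = ["debug", "info", "notice", "warning", "err", "crit", "alert", "emerg"]
PRIORITY_ALIASES = {"warn": "warning", "error": "err", "panic": "emerg"}


def parse_priority(spec):
    """Return (priorities, exclude) for a priority part such as 'err', '=info' or '!=warning'."""
    exclude = spec.startswith("!")
    spec = spec[1:] if exclude else spec
    exact = spec.startswith("=")
    spec = (spec[1:] if exact else spec).lower()
    if spec == "*":
        return set(PRIORITIES), exclude
    if spec == "none":
        # 'none' removes every priority of the facility.
        return set(PRIORITIES), True
    name = PRIORITY_ALIASES.get(spec, spec)
    if name not in PRIORITIES:
        raise ValueError("unknown priority: %r" % spec)
    if exact:
        return {name}, exclude
    # Without '=', the keyword means this priority and every higher one.
    return set(PRIORITIES[PRIORITIES.index(name):]), exclude


def compile_selector_field(field):
    """Map each facility to the set of priorities the selector field accepts."""
    accepted = {facility: set() for facility in FACILITIES}
    # Selectors are applied left to right, so a later one can override an earlier one.
    for selector in field.split(";"):
        facility_part, dot, priority_part = selector.strip().rpartition(".")
        if not dot:
            raise ValueError("selector needs facility.priority: %r" % selector)
        priorities, exclude = parse_priority(priority_part)
        if facility_part == "*":
            names = FACILITIES
        else:
            names = [FACILITY_ALIASES.get(n.strip().lower(), n.strip().lower())
                     for n in facility_part.split(",")]
        for name in names:
            if name not in accepted:
                raise ValueError("unknown facility: %r" % name)
            if exclude:
                accepted[name] -= priorities
            else:
                accepted[name] |= priorities
    return accepted


def selects(field, facility, priority):
    """True if a message with this facility and priority matches the selector field."""
    return priority in compile_selector_field(field)[facility]


# Constructed rule lines, each probed with a few facility/priority pairs.
SAMPLES = [
    ("*.info;mail.none;authpriv.none", [("cron", "notice"), ("mail", "err"), ("kern", "debug")]),
    ("mail.info;mail.!err", [("mail", "warning"), ("mail", "err")]),
    ("kern.=crit", [("kern", "crit"), ("kern", "alert")]),
]

if __name__ == "__main__":
    for field, probes in SAMPLES:
        for facility, priority in probes:
            print(field, facility, priority, selects(field, facility, priority))
```
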
ACTIONS
The action field of a rule describes what to do with the message. In
general, message content is written to a kind of "logfile". But other
actions might also be done, like writing to a database table or
forwarding to another host.

Regular file
Typically messages are logged to real files. The file has to be
specified with full pathname, beginning with a slash ('/').

Example:
    *.* /var/log/traditionalfile.log;RSYSLOG_TraditionalFileFormat # log to a file in the traditional format

Note: if you would like to use high-precision timestamps in your log
files, just remove the ";RSYSLOG_TraditionalFileFormat". That will
select the default template, which, if not changed, uses RFC 3339
timestamps.

Example:
    *.* /var/log/file.log # log to a file with RFC3339 timestamps

You may prefix each entry with the minus "-" sign to omit syncing the
file after every logging. Note that you might lose information if the
system crashes right after a write attempt. Nevertheless this might
give you back some performance, especially if you run programs that
use logging in a very verbose manner.

Named pipes
This version of rsyslogd(8) has support for logging output to named
pipes (fifos). A fifo or named pipe can be used as a destination for
log messages by prepending a pipe symbol ('|') to the name of the
file. This is handy for debugging. Note that the fifo must be created
with the mkfifo(1) command before rsyslogd(8) is started.

Terminal and console
If the file you specified is a tty, special tty-handling is done, same
with /dev/console.

Remote machine
There are three ways to forward messages: the traditional UDP
transport, which is extremely lossy but standard, the plain TCP based
transport, which loses messages only during certain situations but is
widely available, and the RELP transport, which does not lose messages
but is currently available only as part of rsyslogd 3.15.0 and above.

To forward messages to another host via UDP, prepend the hostname with
the at sign ("@"). To forward it via plain tcp, prepend two at signs
("@@"). To forward via RELP, prepend the string ":omrelp:" in front of
the hostname.

Example:
    *.* @192.168.0.1

In the example above, messages are forwarded via UDP to the machine
192.168.0.1, the destination port defaults to 514. Due to the nature
of UDP, you will probably lose some messages in transit. If you expect
high traffic volume, you can expect to lose a quite noticeable number
of messages (the higher the traffic, the more likely and severe is
message loss).

If you would like to prevent message loss, use RELP:
    *.* :omrelp:192.168.0.1:2514

Note that a port number was given as there is no standard port for
relp.

Keep in mind that you need to load the correct input and output
plugins (see "Modules" above).

Please note that rsyslogd offers a variety of options regarding remote
forwarding. For full details, please see the html documentation.

List of users
Usually critical messages are also directed to "root" on that machine.
You can specify a list of users that shall get the message by simply
writing ":omusrmsg:" followed by the login name. You may specify more
than one user by separating them with commas (','). If they're logged
in they get the message (for example: ":omusrmsg:root,user1,user2").

Everyone logged on
Emergency messages often go to all users currently online to notify
them that something strange is happening with the system. To specify
this wall(1)-feature use an ":omusrmsg:*".

Database table
This allows logging of the message to a database table. By default, a
MonitorWare-compatible schema is required for this to work. You can
create that schema with the createDB.SQL file that came with the
rsyslog package. You can also use any other schema of your liking -
you just need to define a proper template and assign this template to
the action.

See the html documentation for further details on database logging.

Discard
If the discard action is carried out, the received message is
immediately discarded. Discard can be highly effective if you want to
filter out some annoying messages that otherwise would fill your log
files. To do that, place the discard actions early in your
configuration file. This often plays well with property-based filters,
giving you great freedom in specifying what you do not want.

Discard is just the single tilde character with no further parameters.

Example:
    *.* ~ # discards everything.

Output channel
Binds an output channel definition (see there for details) to this
action. Output channel actions must start with a $-sign, e.g. if you
would like to bind your output channel definition "mychannel" to the
action, use "$mychannel". Output channels support template definitions
like all other actions.

Shell execute
This executes a program in a subshell. The program is passed the
template-generated message as the only command line parameter. Rsyslog
waits until the program terminates and only then continues to run.

Example:
    ^program-to-execute;template

The program-to-execute can be any valid executable. It receives the
template string as a single parameter (argv[1]).

FILTER CONDITIONS
Rsyslog offers three different types of "filter conditions":
* "traditional" severity and facility based selectors
* property-based filters
* expression-based filters

Selectors
Selectors are the traditional way of filtering syslog messages. They
have been kept in rsyslog with their original syntax, because it is
well-known, highly effective and also needed for compatibility with
stock syslogd configuration files. If you just need to filter based on
priority and facility, you should do this with selector lines. They
are not second-class citizens in rsyslog and offer the best
performance for this job.

Property-Based Filters
Property-based filters are unique to rsyslogd. They allow you to
filter on any property, like HOSTNAME, syslogtag and msg.

A property-based filter must start with a colon in column 0. This
tells rsyslogd that it is the new filter type. The colon must be
followed by the property name, a comma, the name of the compare
operation to carry out, another comma and then the value to compare
against. This value must be quoted. There can be spaces and tabs
between the commas. Property names and compare operations are
case-sensitive, so "msg" works, while "MSG" is an invalid property
name. In brief, the syntax is as follows:

    :property, [!]compare-operation, "value"

The following compare-operations are currently supported:

contains
    Checks if the string provided in value is contained in the
    property

isequal
    Compares the "value" string provided and the property contents.
    These two values must be exactly equal to match.

startswith
    Checks if the value is found exactly at the beginning of the
    property value

regex
    Compares the property against the provided regular expression.

Expression-Based Filters
See the html documentation for this feature.

TEMPLATES
Every output in rsyslog uses templates - this holds true for files,
user messages and so on. Templates compatible with the stock syslogd
formats are hardcoded into rsyslogd. If no template is specified, we
use one of these hardcoded templates. Search for "template_" in
syslogd.c and you will find the hardcoded ones.

A template consists of a template directive, a name, the actual
template text and optional options. A sample is:

    $template MyTemplateName,"\7Text %property% some more text\n",<options>

The "$template" is the template directive. It tells rsyslog that this
line contains a template. The backslash is an escape character. For
example, \7 rings the bell (this is an ASCII value), \n is a new line.
The set of escapes supported in rsyslog is a bit restricted currently.

All text in the template is used literally, except for things within
percent signs. These are properties and allow you access to the
contents of the syslog message. Properties are accessed via the
property replacer and it can for example pick a substring or do
date-specific formatting. More on this is in the PROPERTY REPLACER
section of this manpage.

To escape:
    % = \%
    \ = \\ --> '\' is used to escape (as in C)

    $template TraditionalFormat,"%timegenerated% %HOSTNAME% %syslogtag%%msg%\n"

Properties can be accessed by the property replacer (see there for
details).

Please note that templates can also be used to generate selector lines
with dynamic file names. For example, if you would like to split
syslog messages from different hosts to different files (one per
host), you can define the following template:

    $template DynFile,"/var/log/system-%HOSTNAME%.log"

This template can then be used when defining an output selector line.
It will result in something like "/var/log/system-localhost.log"

Template options
The <options> part is optional. It carries options influencing the
template as a whole. See details below. Be sure NOT to mistake
template options for property options - the latter are processed by
the property replacer and apply to a SINGLE property only (and not the
whole template).

Template options are case-insensitive. Currently defined are:

sql
    format the string suitable for a SQL statement in MySQL format.
    This will replace single quotes ("'") and the backslash character
    by their backslash-escaped counterpart ("\'" and "\\") inside each
    field. Please note that in MySQL configuration, the
    NO_BACKSLASH_ESCAPES mode must be turned off for this format to
    work (this is the default).

stdsql
    format the string suitable for a SQL statement that is to be sent
    to a standards-compliant sql server. This will replace single
    quotes ("'") by two single quotes ("''") inside each field. You
    must use stdsql together with MySQL if in MySQL configuration the
    NO_BACKSLASH_ESCAPES is turned on.

Either the sql or stdsql option MUST be specified when a template is
used for writing to a database, otherwise injection might occur.
Please note that due to the unfortunate fact that several vendors have
violated the sql standard and introduced their own escape methods, it
is impossible to have a single option doing all the work. So you
yourself must make sure you are using the right format. If you choose
the wrong one, you are still vulnerable to sql injection.

Please note that the database writer *checks* that the sql option is
present in the template. If it is not present, the write database
action is disabled. This is to guard you against accidentally
forgetting it and then becoming vulnerable to SQL injection. The sql
option can also be useful with files - especially if you want to
import them into a database on another machine for performance
reasons. However, do NOT use it if you do not have a real need for it
- among others, it takes some toll on the processing time. Not much,
but on a really busy system you might notice it ;)

The default template for the write to database action has the sql
option set.

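The requirement to match the escaping option to the database server can be checked directly. The following Python is an added example, not part of the man page and not rsyslog's code: it models the two escaping styles as described above and runs the resulting statements on an in-memory SQLite database, which is assumed here as a stand-in for a standards-compliant server; the function names and the message texts are constructed for illustration.

```python
# Added example: the two escaping styles behind the sql and stdsql template options.
import sqlite3


def escape_sql(field):
    """sql option: backslash-escape backslashes and single quotes."""
    return field.replace("\\", "\\\\").replace("'", "\\'")


def escape_stdsql(field):
    """stdsql option: replace each single quote by two single quotes."""
    return field.replace("'", "''")


def render_insert(msg, escape):
    """Expand an insert statement with one property, escaping the field first."""
    return "insert into systemevents (message) values ('%s')" % escape(msg)


def run_on_standard_server(statement):
    """Execute on in-memory SQLite, which quotes the standard way and gives
    backslashes no special meaning. Returns ('stored', text) or ('rejected', error)."""
    db = sqlite3.connect(":memory:")
    try:
        db.execute("create table systemevents (message text)")
        try:
            db.execute(statement)
        except sqlite3.Error as exc:
            return ("rejected", str(exc))
        return ("stored", db.execute("select message from systemevents").fetchone()[0])
    finally:
        db.close()


# Constructed message texts: one with quotes, one with only a backslash.
QUOTED = "session opened for user 'alice'"
BACKSLASH = r"read C:\logs\app.log"

if __name__ == "__main__":
    for msg in (QUOTED, BACKSLASH):
        for name, escape in (("stdsql", escape_stdsql), ("sql", escape_sql)):
            print(name, run_on_standard_server(render_insert(msg, escape)))
```

With stdsql both messages are stored unchanged; with the sql option on this server the quoted message no longer forms a valid statement and the backslash message is stored with doubled backslashes.
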
Template examples
Please note that the samples are split across multiple lines. A
template MUST NOT actually be split across multiple lines.

A template that resembles traditional syslogd file output:

    $template TraditionalFormat,"%timegenerated% %HOSTNAME%
    %syslogtag%%msg:::drop-last-lf%\n"

A template that tells you a little more about the message:

    $template precise,"%syslogpriority%,%syslogfacility%,%timegenerated%,%HOSTNAME%,
    %syslogtag%,%msg%\n"

A template for RFC 3164 format:

    $template RFC3164fmt,"<%PRI%>%TIMESTAMP% %HOSTNAME% %syslogtag%%msg%"

A template for the format traditionally used for user messages:

    $template usermsg," XXXX%syslogtag%%msg%\n\r"

And a template with the traditional wall-message format:

    $template wallmsg,"\r\n\7Message from syslogd@%HOSTNAME%
    at %timegenerated%"

A template that can be used for writing to a database (please note the
SQL template option):

    $template MySQLInsert,"insert into systemevents (iut, message,
    receivedat) values ('%iut%', '%msg:::UPPERCASE%',
    '%timegenerated:::date-mysql%')\r\n", SQL

    NOTE 1: This template is embedded into core application under name
    StdDBFmt, so you don't need to define it.

    NOTE 2: You have to have MySQL module installed to use this
    template.

OUTPUT CHANNELS
Output Channels are a new concept first introduced in rsyslog 0.9.0.
As of this writing, it is most likely that they will be replaced by
something different in the future. So if you use them, be prepared to
change your configuration file syntax when you upgrade to a later
release.

Output channels are defined via an $outchannel directive. Its syntax
is as follows:

    $outchannel name,file-name,max-size,action-on-max-size

name is the name of the output channel (not the file), file-name is
the file name to be written to, max-size the maximum allowed size and
action-on-max-size a command to be issued when the max size is
reached. This command always has exactly one parameter. The binary is
that part of action-on-max-size before the first space, its parameter
is everything after that space.

Keep in mind that $outchannel just defines a channel with "name". It
does not activate it. To do so, you must use a selector line (see
below). That selector line includes the channel name plus ":omfile:$"
in front of it. A sample might be:

    *.* :omfile:$mychannel

PROPERTY REPLACER
The property replacer is a core component in rsyslogd's output system.
A syslog message has a number of well-defined properties (see below).
Each of these properties can be accessed and manipulated by the
property replacer. With it, it is easy to use only part of a property
value or manipulate the value, e.g. by converting all characters to
lower case.

Accessing Properties
Syslog message properties are used inside templates. They are accessed
by putting them between percent signs. Properties can be modified by
the property replacer. The full syntax is as follows:

    %propname:fromChar:toChar:options%

propname is the name of the property to access. It is case-sensitive.

Available Properties
msg
    the MSG part of the message (aka "the message" ;))

rawmsg
    the message exactly as it was received from the socket. Should be
    useful for debugging.

HOSTNAME
    hostname from the message

FROMHOST
    hostname of the system the message was received from (in a relay
    chain, this is the system immediately in front of us and not
    necessarily the original sender)

syslogtag
    TAG from the message

programname
    the "static" part of the tag, as defined by BSD syslogd. For
    example, when TAG is "named[12345]", programname is "named".

PRI
    PRI part of the message - undecoded (single value)

PRI-text
    the PRI part of the message in a textual form (e.g. "syslog.info")

IUT
    the monitorware InfoUnitType - used when talking to a MonitorWare
    backend (also for phpLogCon)

syslogfacility
    the facility from the message - in numerical form

syslogfacility-text
    the facility from the message - in text form

syslogseverity
    severity from the message - in numerical form

syslogseverity-text
    severity from the message - in text form

timegenerated
    timestamp when the message was RECEIVED. Always in high resolution

timereported
    timestamp from the message. Resolution depends on what was
    provided in the message (in most cases, only seconds)

TIMESTAMP
    alias for timereported

PROTOCOL-VERSION
    The contents of the PROTOCOL-VERSION field from IETF draft
    draft-ietf-syslog-protocol

STRUCTURED-DATA
    The contents of the STRUCTURED-DATA field from IETF draft
    draft-ietf-syslog-protocol

APP-NAME
    The contents of the APP-NAME field from IETF draft
    draft-ietf-syslog-protocol

PROCID
    The contents of the PROCID field from IETF draft
    draft-ietf-syslog-protocol

MSGID
    The contents of the MSGID field from IETF draft
    draft-ietf-syslog-protocol

$NOW
    The current date stamp in the format YYYY-MM-DD

$YEAR
    The current year (4-digit)

$MONTH
    The current month (2-digit)

$DAY
    The current day of the month (2-digit)

$HOUR
    The current hour in military (24 hour) time (2-digit)

$MINUTE
    The current minute (2-digit)

Properties starting with a $-sign are so-called system properties.
These do NOT stem from the message but are rather internally
generated.

Character Positions
FromChar and toChar are used to build substrings. They specify the
offset within the string that should be copied. Offset counting starts
at 1, so if you need to obtain the first 2 characters of the message
text, you can use this syntax: "%msg:1:2%". If you do not wish to
specify from and to, but you want to specify options, you still need
to include the colons. For example, if you would like to convert the
full message text to lower case, use "%msg:::lowercase%". If you would
like to extract from a position until the end of the string, you can
place a dollar-sign ("$") in toChar (e.g. %msg:10:$%, which will
extract from position 10 to the end of the string).

There is also support for regular expressions. To use them, you need
to place a "R" into FromChar. This tells rsyslog that a regular
expression instead of position-based extraction is desired. The actual
regular expression must then be provided in toChar. The regular
expression must be followed by the string "--end". It denotes the end
of the regular expression and will not become part of it. If you are
using regular expressions, the property replacer will return the part
of the property text that matches the regular expression. An example
for a property replacer sequence with a regular expression is:
"%msg:R:.*Sev:. \(.*\) \[.*--end%"

Also, extraction can be done based on so-called "fields". To do so,
place a "F" into FromChar. A field in its current definition is
anything that is delimited by a delimiter character. The delimiter by
default is TAB (US-ASCII value 9). However, it can be changed to any
other US-ASCII character by specifying a comma and the decimal
US-ASCII value of the delimiter immediately after the "F". For
example, to use comma (",") as a delimiter, use this field specifier:
"F,44". If your syslog data is delimited, this is a quicker way to
extract than via regular expressions (actually, a *much* quicker way).
Field counting starts at 1. Field zero is accepted, but will always
lead to a "field not found" error. The same happens if a field number
higher than the number of fields in the property is requested. The
field number must be placed in the "ToChar" parameter. An example
where the 3rd field (delimited by TAB) from the msg property is
extracted is as follows: "%msg:F:3%". The same example with semicolon
as delimiter is "%msg:F,59:3%".

Please note that the special characters "F" and "R" are
case-sensitive. Only upper case works, lower case will return an
error. There are no white spaces permitted inside the sequence (that
will lead to error messages and will NOT provide the intended result).

Property Options
Property options are case-insensitive. Currently, the following
options are defined:

uppercase
    convert property text to uppercase only

lowercase
    convert property text to lowercase only

drop-last-lf
    The last LF in the message (if any) is dropped. Especially useful
    for PIX.

date-mysql
    format as mysql date

date-rfc3164
    format as RFC 3164 date

date-rfc3339
    format as RFC 3339 date

escape-cc
    replace control characters (ASCII value 127 and values less than
    32) with an escape sequence. The sequence is "#<charval>" where
    charval is the 3-digit decimal value of the control character. For
    example, a tabulator would be replaced by "#009".

space-cc
    replace control characters by spaces

drop-cc
    drop control characters - the resulting string will neither
    contain control characters, escape sequences nor any other
    replacement character like space.

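The extraction rules and the control-character options can be tried out on a sample message. The following Python is an added example, not part of the man page and not rsyslog's code: it models position-based and field-based extraction plus the case and control-character options, leaves out the "R" regular-expression mode and the date options, and assumes that several options may be given as a comma-separated list and that drop-last-lf removes a trailing LF; all names and the sample message are constructed for illustration.

```python
# Added example: a small model of %propname:fromChar:toChar:options%. Names are illustrative.
import re

# Matches %name% and %name:from:to% with an optional :options part (no "R" regex mode).
TOKEN = re.compile(r"%([A-Za-z$-]+)(?::([^:%]*):([^:%]*)(?::([^:%]*))?)?%")


def is_control(ch):
    """Control characters per the man page: ASCII 127 and values below 32."""
    return ord(ch) < 32 or ord(ch) == 127


def extract(value, from_char, to_char):
    """Apply position-based or field-based extraction (offsets and fields start at 1)."""
    if from_char.startswith("F"):
        # "F" uses TAB; "F,<decimal>" names another US-ASCII delimiter.
        delimiter = chr(int(from_char[2:])) if from_char[1:2] == "," else "\t"
        fields = value.split(delimiter)
        number = int(to_char)
        if number < 1 or number > len(fields):
            raise LookupError("field not found")
        return fields[number - 1]
    if not from_char and not to_char:
        return value
    start = int(from_char) if from_char else 1
    end = len(value) if to_char in ("", "$") else int(to_char)
    return value[start - 1:end]


def apply_options(value, options):
    """Apply property options; a comma-separated list is an assumption of this model."""
    names = [o.strip().lower() for o in options.split(",") if o.strip()]
    # The trailing LF is removed first so that escape-cc does not turn it into "#010".
    if "drop-last-lf" in names and value.endswith("\n"):
        value = value[:-1]
    for name in names:
        if name == "uppercase":
            value = value.upper()
        elif name == "lowercase":
            value = value.lower()
        elif name == "escape-cc":
            value = "".join("#%03d" % ord(c) if is_control(c) else c for c in value)
        elif name == "space-cc":
            value = "".join(" " if is_control(c) else c for c in value)
        elif name == "drop-cc":
            value = "".join(c for c in value if not is_control(c))
        elif name != "drop-last-lf":
            raise ValueError("option not modelled: %r" % name)
    return value


def expand(template, properties):
    """Replace every property reference in template with its processed value."""
    def substitute(match):
        name, from_char, to_char, options = match.groups(default="")
        return apply_options(extract(properties[name], from_char, to_char), options)
    return TOKEN.sub(substitute, template)


# Constructed message: TAB-delimited fields, an embedded LF and a trailing LF.
SAMPLE = {
    "HOSTNAME": "web01",
    "syslogtag": "app[42]:",
    "msg": "user=alice\tresult=ok\tsrc=10.0.0.5\nsecond line\n",
}

if __name__ == "__main__":
    print(expand("%HOSTNAME% %syslogtag% %msg:::drop-last-lf,escape-cc%", SAMPLE))
    print(expand("%msg:F:2%", SAMPLE))
```

With escape-cc the embedded TAB and LF are written as "#009" and "#010", so each message stays on a single line of the output file.
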
QUEUED OPERATIONS
Rsyslogd supports queued operations to handle offline outputs (like
remote syslogd's or database servers being down). When running in
queued mode, rsyslogd buffers messages to memory and optionally to
disk (on an as-needed basis). Queues survive rsyslogd restarts.

It is highly suggested to use remote forwarding and database writing
in queued mode, only.

To learn more about queued operations, see the html documentation.

FILES
/etc/rsyslog.conf
    Configuration file for rsyslogd

SEE ALSO
rsyslogd(8), logger(1), syslog(3)

The complete documentation can be found in the doc folder of the
rsyslog distribution or online at

    http://www.rsyslog.com/doc

Please note that the man page reflects only a subset of the
configuration options. Be sure to read the html documentation for all
features and details. This is especially vital if you plan to set up a
more-than-extremely-simple system.

AUTHOR
rsyslogd is taken from sysklogd sources, which have been heavily
modified by Rainer Gerhards (rgerhards@adiscon.com) and others.

Version 7.2.0 22 October 2012 RSYSLOG.CONF(5)