RSYSLOGD(8)               Linux System Administration               RSYSLOGD(8)

NAME
       rsyslogd - reliable and extended syslogd

SYNOPSIS
       rsyslogd [ -4 ] [ -6 ] [ -A ] [ -d ] [ -D ] [ -f config file ]
       [ -i pid file ] [ -l hostlist ] [ -n ] [ -N level ]
       [ -q ] [ -Q ] [ -s domainlist ] [ -u userlevel ] [ -v ] [ -w ] [ -x ]

DESCRIPTION
       Rsyslogd is a system utility providing support for message logging.
       Support of both internet and unix domain sockets enables this utility
       to support both local and remote logging.

       Note that this version of rsyslog ships with extensive documentation in
       html format. This is provided in the ./doc subdirectory and probably
       in a separate package if you installed rsyslog via a packaging system.
       To use rsyslog's advanced features, you need to look at the html
       documentation, because the man pages only cover basic aspects of
       operation. For details and configuration examples, see the
       rsyslog.conf(5) man page and the online documentation at
       http://www.rsyslog.com/doc

       Rsyslogd(8) is derived from the sysklogd package which in turn is
       derived from the stock BSD sources.

       Rsyslogd provides a kind of logging that many modern programs use.
       Every logged message contains at least a time and a hostname field,
       normally a program name field, too, but that depends on how
       trustworthy the logging program is. The rsyslog package supports free
       definition of output formats via templates. It also supports precise
       timestamps and writing directly to databases. If the database option
       is used, tools like phpLogCon can be used to view the log data.

       While the rsyslogd sources have been heavily modified, a couple of
       notes are in order. First of all, there has been a systematic attempt
       to ensure that rsyslogd follows its default, standard BSD behavior. Of
       course, some configuration file changes are necessary in order to
       support the template system. However, rsyslogd should be able to use a
       standard syslog.conf and act like the original syslogd. An original
       syslogd, on the other hand, will not work correctly with an
       rsyslog-enhanced configuration file. At best, it will generate funny
       looking file names. The second important concept to note is that this
       version of rsyslogd interacts transparently with the version of syslog
       found in the standard libraries. If a binary linked to the standard
       shared libraries fails to function correctly we would like an example
       of the anomalous behavior.

       The main configuration file /etc/rsyslog.conf or an alternative file,
       given with the -f option, is read at startup. Any lines that begin
       with the hash mark (``#'') and empty lines are ignored. If an error
       occurs during parsing, the element in error is ignored and rsyslogd
       tries to parse the rest of the line.

OPTIONS
       -A     When sending UDP messages, there are potentially multiple paths
              to the target destination. By default, rsyslogd only sends to
              the first target it can successfully send to. If -A is given,
              messages are sent to all targets. This may improve reliability,
              but may also cause message duplication. This option should be
              enabled only if it is fully understood.

       -4     Causes rsyslogd to listen to IPv4 addresses only. If neither -4
              nor -6 is given, rsyslogd listens to all configured addresses of
              the system.

       -6     Causes rsyslogd to listen to IPv6 addresses only. If neither -4
              nor -6 is given, rsyslogd listens to all configured addresses of
              the system.

       -c version
              This option has been obsoleted and has no function any longer.
              It is still accepted in order not to break existing scripts.
              However, future versions may not support it.

       -D     Runs the Bison config parser in debug mode. This may help when
              hard to find syntax errors are reported. Please note that the
              output generated is deeply technical and originally targeted
              towards developers.

       -d     Turns on debug mode. See the DEBUGGING section for more
              information.

       -f config file
              Specify an alternative configuration file instead of
              /etc/rsyslog.conf, which is the default.

       -i pid file
              Specify an alternative pid file instead of the default one.
              This option must be used if multiple instances of rsyslogd
              should run on a single machine.

       -l hostlist
              Specify a hostname that should be logged only with its simple
              hostname and not the fqdn. Multiple hosts may be specified
              using the colon (``:'') separator.

       -n     Avoid auto-backgrounding. This is needed especially if the
              rsyslogd is started and controlled by init(8).

       -N level
              Do a coNfig check. Do NOT run in regular mode, just check
              configuration file correctness. This option is meant to verify
              a config file. To do so, run rsyslogd interactively in
              foreground, specifying -f <config-file> and -N level. The level
              argument modifies behaviour. Currently, 0 is the same as not
              specifying the -N option at all (so this makes limited sense)
              and 1 actually activates the code. Later, higher levels will
              mean more verbosity (this is a forward-compatibility option).

       -q     add hostname if DNS fails during ACL processing
              During ACL processing, hostnames are resolved to IP addresses
              for performance reasons. If DNS fails during that process, the
              hostname is added as wildcard text, which results in proper, but
              somewhat slower operation once DNS is up again.

       -Q     do not resolve hostnames during ACL processing
              Do not resolve hostnames to IP addresses during ACL processing.

       -s domainlist
              Specify a domainname that should be stripped off before logging.
              Multiple domains may be specified using the colon (``:'')
              separator. Please be advised that no sub-domains may be
              specified but only entire domains. For example, if -s north.de
              is specified and the host logging resolves to
              satu.infodrom.north.de, no domain would be cut; you will have to
              specify two domains like: -s north.de:infodrom.north.de.

       -u userlevel
              This is a "catch all" option for some very seldom used user
              settings. The "userlevel" variable selects multiple things. Add
              the specific values to get the combined effect of them. A value
              of 1 prevents rsyslogd from parsing hostnames and tags inside
              messages. A value of 2 prevents rsyslogd from changing to the
              root directory. This is almost never a good idea in production
              use. This option was introduced in support of the internal
              testbed. To combine these two features, use a userlevel of 3
              (1+2). Whenever you use an -u option, make sure you really
              understand what you do and why you do it.

       -v     Print version and exit.

       -w     Suppress warnings issued when messages are received from
              non-authorized machines (those that are in no AllowedSender
              list).

       -x     Disable DNS for remote messages.

SIGNALS
       Rsyslogd reacts to a set of signals. You may easily send a signal to
       rsyslogd using the following:

              kill -SIGNAL $(cat /var/run/syslogd.pid)

       Note that -SIGNAL must be replaced with the actual signal you are
       trying to send, e.g. with HUP. So it then becomes:

              kill -HUP $(cat /var/run/syslogd.pid)

       HUP    This lets rsyslogd close all open files. Also, in v3 a full
              restart will be done in order to read changed configuration
              files. Note that this means a full rsyslogd restart is done.
              This has, among others, the consequence that TCP and other
              connections are torn down. Also, if any queues are not running
              in disk assisted mode or are not set to persist data on
              shutdown, queue data is lost. HUPing rsyslogd is an extremely
              expensive operation and should only be done when actually
              necessary. Actually, it is a rsyslogd stop immediately followed
              by a restart. Future versions will remove this restart
              functionality of HUP (it will go away in v5). So it is advised
              to use HUP only for closing files, and a "real restart" (e.g.
              /etc/rc.d/rsyslogd restart) to activate configuration changes.

       TERM , INT , QUIT
              Rsyslogd will die.

       USR1   Switch debugging on/off. This option can only be used if
              rsyslogd is started with the -d debug option.

       CHLD   Wait for children if some were born, because of wall'ing
              messages.

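
       The -N check and the advice to keep HUP for closing files fit into one
       routine. This is an added example, not part of the rsyslog
       distribution: the RSYSLOGD and RESTART_CMD variables and the function
       names are assumptions, and it assumes rsyslogd -N 1 exits non-zero
       when it rejects a file.

```shell
#!/bin/sh
# Added example: check a configuration with -N 1 before a real restart.
# RSYSLOGD and RESTART_CMD are names chosen for this example; they can be
# overridden so the logic can be exercised without a live daemon.
RSYSLOGD=${RSYSLOGD:-rsyslogd}
RESTART_CMD=${RESTART_CMD:-/etc/rc.d/rsyslogd restart}

# check_config FILE -> 0 if rsyslogd accepts the file, non-zero otherwise.
check_config() {
    conf=$1
    [ -r "$conf" ] || { echo "cannot read $conf" >&2; return 2; }
    # -N 1 only checks the configuration; the daemon is not started.
    # Assumption: a rejected file gives a non-zero exit status.
    "$RSYSLOGD" -N 1 -f "$conf" >/dev/null 2>&1
}

# apply_config FILE -> restart only when the check passes, so a broken
# file never takes a working logger down.
apply_config() {
    conf=$1
    if check_config "$conf"; then
        $RESTART_CMD        # unquoted on purpose: command plus arguments
    else
        echo "config check failed for $conf; rsyslogd left running" >&2
        return 1
    fi
}

# hup_close_files [PIDFILE] -> send HUP only to make rsyslogd close its
# open files (for example after log rotation), never to reload config.
hup_close_files() {
    pidfile=${1:-/var/run/syslogd.pid}
    pid=$(cat "$pidfile" 2>/dev/null) || return 1
    case $pid in ''|*[!0-9]*) return 1 ;; esac   # refuse non-numeric content
    kill -HUP "$pid"
}
```
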
SECURITY THREATS
       There is the potential for the rsyslogd daemon to be used as a conduit
       for a denial of service attack. A rogue program(mer) could very easily
       flood the rsyslogd daemon with syslog messages resulting in the log
       files consuming all the remaining space on the filesystem. Activating
       logging over the inet domain sockets will of course expose a system to
       risks outside of programs or individuals on the local machine.

       There are a number of methods of protecting a machine:

       1.     Implement kernel firewalling to limit which hosts or networks
              have access to the 514/UDP socket.

       2.     Logging can be directed to an isolated or non-root filesystem
              which, if filled, will not impair the machine.

       3.     The ext2 filesystem can be used which can be configured to limit
              a certain percentage of a filesystem to usage by root only.
              NOTE that this will require rsyslogd to be run as a non-root
              process. ALSO NOTE that this will prevent usage of remote
              logging on the default port since rsyslogd will be unable to
              bind to the 514/UDP socket.

       4.     Disabling inet domain sockets will limit risk to the local
              machine.

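
       Methods 1 and 2 can be checked from a shell. The following is an added
       example, not part of the original man page; the function names, the
       192.0.2.0/24 network and the directory and limit passed in are
       assumptions.

```shell
#!/bin/sh
# Added example for methods 1 and 2. The directory, usage limit and the
# 192.0.2.0/24 network used by callers are constructed values.

# fs_of PATH -> mount point of the filesystem holding PATH
# (mount points containing spaces are not handled).
fs_of() {
    df -P "$1" | awk 'NR==2 {print $6}'
}

# logs_isolated DIR -> 0 when DIR is on a different filesystem than /,
# so a message flood fills the log volume and not the root filesystem.
logs_isolated() {
    [ "$(fs_of "$1")" != "$(fs_of /)" ]
}

# usage_pct PATH -> percentage of the filesystem in use, without the % sign.
usage_pct() {
    df -P "$1" | awk 'NR==2 {sub(/%/, "", $5); print $5}'
}

# udp514_rules CIDR -> iptables rules that accept syslog on 514/UDP from
# one network and drop it from everywhere else. Printed for review only.
udp514_rules() {
    printf 'iptables -A INPUT -p udp --dport 514 -s %s -j ACCEPT\n' "$1"
    printf 'iptables -A INPUT -p udp --dport 514 -j DROP\n'
}

# audit_logdir DIR LIMIT -> prints findings; exit status is their count.
audit_logdir() {
    dir=$1; limit=$2; findings=0
    if ! logs_isolated "$dir"; then
        echo "WARN: $dir shares a filesystem with /"
        findings=$((findings + 1))
    fi
    if [ "$(usage_pct "$dir")" -ge "$limit" ]; then
        echo "WARN: filesystem of $dir is at or above ${limit}% used"
        findings=$((findings + 1))
    fi
    return "$findings"
}
```
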

   Message replay and spoofing
       If remote logging is enabled, messages can easily be spoofed and
       replayed. As the messages are transmitted in clear-text, an attacker
       might use the information obtained from the packets for malicious
       things. Also, an attacker might replay recorded messages or spoof a
       sender's IP address, which could lead to a wrong perception of system
       activity. These can be prevented by using GSS-API authentication and
       encryption. Be sure to think about syslog network security before
       enabling it.

DEBUGGING
       When debugging is turned on using the -d option, rsyslogd produces
       debugging information according to the RSYSLOG_DEBUG environment
       variable and the signals received. When run in foreground, the
       information is written to stdout. An additional output file can be
       specified using the RSYSLOG_DEBUGLOG environment variable.

FILES
       /etc/rsyslog.conf
              Configuration file for rsyslogd. See rsyslog.conf(5) for exact
              information.
       /dev/log
              The Unix domain socket from where local syslog messages are
              read.
       /var/run/syslogd.pid
              The file containing the process id of rsyslogd.
       prefix/lib/rsyslog
              Default directory for rsyslogd modules. The prefix is specified
              during compilation (e.g. /usr/local).

ENVIRONMENT
       RSYSLOG_DEBUG
              Controls runtime debug support. It contains an option string
              with the following options possible (all are case insensitive):

              Debug  Turns on debugging and prevents forking. This is
                     processed earlier in the startup than command line
                     options (i.e. -d) and as such enables earlier debugging
                     output. Mutually exclusive with DebugOnDemand.
              DebugOnDemand
                     Enables debugging but turns off debug output. The output
                     can be toggled by sending SIGUSR1. Mutually exclusive
                     with Debug.
              LogFuncFlow
                     Print out the logical flow of functions (entering and
                     exiting them).
              FileTrace
                     Specifies which files to trace LogFuncFlow. If not set
                     (the default), a LogFuncFlow trace is provided for all
                     files. Set to limit it to the files specified. FileTrace
                     may be specified multiple times, one file each (e.g.
                     export RSYSLOG_DEBUG="LogFuncFlow FileTrace=vm.c
                     FileTrace=expr.c").
              PrintFuncDB
                     Print the content of the debug function database whenever
                     debug information is printed (e.g. abort case)!
              PrintAllDebugInfoOnExit
                     Print all debug information immediately before rsyslogd
                     exits (currently not implemented!)
              PrintMutexAction
                     Print mutex action as it happens. Useful for finding
                     deadlocks and such.
              NoLogTimeStamp
                     Do not prefix log lines with a timestamp (default is to
                     do that).
              NoStdOut
                     Do not emit debug messages to stdout. If RSYSLOG_DEBUGLOG
                     is not set, this means no messages will be displayed at
                     all.
              Help   Display a very short list of commands - hopefully a life
                     saver if you can't access the documentation...

       RSYSLOG_DEBUGLOG
              If set, writes (almost) all debug messages to the specified log
              file in addition to stdout.
       RSYSLOG_MODDIR
              Provides the default directory in which loadable modules reside.

BUGS
       Please review the file BUGS for up-to-date information on known bugs
       and annoyances.

MORE INFORMATION
       Please visit http://www.rsyslog.com/doc for additional information,
       tutorials and a support forum.

SEE ALSO
       rsyslog.conf(5), logger(1), syslog(2), syslog(3), services(5),
       savelog(8)

COLLABORATORS
       rsyslogd is derived from sysklogd sources, which in turn was taken from
       the BSD sources. Special thanks to Greg Wettstein
       (greg@wind.enjellic.com) and Martin Schulze (joey@linux.de) for the
       fine sysklogd package.

       Rainer Gerhards
       Adiscon GmbH
       Grossrinderfeld, Germany
       rgerhards@adiscon.com

Version 6.4.3                   16 October 2012                    RSYSLOGD(8)