1RSYSLOGD(8)               Linux System Administration              RSYSLOGD(8)
2
3
4

NAME

6       rsyslogd - reliable and extended syslogd
7

SYNOPSIS

9       rsyslogd [ -4 ] [ -6 ] [ -A ] [ -d ] [ -D ] [ -f config file ]
10       [ -i pid file ] [ -l hostlist ] [ -n ] [ -N level ]
11       [ -q ] [ -Q ] [ -s domainlist ] [ -u userlevel ] [ -v ] [ -w ] [ -x ]
12

DESCRIPTION

14       Rsyslogd  is  a  system  utility providing support for message logging.
15       Support of both internet and unix domain sockets enables  this  utility
16       to support both local and remote logging.
17
18       Note that this version of rsyslog ships with extensive documentation in
19       html format.  This is provided in the ./doc subdirectory  and  probably
20       in  a separate package if you installed rsyslog via a packaging system.
21       To use rsyslog's advanced features, you need to look at the html  docu‐
22       mentation, because the man pages only cover basic aspects of operation.
23       For details and configuration examples, see the  rsyslog.conf  (5)  man
24       page and the online documentation at http://www.rsyslog.com/doc
25
26       Rsyslogd(8)  is  derived  from  the  sysklogd  package which in turn is
27       derived from the stock BSD sources.
28
29       Rsyslogd provides a kind of logging  that  many  modern  programs  use.
30       Every  logged  message  contains  at least a time and a hostname field,
31       normally a program name field, too, but that depends on how trusty  the
32       logging  program  is.  The  rsyslog package supports free definition of
33       output formats via templates. It also supports precise  timestamps  and
34       writing  directly  to  databases. If the database option is used, tools
35       like phpLogCon can be used to view the log data.
36
37       While the rsyslogd sources have been heavily modified a couple of notes
38       are  in  order.   First  of  all there has been a systematic attempt to
39       ensure that rsyslogd follows its default,  standard  BSD  behavior.  Of
40       course,  some configuration file changes are necessary in order to sup‐
41       port the template system. However, rsyslogd should be  able  to  use  a
42       standard  syslog.conf  and  act  like the original syslogd. However, an
43       original syslogd will not work correctly with a  rsyslog-enhanced  con‐
44       figuration  file.  At  best, it will generate funny looking file names.
45       The second important concept to note is that this version  of  rsyslogd
46       interacts  transparently  with the version of syslog found in the stan‐
47       dard libraries.  If a binary linked to the  standard  shared  libraries
48       fails  to  function correctly we would like an example of the anomalous
49       behavior.
50
51       The main configuration file /etc/rsyslog.conf or an  alternative  file,
52       given  with  the  -f  option, is read at startup.  Any lines that begin
53       with the hash mark (``#'') and empty lines are ignored.   If  an  error
54       occurs  during  parsing  the  error  element is ignored. It is tried to
55       parse the rest of the line.
56
57

OPTIONS

59       -A     When sending UDP messages, there are potentially multiple  paths
60              to  the  target  destination. By default, rsyslogd only sends to
61              the first target it can successfully send to. If  -A  is  given,
62              messages  are sent to all targets. This may improve reliability,
63              but may also cause message duplication. This  option  should  be
64              enabled only if it is fully understood.
65
66       -4     Causes rsyslogd to listen to IPv4 addresses only.  If neither -4
67              nor -6 is given, rsyslogd listens to all configured addresses of
68              the system.
69
70       -6     Causes rsyslogd to listen to IPv6 addresses only.  If neither -4
71              nor -6 is given, rsyslogd listens to all configured addresses of
72              the system.
73
74       -c version
75              This  option  has been obsoleted and has no function any longer.
76              It is still accepted in order not  to  break  existing  scripts.
77              However, future versions may not support it.
78
79       -D     Runs  the  Bison config parser in debug mode. This may help when
80              hard to find syntax errors are reported. Please  note  that  the
81              output  generated  is  deeply  technical  and orignally targeted
82              towards developers.
83
84       -d     Turns on debug mode. See the DEBUGGING section for more informa‐
85              tion.
86
87       -f config file
88              Specify  an alternative configuration file instead of /etc/rsys‐
89              log.conf, which is the default.
90
91       -i pid file
92              Specify an alternative pid file  instead  of  the  default  one.
93              This  option  must  be  used  if  multiple instances of rsyslogd
94              should run on a single machine.
95
96       -l hostlist
97              Specify a hostname that should be logged only  with  its  simple
98              hostname  and  not  the  fqdn.   Multiple hosts may be specified
99              using the colon (``:'') separator.
100
101       -n     Avoid auto-backgrounding.  This  is  needed  especially  if  the
102              rsyslogd is started and controlled by init(8).
103
104       -N  level
105              Do  a  coNfig check. Do NOT run in regular mode, just check con‐
106              figuration file correctness.  This option is meant to  verify  a
107              config file. To do so, run rsyslogd interactively in foreground,
108              specifying -f <config-file> and -N level.   The  level  argument
109              modifies  behaviour.  Currently, 0 is the same as not specifying
110              the -N option at all (so this makes limited sense) and  1  actu‐
111              ally  activates  the  code.  Later, higher levels will mean more
112              verbosity (this is a forward-compatibility option).  rsyslogd is
113              started and controlled by init(8).
114
115       -q add hostname if DNS fails during ACL processing
116              During  ACL  processing,  hostnames are resolved to IP addresses
117              for performance reasons. If DNS fails during that  process,  the
118              hostname is added as wildcard text, which results in proper, but
119              somewhat slower operation once DNS is up again.
120
121       -Q do not resolve hostnames during ACL processing
122              Do not resolve hostnames to IP addresses during ACL processing.
123
124       -s domainlist
125              Specify a domainname that should be stripped off before logging.
126              Multiple  domains may be specified using the colon (``:'') sepa‐
127              rator.  Please be advised that no sub-domains may  be  specified
128              but  only  entire domains.  For example if -s north.de is speci‐
129              fied and the host logging resolves to satu.infodrom.north.de  no
130              domain  would be cut, you will have to specify two domains like:
131              -s north.de:infodrom.north.de.
132
133       -u userlevel
134              This is a "catch all" option for some  very  seldomly-used  user
135              settings.  The "userlevel" variable selects multiple things. Add
136              the specific values to get the combined effect of them.  A value
137              of  1  prevents  rsyslogd from parsing hostnames and tags inside
138              messages.  A value of 2 prevents rsyslogd from changing  to  the
139              root  directory.  This is almost never a good idea in production
140              use. This option was introduced in support of the internal test‐
141              bed.  To combine these two features, use a userlevel of 3 (1+2).
142              Whenever you use an -u option, make sure you  really  understand
143              what you do and why you do it.
144
145       -v     Print version and exit.
146
147       -w     Suppress  warnings  issued  when messages are received from non-
148              authorized machines (those, that are in no AllowedSender list).
149
150       -x     Disable DNS for remote messages.
151

SIGNALS

153       Rsyslogd reacts to a set of signals.  You may easily send a  signal  to
154       rsyslogd using the following:
155
156              kill -SIGNAL $(cat /var/run/syslogd.pid)
157
158       Note  that -SIGNAL must be replaced with the actual signal you are try‐
159       ing to send, e.g. with HUP. So it then becomes:
160
161              kill -HUP $(cat /var/run/syslogd.pid)
162
163       HUP    This lets rsyslogd perform close all open files.  Also, in v3  a
164              full restart will be done in order to read changed configuration
165              files.  Note that this means a full rsyslogd  restart  is  done.
166              This  has, among others, the consequence that TCP and other con‐
167              nections are torn down. Also, if any queues are not  running  in
168              disk  assisted  mode or are not set to persist data on shutdown,
169              queue data is lost. HUPing rsyslogd is  an  extremely  expensive
170              operation and should only be done when actually necessary. Actu‐
171              ally, it is a rsyslgod stop immediately followed by  a  restart.
172              Future  versions  will  remove this restart functionality of HUP
173              (it will go away in v5). So it is advised to use  HUP  only  for
174              closing  files,  and  a  "real restart" (e.g. /etc/rc.d/rsyslogd
175              restart) to activate configuration changes.
176
177       TERM ,  INT ,  QUIT
178              Rsyslogd will die.
179
180       USR1   Switch debugging on/off.  This option can only be used if  rsys‐
181              logd is started with the -d debug option.
182
183       CHLD   Wait for childs if some were born, because of wall'ing messages.
184

SECURITY THREATS

186       There  is the potential for the rsyslogd daemon to be used as a conduit
187       for a denial of service attack.  A rogue program(mer) could very easily
188       flood  the  rsyslogd  daemon  with syslog messages resulting in the log
189       files consuming all the remaining space on the filesystem.   Activating
190       logging  over the inet domain sockets will of course expose a system to
191       risks outside of programs or individuals on the local machine.
192
193       There are a number of methods of protecting a machine:
194
195       1.     Implement kernel firewalling to limit which  hosts  or  networks
196              have access to the 514/UDP socket.
197
198       2.     Logging  can  be  directed to an isolated or non-root filesystem
199              which, if filled, will not impair the machine.
200
201       3.     The ext2 filesystem can be used which can be configured to limit
202              a  certain  percentage  of  a  filesystem to usage by root only.
203              NOTE that this will require rsyslogd to be  run  as  a  non-root
204              process.   ALSO NOTE that this will prevent usage of remote log‐
205              ging on the default port since rsyslogd will be unable  to  bind
206              to the 514/UDP socket.
207
208       4.     Disabling  inet  domain  sockets  will  limit  risk to the local
209              machine.
210
211   Message replay and spoofing
212       If remote logging is  enabled,  messages  can  easily  be  spoofed  and
213       replayed.   As  the messages are transmitted in clear-text, an attacker
214       might use the information  obtained  from  the  packets  for  malicious
215       things.  Also,  an  attacker  might replay recorded messages or spoof a
216       sender's IP address, which could lead to a wrong perception  of  system
217       activity.  These  can  be prevented by using GSS-API authentication and
218       encryption. Be sure to  think  about  syslog  network  security  before
219       enabling it.
220

DEBUGGING

222       When  debugging  is  turned  on  using the -d option, rsyslogd produces
223       debugging information according to the RSYSLOG_DEBUG environment  vari‐
224       able  and the signals received. When run in foreground, the information
225       is written to stdout. An additional output file can be specified  using
226       the RSYSLOG_DEBUGLOG environment variable.
227

FILES

229       /etc/rsyslog.conf
230              Configuration  file for rsyslogd.  See rsyslog.conf(5) for exact
231              information.
232       /dev/log
233              The Unix domain socket to from where local syslog  messages  are
234              read.
235       /var/run/syslogd.pid
236              The file containing the process id of rsyslogd.
237       prefix/lib/rsyslog
238              Default  directory for rsyslogd modules. The prefix is specified
239              during compilation (e.g. /usr/local).

ENVIRONMENT

241       RSYSLOG_DEBUG
242              Controls runtime debug support. It  contains  an  option  string
243              with the following options possible (all are case insensitive):
244
245              Debug  Turns  on  debugging  and  prevents forking. This is pro‐
246                     cessed earlier in the startup than command  line  options
247                     (i.e.  -d)  and as such enables earlier debugging output.
248                     Mutually exclusive with DebugOnDemand.
249              DebugOnDemand
250                     Enables debugging but turns off debug output. The  output
251                     can  be  toggled  by  sending SIGUSR1. Mutually exclusive
252                     with Debug.
253              LogFuncFlow
254                     Print out the logical flow  of  functions  (entering  and
255                     exiting them)
256              FileTrace
257                     Specifies  which  files  to trace LogFuncFlow. If not set
258                     (the default), a LogFuncFlow trace is  provided  for  all
259                     files.  Set  to limit it to the files specified.FileTrace
260                     may be specified multiple  times,  one  file  each  (e.g.
261                     export  RSYSLOG_DEBUG="LogFuncFlow  FileTrace=vm.c  File‐
262                     Trace=expr.c"
263              PrintFuncDB
264                     Print the content of the debug function database whenever
265                     debug information is printed (e.g. abort case)!
266              PrintAllDebugInfoOnExit
267                     Print  all  debug information immediately before rsyslogd
268                     exits (currently not implemented!)
269              PrintMutexAction
270                     Print mutex action as  it  happens.  Useful  for  finding
271                     deadlocks and such.
272              NoLogTimeStamp
273                     Do  not  prefix log lines with a timestamp (default is to
274                     do that).
275              NoStdOut
276                     Do not emit debug messages to stdout. If RSYSLOG_DEBUGLOG
277                     is  not  set, this means no messages will be displayed at
278                     all.
279              Help   Display a very short list of commands - hopefully a  life
280                     saver if you can't access the documentation...
281
282       RSYSLOG_DEBUGLOG
283              If  set,  writes (almost) all debug message to the specified log
284              file in addition to stdout.
285       RSYSLOG_MODDIR
286              Provides the default directory in which loadable modules reside.
287

BUGS

289       Please review the file BUGS for up-to-date information  on  known  bugs
290       and annoyances.
291

Further Information

293       Please  visit  http://www.rsyslog.com/doc  for  additional information,
294       tutorials and a support forum.
295

SEE ALSO

297       rsyslog.conf(5),   logger(1),   syslog(2),   syslog(3),    services(5),
298       savelog(8)
299

COLLABORATORS

301       rsyslogd is derived from sysklogd sources, which in turn was taken from
302       the BSD sources. Special thanks  to  Greg  Wettstein  (greg@wind.enjel‐
303       lic.com) and Martin Schulze (joey@linux.de) for the fine sysklogd pack‐
304       age.
305
306       Rainer Gerhards
307       Adiscon GmbH
308       Grossrinderfeld, Germany
309       rgerhards@adiscon.com
310
311
312
313Version 6.4.3                   16 October 2012                    RSYSLOGD(8)
Impressum