RSYSLOG.CONF(5)           Linux System Administration          RSYSLOG.CONF(5)

NAME

       rsyslog.conf - rsyslogd(8) configuration file

DESCRIPTION

       The rsyslog.conf file is the main configuration file for rsyslogd(8),
       which logs system messages on *nix systems. This file specifies rules
       for logging. For special features see the rsyslogd(8) manpage.
       Rsyslog.conf is backward-compatible with sysklogd's syslog.conf file,
       so if you migrate from sysklogd you can rename it and it should work.

       Note that this version of rsyslog ships with extensive documentation
       in html format. This is provided in the ./doc subdirectory and
       probably in a separate package if you installed rsyslog via a
       packaging system. To use rsyslog's advanced features, you need to look
       at the html documentation, because the man pages only cover basic
       aspects of operation.

MODULES

       Rsyslog has a modular design. Consequently, there is a growing number
       of modules. See the html documentation for their full description.

       omsnmp SNMP trap output module

       omgssapi
              Output module for GSS-enabled syslog

       ommysql
              Output module for MySQL

       omrelp Output module for the reliable RELP protocol (prevents message
              loss). For details, see below at imrelp and the html
              documentation. It can be used like this:

              *.*  :omrelp:server:port

              *.*  :omrelp:192.168.0.1:2514 # actual sample

       ompgsql
              Output module for PostgreSQL

       omlibdbi
              Generic database output module (Firebird/Interbase, MS SQL,
              Sybase, SQLite, Ingres, Oracle, mSQL)

       imfile Input module for text files

       imudp  Input plugin for UDP syslog. Replaces the deprecated -r option.
              Can be used like this:

              $ModLoad imudp

              $UDPServerRun 514

       imtcp  Input plugin for plain TCP syslog. Replaces the deprecated -t
              option. Can be used like this:

              $ModLoad imtcp

              $InputTCPServerRun 514

       imrelp Input plugin for the RELP protocol. RELP can be used instead of
              UDP or plain TCP syslog to provide reliable delivery of syslog
              messages. Please note that plain TCP syslog does NOT provide
              truly reliable delivery: with it, messages may be lost when
              there is a connection problem or the server shuts down. RELP
              prevents message loss in those cases. It can be used like this:

              $ModLoad imrelp

              $InputRELPServerRun 2514

       imgssapi
              Input plugin for plain TCP and GSS-enabled syslog

       immark Support for mark messages

       imklog Kernel logging. To include kernel log messages, you need to do

              $ModLoad imklog

              Please note that the klogd daemon is no longer necessary and
              consequently no longer provided by the rsyslog package.

       imuxsock
              Unix sockets, including the system log socket. You need to
              specify

              $ModLoad imuxsock

              in order to receive log messages from local system processes.
              This config directive should only be left out if you know
              exactly what you are doing.

BASIC STRUCTURE

       Lines starting with a hash mark ('#') and empty lines are ignored.
       Rsyslog.conf should contain the following sections (sorted by
       recommended order in file):

       Global directives
              Global directives set some global properties of the whole
              rsyslog daemon, for example the size of the main message queue
              ($MainMessageQueueSize), loading external modules ($ModLoad)
              and so on. All global directives need to be specified on a
              line of their own and must start with a dollar sign. The
              complete list of global directives can be found in the html
              documentation in the doc directory or online on the web pages.

       Templates
              Templates allow you to specify the format of the logged
              message. They are also used for dynamic file name generation.
              They have to be defined before they are used in rules. For
              more info about templates see the TEMPLATES section of this
              manpage.

       Output channels
              Output channels provide an umbrella for any type of output
              that the user might want. They have to be defined before they
              are used in rules. For more info about output channels see the
              OUTPUT CHANNELS section of this manpage.

       Rules (selector + action)
              Every rule line consists of two fields, a selector field and
              an action field. These two fields are separated by one or more
              spaces or tabs. The selector field specifies a pattern of
              facilities and priorities belonging to the specified action.

SELECTORS

       The selector field itself again consists of two parts, a facility and
       a priority, separated by a period ('.'). Both parts are case
       insensitive and can also be specified as decimal numbers, but don't do
       that, you have been warned. Both facilities and priorities are
       described in syslog(3). The names mentioned below correspond to the
       similar LOG_-values in /usr/include/syslog.h.

       The facility is one of the following keywords: auth, authpriv, cron,
       daemon, kern, lpr, mail, mark, news, security (same as auth), syslog,
       user, uucp and local0 through local7. The keyword security should not
       be used anymore and mark is only for internal use and therefore should
       not be used in applications. Anyway, you may want to specify and
       redirect these messages here. The facility specifies the subsystem
       that produced the message, i.e. all mail programs log with the mail
       facility (LOG_MAIL) if they log using syslog.

       The priority is one of the following keywords, in ascending order:
       debug, info, notice, warning, warn (same as warning), err, error (same
       as err), crit, alert, emerg, panic (same as emerg). The keywords
       error, warn and panic are deprecated and should not be used anymore.
       The priority defines the severity of the message.

       The behavior of the original BSD syslogd is that all messages of the
       specified priority and higher are logged according to the given
       action. Rsyslogd behaves the same, but has some extensions.

       In addition to the above mentioned names, rsyslogd(8) understands the
       following extensions: An asterisk ('*') stands for all facilities or
       all priorities, depending on where it is used (before or after the
       period). The keyword none stands for no priority of the given
       facility.

       You can specify multiple facilities with the same priority pattern in
       one statement using the comma (',') operator. You may specify as many
       facilities as you want. Remember that only the facility part from such
       a statement is taken, a priority part would be skipped.

       Multiple selectors may be specified for a single action using the
       semicolon (';') separator. Remember that each selector in the selector
       field is capable of overwriting the preceding ones. Using this
       behavior you can exclude some priorities from the pattern.

       Rsyslogd has a syntax extension to the original BSD source that makes
       its use more intuitive. You may precede every priority with an equals
       sign ('=') to specify only this single priority and not any of the
       above. You may also (both is valid, too) precede the priority with an
       exclamation mark ('!') to ignore priorities, either exactly this one
       or this and any higher priority. If you use both extensions, then the
       exclamation mark must occur before the equals sign, just use it
       intuitively.

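       The rules above, modelled as a small Python evaluator (an added
       example, not rsyslog's own code). It assumes selectors are applied
       left to right to a per-facility set of priorities; compile_selectors
       and matches are hypothetical names.

```python
# Added example: a model of the selector rules described in SELECTORS.
PRIORITIES = ["debug", "info", "notice", "warning",
              "err", "crit", "alert", "emerg"]          # ascending order
PRI_ALIASES = {"warn": "warning", "error": "err", "panic": "emerg"}
FACILITIES = ["auth", "authpriv", "cron", "daemon", "kern", "lpr", "mail",
              "mark", "news", "syslog", "user", "uucp"]
FACILITIES += ["local%d" % n for n in range(8)]
FAC_ALIASES = {"security": "auth"}


def compile_selectors(field):
    """Turn a selector field into {facility: set of matching priorities}."""
    table = {fac: set() for fac in FACILITIES}
    for selector in field.lower().split(";"):
        fac_part, dot, pri_part = selector.strip().rpartition(".")
        if not dot or not fac_part or not pri_part:
            raise ValueError("expected facility.priority, got %r" % selector)

        # '!' (ignore) must occur before '=' (this single priority only).
        negate = pri_part.startswith("!")
        if negate:
            pri_part = pri_part[1:]
        exact = pri_part.startswith("=")
        if exact:
            pri_part = pri_part[1:]

        if pri_part == "*":
            affected = set(PRIORITIES)
        elif pri_part == "none":
            # "none" stands for no priority of the given facility.
            affected, negate = set(PRIORITIES), True
        else:
            name = PRI_ALIASES.get(pri_part, pri_part)
            if name not in PRIORITIES:
                raise ValueError("unknown priority %r" % pri_part)
            start = PRIORITIES.index(name)
            # Without '=', the named priority and everything higher.
            affected = {name} if exact else set(PRIORITIES[start:])

        names = [n.strip() for n in fac_part.split(",")]
        if "*" in names:
            targets = FACILITIES
        else:
            targets = [FAC_ALIASES.get(n, n) for n in names]
            for fac in targets:
                if fac not in table:
                    raise ValueError("unknown facility %r" % fac)

        # A later selector overwrites what earlier ones set for its facilities.
        for fac in targets:
            if negate:
                table[fac] -= affected
            else:
                table[fac] |= affected
    return table


def matches(field, facility, priority):
    """True if a message with this facility and priority hits the rule."""
    table = compile_selectors(field)
    facility = FAC_ALIASES.get(facility, facility)
    return PRI_ALIASES.get(priority, priority) in table[facility]


if __name__ == "__main__":
    rule = "*.info;mail.none;authpriv.none"   # constructed sample selector
    for fac, pri in [("cron", "notice"), ("mail", "err"), ("cron", "debug")]:
        print(rule, fac, pri, matches(rule, fac, pri))
```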

ACTIONS

       The action field of a rule describes what to do with the message. In
       general, message content is written to a kind of "logfile". But also
       other actions might be done, like writing to a database table or
       forwarding to another host.

   Regular file
       Typically messages are logged to real files. The file has to be
       specified with full pathname, beginning with a slash ('/').

       Example:
              *.*     /var/log/traditionalfile.log;RSYSLOG_TraditionalFormat      # log to a file in the traditional format

       Note: if you would like to use high-precision timestamps in your log
       files, just remove the ";RSYSLOG_TraditionalFormat". That will select
       the default template, which, if not changed, uses RFC 3339
       timestamps.

       Example:
              *.*     /var/log/file.log # log to a file with RFC3339 timestamps

   Named pipes
       This version of rsyslogd(8) has support for logging output to named
       pipes (fifos). A fifo or named pipe can be used as a destination for
       log messages by prepending a pipe symbol ('|') to the name of the
       file. This is handy for debugging. Note that the fifo must be created
       with the mkfifo(1) command before rsyslogd(8) is started.

   Terminal and console
       If the file you specified is a tty, special tty-handling is done,
       same with /dev/console.

   Remote machine
       There are three ways to forward messages: the traditional UDP
       transport, which is extremely lossy but standard, the plain TCP based
       transport, which loses messages only during certain situations but is
       widely available, and the RELP transport, which does not lose
       messages but is currently available only as part of rsyslogd 3.15.0
       and above.

       To forward messages to another host via UDP, prepend the hostname
       with the at sign ("@"). To forward it via plain tcp, prepend two at
       signs ("@@"). To forward via RELP, prepend the string ":omrelp:" in
       front of the hostname.

       Example:
              *.* @192.168.0.1

       In the example above, messages are forwarded via UDP to the machine
       192.168.0.1, the destination port defaults to 514. Due to the nature
       of UDP, you will probably lose some messages in transit. If you
       expect high traffic volume, you can expect to lose a quite noticeable
       number of messages (the higher the traffic, the more likely and
       severe is message loss).

       If you would like to prevent message loss, use RELP:
              *.* :omrelp:192.168.0.1:2514

       Note that a port number was given as there is no standard port for
       relp.

       Keep in mind that you need to load the correct input and output
       plugins (see "Modules" above).

       Please note that rsyslogd offers a variety of options regarding
       remote forwarding. For full details, please see the html
       documentation.

   List of users
       Usually critical messages are also directed to "root" on that
       machine. You can specify a list of users that shall get the message
       by simply writing the login. You may specify more than one user by
       separating them with commas (','). If they're logged in they get the
       message. Don't think a mail would be sent, that might be too late.

   Everyone logged on
       Emergency messages often go to all users currently online to notify
       them that something strange is happening with the system. To specify
       this wall(1)-feature use an asterisk ('*').

   Database table
       This allows logging of the message to a database table. By default, a
       MonitorWare-compatible schema is required for this to work. You can
       create that schema with the createDB.SQL file that came with the
       rsyslog package. You can also use any other schema of your liking -
       you just need to define a proper template and assign this template to
       the action.

       See the html documentation for further details on database logging.

   Discard
       If the discard action is carried out, the received message is
       immediately discarded. Discard can be highly effective if you want to
       filter out some annoying messages that otherwise would fill your log
       files. To do that, place the discard actions early in your
       configuration file. This often plays well with property-based
       filters, giving you great freedom in specifying what you do not want.

       Discard is just the single tilde character with no further
       parameters.

       Example:
              *.*   ~      # discards everything.

   Output channel
       Binds an output channel definition (see there for details) to this
       action. Output channel actions must start with a $-sign, e.g. if you
       would like to bind your output channel definition "mychannel" to the
       action, use "$mychannel". Output channels support template
       definitions like all other actions.

   Shell execute
       This executes a program in a subshell. The program is passed the
       template-generated message as the only command line parameter.
       Rsyslog waits until the program terminates and only then continues to
       run.

       Example:
              ^program-to-execute;template

       The program-to-execute can be any valid executable. It receives the
       template string as a single parameter (argv[1]).

FILTER CONDITIONS

       Rsyslog offers three different types of "filter conditions":
          * "traditional" severity and facility based selectors
          * property-based filters
          * expression-based filters

   Blocks
       Rsyslogd supports BSD-style blocks inside rsyslog.conf. Each block of
       lines is separated from the previous block by a program or hostname
       specification. A block will only log messages corresponding to the
       most recent program and hostname specifications given. Thus, if a
       block which selects "ppp" as the program is directly followed by a
       block that selects messages from the hostname "dialhost", the second
       block will only log messages from the ppp program on dialhost.

   Selectors
       Selectors are the traditional way of filtering syslog messages. They
       have been kept in rsyslog with their original syntax, because it is
       well-known, highly effective and also needed for compatibility with
       stock syslogd configuration files. If you just need to filter based
       on priority and facility, you should do this with selector lines.
       They are not second-class citizens in rsyslog and offer the best
       performance for this job.

   Property-Based Filters
       Property-based filters are unique to rsyslogd. They allow you to
       filter on any property, like HOSTNAME, syslogtag and msg.

       A property-based filter must start with a colon in column 0. This
       tells rsyslogd that it is the new filter type. The colon must be
       followed by the property name, a comma, the name of the compare
       operation to carry out, another comma and then the value to compare
       against. This value must be quoted. There can be spaces and tabs
       between the commas. Property names and compare operations are
       case-sensitive, so "msg" works, while "MSG" is an invalid property
       name. In brief, the syntax is as follows:

              :property, [!]compare-operation, "value"

       The following compare-operations are currently supported:

              contains
                     Checks if the string provided in value is contained in
                     the property

              isequal
                     Compares the "value" string provided and the property
                     contents. These two values must be exactly equal to
                     match.

              startswith
                     Checks if the value is found exactly at the beginning
                     of the property value

              regex
                     Compares the property against the provided regular
                     expression.

   Expression-Based Filters
       See the html documentation for this feature.

TEMPLATES

       Every output in rsyslog uses templates - this holds true for files,
       user messages and so on. Templates compatible with the stock syslogd
       formats are hardcoded into rsyslogd. If no template is specified, we
       use one of these hardcoded templates. Search for "template_" in
       syslogd.c and you will find the hardcoded ones.

       A template consists of a template directive, a name, the actual
       template text and optional options. A sample is:

              $template MyTemplateName,"\7Text %property% some more text\n",<options>

       The "$template" is the template directive. It tells rsyslog that this
       line contains a template. The backslash is an escape character. For
       example, \7 rings the bell (this is an ASCII value), \n is a new
       line. The set in rsyslog is a bit restricted currently.

       All text in the template is used literally, except for things within
       percent signs. These are properties and allow you access to the
       contents of the syslog message. Properties are accessed via the
       property replacer and it can for example pick a substring or do
       date-specific formatting. More on this is in the PROPERTY REPLACER
       section of this manpage.

       To escape:
          % = \%
          \ = \\ --> '\' is used to escape (as in C)

       $template TraditionalFormat,"%timegenerated% %HOSTNAME% %syslogtag%%msg%\n"

       Properties can be accessed by the property replacer (see there for
       details).

       Please note that templates can also be used to generate selector
       lines with dynamic file names. For example, if you would like to
       split syslog messages from different hosts to different files (one
       per host), you can define the following template:

              $template DynFile,"/var/log/system-%HOSTNAME%.log"

       This template can then be used when defining an output selector line.
       It will result in something like "/var/log/system-localhost.log"

   Template options
       The <options> part is optional. It carries options influencing the
       template as a whole. See details below. Be sure NOT to mistake
       template options for property options - the latter are processed by
       the property replacer and apply to a SINGLE property only (and not
       the whole template).

       Template options are case-insensitive. Currently defined are:

              sql    format the string suitable for a SQL statement in MySQL
                     format. This will replace single quotes ("'") and the
                     backslash character by their backslash-escaped
                     counterpart ("\'" and "\\") inside each field. Please
                     note that in MySQL configuration, the
                     NO_BACKSLASH_ESCAPES mode must be turned off for this
                     format to work (this is the default).

              stdsql format the string suitable for a SQL statement that is
                     to be sent to a standards-compliant sql server. This
                     will replace single quotes ("'") by two single quotes
                     ("''") inside each field. You must use stdsql together
                     with MySQL if in MySQL configuration the
                     NO_BACKSLASH_ESCAPES is turned on.

       Either the sql or stdsql option MUST be specified when a template is
       used for writing to a database, otherwise injection might occur.
       Please note that due to the unfortunate fact that several vendors
       have violated the sql standard and introduced their own escape
       methods, it is impossible to have a single option doing all the work.
       So you yourself must make sure you are using the right format. If you
       choose the wrong one, you are still vulnerable to sql injection.

       Please note that the database writer *checks* that the sql option is
       present in the template. If it is not present, the write database
       action is disabled. This is to guard you against accidentally
       forgetting it and then becoming vulnerable to SQL injection. The sql
       option can also be useful with files - especially if you want to
       import them into a database on another machine for performance
       reasons. However, do NOT use it if you do not have a real need for it
       - among others, it takes some toll on the processing time. Not much,
       but on a really busy system you might notice it ;)

       The default template for the write to database action has the sql
       option set.

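       Why the choice between sql and stdsql matters, as an added Python
       example that is not part of rsyslog: it applies each escaping rule
       described above to a constructed message and runs the resulting
       INSERT on SQLite, which stands in here for a standards-compliant
       server without backslash escapes. The function names, the statement
       and the table layout are assumptions.

```python
import sqlite3

# Constructed statement with one quoted field, in the style of a database
# template; the table and column names are made up for this example.
STATEMENT = "INSERT INTO systemevents (message) VALUES ('%s')"


def escape_sql(field):
    """The 'sql' option: backslash-escape backslashes and single quotes."""
    return field.replace("\\", "\\\\").replace("'", "\\'")


def escape_stdsql(field):
    """The 'stdsql' option: replace each single quote by two single quotes."""
    return field.replace("'", "''")


def stored_rows(msg, escape):
    """Render the statement for msg, run it on an empty table, return the rows."""
    db = sqlite3.connect(":memory:")
    try:
        db.execute("CREATE TABLE systemevents (message TEXT)")
        try:
            db.execute(STATEMENT % escape(msg))
        except sqlite3.Error as exc:
            return ["statement rejected: %s" % exc]
        query = "SELECT message FROM systemevents ORDER BY rowid"
        return [row[0] for row in db.execute(query)]
    finally:
        db.close()


if __name__ == "__main__":
    # Constructed messages: an ordinary apostrophe, and text that tries to
    # close the quoted field early.
    for msg in ["can't open file", "x'), (42) --"]:
        for escape in (escape_sql, escape_stdsql):
            print("%-14s %-18r -> %r" % (escape.__name__, msg,
                                         stored_rows(msg, escape)))
```

       On this server the sql escaping stores the second constructed message
       as two rows and rejects the first one outright, while stdsql stores
       each message verbatim as a single row.
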
   Template examples
       Please note that the samples are split across multiple lines. A
       template MUST NOT actually be split across multiple lines.

       A template that resembles traditional syslogd file output:

              $template TraditionalFormat,"%timegenerated% %HOSTNAME%
              %syslogtag%%msg:::drop-last-lf%\n"

       A template that tells you a little more about the message:

              $template precise,"%syslogpriority%,%syslogfacility%,
              %timegenerated%,%HOSTNAME%,
              %syslogtag%,%msg%\n"

       A template for RFC 3164 format:

              $template RFC3164fmt,"<%PRI%>%TIMESTAMP% %HOSTNAME%
              %syslogtag%%msg%"

       A template for the format traditionally used for user messages:

              $template usermsg," XXXX%syslogtag%%msg%\n\r"

       And a template with the traditional wall-message format:

              $template wallmsg,"\r\n\7Message from syslogd@%HOSTNAME%
              at %timegenerated%"

       A template that can be used for writing to a database (please note
       the SQL template option):

              $template MySQLInsert,"insert into systemevents (iut, message,
              receivedat) values ('%iut%', '%msg:::UPPERCASE%',
              '%timegenerated:::date-mysql%')\r\n", SQL

              NOTE 1: This template is embedded into the core application
              under the name StdDBFmt, so you don't need to define it.

              NOTE 2: You have to have the MySQL module installed to use
              this template.

OUTPUT CHANNELS

       Output Channels are a new concept first introduced in rsyslog 0.9.0.
       As of this writing, it is most likely that they will be replaced by
       something different in the future. So if you use them, be prepared to
       change your configuration file syntax when you upgrade to a later
       release.

       Output channels are defined via an $outchannel directive. Its syntax
       is as follows:

              $outchannel name,file-name,max-size,action-on-max-size

       name is the name of the output channel (not the file), file-name is
       the file name to be written to, max-size the maximum allowed size and
       action-on-max-size a command to be issued when the max size is
       reached. This command always has exactly one parameter. The binary is
       that part of action-on-max-size before the first space, its parameter
       is everything behind that space.

       Keep in mind that $outchannel just defines a channel with "name". It
       does not activate it. To do so, you must use a selector line (see
       below). That selector line includes the channel name plus a $ sign in
       front of it. A sample might be:

              *.* $mychannel

PROPERTY REPLACER

584       The property replacer is a core component in  rsyslogd's  output
585       system. A syslog message has a number of well-defined properties
586       (see below). Each of this properties can be accessed and manipu‐
587       lated  by the property replacer. With it, it is easy to use only
588       part of a property value or manipulate the value, e.g.  by  con‐
589       verting all characters to lower case.
590
591
592   Accessing Properties
593       Syslog  message  properties  are used inside templates. They are
594       accessed by putting them between percent signs.  Properties  can
595       be modified by the property replacer. The full syntax is as fol‐
596       lows:
597
598              %propname:fromChar:toChar:options%
599
600       propname is the name of the property to access.  It is case-sen‐
601       sitive.
602
603
604   Available Properties
605       msg    the MSG part of the message (aka "the message" ;))
606
607       rawmsg the  message  exactly as it was received from the socket.
608              Should be useful for debugging.
609
610       HOSTNAME
611              hostname from the message
612
613       FROMHOST
614              hostname of the system the message was received from  (in
615              a relay chain, this is the system immediately in front of
616              us and not necessarily the original sender)
617
618       syslogtag
619              TAG from the message
620
621       programname
622              the "static" part of the tag, as defined by BSD  syslogd.
623              For  example,  when TAG is "named[12345]", programname is
624              "named".
625
626       PRI    PRI part of the message - undecoded (single value)
627
628       PRI-text
629              the PRI part of the message in a textual form (e.g. "sys‐
630              log.info")
631
632       IUT    the  monitorware  InfoUnitType  -  used when talking to a
633              MonitorWare backend (also for phpLogCon)
634
635       syslogfacility
636              the facility from the message - in numerical form
637
638       syslogfacility-text
639              the facility from the message - in text form
640
641       syslogseverity
642              severity from the message - in numerical form
643
644       syslogseverity-text
645              severity from the message - in text form
646
647       timegenerated
648              timestamp when the message was RECEIVED. Always  in  high
649              resolution
650
651       timereported
652              timestamp  from  the  message. Resolution depends on what
653              was provided in the message (in most cases, only seconds)
654
655       TIMESTAMP
656              alias for timereported
657
658       PROTOCOL-VERSION
659              The contents of  the  PROTOCOL-VERSION  field  from  IETF
660              draft draft-ietf-syslog-protocol
661
662       STRUCTURED-DATA
663              The contents of the STRUCTURED-DATA field from IETF draft
664              draft-ietf-syslog-protocol
665
666       APP-NAME
667              The contents of the APP-NAME field from IETF draft draft-
668              ietf-syslog-protocol
669
670       PROCID The  contents  of the PROCID field from IETF draft draft-
671              ietf-syslog-protocol
672
673       MSGID  The contents of the MSGID field from  IETF  draft  draft-
674              ietf-syslog-protocol
675
676       $NOW   The current date stamp in the format YYYY-MM-DD
677
678       $YEAR  The current year (4-digit)
679
680       $MONTH The current month (2-digit)
681
682       $DAY   The current day of the month (2-digit)
683
684       $HOUR  The current hour in military (24 hour) time (2-digit)
685
686       $MINUTE
687              The current minute (2-digit)
688
689
690       Properties  starting  with a $-sign are so-called system proper‐
691       ties. These do NOT stem from the message but are  rather  inter‐
692       nally-generated.
693
694
695   Character Positions
696       FromChar  and  toChar are used to build substrings. They specify
697       the offset within the  string  that  should  be  copied.  Offset
698       counting starts at 1, so if you need to obtain the first 2 char‐
699       acters  of  the  message  text,  you  can   use   this   syntax:
700       "%msg:1:2%".  If you do not wish to specify from and to, but you
701       want to specify options, you still need to include  the  colons.
702       For  example, if you would like to convert the full message text
703       to lower case, use "%msg:::lowercase%". If  you  would  like  to
704       extract  from  a  position  until the end of the string, you can
705       place a dollar-sign ("$") in toChar (e.g. %msg:10:$%, which will
706       extract from position 10 to the end of the string).
707
708       There is also support for regular expressions.  To use them, you
709       need to place a "R" into FromChar.  This tells  rsyslog  that  a
710       regular  expression  instead  of  position-based  extraction  is
711       desired. The actual regular expression must then be provided  in
712       toChar.  The  regular  expression must be followed by the string
713       "--end". It denotes the end of the regular expression  and  will
714       not  become  part  of it.  If you are using regular expressions,
715       the property replacer will return the part of the property  text
716       that  matches  the regular expression. An example for a property
717       replacer sequence with a regular expression is:  "%msg:R:.*Sev:.
718       \(.*\) \[.*--end%"
719
720       Also,  extraction can be done based on so-called "fields". To do
721       so, place a "F" into FromChar. A field in its current definition
722       is  anything  that  is  delimited  by a delimiter character. The
723       delimiter by default is TAB (US-ASCII value 9). However, it  can
724       be changed to any other US-ASCII character by specifying a comma
725       and the decimal US-ASCII  value  of  the  delimiter  immediately
726       after  the  "F". For example, to use comma (",") as a delimiter,
727       use this field specifier: "F,44".  If your syslog data is delim‐
728       ited,  this is a quicker way to extract than via regular expres‐
729       sions (actually, a *much* quicker way). Field counting starts at
730       1.  Field zero is accepted, but will always lead to a "field not
731       found" error. The same happens if a field number higher than the
732       number  of fields in the property is requested. The field number
733       must be placed in the "ToChar" parameter. An example  where  the
734       3rd  field (delimited by TAB) from the msg property is extracted
735       is as follows: "%msg:F:3%". The same example with  semicolon  as
736       delimiter is "%msg:F,59:3%".
737
738       Please  note  that  the special characters "F" and "R" are case-
739       sensitive. Only upper case works,  lower  case  will  return  an
740       error.  There  are no white spaces permitted inside the sequence
741       (that will lead to error  messages  and  will  NOT  provide  the
742       intended result).
743
744
745   Property Options
746       Property  options are case-insensitive. Currently, the following
747       options are defined:
748
749       uppercase
750              convert property text to uppercase only
751
752       lowercase
753              convert property text to lowercase only
754
755       drop-last-lf
756              The last LF in the message (if any),  is  dropped.  Espe‐
757              cially useful for PIX.
758
759       date-mysql
760              format as mysql date
761
762       date-rfc3164
763              format as RFC 3164 date
764
765       date-rfc3339
766              format as RFC 3339 date
767
768       escape-cc
769              replace  control  characters  (ASCII value 127 and values
770              less than 32) with an escape sequence.  The  sequence  is
771              "#<charval>"  where  charval is the 3-digit decimal value
772              of the control character. For example, a tabulator  would
773              be replaced by "#009".
774
775       space-cc
776              replace control characters by spaces
777
778       drop-cc
779              drop  control characters - the resulting string will nei‐
780              ther contain control characters, escape sequences nor any
781              other replacement character like space.
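
       The following Python model is an added example, not rsyslog's own code. It evaluates a property replacer spec using only the rules stated above (1-based positions, "$" as end, "F" fields, one option) and shows how escape-cc neutralizes a forged line break in a constructed message. Assumptions: the function name, a single option per spec, and drop-last-lf acting on a trailing LF; "R" regular expressions are not modelled.

```python
import re

CONTROL = re.compile(r"[\x00-\x1f\x7f]")  # ASCII 127 and values below 32

OPTIONS = {
    "": lambda s: s,
    "uppercase": str.upper,
    "lowercase": str.lower,
    # assumption: "last LF" means a trailing LF
    "drop-last-lf": lambda s: s[:-1] if s.endswith("\n") else s,
    "escape-cc": lambda s: CONTROL.sub(lambda m: "#%03d" % ord(m.group()), s),
    "space-cc": lambda s: CONTROL.sub(" ", s),
    "drop-cc": lambda s: CONTROL.sub("", s),
}

def replace(spec, props):
    """Evaluate one 'name:FromChar:toChar:option' spec (without the % signs)."""
    name, frm, to, opt = (spec.split(":") + ["", "", ""])[:4]
    text = props[name]
    if frm == "R":
        raise NotImplementedError("regular expressions are not modelled here")
    if frm.startswith("F"):                  # field mode: "F" or "F,<decimal ASCII>"
        delim = chr(int(frm[2:])) if frm[1:2] == "," else "\t"
        fields = text.split(delim)
        n = int(to)                          # the field number is given in toChar
        if n < 1 or n > len(fields):         # field 0 or past the last field
            raise ValueError("field not found")
        text = fields[n - 1]
    elif frm or to:                          # position mode: 1-based, inclusive
        start = int(frm) if frm else 1       # lower-case "f"/"r" fail here
        end = len(text) if to in ("", "$") else int(to)
        text = text[start - 1:end]
    return OPTIONS[opt.lower()](text)        # option names are case-insensitive

# Constructed sample: a message whose embedded LF tries to forge a second log line.
SAMPLE = {"msg": "login failed for user=bob\n"
                 "Jan  1 00:00:00 host sshd[1]: Accepted password for root"}

if __name__ == "__main__":
    print(replace("msg:::escape-cc", SAMPLE))  # LF is written as #010, one line
    print(replace("msg:1:12", SAMPLE))         # first 12 characters
    print(replace("msg:F,61:2:drop-cc", {"msg": "user=bob\x07"}))  # field after "="
```
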
782
783

QUEUED OPERATIONS

785       Rsyslogd  supports  queued  operations to handle offline outputs
786       (like remote syslogd's or database  servers  being  down).  When
787       running  in queued mode, rsyslogd buffers messages to memory and
788       optionally to disk (on an as-needed basis). Queues survive rsys‐
789       logd restarts.
790
791       It  is  highly  suggested  to use remote forwarding and database
792       writing in queued mode, only.
793
794       To learn more about queued operations, see the  html  documenta‐
795       tion.
796
797

FILES

799       /etc/rsyslog.conf
800              Configuration file for rsyslogd
801

SEE ALSO

803       rsyslogd(8), logger(1), syslog(3)
804
805       The complete documentation can be found in the doc folder of the
806       rsyslog distribution or online at
807
808              http://www.rsyslog.com/doc
809
810       Please note that the man page reflects only a subset of the con‐
811       figuration  options.  Be sure to read the html documentation for
812       all features and details. This is especially vital if  you  plan
813       to set up a more-than-extremely-simple system.
814

AUTHORS

816       rsyslogd is taken from sysklogd sources, which have been heavily
817       modified by Rainer Gerhards (rgerhards@adiscon.com) and others.
818
819
820
821Version 3.18.0                   11 July 2008                  RSYSLOG.CONF(5)