RSYSLOG.CONF(5)           Linux System Administration          RSYSLOG.CONF(5)

NAME

       rsyslog.conf - rsyslogd(8) configuration file

DESCRIPTION

       The rsyslog.conf file is the main configuration file for rsyslogd(8),
       which logs system messages on *nix systems. This file specifies rules
       for logging. For special features see the rsyslogd(8) manpage.
       Rsyslog.conf is backward-compatible with sysklogd's syslog.conf file,
       so if you migrate from sysklogd you can rename it and it should work.

       Note that this version of rsyslog ships with extensive documentation in
       HTML format. This is provided in the ./doc subdirectory and probably
       in a separate package if you installed rsyslog via a packaging system.
       To use rsyslog's advanced features, you need to look at the HTML
       documentation, because the man pages only cover basic aspects of
       operation.

MODULES

       Rsyslog has a modular design. Consequently, there is a growing number
       of modules. See the HTML documentation for their full description.

       omsnmp SNMP trap output module

       omgssapi
              Output module for GSS-enabled syslog

       ommysql
              Output module for MySQL

       omrelp Output module for the reliable RELP protocol (prevents message
              loss). For details, see below at imrelp and the HTML
              documentation. It can be used like this:

              *.*  :omrelp:server:port

              *.*  :omrelp:192.168.0.1:2514 # actual sample

       ompgsql
              Output module for PostgreSQL

       omlibdbi
              Generic database output module (Firebird/Interbase, MS SQL,
              Sybase, SQLite, Ingres, Oracle, mSQL)

       imfile Input module for text files

       imudp  Input plugin for UDP syslog. Replaces the deprecated -r option.
              Can be used like this:

              $ModLoad imudp

              $UDPServerRun 514

       imtcp  Input plugin for plain TCP syslog. Replaces the deprecated -t
              option. Can be used like this:

              $ModLoad imtcp

              $InputTCPServerRun 514

       imrelp Input plugin for the RELP protocol. RELP can be used instead of
              UDP or plain TCP syslog to provide reliable delivery of syslog
              messages. Please note that plain TCP syslog does NOT provide
              truly reliable delivery: with it, messages may be lost when
              there is a connection problem or the server shuts down. RELP
              prevents message loss in those cases. It can be used like this:

              $ModLoad imrelp

              $InputRELPServerRun 2514

       imgssapi
              Input plugin for plain TCP and GSS-enabled syslog

       immark Support for mark messages

       imklog Kernel logging. To include kernel log messages, you need to do

              $ModLoad imklog

              Please note that the klogd daemon is no longer necessary and
              consequently no longer provided by the rsyslog package.

       imuxsock
              Unix sockets, including the system log socket. You need to
              specify

              $ModLoad imuxsock

              in order to receive log messages from local system processes.
              This config directive should only be left out if you know
              exactly what you are doing.

BASIC STRUCTURE

       Lines starting with a hash mark ('#') and empty lines are ignored.
       Rsyslog.conf should contain the following sections (sorted by
       recommended order in the file):

       Global directives
              Global directives set some global properties of the whole
              rsyslog daemon, for example the size of the main message queue
              ($MainMessageQueueSize), loading external modules ($ModLoad)
              and so on. All global directives need to be specified on a line
              of their own and must start with a dollar sign. The complete
              list of global directives can be found in the HTML
              documentation in the doc directory or online on the web pages.

       Templates
              Templates allow you to specify the format of the logged
              message. They are also used for dynamic file name generation.
              They have to be defined before they are used in rules. For more
              info about templates see the TEMPLATES section of this manpage.

       Output channels
              Output channels provide an umbrella for any type of output that
              the user might want. They have to be defined before they are
              used in rules. For more info about output channels see the
              OUTPUT CHANNELS section of this manpage.

       Rules (selector + action)
              Every rule line consists of two fields, a selector field and an
              action field. These two fields are separated by one or more
              spaces or tabs. The selector field specifies a pattern of
              facilities and priorities belonging to the specified action.

SELECTORS

       The selector field itself again consists of two parts, a facility and
       a priority, separated by a period ('.'). Both parts are case
       insensitive and can also be specified as decimal numbers, but don't do
       that, you have been warned. Both facilities and priorities are
       described in syslog(3). The names mentioned below correspond to the
       similar LOG_-values in /usr/include/syslog.h.

       The facility is one of the following keywords: auth, authpriv, cron,
       daemon, kern, lpr, mail, mark, news, security (same as auth), syslog,
       user, uucp and local0 through local7. The keyword security should not
       be used anymore and mark is only for internal use and therefore should
       not be used in applications. Anyway, you may want to specify and
       redirect these messages here. The facility specifies the subsystem
       that produced the message, i.e. all mail programs log with the mail
       facility (LOG_MAIL) if they log using syslog.

       The priority is one of the following keywords, in ascending order:
       debug, info, notice, warning, warn (same as warning), err, error (same
       as err), crit, alert, emerg, panic (same as emerg). The keywords error,
       warn and panic are deprecated and should not be used anymore. The
       priority defines the severity of the message.

       The behavior of the original BSD syslogd is that all messages of the
       specified priority and higher are logged according to the given
       action. Rsyslogd behaves the same, but has some extensions.

       In addition to the above mentioned names, rsyslogd(8) understands the
       following extensions: An asterisk ('*') stands for all facilities or
       all priorities, depending on where it is used (before or after the
       period). The keyword none stands for no priority of the given
       facility.

       You can specify multiple facilities with the same priority pattern in
       one statement using the comma (',') operator. You may specify as many
       facilities as you want. Remember that only the facility part from such
       a statement is taken, a priority part would be skipped.

       Multiple selectors may be specified for a single action using the
       semicolon (';') separator. Remember that each selector in the selector
       field is capable of overwriting the preceding ones. Using this
       behavior you can exclude some priorities from the pattern.

       Rsyslogd has a syntax extension to the original BSD source that makes
       its use more intuitive. You may precede every priority with an equals
       sign ('=') to specify only this single priority and not any of the
       above. You may also (both are valid, too) precede the priority with an
       exclamation mark ('!') to ignore those priorities, either exactly this
       one or this and any higher priority. If you use both extensions then
       the exclamation mark must occur before the equals sign, just use it
       intuitively.
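       The selector rules above, worked through as an added example (not
       part of rsyslog or of this manpage): a small evaluator that reports
       which actions a given facility/priority pair reaches, useful for
       checking that authpriv messages stay out of general-purpose files.
       The rule lines and file names in SAMPLE_RULES are constructed, and a
       priority written in the facility list is rejected here rather than
       skipped.

```python
# Added example: evaluates selector fields as described in SELECTORS.
PRIORITIES = ["debug", "info", "notice", "warning", "err", "crit", "alert", "emerg"]
PRIORITY_ALIASES = {"warn": "warning", "error": "err", "panic": "emerg"}
FACILITIES = ["auth", "authpriv", "cron", "daemon", "kern", "lpr", "mail", "mark",
              "news", "syslog", "user", "uucp"] + ["local%d" % i for i in range(8)]
FACILITY_ALIASES = {"security": "auth"}


def _facility(name):
    name = FACILITY_ALIASES.get(name, name)
    if name not in FACILITIES:
        raise ValueError("unknown facility: %r" % name)
    return name


def _priority_index(name):
    name = PRIORITY_ALIASES.get(name, name)
    if name not in PRIORITIES:
        raise ValueError("unknown priority: %r" % name)
    return PRIORITIES.index(name)


def compile_selector_field(field):
    """Return {facility: set of priorities} selected by a whole selector field."""
    table = {fac: set() for fac in FACILITIES}
    for selector in field.lower().split(";"):          # keywords are case insensitive
        fac_part, dot, prio_part = selector.strip().rpartition(".")
        if not dot or not fac_part or not prio_part:
            raise ValueError("selector must be facility.priority: %r" % selector)
        if fac_part == "*":
            facs = FACILITIES
        else:
            facs = [_facility(f) for f in fac_part.split(",")]
        negate = prio_part.startswith("!")             # '!' must precede '='
        prio_part = prio_part[1:] if negate else prio_part
        exact = prio_part.startswith("=")
        prio_part = prio_part[1:] if exact else prio_part
        if prio_part == "none":                        # no priority of this facility
            affected, negate = set(PRIORITIES), True
        elif prio_part == "*":
            affected = set(PRIORITIES)
        else:
            idx = _priority_index(prio_part)
            # '=' selects one priority; otherwise this priority and all higher ones.
            affected = {PRIORITIES[idx]} if exact else set(PRIORITIES[idx:])
        for fac in facs:
            # A later selector overwrites earlier ones for the facilities it names.
            table[fac] = table[fac] - affected if negate else table[fac] | affected
    return table


def matches(field, facility, priority):
    """True if a message with this facility and priority is selected by the field."""
    table = compile_selector_field(field)
    prio = PRIORITIES[_priority_index(priority.lower())]
    return prio in table[_facility(facility.lower())]


# Constructed sample rules: (selector field, action).
SAMPLE_RULES = [
    ("*.info;mail.none;authpriv.none;cron.none", "/var/log/messages"),
    ("authpriv.*", "/var/log/secure"),
    ("*.emerg", ":omusrmsg:*"),
    ("kern.=debug", "/var/log/kern-debug.log"),
]


def destinations(rules, facility, priority):
    """List the actions that receive a message, in rule order."""
    return [action for field, action in rules if matches(field, facility, priority)]


if __name__ == "__main__":
    for fac, prio in [("authpriv", "info"), ("kern", "emerg"), ("mail", "err")]:
        print(fac, prio, destinations(SAMPLE_RULES, fac, prio))
```

       An empty result, as for mail.err with these sample rules, means the
       message is not logged anywhere.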

ACTIONS

       The action field of a rule describes what to do with the message. In
       general, message content is written to a kind of "logfile". But other
       actions might also be done, like writing to a database table or
       forwarding to another host.

   Regular file
       Typically messages are logged to real files. The file has to be
       specified with its full pathname, beginning with a slash ('/').

       Example:
              *.*     /var/log/traditionalfile.log;RSYSLOG_TraditionalFileFormat      # log to a file in the traditional format

       Note: if you would like to use high-precision timestamps in your log
       files, just remove the ";RSYSLOG_TraditionalFileFormat". That will
       select the default template, which, if not changed, uses RFC 3339
       timestamps.

       Example:
              *.*     /var/log/file.log # log to a file with RFC3339 timestamps

       By default, files are not synced after each write. To enable syncing of
       log files globally, use either the "$ActionFileEnableSync" directive or
       the "sync" parameter to omfile. Enabling this option degrades
       performance and it is advised not to enable syncing unless you know
       what you are doing. To selectively disable syncing for certain files,
       you may prefix the file path with a minus sign ("-").

   Named pipes
       This version of rsyslogd(8) has support for logging output to named
       pipes (fifos). A fifo or named pipe can be used as a destination for
       log messages by prepending a pipe symbol ('|') to the name of the
       file. This is handy for debugging. Note that the fifo must be created
       with the mkfifo(1) command before rsyslogd(8) is started.

   Terminal and console
       If the file you specified is a tty, special tty-handling is done, same
       with /dev/console.

   Remote machine
       There are three ways to forward messages: the traditional UDP
       transport, which is extremely lossy but standard, the plain TCP based
       transport, which loses messages only during certain situations but is
       widely available, and the RELP transport, which does not lose messages
       but is currently available only as part of rsyslogd 3.15.0 and above.

       To forward messages to another host via UDP, prepend the hostname with
       the at sign ("@"). To forward it via plain tcp, prepend two at signs
       ("@@"). To forward via RELP, prepend the string ":omrelp:" in front of
       the hostname.

       Example:
              *.* @192.168.0.1

       In the example above, messages are forwarded via UDP to the machine
       192.168.0.1; the destination port defaults to 514. Due to the nature
       of UDP, you will probably lose some messages in transit. If you expect
       high traffic volume, you can expect to lose a quite noticeable number
       of messages (the higher the traffic, the more likely and severe is
       message loss).

       Sockets for forwarded messages can be bound to a specific device using
       the "device" option for the omfwd module.

       Example:
              action(type="omfwd" Target="192.168.0.1" Device="eth0" Port="514" Protocol="udp")

       In the example above, messages are forwarded via UDP to the machine
       192.168.0.1 at port 514 over the device eth0. TCP can be used by
       setting Protocol to "tcp" in the above example.

       For Linux with VRF support, the device option is used to specify the
       VRF to send messages.

       If you would like to prevent message loss, use RELP:
              *.* :omrelp:192.168.0.1:2514

       Note that a port number was given as there is no standard port for
       relp.

       Keep in mind that you need to load the correct input and output
       plugins (see "Modules" above).

       Please note that rsyslogd offers a variety of options regarding remote
       forwarding. For full details, please see the HTML documentation.

   List of users
       Usually critical messages are also directed to "root" on that machine.
       You can specify a list of users that shall get the message by simply
       writing ":omusrmsg:" followed by the login name. You may specify more
       than one user by separating them with commas (','). If they're logged
       in they get the message (for example: ":omusrmsg:root,user1,user2").

   Everyone logged on
       Emergency messages often go to all users currently online to notify
       them that something strange is happening with the system. To specify
       this wall(1)-feature use an ":omusrmsg:*".

   Database table
       This allows logging of the message to a database table. By default, a
       MonitorWare-compatible schema is required for this to work. You can
       create that schema with the createDB.SQL file that came with the
       rsyslog package. You can also use any other schema of your liking -
       you just need to define a proper template and assign this template to
       the action.

       See the HTML documentation for further details on database logging.

   Discard
       If the discard action is carried out, the received message is
       immediately discarded. Discard can be highly effective if you want to
       filter out some annoying messages that otherwise would fill your log
       files. To do that, place the discard actions early in your log files.
       This often plays well with property-based filters, giving you great
       freedom in specifying what you do not want.

       Discard is just the single 'stop' command with no further parameters.

       Example:
              *.*   stop      # discards everything.

   Output channel
       Binds an output channel definition (see there for details) to this
       action. Output channel actions must start with a $-sign, e.g. if you
       would like to bind your output channel definition "mychannel" to the
       action, use "$mychannel". Output channels support template definitions
       like all other actions.

   Shell execute
       This executes a program in a subshell. The program is passed the
       template-generated message as the only command line parameter. Rsyslog
       waits until the program terminates and only then continues to run.

       Example:
              ^program-to-execute;template

       The program-to-execute can be any valid executable. It receives the
       template string as a single parameter (argv[1]).

FILTER CONDITIONS

       Rsyslog offers three different types of "filter conditions":
          * "traditional" severity and facility based selectors
          * property-based filters
          * expression-based filters

   Selectors
       Selectors are the traditional way of filtering syslog messages. They
       have been kept in rsyslog with their original syntax, because it is
       well-known, highly effective and also needed for compatibility with
       stock syslogd configuration files. If you just need to filter based on
       priority and facility, you should do this with selector lines. They
       are not second-class citizens in rsyslog and offer the best
       performance for this job.

   Property-Based Filters
       Property-based filters are unique to rsyslogd. They allow filtering on
       any property, like HOSTNAME, syslogtag and msg.

       A property-based filter must start with a colon in column 0. This
       tells rsyslogd that it is the new filter type. The colon must be
       followed by the property name, a comma, the name of the compare
       operation to carry out, another comma and then the value to compare
       against. This value must be quoted. There can be spaces and tabs
       between the commas. Property names and compare operations are
       case-sensitive, so "msg" works, while "MSG" is an invalid property
       name. In brief, the syntax is as follows:

              :property, [!]compare-operation, "value"

       The following compare-operations are currently supported:

              contains
                     Checks if the string provided in value is contained in
                     the property

              isequal
                     Compares the "value" string provided and the property
                     contents. These two values must be exactly equal to
                     match.

              startswith
                     Checks if the value is found exactly at the beginning of
                     the property value

              regex
                     Compares the property against the provided regular
                     expression.

   Expression-Based Filters
       See the HTML documentation for this feature.

TEMPLATES

       Every output in rsyslog uses templates - this holds true for files,
       user messages and so on. Templates compatible with the stock syslogd
       formats are hardcoded into rsyslogd. If no template is specified, we
       use one of these hardcoded templates. Search for "template_" in
       syslogd.c and you will find the hardcoded ones.

       A template consists of a template directive, a name, the actual
       template text and optional options. A sample is:

              $template MyTemplateName,"\7Text %property% some more text\n",<options>

       The "$template" is the template directive. It tells rsyslog that this
       line contains a template. The backslash is an escape character. For
       example, \7 rings the bell (this is an ASCII value), \n is a new line.
       The set in rsyslog is a bit restricted currently.

       All text in the template is used literally, except for things within
       percent signs. These are properties and allow you access to the
       contents of the syslog message. Properties are accessed via the
       property replacer and it can for example pick a substring or do
       date-specific formatting. More on this is in the PROPERTY REPLACER
       section of this manpage.

       To escape:
          % = \%
          \ = \\ --> '\' is used to escape (as in C)

       $template TraditionalFormat,"%timegenerated% %HOSTNAME% %syslogtag%%msg%\n"

       Properties can be accessed by the property replacer (see there for
       details).

       Please note that templates can also be used to generate selector lines
       with dynamic file names. For example, if you would like to split
       syslog messages from different hosts to different files (one per
       host), you can define the following template:

              $template DynFile,"/var/log/system-%HOSTNAME%.log"

       This template can then be used when defining an output selector line.
       It will result in something like "/var/log/system-localhost.log"

   Template options
       The <options> part is optional. It carries options influencing the
       template as a whole. See details below. Be sure NOT to mistake
       template options for property options - the latter ones are processed
       by the property replacer and apply to a SINGLE property only (and not
       the whole template).

       Template options are case-insensitive. Currently defined are:

              sql    format the string suitable for a SQL statement in MySQL
                     format. This will replace single quotes ("'") and the
                     backslash character by their backslash-escaped
                     counterpart ("\'" and "\\") inside each field. Please
                     note that in MySQL configuration, the
                     NO_BACKSLASH_ESCAPES mode must be turned off for this
                     format to work (this is the default).

              stdsql format the string suitable for a SQL statement that is
                     to be sent to a standards-compliant sql server. This
                     will replace single quotes ("'") by two single quotes
                     ("''") inside each field. You must use stdsql together
                     with MySQL if in MySQL configuration the
                     NO_BACKSLASH_ESCAPES is turned on.

       Either the sql or stdsql option MUST be specified when a template is
       used for writing to a database, otherwise injection might occur.
       Please note that due to the unfortunate fact that several vendors have
       violated the sql standard and introduced their own escape methods, it
       is impossible to have a single option doing all the work. So you
       yourself must make sure you are using the right format. If you choose
       the wrong one, you are still vulnerable to sql injection.

       Please note that the database writer *checks* that the sql option is
       present in the template. If it is not present, the write database
       action is disabled. This is to guard you against accidentally
       forgetting it and then becoming vulnerable to SQL injection. The sql
       option can also be useful with files - especially if you want to
       import them into a database on another machine for performance
       reasons. However, do NOT use it if you do not have a real need for it
       - among others, it takes some toll on the processing time. Not much,
       but on a really busy system you might notice it ;)

       The default template for the write to database action has the sql
       option set.

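       Why the escaping option has to match the server, as an added example
       (not rsyslog's own code): the two escaping rules described above,
       checked against both string-literal dialects. literal_end() is a
       simplified model of how a server finds the end of a quoted literal,
       SQLite stands in for a standards-compliant server, the log messages
       are constructed, and the table and column names follow the
       MySQLInsert sample on this page.

```python
import sqlite3

PREFIX = "INSERT INTO systemevents (message) VALUES ("


def escape_sql(value):
    """The 'sql' option: backslash-escape backslashes and single quotes."""
    return value.replace("\\", "\\\\").replace("'", "\\'")


def escape_stdsql(value):
    """The 'stdsql' option: double every single quote."""
    return value.replace("'", "''")


def render_insert(msg, escape):
    """Build the statement the way a template with one quoted field would."""
    return PREFIX + "'" + escape(msg) + "')"


def literal_end(sql, start, backslash_escapes):
    """Index just past the closing quote of the literal opening at sql[start].

    backslash_escapes=True models MySQL with NO_BACKSLASH_ESCAPES off,
    False models a standards-compliant server. Returns None if unterminated.
    """
    i = start + 1
    while i < len(sql):
        ch = sql[i]
        if backslash_escapes and ch == "\\":
            i += 2                      # backslash consumes the next character
        elif ch == "'":
            if sql[i + 1:i + 2] == "'":
                i += 2                  # doubled quote is an escaped quote
            else:
                return i + 1
        else:
            i += 1
    return None


def contained(msg, escape, backslash_escapes):
    """True if the message text stays inside its string literal."""
    sql = render_insert(msg, escape)
    return literal_end(sql, len(PREFIX), backslash_escapes) == len(sql) - 1


# Constructed messages: one with a single quote, one ending in a backslash.
SAMPLE_MESSAGES = ["login failed for user o'brien", "path ends with \\"]


def safe_pairing(escape, backslash_escapes, messages=SAMPLE_MESSAGES):
    return all(contained(m, escape, backslash_escapes) for m in messages)


def sqlite_roundtrip(msg, escape):
    """Run the rendered INSERT on SQLite; return the stored text, or None
    if the server rejected the statement."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE systemevents (message TEXT)")
    try:
        db.execute(render_insert(msg, escape))
    except sqlite3.Error:
        return None
    return db.execute("SELECT message FROM systemevents").fetchone()[0]


if __name__ == "__main__":
    for name, esc in [("sql", escape_sql), ("stdsql", escape_stdsql)]:
        for dialect, be in [("backslash escapes on", True), ("standard", False)]:
            print("%-6s / %-20s safe: %s" % (name, dialect, safe_pairing(esc, be)))
    for msg in SAMPLE_MESSAGES:
        print(repr(msg), "->", repr(sqlite_roundtrip(msg, escape_sql)),
              "|", repr(sqlite_roundtrip(msg, escape_stdsql)))
```

       With the mismatched option, text after the quote is parsed as SQL
       rather than stored as data, which is the injection condition the
       text above warns about.
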
   Template examples
       Please note that the samples are split across multiple lines. A
       template MUST NOT actually be split across multiple lines.

       A template that resembles traditional syslogd file output:

              $template TraditionalFormat,"%timegenerated% %HOSTNAME%
              %syslogtag%%msg:::drop-last-lf%\n"

       A template that tells you a little more about the message:

              $template precise,"%syslogpriority%,%syslogfacility%,%timegenerated%,%HOSTNAME%,
              %syslogtag%,%msg%\n"

       A template for RFC 3164 format:

              $template RFC3164fmt,"<%PRI%>%TIMESTAMP% %HOSTNAME% %syslogtag%%msg%"

       A template for the format traditionally used for user messages:

              $template usermsg," XXXX%syslogtag%%msg%\n\r"

       And a template with the traditional wall-message format:

              $template wallmsg,"\r\n\7Message from syslogd@%HOSTNAME%
              at %timegenerated%"

       A template that can be used for writing to a database (please note the
       SQL template option):

              $template MySQLInsert,"insert into systemevents (iut, message, receivedat)
              values ('%iut%', '%msg:::UPPERCASE%', '%timegenerated:::date-mysql%')\r\n", SQL

              NOTE 1: This template is embedded into core application
              under name StdDBFmt , so you don't need to define it.

              NOTE 2: You have to have MySQL module installed to use
              this template.

OUTPUT CHANNELS

       Output Channels are a new concept first introduced in rsyslog 0.9.0.
       As of this writing, it is most likely that they will be replaced by
       something different in the future. So if you use them, be prepared to
       change your configuration file syntax when you upgrade to a later
       release.

       Output channels are defined via an $outchannel directive. Its syntax
       is as follows:

              $outchannel name,file-name,max-size,action-on-max-size

       name is the name of the output channel (not the file), file-name is
       the file name to be written to, max-size the maximum allowed size and
       action-on-max-size a command to be issued when the max size is
       reached. This command always has exactly one parameter. The binary is
       that part of action-on-max-size before the first space, its parameter
       is everything behind that space.

       Keep in mind that $outchannel just defines a channel with "name". It
       does not activate it. To do so, you must use a selector line (see
       below). That selector line includes the channel name plus ":omfile:$"
       in front of it. A sample might be:

              *.* :omfile:$mychannel

PROPERTY REPLACER

       The property replacer is a core component in rsyslogd's output system.
       A syslog message has a number of well-defined properties (see below).
       Each of these properties can be accessed and manipulated by the
       property replacer. With it, it is easy to use only part of a property
       value or manipulate the value, e.g. by converting all characters to
       lower case.

   Accessing Properties
       Syslog message properties are used inside templates. They are accessed
       by putting them between percent signs. Properties can be modified by
       the property replacer. The full syntax is as follows:

              %propname:fromChar:toChar:options%

       propname is the name of the property to access. It is case-sensitive.

   Available Properties
       msg    the MSG part of the message (aka "the message" ;))

       rawmsg the message exactly as it was received from the socket. Should
              be useful for debugging.

       HOSTNAME
              hostname from the message

       FROMHOST
              hostname of the system the message was received from (in a
              relay chain, this is the system immediately in front of us and
              not necessarily the original sender)

       syslogtag
              TAG from the message

       programname
              the "static" part of the tag, as defined by BSD syslogd. For
              example, when TAG is "named[12345]", programname is "named".

       PRI    PRI part of the message - undecoded (single value)

       PRI-text
              the PRI part of the message in a textual form (e.g.
              "syslog.info")

       IUT    the monitorware InfoUnitType - used when talking to a
              MonitorWare backend (also for phpLogCon)

       syslogfacility
              the facility from the message - in numerical form

       syslogfacility-text
              the facility from the message - in text form

       syslogseverity
              severity from the message - in numerical form

       syslogseverity-text
              severity from the message - in text form

       timegenerated
              timestamp when the message was RECEIVED. Always in high
              resolution

       timereported
              timestamp from the message. Resolution depends on what was
              provided in the message (in most cases, only seconds)

       TIMESTAMP
              alias for timereported

       PROTOCOL-VERSION
              The contents of the PROTOCOL-VERSION field from IETF draft
              draft-ietf-syslog-protocol

       STRUCTURED-DATA
              The contents of the STRUCTURED-DATA field from IETF draft
              draft-ietf-syslog-protocol

       APP-NAME
              The contents of the APP-NAME field from IETF draft
              draft-ietf-syslog-protocol

       PROCID The contents of the PROCID field from IETF draft
              draft-ietf-syslog-protocol

       MSGID  The contents of the MSGID field from IETF draft
              draft-ietf-syslog-protocol

       $NOW   The current date stamp in the format YYYY-MM-DD

       $YEAR  The current year (4-digit)

       $MONTH The current month (2-digit)

       $DAY   The current day of the month (2-digit)

       $HOUR  The current hour in military (24 hour) time (2-digit)

       $MINUTE
              The current minute (2-digit)

       Properties starting with a $-sign are so-called system properties.
       These do NOT stem from the message but are rather internally
       generated.

706   Character Positions
707       FromChar  and  toChar are used to build substrings. They specify
708       the offset within the  string  that  should  be  copied.  Offset
709       counting starts at 1, so if you need to obtain the first 2 char‐
710       acters  of  the  message  text,  you  can   use   this   syntax:
711       "%msg:1:2%".  If you do not wish to specify from and to, but you
712       want to specify options, you still need to include  the  colons.
713       For  example, if you would like to convert the full message text
714       to lower case, use "%msg:::lowercase%". If  you  would  like  to
715       extract  from  a  position  until the end of the string, you can
716       place a dollar-sign ("$") in toChar (e.g. %msg:10:$%, which will
717       extract from position 10 to the end of the string).
718
       There is also support for regular expressions. To use them, you
       need to place a "R" into FromChar. This tells rsyslog that a
       regular expression instead of position-based extraction is
       desired. The actual regular expression must then be provided in
       toChar. The regular expression must be followed by the string
       "--end". It denotes the end of the regular expression and will
       not become part of it. If you are using regular expressions,
       the property replacer will return the part of the property text
       that matches the regular expression. An example for a property
       replacer sequence with a regular expression is:

              "%msg:R:.*Sev:. \(.*\) \[.*--end%"

       Also, extraction can be done based on so-called "fields". To do
       so, place a "F" into FromChar. A field in its current definition
       is anything that is delimited by a delimiter character. The
       delimiter by default is TAB (US-ASCII value 9). However, it can
       be changed to any other US-ASCII character by specifying a comma
       and the decimal US-ASCII value of the delimiter immediately
       after the "F". For example, to use comma (",") as a delimiter,
       use this field specifier: "F,44". If your syslog data is
       delimited, this is a quicker way to extract than via regular
       expressions (actually, a *much* quicker way). Field counting
       starts at 1. Field zero is accepted, but will always lead to a
       "field not found" error. The same happens if a field number
       higher than the number of fields in the property is requested.
       The field number must be placed in the "ToChar" parameter. An
       example where the 3rd field (delimited by TAB) from the msg
       property is extracted is as follows: "%msg:F:3%". The same
       example with semicolon as delimiter is "%msg:F,59:3%".

       Please note that the special characters "F" and "R" are
       case-sensitive. Only upper case works, lower case will return an
       error. There are no white spaces permitted inside the sequence
       (that will lead to error messages and will NOT provide the
       intended result).


   Property Options
       Property options are case-insensitive. Currently, the following
       options are defined:

       uppercase
              convert property text to uppercase only

       lowercase
              convert property text to lowercase only

       drop-last-lf
              The last LF in the message (if any) is dropped.
              Especially useful for PIX.

       date-mysql
              format as mysql date

       date-rfc3164
              format as RFC 3164 date

       date-rfc3339
              format as RFC 3339 date

       escape-cc
              replace control characters (ASCII value 127 and values
              less than 32) with an escape sequence. The sequence is
              "#<charval>" where charval is the 3-digit decimal value
              of the control character. For example, a tabulator would
              be replaced by "#009".

       space-cc
              replace control characters by spaces

       drop-cc
              drop control characters - the resulting string will
              neither contain control characters, escape sequences nor
              any other replacement character like space.

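       An added example, not part of the rsyslog distribution: a small
       Python model of the position, field and control-character rules
       described under Character Positions and Property Options, run
       against a constructed message with TAB, ESC and LF embedded in it.
       The names replace_property, OPTIONS and SAMPLE are assumptions made
       for illustration; regular-expression mode, the date options and
       drop-last-lf are not modelled.

```python
import re

CONTROL = re.compile(r"[\x00-\x1f\x7f]")  # ASCII 127 and values below 32

# Only the case and control-character options are modelled here.
OPTIONS = {
    "uppercase": str.upper,
    "lowercase": str.lower,
    "escape-cc": lambda s: CONTROL.sub(lambda m: "#%03d" % ord(m.group()), s),
    "space-cc": lambda s: CONTROL.sub(" ", s),
    "drop-cc": lambda s: CONTROL.sub("", s),
}

def replace_property(expr, props):
    """Evaluate one "%name:fromChar:toChar:option%" sequence (illustrative model)."""
    if len(expr) < 3 or expr[0] != "%" or expr[-1] != "%":
        raise ValueError("sequence must be enclosed in percent signs")
    name, frm, to, opt = (expr[1:-1].split(":", 3) + ["", "", ""])[:4]
    text = props[name]
    if frm == "R":
        raise NotImplementedError("regular expression mode is not modelled")
    if frm[:1] in ("f", "r"):
        raise ValueError('"F" and "R" are case-sensitive')
    if frm[:1] == "F":
        # "F" alone splits on TAB; "F,<n>" splits on the character with value n.
        delim = chr(int(frm[2:])) if frm[1:2] == "," else "\t"
        fields = text.split(delim)
        if not 1 <= int(to) <= len(fields):
            raise LookupError("field not found")
        text = fields[int(to) - 1]
    elif frm or to:
        start = int(frm) if frm else 1          # offsets count from 1
        end = len(text) if to in ("", "$") else int(to)
        text = text[start - 1:end]
    if opt:
        if opt.lower() not in OPTIONS:          # options are case-insensitive
            raise ValueError("unknown option: " + opt)
        text = OPTIONS[opt.lower()](text)
    return text

# Constructed sample: semicolon-delimited text with TAB, ESC and LF embedded.
SAMPLE = {"msg": "user=bob;src=10.0.0.5;act=login\tfailed\x1b[2J\n"}

if __name__ == "__main__":
    for seq in ("%msg:1:8%", "%msg:F,59:2%", "%msg:F,59:3:escape-cc%"):
        print(seq, "->", repr(replace_property(seq, SAMPLE)))
```

       With escape-cc the embedded TAB, ESC and LF reach the output as
       "#009", "#027" and "#010", so a line written from this property
       stays on one line and carries no raw terminal control bytes.
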

QUEUED OPERATIONS

       Rsyslogd supports queued operations to handle offline outputs
       (like remote syslogd's or database servers being down). When
       running in queued mode, rsyslogd buffers messages to memory and
       optionally to disk (on an as-needed basis). Queues survive
       rsyslogd restarts.

       It is highly suggested to use remote forwarding and database
       writing in queued mode, only.

       To learn more about queued operations, see the HTML
       documentation.


FILES

       /etc/rsyslog.conf
              Configuration file for rsyslogd

SEE ALSO

       rsyslogd(8), logger(1), syslog(3)

       The complete documentation can be found in the doc folder of the
       rsyslog distribution or online at

              https://www.rsyslog.com/doc/

       Please note that the man page reflects only a subset of the
       configuration options. Be sure to read the HTML documentation for
       all features and details. This is especially vital if you plan
       to set up a more-than-extremely-simple system.

AUTHORS

       rsyslogd is taken from sysklogd sources, which have been heavily
       modified by Rainer Gerhards (rgerhards@adiscon.com) and others.



Version 7.2.0                   22 October 2012                RSYSLOG.CONF(5)