RSYSLOG.CONF(5)           Linux System Administration          RSYSLOG.CONF(5)

NAME

       rsyslog.conf - rsyslogd(8) configuration file

DESCRIPTION

       The rsyslog.conf file is the main configuration file for rsyslogd(8),
       which logs system messages on *nix systems. This file specifies rules
       for logging. For special features see the rsyslogd(8) manpage.
       Rsyslog.conf is backward-compatible with sysklogd's syslog.conf file,
       so if you migrate from sysklogd you can rename it and it should work.

       Note that this version of rsyslog ships with extensive documentation in
       HTML format. This is provided in the ./doc subdirectory and probably
       in a separate package if you installed rsyslog via a packaging system.
       To use rsyslog's advanced features, you need to look at the HTML
       documentation, because the man pages only cover basic aspects of
       operation.

MODULES

       Rsyslog has a modular design. Consequently, there is a growing number
       of modules. See the HTML documentation for their full description.


       omsnmp SNMP trap output module

       omgssapi
              Output module for GSS-enabled syslog

       ommysql
              Output module for MySQL

       omrelp Output module for the reliable RELP protocol (prevents message
              loss). For details, see below at imrelp and the HTML
              documentation. It can be used like this:

              *.*  :omrelp:server:port

              *.*  :omrelp:192.168.0.1:2514 # actual sample

       ompgsql
              Output module for PostgreSQL

       omlibdbi
              Generic database output module (Firebird/Interbase, MS SQL,
              Sybase, SQLite, Ingres, Oracle, mSQL)

       imfile Input module for text files

       imudp  Input plugin for UDP syslog. Replaces the deprecated -r option.
              Can be used like this:

              $ModLoad imudp

              $UDPServerRun 514

       imtcp  Input plugin for plain TCP syslog. Replaces the deprecated -t
              option. Can be used like this:

              $ModLoad imtcp

              $InputTCPServerRun 514


       imrelp Input plugin for the RELP protocol. RELP can be used instead of
              UDP or plain TCP syslog to provide reliable delivery of syslog
              messages. Please note that plain TCP syslog does NOT provide
              truly reliable delivery: with it, messages may be lost when
              there is a connection problem or the server shuts down. RELP
              prevents message loss in those cases. It can be used like this:

              $ModLoad imrelp

              $InputRELPServerRun 2514

       imgssapi
              Input plugin for plain TCP and GSS-enabled syslog

       immark Support for mark messages

       imklog Kernel logging. To include kernel log messages, you need to do

              $ModLoad imklog

              Please note that the klogd daemon is no longer necessary and
              consequently no longer provided by the rsyslog package.

       imuxsock
              Unix sockets, including the system log socket. You need to
              specify

              $ModLoad imuxsock

              in order to receive log messages from local system processes.
              This config directive should only be left out if you know
              exactly what you are doing.

BASIC STRUCTURE

       Lines starting with a hash mark ('#') and empty lines are ignored.
       Rsyslog.conf should contain the following sections (sorted by
       recommended order in the file):


       Global directives
              Global directives set global properties of the whole rsyslog
              daemon, for example the size of the main message queue
              ($MainMessageQueueSize), loading external modules ($ModLoad)
              and so on. Each global directive needs to be specified on a
              line of its own and must start with a dollar sign. The complete
              list of global directives can be found in the HTML
              documentation in the doc directory or online on the web pages.


       Templates
              Templates allow you to specify the format of the logged message.
              They are also used for dynamic file name generation. They have
              to be defined before they are used in rules. For more info about
              templates see the TEMPLATES section of this manpage.


       Output channels
              Output channels provide an umbrella for any type of output that
              the user might want. They have to be defined before they are
              used in rules. For more info about output channels see the
              OUTPUT CHANNELS section of this manpage.


       Rules (selector + action)
              Every rule line consists of two fields, a selector field and an
              action field. These two fields are separated by one or more
              spaces or tabs. The selector field specifies a pattern of
              facilities and priorities belonging to the specified action.

SELECTORS

       The selector field itself again consists of two parts, a facility and a
       priority, separated by a period ('.'). Both parts are case insensitive
       and can also be specified as decimal numbers, but don't do that, you
       have been warned. Both facilities and priorities are described in
       syslog(3). The names mentioned below correspond to the similar
       LOG_-values in /usr/include/syslog.h.

       The facility is one of the following keywords: auth, authpriv, cron,
       daemon, kern, lpr, mail, mark, news, security (same as auth), syslog,
       user, uucp and local0 through local7. The keyword security should not
       be used anymore and mark is only for internal use and therefore should
       not be used in applications. Anyway, you may want to specify and
       redirect these messages here. The facility specifies the subsystem
       that produced the message, i.e. all mail programs log with the mail
       facility (LOG_MAIL) if they log using syslog.

       The priority is one of the following keywords, in ascending order:
       debug, info, notice, warning, warn (same as warning), err, error (same
       as err), crit, alert, emerg, panic (same as emerg). The keywords error,
       warn and panic are deprecated and should not be used anymore. The
       priority defines the severity of the message.

       The behavior of the original BSD syslogd is that all messages of the
       specified priority and higher are logged according to the given action.
       Rsyslogd behaves the same, but has some extensions.

       In addition to the above mentioned names, rsyslogd(8) understands the
       following extensions: An asterisk ('*') stands for all facilities or
       all priorities, depending on where it is used (before or after the
       period). The keyword none stands for no priority of the given facility.

       You can specify multiple facilities with the same priority pattern in
       one statement using the comma (',') operator. You may specify as many
       facilities as you want. Remember that only the facility part from such
       a statement is taken; a priority part would be skipped.

       Multiple selectors may be specified for a single action using the
       semicolon (';') separator. Remember that each selector in the selector
       field is capable of overwriting the preceding ones. Using this behavior
       you can exclude some priorities from the pattern.

       Rsyslogd has a syntax extension to the original BSD source that makes
       its use more intuitive. You may precede every priority with an equals
       sign ('=') to specify only this single priority and not any of the
       above. You may also (both together are valid, too) precede the priority
       with an exclamation mark ('!') to ignore all those priorities, either
       exactly this one or this and any higher priority. If you use both
       extensions, then the exclamation mark must occur before the equals
       sign; just use it intuitively.

       However, please note that there are some restrictions compared with
       the traditional BSD syslog behaviour. These restrictions stem back to
       sysklogd, have probably existed since at least the 1990s and as such
       have always been in rsyslog.

       Namely, in BSD syslogd you can craft a selector like this:

       *.debug;local6.err

       The intent is to log all facilities at debug or higher, except for
       local6, which should only log at err or higher.

       Unfortunately, local6.err will permit error severity and higher, but
       will not exclude lower severity messages from facility local6.

       As an alternative, you can explicitly exclude all severities that you
       do not want to match. For the above case, this selector is equivalent
       to the BSD syslog selector:

       *.debug;local6.!=info;local6.!=notice;local6.!=warn

       An easier approach is probably to do if ... then based matching in
       script.
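
The selector rules above, modelled as an added example (not rsyslog's parser and not part of the original manpage). The function names are hypothetical; the model follows only what this section states, and shows why *.debug;local6.err still selects local6.info.

```python
# Added example: a model of the selector rules described in this section.
# Not rsyslog's parser; function names are made up for the illustration.

FACILITIES = ["auth", "authpriv", "cron", "daemon", "kern", "lpr", "mail",
              "mark", "news", "syslog", "user", "uucp"]
FACILITIES += [f"local{n}" for n in range(8)]
FACILITY_ALIASES = {"security": "auth"}

# Ascending severity, in the order this section lists the keywords.
PRIORITIES = ["debug", "info", "notice", "warning",
              "err", "crit", "alert", "emerg"]
PRIORITY_ALIASES = {"warn": "warning", "error": "err", "panic": "emerg"}


def _facilities(part):
    """Expand the facility part ('*', one name, or a comma list)."""
    result = []
    for item in part.split(","):
        # In a comma list only the facility of each item counts; a priority
        # written on an earlier item is skipped.
        name = item.split(".")[0].strip()
        if name == "*":
            return list(FACILITIES)
        name = FACILITY_ALIASES.get(name, name)
        if name not in FACILITIES:
            raise ValueError(f"unknown facility: {name!r}")
        result.append(name)
    return result


def compile_selector(field):
    """Return {facility: set of selected priorities} for a selector field."""
    table = {fac: set() for fac in FACILITIES}
    for selector in field.lower().split(";"):
        fac_part, dot, prio = selector.strip().rpartition(".")
        if not dot:
            raise ValueError(f"selector without a period: {selector!r}")
        negate = prio.startswith("!")      # '!' must come before '='
        prio = prio[1:] if negate else prio
        exact = prio.startswith("=")
        prio = prio[1:] if exact else prio

        if prio == "none":                 # no priority of this facility
            chosen, negate = set(PRIORITIES), True
        elif prio == "*":
            chosen = set(PRIORITIES)
        else:
            start = PRIORITIES.index(PRIORITY_ALIASES.get(prio, prio))
            chosen = {PRIORITIES[start]} if exact else set(PRIORITIES[start:])

        # A plain selector only adds priorities for its facilities;
        # only '!' and 'none' take priorities away again.
        for fac in _facilities(fac_part):
            if negate:
                table[fac] -= chosen
            else:
                table[fac] |= chosen
    return table


def matches(field, facility, priority):
    """True if a message with this facility and priority is selected."""
    facility = FACILITY_ALIASES.get(facility, facility)
    priority = PRIORITY_ALIASES.get(priority, priority)
    return priority in compile_selector(field)[facility]


if __name__ == "__main__":
    bsd_style = "*.debug;local6.err"
    explicit = "*.debug;local6.!=info;local6.!=notice;local6.!=warn"
    for prio in ("info", "notice", "warning", "err"):
        print(f"local6.{prio:8} bsd-style={matches(bsd_style, 'local6', prio)}"
              f" explicit={matches(explicit, 'local6', prio)}")
```
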

ACTIONS

       The action field of a rule describes what to do with the message. In
       general, message content is written to a kind of "logfile". But other
       actions are also possible, like writing to a database table or
       forwarding to another host.


   Regular file
       Typically messages are logged to real files. The file has to be
       specified with its full pathname, beginning with a slash ('/').

       Example:
              *.*     /var/log/traditionalfile.log;RSYSLOG_TraditionalFileFormat      # log to a file in the traditional format

       Note: if you would like to use high-precision timestamps in your log
       files, just remove the ";RSYSLOG_TraditionalFileFormat". That will
       select the default template, which, if not changed, uses RFC 3339
       timestamps.

       Example:
              *.*      /var/log/file.log  # log to a file with RFC3339 timestamps

       By default, files are not synced after each write. To enable syncing of
       log files globally, use either the "$ActionFileEnableSync" directive or
       the "sync" parameter to omfile. Enabling this option degrades
       performance and it is advised not to enable syncing unless you know
       what you are doing. To selectively disable syncing for certain files,
       you may prefix the file path with a minus sign ("-").


   Named pipes
       This version of rsyslogd(8) has support for logging output to named
       pipes (fifos). A fifo or named pipe can be used as a destination for
       log messages by prepending a pipe symbol ('|') to the name of the file.
       This is handy for debugging. Note that the fifo must be created with
       the mkfifo(1) command before rsyslogd(8) is started.


   Terminal and console
       If the file you specified is a tty, special tty-handling is done, same
       with /dev/console.


   Remote machine
       There are three ways to forward messages: the traditional UDP
       transport, which is extremely lossy but standard, the plain TCP based
       transport, which loses messages only during certain situations but is
       widely available, and the RELP transport, which does not lose messages
       but is currently available only as part of rsyslogd 3.15.0 and above.

       To forward messages to another host via UDP, prepend the hostname with
       the at sign ("@"). To forward it via plain tcp, prepend two at signs
       ("@@"). To forward via RELP, prepend the string ":omrelp:" in front of
       the hostname.

       Example:
              *.* @192.168.0.1

       In the example above, messages are forwarded via UDP to the machine
       192.168.0.1, the destination port defaults to 514. Due to the nature of
       UDP, you will probably lose some messages in transit. If you expect
       high traffic volume, you can expect to lose a quite noticeable number
       of messages (the higher the traffic, the more likely and severe is
       message loss).

       Sockets for forwarded messages can be bound to a specific device using
       the "device" option for the omfwd module.

       Example:
              action(type="omfwd" Target="192.168.0.1" Device="eth0" Port=514 Protocol="udp")

       In the example above, messages are forwarded via UDP to the machine
       192.168.0.1 at port 514 over the device eth0. TCP can be used by
       setting Protocol to "tcp" in the above example.

       For Linux with VRF support, the device option is used to specify the
       VRF to send messages.

       If you would like to prevent message loss, use RELP:
              *.* :omrelp:192.168.0.1:2514

       Note that a port number was given as there is no standard port for
       relp.

       Keep in mind that you need to load the correct input and output plugins
       (see "Modules" above).

       Please note that rsyslogd offers a variety of options regarding remote
       forwarding. For full details, please see the HTML documentation.


   List of users
       Usually critical messages are also directed to "root" on that machine.
       You can specify a list of users that shall get the message by simply
       writing ":omusrmsg:" followed by the login name. You may specify more
       than one user by separating them with commas (','). If they're logged
       in they get the message (for example: ":omusrmsg:root,user1,user2").


   Everyone logged on
       Emergency messages often go to all users currently online to notify
       them that something strange is happening with the system. To specify
       this wall(1)-feature use an ":omusrmsg:*".


   Database table
       This allows logging of the message to a database table. By default, a
       MonitorWare-compatible schema is required for this to work. You can
       create that schema with the createDB.SQL file that came with the
       rsyslog package. You can also use any other schema of your liking - you
       just need to define a proper template and assign this template to the
       action.

       See the HTML documentation for further details on database logging.


   Discard
       If the discard action is carried out, the received message is
       immediately discarded. Discard can be highly effective if you want to
       filter out some annoying messages that otherwise would fill your log
       files. To do that, place the discard actions early in your log files.
       This often plays well with property-based filters, giving you great
       freedom in specifying what you do not want.

       Discard is just the single 'stop' command with no further parameters.

       Example:
              *.*   stop      # discards everything.



   Output channel
       Binds an output channel definition (see there for details) to this
       action. Output channel actions must start with a $-sign, e.g. if you
       would like to bind your output channel definition "mychannel" to the
       action, use "$mychannel". Output channels support template definitions
       like all other actions.


   Shell execute
       This executes a program in a subshell. The program is passed the
       template-generated message as the only command line parameter. Rsyslog
       waits until the program terminates and only then continues to run.

       Example:
              ^program-to-execute;template

       The program-to-execute can be any valid executable. It receives the
       template string as a single parameter (argv[1]).

FILTER CONDITIONS

       Rsyslog offers three different types of "filter conditions":
          * "traditional" severity and facility based selectors
          * property-based filters
          * expression-based filters


   Selectors
       Selectors are the traditional way of filtering syslog messages. They
       have been kept in rsyslog with their original syntax, because it is
       well-known, highly effective and also needed for compatibility with
       stock syslogd configuration files. If you just need to filter based on
       priority and facility, you should do this with selector lines. They are
       not second-class citizens in rsyslog and offer the best performance for
       this job.


   Property-Based Filters
       Property-based filters are unique to rsyslogd. They allow one to filter
       on any property, like HOSTNAME, syslogtag and msg.

       A property-based filter must start with a colon in column 0. This tells
       rsyslogd that it is the new filter type. The colon must be followed by
       the property name, a comma, the name of the compare operation to carry
       out, another comma and then the value to compare against. This value
       must be quoted. There can be spaces and tabs between the commas.
       Property names and compare operations are case-sensitive, so "msg"
       works, while "MSG" is an invalid property name. In brief, the syntax is
       as follows:

              :property, [!]compare-operation, "value"

       The following compare-operations are currently supported:

              contains
                     Checks if the string provided in value is contained in
                     the property

              isequal
                     Compares the "value" string provided and the property
                     contents. These two values must be exactly equal to
                     match.

              startswith
                     Checks if the value is found exactly at the beginning of
                     the property value

              regex
                     Compares the property against the provided regular
                     expression.
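
The property-based filter syntax above, run over constructed sample messages as an added example (not rsyslog's code and not part of the original manpage). Function names and the sample data are hypothetical, and Python's re module stands in for rsyslog's own regular expression engine, so regex dialect details may differ.

```python
# Added example: parse ':property, [!]compare-operation, "value"' lines and
# evaluate them. Python's "re" is a stand-in for rsyslog's regex engine.
import re

# A few of the case-sensitive property names this manpage lists.
PROPERTIES = {"msg", "rawmsg", "HOSTNAME", "FROMHOST", "syslogtag",
              "programname"}

OPERATIONS = {
    "contains": lambda prop, value: value in prop,
    "isequal": lambda prop, value: prop == value,
    "startswith": lambda prop, value: prop.startswith(value),
    "regex": lambda prop, value: re.search(value, prop) is not None,
}

# The colon must sit in column 0; spaces and tabs may surround the commas.
FILTER_RE = re.compile(
    r'^:(?P<prop>[^,\s]+)[ \t]*,[ \t]*'
    r'(?P<neg>!?)(?P<op>[^,\s!]+)[ \t]*,[ \t]*'
    r'"(?P<value>[^"]*)"[ \t]*(?P<action>.*)$')


def parse_filter(line):
    """Split a filter line into its parts, rejecting invalid names."""
    found = FILTER_RE.match(line)
    if found is None:
        raise ValueError("not a property-based filter (colon in column 0?)")
    parts = found.groupdict()
    if parts["prop"] not in PROPERTIES:
        raise ValueError(f"invalid property name: {parts['prop']!r}")
    if parts["op"] not in OPERATIONS:
        raise ValueError(f"invalid compare operation: {parts['op']!r}")
    parts["neg"] = parts["neg"] == "!"
    return parts


def is_valid(line):
    """True if the line parses as a property-based filter."""
    try:
        parse_filter(line)
    except ValueError:
        return False
    return True


def select(line, messages):
    """Return the indexes of the messages the filter line matches."""
    flt = parse_filter(line)
    compare = OPERATIONS[flt["op"]]
    hits = []
    for index, message in enumerate(messages):
        result = compare(message.get(flt["prop"], ""), flt["value"])
        if result != flt["neg"]:          # '!' inverts the comparison
            hits.append(index)
    return hits


# Constructed sample messages, already split into properties.
SAMPLE = [
    {"HOSTNAME": "web01", "syslogtag": "sshd[4121]:", "programname": "sshd",
     "msg": " Failed password for invalid user admin from 192.0.2.10 port 50514 ssh2"},
    {"HOSTNAME": "web01", "syslogtag": "sshd[4122]:", "programname": "sshd",
     "msg": " Accepted publickey for deploy from 192.0.2.20 port 50600 ssh2"},
    {"HOSTNAME": "db01", "syslogtag": "CRON[900]:", "programname": "CRON",
     "msg": " (root) CMD (run-parts /etc/cron.hourly)"},
]

if __name__ == "__main__":
    rule = ':msg, contains, "Failed password" /var/log/auth-fail.log'
    print(parse_filter(rule)["action"], select(rule, SAMPLE))
```
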


   Expression-Based Filters
       See the HTML documentation for this feature.


TEMPLATES

       Every output in rsyslog uses templates - this holds true for files,
       user messages and so on. Templates compatible with the stock syslogd
       formats are hardcoded into rsyslogd. If no template is specified, we
       use one of these hardcoded templates. Search for "template_" in
       syslogd.c and you will find the hardcoded ones.

       A template consists of a template directive, a name, the actual
       template text and optional options. A sample is:

              $template MyTemplateName,"\7Text %property% some more text\n",<options>

       The "$template" is the template directive. It tells rsyslog that this
       line contains a template. The backslash is an escape character. For
       example, \7 rings the bell (this is an ASCII value), \n is a new line.
       The set in rsyslog is a bit restricted currently.

       All text in the template is used literally, except for things within
       percent signs. These are properties and allow you access to the
       contents of the syslog message. Properties are accessed via the
       property replacer and it can for example pick a substring or do
       date-specific formatting. More on this is in the PROPERTY REPLACER
       section of this manpage.

       To escape:
          % = \%
          \ = \\ --> '\' is used to escape (as in C)

       $template TraditionalFormat,"%timegenerated% %HOSTNAME% %syslogtag%%msg%\n"

       Properties can be accessed by the property replacer (see there for
       details).

       Please note that templates can also be used to generate selector lines
       with dynamic file names. For example, if you would like to split syslog
       messages from different hosts to different files (one per host), you
       can define the following template:

              $template DynFile,"/var/log/system-%HOSTNAME%.log"

       This template can then be used when defining an output selector line.
       It will result in something like "/var/log/system-localhost.log"


   Template options
       The <options> part is optional. It carries options influencing the
       template as a whole. See details below. Be sure NOT to mistake template
       options for property options - the latter ones are processed by the
       property replacer and apply to a SINGLE property only (and not the
       whole template).

       Template options are case-insensitive. Currently defined are:


              sql    format the string suitable for a SQL statement in MySQL
                     format. This will replace single quotes ("'") and the
                     backslash character by their backslash-escaped
                     counterpart ("\'" and "\\") inside each field. Please
                     note that in MySQL configuration, the
                     NO_BACKSLASH_ESCAPES mode must be turned off for this
                     format to work (this is the default).


              stdsql format the string suitable for a SQL statement that is to
                     be sent to a standards-compliant sql server. This will
                     replace single quotes ("'") by two single quotes ("''")
                     inside each field. You must use stdsql together with
                     MySQL if in MySQL configuration the NO_BACKSLASH_ESCAPES
                     is turned on.

       Either the sql or stdsql option MUST be specified when a template is
       used for writing to a database, otherwise injection might occur. Please
       note that due to the unfortunate fact that several vendors have
       violated the sql standard and introduced their own escape methods, it
       is impossible to have a single option doing all the work. So you
       yourself must make sure you are using the right format. If you choose
       the wrong one, you are still vulnerable to sql injection.

       Please note that the database writer *checks* that the sql option is
       present in the template. If it is not present, the write database
       action is disabled. This is to guard you against accidentally
       forgetting it and then becoming vulnerable to SQL injection. The sql
       option can also be useful with files - especially if you want to import
       them into a database on another machine for performance reasons.
       However, do NOT use it if you do not have a real need for it - among
       others, it takes some toll on the processing time. Not much, but on a
       really busy system you might notice it ;)

       The default template for the write to database action has the sql
       option set.
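
Why the option has to match the server's escape mode, as an added example (not rsyslog or MySQL code and not part of the original manpage). The two escape functions follow the descriptions of sql and stdsql above; the literal reader is a simplified assumption of how a server with and without backslash escapes reads a quoted string, and the messages are constructed.

```python
# Added example: the "sql" and "stdsql" escaping styles described above,
# checked against a simplified string-literal reader. All names are made up.

def escape_sql(field):
    """'sql' option: backslash-escape backslashes and single quotes."""
    return field.replace("\\", "\\\\").replace("'", "\\'")


def escape_stdsql(field):
    """'stdsql' option: replace each single quote by two single quotes."""
    return field.replace("'", "''")


ESCAPERS = {"sql": escape_sql, "stdsql": escape_stdsql}


def read_literal(text, backslash_escapes):
    """Read one quoted string literal from the start of text.

    backslash_escapes=True models a server that treats '\\' as an escape
    character (NO_BACKSLASH_ESCAPES off); False models a standards-style
    server. Simplification: a backslash just quotes the next character.
    Returns (value, rest), where rest is what follows the closing quote.
    """
    if not text.startswith("'"):
        raise ValueError("literal must start with a single quote")
    value = []
    pos = 1
    while pos < len(text):
        char = text[pos]
        if backslash_escapes and char == "\\" and pos + 1 < len(text):
            value.append(text[pos + 1])
            pos += 2
        elif char == "'" and text[pos + 1:pos + 2] == "'":
            value.append("'")              # doubled quote inside the literal
            pos += 2
        elif char == "'":
            return "".join(value), text[pos + 1:]
        else:
            value.append(char)
            pos += 1
    raise ValueError("unterminated literal")


def insert_and_parse(message, option, backslash_escapes):
    """Escape message, embed it as '<escaped>') and read it back."""
    tail = "'" + ESCAPERS[option](message) + "')"
    return read_literal(tail, backslash_escapes)


def is_contained(message, option, backslash_escapes):
    """True if the server sees exactly the message and nothing leaks out."""
    try:
        value, rest = insert_and_parse(message, option, backslash_escapes)
    except ValueError:
        return False
    return value == message and rest == ")"


if __name__ == "__main__":
    # Constructed messages; TRAILING marks text that must stay in the literal.
    for message in ("it's ok", "x\\' TRAILING", "x' TRAILING"):
        for option in ("sql", "stdsql"):
            for backslash in (True, False):
                print(f"{message!r:18} {option:6} backslash_escapes={backslash}:"
                      f" contained={is_contained(message, option, backslash)}")
```
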


   Template examples
       Please note that the samples are split across multiple lines. A
       template MUST NOT actually be split across multiple lines.

       A template that resembles traditional syslogd file output:

              $template TraditionalFormat,"%timegenerated% %HOSTNAME%
              %syslogtag%%msg:::drop-last-lf%\n"

       A template that tells you a little more about the message:

              $template precise,"%syslogpriority%,%syslogfacility%,
              %timegenerated%,%HOSTNAME%,
              %syslogtag%,%msg%\n"

       A template for RFC 3164 format:

              $template RFC3164fmt,"<%PRI%>%TIMESTAMP% %HOSTNAME%
              %syslogtag%%msg%"

       A template for the format traditionally used for user messages:

              $template usermsg," XXXX%syslogtag%%msg%\n\r"

       And a template with the traditional wall-message format:

              $template wallmsg,"\r\n\7Message from syslogd@%HOSTNAME% at
              %timegenerated%"

       A template that can be used for writing to a database (please note the
       SQL template option)

              $template MySQLInsert,"insert into systemevents (iut, message,
              receivedat) values ('%iut%', '%msg:::UPPERCASE%',
              '%timegenerated:::date-mysql%')\r\n", SQL

              NOTE 1: This template is embedded into the core application
              under the name StdDBFmt, so you don't need to define it.

              NOTE 2: You have to have the MySQL module installed to use this
              template.

OUTPUT CHANNELS

       Output Channels are a new concept first introduced in rsyslog 0.9.0. As
       of this writing, it is most likely that they will be replaced by
       something different in the future. So if you use them, be prepared to
       change your configuration file syntax when you upgrade to a later
       release.

       Output channels are defined via an $outchannel directive. Its syntax
       is as follows:

              $outchannel name,file-name,max-size,action-on-max-size

       name is the name of the output channel (not the file), file-name is the
       file name to be written to, max-size the maximum allowed size and
       action-on-max-size a command to be issued when the max size is reached.
       This command always has exactly one parameter. The binary is that part
       of action-on-max-size before the first space, its parameter is
       everything behind that space.

       Keep in mind that $outchannel just defines a channel with "name". It
       does not activate it. To do so, you must use a selector line (see
       below). That selector line includes the channel name plus ":omfile:$"
       in front of it. A sample might be:

              *.* :omfile:$mychannel

PROPERTY REPLACER

592       The  property replacer is a core component in rsyslogd's output system.
593       A syslog message has a number of well-defined properties  (see  below).
594       Each of this properties can be accessed and manipulated by the property
595       replacer. With it, it is easy to use only part of a property  value  or
596       manipulate the value, e.g. by converting all characters to lower case.
597
598
599   Accessing Properties
600       Syslog  message properties are used inside templates. They are accessed
601       by putting them between percent signs. Properties can  be  modified  by
602       the property replacer. The full syntax is as follows:
603
604              %propname:fromChar:toChar:options%
605
606       propname is the name of the property to access.  It is case-sensitive.
607
608
609   Available Properties
610       msg    the MSG part of the message (aka "the message" ;))
611
612       rawmsg the  message  exactly as it was received from the socket. Should
613              be useful for debugging.
614
615       HOSTNAME
616              hostname from the message
617
618       FROMHOST
619              hostname of the system the message was received from (in a relay
620              chain,  this  is  the  system immediately in front of us and not
621              necessarily the original sender)
622
623       syslogtag
624              TAG from the message
625
626       programname
627              the "static" part of the tag, as defined by BSD syslogd. For ex‐
628              ample, when TAG is "named[12345]", programname is "named".
629
630       PRI    PRI part of the message - undecoded (single value)
631
632       PRI-text
633              the  PRI  part  of  the  message  in  a textual form (e.g. "sys‐
634              log.info")
635
636       IUT    the monitorware InfoUnitType - used when talking to  a  Monitor‐
637              Ware backend (also for phpLogCon)
638
639       syslogfacility
640              the facility from the message - in numerical form
641
642       syslogfacility-text
643              the facility from the message - in text form
644
645       syslogseverity
646              severity from the message - in numerical form
647
648       syslogseverity-text
649              severity from the message - in text form
650
651       timegenerated
652              timestamp  when the message was RECEIVED. Always in high resolu‐
653              tion
654
655       timereported
656              timestamp from the message. Resolution depends on what was  pro‐
657              vided in the message (in most cases, only seconds)
658
659       TIMESTAMP
660              alias for timereported
661
662       PROTOCOL-VERSION
663              The  contents  of  the  PROTOCOL-VERSION  field  from IETF draft
664              draft-ietf-syslog-protocol
665
666       STRUCTURED-DATA
667              The contents of the STRUCTURED-DATA field from IETF draft draft-
668              ietf-syslog-protocol
669
670       APP-NAME
671              The  contents  of the APP-NAME field from IETF draft draft-ietf-
672              syslog-protocol
673
674       PROCID The contents of the PROCID field from IETF draft draft-ietf-sys‐
675              log-protocol
676
677       MSGID  The  contents of the MSGID field from IETF draft draft-ietf-sys‐
678              log-protocol
679
680       $NOW   The current date stamp in the format YYYY-MM-DD
681
682       $YEAR  The current year (4-digit)
683
684       $MONTH The current month (2-digit)
685
686       $DAY   The current day of the month (2-digit)
687
688       $HOUR  The current hour in military (24 hour) time (2-digit)
689
690       $MINUTE
691              The current minute (2-digit)
692
693
694       Properties starting with a  $-sign  are  so-called  system  properties.
695       These do NOT stem from the message but are rather internally-generated.
696
697
   Character Positions
       FromChar and toChar are used to build substrings. They specify the
       offset within the string that should be copied. Offset counting starts
       at 1, so if you need to obtain the first 2 characters of the message
       text, you can use this syntax: "%msg:1:2%". If you do not wish to
       specify from and to, but you want to specify options, you still need to
       include the colons. For example, if you would like to convert the full
       message text to lower case, use "%msg:::lowercase%". If you would like
       to extract from a position until the end of the string, you can place a
       dollar-sign ("$") in toChar (e.g. %msg:10:$%, which will extract from
       position 10 to the end of the string).

       There is also support for regular expressions. To use them, you need
       to place a "R" into FromChar. This tells rsyslog that a regular
       expression instead of position-based extraction is desired. The actual
       regular expression must then be provided in toChar. The regular
       expression must be followed by the string "--end". It denotes the end
       of the regular expression and will not become part of it. If you are
       using regular expressions, the property replacer will return the part
       of the property text that matches the regular expression. An example
       for a property replacer sequence with a regular expression is:
       "%msg:R:.*Sev:. \(.*\) \[.*--end%"

       Also, extraction can be done based on so-called "fields". To do so,
       place a "F" into FromChar. A field in its current definition is
       anything that is delimited by a delimiter character. The delimiter by
       default is TAB (US-ASCII value 9). However, it can be changed to any
       other US-ASCII character by specifying a comma and the decimal US-ASCII
       value of the delimiter immediately after the "F". For example, to use
       comma (",") as a delimiter, use this field specifier: "F,44". If your
       syslog data is delimited, this is a quicker way to extract than via
       regular expressions (actually, a *much* quicker way). Field counting
       starts at 1. Field zero is accepted, but will always lead to a "field
       not found" error. The same happens if a field number higher than the
       number of fields in the property is requested. The field number must be
       placed in the "ToChar" parameter. An example where the 3rd field
       (delimited by TAB) from the msg property is extracted is as follows:
       "%msg:F:3%". The same example with semicolon as delimiter is
       "%msg:F,59:3%".

       Please note that the special characters "F" and "R" are case-sensitive.
       Only upper case works, lower case will return an error. There are no
       white spaces permitted inside the sequence (that will lead to error
       messages and will NOT provide the intended result).

   Property Options
       Property options are case-insensitive. Currently, the following options
       are defined:

       uppercase
              convert property text to uppercase only

       lowercase
              convert property text to lowercase only

       drop-last-lf
              The last LF in the message (if any), is dropped. Especially
              useful for PIX.

       date-mysql
              format as mysql date

       date-rfc3164
              format as RFC 3164 date

       date-rfc3339
              format as RFC 3339 date

       escape-cc
              replace control characters (ASCII value 127 and values less than
              32) with an escape sequence. The sequence is "#<charval>" where
              charval is the 3-digit decimal value of the control character.
              For example, a tabulator would be replaced by "#009".

       space-cc
              replace control characters by spaces

       drop-cc
              drop control characters - the resulting string will neither
              contain control characters, escape sequences nor any other
              replacement character like space.
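
       The position, field and control-character rules above, modelled in
       Python as an added example (this is not rsyslog code and not part of
       the original man page). The helper name replace_property, the exception
       types and the sample message are assumptions made for illustration;
       regular-expression extraction ("R") is not modelled.

```python
# Model of the property replacer rules in this section (not rsyslog code).
def _is_cc(ch):
    # Control characters per the text: ASCII 127 and values less than 32.
    return ord(ch) < 32 or ord(ch) == 127

# Subset of the property options; names are matched case-insensitively.
OPTIONS = {
    "lowercase": str.lower,  # as in "%msg:::lowercase%"
    "escape-cc": lambda s: "".join(f"#{ord(c):03d}" if _is_cc(c) else c for c in s),
    "space-cc": lambda s: "".join(" " if _is_cc(c) else c for c in s),
    "drop-cc": lambda s: "".join(c for c in s if not _is_cc(c)),
}

def replace_property(spec, props):
    """Evaluate one "%name:fromChar:toChar:option%" sequence (hypothetical helper)."""
    name, frm, to, opt = (spec.strip("%").split(":", 3) + ["", "", ""])[:4]
    value = props[name]
    if frm.startswith("F"):
        # Field mode: TAB by default, or "F,<decimal ASCII>" for another delimiter.
        delim = chr(int(frm[2:])) if frm[1:2] == "," else "\t"
        fields = value.split(delim)
        number = int(to)  # the field number travels in toChar
        if not 1 <= number <= len(fields):
            raise LookupError("field not found")  # field 0 or past the last field
        value = fields[number - 1]
    elif frm:
        if not frm.isdigit():
            # Lower-case "f"/"r" are errors; "R" (regex) is not modelled here.
            raise ValueError(f"unsupported fromChar {frm!r}")
        end = len(value) if to == "$" else int(to)
        value = value[int(frm) - 1:end]  # offsets count from 1, toChar inclusive
    return OPTIONS[opt.lower()](value) if opt else value

# Constructed sample: a delimited message carrying TAB, ESC and LF characters.
SAMPLE = {"msg": "login,FAILED,alice\tfrom 10.0.0.5\x1b[0m\n"}

if __name__ == "__main__":
    for spec in ("%msg:1:5%", "%msg:F,44:2:lowercase%", "%msg:20:$:drop-cc%",
                 "%msg:F,44:3:escape-cc%", "%msg:F,44:3:space-cc%"):
        print(f"{spec:28} -> {replace_property(spec, SAMPLE)!r}")
```

       With escape-cc the embedded LF is written as "#010", so the extracted
       field stays on a single line in the output.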

QUEUED OPERATIONS

       Rsyslogd supports queued operations to handle offline outputs (like
       remote syslogd's or database servers being down). When running in
       queued mode, rsyslogd buffers messages to memory and optionally to disk
       (on an as-needed basis). Queues survive rsyslogd restarts.

       It is highly suggested to use remote forwarding and database writing in
       queued mode, only.

       To learn more about queued operations, see the HTML documentation.

FILES

       /etc/rsyslog.conf
              Configuration file for rsyslogd

SEE ALSO

       rsyslogd(8), logger(1), syslog(3)

       The complete documentation can be found in the doc folder of the
       rsyslog distribution or online at

              https://www.rsyslog.com/doc/

       Please note that the man page reflects only a subset of the
       configuration options. Be sure to read the HTML documentation for all
       features and details. This is especially vital if you plan to set up a
       more-than-extremely-simple system.

AUTHORS

       rsyslogd is taken from sysklogd sources, which have been heavily
       modified by Rainer Gerhards (rgerhards@adiscon.com) and others.

Version 7.2.0                   22 October 2012                RSYSLOG.CONF(5)