RSYSLOG.CONF(5)           Linux System Administration          RSYSLOG.CONF(5)

NAME

       rsyslog.conf - rsyslogd(8) configuration file

DESCRIPTION

       The rsyslog.conf file is the main configuration file for rsyslogd(8),
       which logs system messages on *nix systems. This file specifies rules
       for logging. For special features see the rsyslogd(8) manpage.
       Rsyslog.conf is backward-compatible with sysklogd's syslog.conf file,
       so if you migrate from sysklogd you can rename it and it should work.

       Note that this version of rsyslog ships with extensive documentation in
       html format. This is provided in the ./doc subdirectory and probably
       in a separate package if you installed rsyslog via a packaging system.
       To use rsyslog's advanced features, you need to look at the html
       documentation, because the man pages only cover basic aspects of
       operation.

MODULES

       Rsyslog has a modular design. Consequently, there is a growing number
       of modules. See the html documentation for their full description.

       omsnmp SNMP trap output module

       omgssapi
              Output module for GSS-enabled syslog

       ommysql
              Output module for MySQL

       omrelp Output module for the reliable RELP protocol (prevents message
              loss). For details, see below at imrelp and the html
              documentation. It can be used like this:

              *.*  :omrelp:server:port

              *.*  :omrelp:192.168.0.1:2514 # actual sample

       ompgsql
              Output module for PostgreSQL

       omlibdbi
              Generic database output module (Firebird/Interbase, MS SQL,
              Sybase, SQLite, Ingres, Oracle, mSQL)

       imfile Input module for text files

       imudp  Input plugin for UDP syslog. Replaces the deprecated -r option.
              Can be used like this:

              $ModLoad imudp

              $UDPServerRun 514

       imtcp  Input plugin for plain TCP syslog. Replaces the deprecated -t
              option. Can be used like this:

              $ModLoad imtcp

              $InputTCPServerRun 514

       imrelp Input plugin for the RELP protocol. RELP can be used instead of
              UDP or plain TCP syslog to provide reliable delivery of syslog
              messages. Please note that plain TCP syslog does NOT provide
              truly reliable delivery: with it, messages may be lost when
              there is a connection problem or the server shuts down. RELP
              prevents message loss in those cases. It can be used like this:

              $ModLoad imrelp

              $InputRELPServerRun 2514

       imgssapi
              Input plugin for plain TCP and GSS-enabled syslog

       immark Support for mark messages

       imklog Kernel logging. To include kernel log messages, you need to do

              $ModLoad imklog

              Please note that the klogd daemon is no longer necessary and
              consequently no longer provided by the rsyslog package.

       imuxsock
              Unix sockets, including the system log socket. You need to
              specify

              $ModLoad imuxsock

              in order to receive log messages from local system processes.
              This config directive should only be left out if you know
              exactly what you are doing.

BASIC STRUCTURE

       Lines starting with a hash mark ('#') and empty lines are ignored.
       Rsyslog.conf should contain the following sections (sorted by
       recommended order in file):

       Global directives
              Global directives set some global properties of the whole
              rsyslog daemon, for example the size of the main message queue
              ($MainMessageQueueSize), loading external modules ($ModLoad)
              and so on. All global directives need to be specified on a line
              of their own and must start with a dollar sign. The complete
              list of global directives can be found in the html
              documentation in the doc directory or online on the web pages.

       Templates
              Templates allow you to specify the format of the logged
              message. They are also used for dynamic file name generation.
              They have to be defined before they are used in rules. For more
              info about templates see the TEMPLATES section of this manpage.

       Output channels
              Output channels provide an umbrella for any type of output that
              the user might want. They have to be defined before they are
              used in rules. For more info about output channels see the
              OUTPUT CHANNELS section of this manpage.

       Rules (selector + action)
              Every rule line consists of two fields, a selector field and an
              action field. These two fields are separated by one or more
              spaces or tabs. The selector field specifies a pattern of
              facilities and priorities belonging to the specified action.

SELECTORS

       The selector field itself again consists of two parts, a facility and
       a priority, separated by a period ('.'). Both parts are case
       insensitive and can also be specified as decimal numbers, but don't do
       that, you have been warned. Both facilities and priorities are
       described in syslog(3). The names mentioned below correspond to the
       similar LOG_-values in /usr/include/syslog.h.

       The facility is one of the following keywords: auth, authpriv, cron,
       daemon, kern, lpr, mail, mark, news, security (same as auth), syslog,
       user, uucp and local0 through local7. The keyword security should not
       be used anymore and mark is only for internal use and therefore should
       not be used in applications. Anyway, you may want to specify and
       redirect these messages here. The facility specifies the subsystem
       that produced the message, i.e. all mail programs log with the mail
       facility (LOG_MAIL) if they log using syslog.

       The priority is one of the following keywords, in ascending order:
       debug, info, notice, warning, warn (same as warning), err, error (same
       as err), crit, alert, emerg, panic (same as emerg). The keywords
       error, warn and panic are deprecated and should not be used anymore.
       The priority defines the severity of the message.

       The behavior of the original BSD syslogd is that all messages of the
       specified priority and higher are logged according to the given
       action. Rsyslogd behaves the same, but has some extensions.

       In addition to the above mentioned names, rsyslogd(8) understands the
       following extensions: An asterisk ('*') stands for all facilities or
       all priorities, depending on where it is used (before or after the
       period). The keyword none stands for no priority of the given
       facility.

       You can specify multiple facilities with the same priority pattern in
       one statement using the comma (',') operator. You may specify as many
       facilities as you want. Remember that only the facility part from such
       a statement is taken, a priority part would be skipped.

       Multiple selectors may be specified for a single action using the
       semicolon (';') separator. Remember that each selector in the selector
       field is capable of overwriting the preceding ones. Using this
       behavior you can exclude some priorities from the pattern.

       Rsyslogd has a syntax extension to the original BSD source that makes
       its use more intuitive. You may precede every priority with an equals
       sign ('=') to specify only this single priority and not any of the
       above. You may also (both are valid, too) precede the priority with an
       exclamation mark ('!') to ignore all those priorities, either exactly
       this one or this and any higher priority. If you use both extensions
       then the exclamation mark must occur before the equals sign, just use
       it intuitively.

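       The selector rules above (priority and higher, '=', '!', none, ','
       and ';'), modelled in Python as an added example. This is not
       rsyslog's own code; the rule set and the log file names in
       SAMPLE_RULES are constructed for illustration.

```python
"""Added example: a model of the selector rules described above.
Not rsyslog source code; the sample rules and file names are constructed."""

PRIORITIES = ["debug", "info", "notice", "warning", "err", "crit", "alert", "emerg"]
PRIORITY_ALIASES = {"warn": "warning", "error": "err", "panic": "emerg"}
FACILITIES = ["auth", "authpriv", "cron", "daemon", "kern", "lpr", "mail", "mark",
              "news", "syslog", "user", "uucp"] + ["local%d" % i for i in range(8)]
FACILITY_ALIASES = {"security": "auth"}


def _priority_set(spec):
    """Parse the part after the period into (remove?, set of priorities)."""
    negate = spec.startswith("!")        # '!' must come before '='
    spec = spec[1:] if negate else spec
    exact = spec.startswith("=")
    spec = spec[1:] if exact else spec
    if spec == "none":                   # no priority of the given facility
        return True, set(PRIORITIES)
    if spec == "*":
        return negate, set(PRIORITIES)
    name = PRIORITY_ALIASES.get(spec, spec)
    if name not in PRIORITIES:
        raise ValueError("unknown priority: %r" % spec)
    at = PRIORITIES.index(name)
    # Without '=', the named priority and every higher one are selected.
    return negate, ({name} if exact else set(PRIORITIES[at:]))


def compile_selector(field):
    """Return {facility: set of priorities matched} for one selector field."""
    matched = {fac: set() for fac in FACILITIES}
    for selector in field.lower().split(";"):    # later selectors override
        facs, dot, prio = selector.strip().rpartition(".")
        if not dot or not facs or not prio:
            raise ValueError("expected facility.priority in %r" % selector)
        remove, levels = _priority_set(prio)
        if facs == "*":
            names = FACILITIES
        else:
            names = [FACILITY_ALIASES.get(f.strip(), f.strip())
                     for f in facs.split(",")]
        for fac in names:
            if fac not in matched:
                raise ValueError("unknown facility: %r" % fac)
            if remove:
                matched[fac] = matched[fac] - levels
            else:
                matched[fac] = matched[fac] | levels
    return matched


def destinations(rules, facility, priority):
    """Actions of every rule whose selector matches the given message."""
    return [action for field, action in rules
            if priority in compile_selector(field)[facility]]


# Constructed rule set: authpriv and mail are kept out of the general log.
SAMPLE_RULES = [
    ("*.info;mail.none;authpriv.none", "/var/log/messages"),
    ("authpriv.*", "/var/log/secure"),
    ("kern.=crit", "/var/log/kern-crit.log"),
    ("mail.*;mail.!=info", "/var/log/mail-noinfo.log"),
]

if __name__ == "__main__":
    for fac, prio in [("authpriv", "info"), ("kern", "crit"), ("mail", "info")]:
        print(fac, prio, "->", destinations(SAMPLE_RULES, fac, prio))
```

       Running destinations() over every facility and priority pair is a
       quick way to confirm that sensitive facilities such as authpriv
       reach only the files intended for them.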

ACTIONS

       The action field of a rule describes what to do with the message. In
       general, message content is written to a kind of "logfile". But other
       actions might also be done, like writing to a database table or
       forwarding to another host.


   Regular file
       Typically messages are logged to real files. The file has to be
       specified with full pathname, beginning with a slash ('/').

       Example:
              *.*     /var/log/traditionalfile.log;RSYSLOG_TraditionalFileFormat      # log to a file in the traditional format

       Note: if you would like to use high-precision timestamps in your log
       files, just remove the ";RSYSLOG_TraditionalFileFormat". That will
       select the default template, which, if not changed, uses RFC 3339
       timestamps.

       Example:
              *.*     /var/log/file.log # log to a file with RFC3339 timestamps

       By default, files are not synced after each write. To enable syncing
       of log files globally, use either the "$ActionFileEnableSync"
       directive or the "sync" parameter to omfile. Enabling this option
       degrades performance and it is advised not to enable syncing unless
       you know what you are doing. To selectively disable syncing for
       certain files, you may prefix the file path with a minus sign ("-").


   Named pipes
       This version of rsyslogd(8) has support for logging output to named
       pipes (fifos). A fifo or named pipe can be used as a destination for
       log messages by prepending a pipe symbol ('|') to the name of the
       file. This is handy for debugging. Note that the fifo must be created
       with the mkfifo(1) command before rsyslogd(8) is started.


   Terminal and console
       If the file you specified is a tty, special tty-handling is done, same
       with /dev/console.


   Remote machine
       There are three ways to forward messages: the traditional UDP
       transport, which is extremely lossy but standard; the plain TCP based
       transport, which loses messages only during certain situations but is
       widely available; and the RELP transport, which does not lose messages
       but is currently available only as part of rsyslogd 3.15.0 and above.

       To forward messages to another host via UDP, prepend the hostname with
       the at sign ("@"). To forward it via plain tcp, prepend two at signs
       ("@@"). To forward via RELP, prepend the string ":omrelp:" in front of
       the hostname.

       Example:
              *.* @192.168.0.1

       In the example above, messages are forwarded via UDP to the machine
       192.168.0.1, the destination port defaults to 514. Due to the nature
       of UDP, you will probably lose some messages in transit. If you expect
       high traffic volume, you can expect to lose a quite noticeable number
       of messages (the higher the traffic, the more likely and severe is
       message loss).

       If you would like to prevent message loss, use RELP:
              *.* :omrelp:192.168.0.1:2514

       Note that a port number was given as there is no standard port for
       relp.

       Keep in mind that you need to load the correct input and output
       plugins (see "Modules" above).

       Please note that rsyslogd offers a variety of options regarding remote
       forwarding. For full details, please see the html documentation.


   List of users
       Usually critical messages are also directed to ``root'' on that
       machine. You can specify a list of users that shall get the message by
       simply writing ":omusrmsg:" followed by the login name. You may
       specify more than one user by separating them with commas (','). If
       they're logged in they get the message (for example:
       ":omusrmsg:root,user1,user2").


   Everyone logged on
       Emergency messages often go to all users currently online to notify
       them that something strange is happening with the system. To specify
       this wall(1)-feature use an ":omusrmsg:*".


   Database table
       This allows logging of the message to a database table. By default, a
       MonitorWare-compatible schema is required for this to work. You can
       create that schema with the createDB.SQL file that came with the
       rsyslog package. You can also use any other schema of your liking -
       you just need to define a proper template and assign this template to
       the action.

       See the html documentation for further details on database logging.


   Discard
       If the discard action is carried out, the received message is
       immediately discarded. Discard can be highly effective if you want to
       filter out some annoying messages that otherwise would fill your log
       files. To do that, place the discard actions early in your log files.
       This often plays well with property-based filters, giving you great
       freedom in specifying what you do not want.

       Discard is just the single tilde character with no further parameters.

       Example:
              *.*   ~      # discards everything.


   Output channel
       Binds an output channel definition (see there for details) to this
       action. Output channel actions must start with a $-sign, e.g. if you
       would like to bind your output channel definition "mychannel" to the
       action, use "$mychannel". Output channels support template definitions
       like all other actions.


   Shell execute
       This executes a program in a subshell. The program is passed the
       template-generated message as the only command line parameter. Rsyslog
       waits until the program terminates and only then continues to run.

       Example:
              ^program-to-execute;template

       The program-to-execute can be any valid executable. It receives the
       template string as a single parameter (argv[1]).

FILTER CONDITIONS

       Rsyslog offers three different types of "filter conditions":
          * "traditional" severity and facility based selectors
          * property-based filters
          * expression-based filters


   Selectors
       Selectors are the traditional way of filtering syslog messages. They
       have been kept in rsyslog with their original syntax, because it is
       well-known, highly effective and also needed for compatibility with
       stock syslogd configuration files. If you just need to filter based on
       priority and facility, you should do this with selector lines. They
       are not second-class citizens in rsyslog and offer the best
       performance for this job.


   Property-Based Filters
       Property-based filters are unique to rsyslogd. They allow filtering on
       any property, like HOSTNAME, syslogtag and msg.

       A property-based filter must start with a colon in column 0. This
       tells rsyslogd that it is the new filter type. The colon must be
       followed by the property name, a comma, the name of the compare
       operation to carry out, another comma and then the value to compare
       against. This value must be quoted. There can be spaces and tabs
       between the commas. Property names and compare operations are
       case-sensitive, so "msg" works, while "MSG" is an invalid property
       name. In brief, the syntax is as follows:

              :property, [!]compare-operation, "value"

       The following compare-operations are currently supported:

              contains
                     Checks if the string provided in value is contained in
                     the property

              isequal
                     Compares the "value" string provided and the property
                     contents. These two values must be exactly equal to
                     match.

              startswith
                     Checks if the value is found exactly at the beginning of
                     the property value

              regex
                     Compares the property against the provided regular
                     expression.


   Expression-Based Filters
       See the html documentation for this feature.

TEMPLATES

       Every output in rsyslog uses templates - this holds true for files,
       user messages and so on. Templates compatible with the stock syslogd
       formats are hardcoded into rsyslogd. If no template is specified, we
       use one of these hardcoded templates. Search for "template_" in
       syslogd.c and you will find the hardcoded ones.

       A template consists of a template directive, a name, the actual
       template text and optional options. A sample is:

              $template MyTemplateName,"\7Text %property% some more text\n",<options>

       The "$template" is the template directive. It tells rsyslog that this
       line contains a template. The backslash is an escape character. For
       example, \7 rings the bell (this is an ASCII value), \n is a new line.
       The set in rsyslog is a bit restricted currently.

       All text in the template is used literally, except for things within
       percent signs. These are properties and allow you access to the
       contents of the syslog message. Properties are accessed via the
       property replacer and it can for example pick a substring or do
       date-specific formatting. More on this is in the PROPERTY REPLACER
       section of this manpage.

       To escape:
          % = \%
          \ = \\ --> '\' is used to escape (as in C)

       $template TraditionalFormat,"%timegenerated% %HOSTNAME% %syslogtag%%msg%\n"

       Properties can be accessed by the property replacer (see there for
       details).

       Please note that templates can also be used to generate selector lines
       with dynamic file names. For example, if you would like to split
       syslog messages from different hosts to different files (one per
       host), you can define the following template:

              $template DynFile,"/var/log/system-%HOSTNAME%.log"

       This template can then be used when defining an output selector line.
       It will result in something like "/var/log/system-localhost.log"


   Template options
       The <options> part is optional. It carries options influencing the
       template as a whole. See details below. Be sure NOT to mistake
       template options for property options - the latter ones are processed
       by the property replacer and apply to a SINGLE property only (and not
       the whole template).

       Template options are case-insensitive. Currently defined are:


              sql    format the string suitable for a SQL statement in MySQL
                     format. This will replace single quotes ("'") and the
                     backslash character by their backslash-escaped
                     counterpart ("\'" and "\\") inside each field. Please
                     note that in MySQL configuration, the
                     NO_BACKSLASH_ESCAPES mode must be turned off for this
                     format to work (this is the default).


              stdsql format the string suitable for a SQL statement that is
                     to be sent to a standards-compliant sql server. This
                     will replace single quotes ("'") by two single quotes
                     ("''") inside each field. You must use stdsql together
                     with MySQL if in MySQL configuration the
                     NO_BACKSLASH_ESCAPES is turned on.

       Either the sql or stdsql option MUST be specified when a template is
       used for writing to a database, otherwise injection might occur.
       Please note that due to the unfortunate fact that several vendors have
       violated the sql standard and introduced their own escape methods, it
       is impossible to have a single option doing all the work. So you
       yourself must make sure you are using the right format. If you choose
       the wrong one, you are still vulnerable to sql injection.

       Please note that the database writer *checks* that the sql option is
       present in the template. If it is not present, the write database
       action is disabled. This is to guard you against accidentally
       forgetting it and then becoming vulnerable to SQL injection. The sql
       option can also be useful with files - especially if you want to
       import them into a database on another machine for performance
       reasons. However, do NOT use it if you do not have a real need for it
       - among others, it takes some toll on the processing time. Not much,
       but on a really busy system you might notice it ;)

       The default template for the write to database action has the sql
       option set.


   Template examples
       Please note that the samples are split across multiple lines. A
       template MUST NOT actually be split across multiple lines.

       A template that resembles traditional syslogd file output:

              $template TraditionalFormat,"%timegenerated% %HOSTNAME%
              %syslogtag%%msg:::drop-last-lf%\n"

       A template that tells you a little more about the message:

              $template precise,"%syslogpriority%,%syslogfacility%,
              %timegenerated%,%HOSTNAME%,
              %syslogtag%,%msg%\n"

       A template for RFC 3164 format:

              $template RFC3164fmt,"<%PRI%>%TIMESTAMP% %HOSTNAME%
              %syslogtag%%msg%"

       A template for the format traditionally used for user messages:

              $template usermsg," XXXX%syslogtag%%msg%\n\r"

       And a template with the traditional wall-message format:

              $template wallmsg,"\r\n\7Message from syslogd@%HOSTNAME%
              at %timegenerated%"

       A template that can be used for writing to a database (please note the
       SQL template option):

              $template MySQLInsert,"insert into systemevents (iut, message,
              receivedat) values ('%iut%', '%msg:::UPPERCASE%',
              '%timegenerated:::date-mysql%')\r\n", SQL

              NOTE 1: This template is embedded into the core application
              under the name StdDBFmt, so you don't need to define it.

              NOTE 2: You have to have the MySQL module installed to use
              this template.

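       Why the choice between the sql and stdsql template options has to
       match the server, shown as an added example (not rsyslog code): each
       option's escaping is applied to constructed field values and the
       resulting literal is read under both MySQL modes. The column name and
       the sample values are assumptions.

```python
"""Added example: the 'sql' and 'stdsql' field escaping described above,
checked against both MySQL string-literal modes. Not rsyslog source code."""


def escape_sql(value):
    # 'sql' option: backslash-escape the backslash and the single quote.
    return value.replace("\\", "\\\\").replace("'", "\\'")


def escape_stdsql(value):
    # 'stdsql' option: double every single quote, leave backslashes alone.
    return value.replace("'", "''")


def literal_end(statement, start, backslash_escapes):
    """Index of the quote that closes the literal opened at `start`, read the
    way the server would read it; -1 if the literal never closes."""
    i = start + 1
    while i < len(statement):
        ch = statement[i]
        if backslash_escapes and ch == "\\":
            i += 2                      # backslash hides the next character
        elif ch == "'" and statement[i + 1:i + 2] == "'":
            i += 2                      # '' is one quote inside the literal
        elif ch == "'":
            return i
        else:
            i += 1
    return -1


def field_stays_quoted(value, escape, backslash_escapes):
    """True if the literal ends exactly at the template's own closing quote,
    i.e. the escaped field cannot terminate the literal early."""
    statement = ("insert into systemevents (message) values ('"
                 + escape(value) + "')")
    start = statement.index("'")
    return literal_end(statement, start, backslash_escapes) == len(statement) - 2


# Constructed sample field values (not taken from real logs).
SAMPLES = ["user 'bob' logged in", "dir C:\\tmp\\' ok"]


def audit():
    """Map (template option, server mode) -> True if every sample stays
    inside its quoted literal."""
    options = {"sql": escape_sql, "stdsql": escape_stdsql}
    modes = {"backslash escapes on": True, "NO_BACKSLASH_ESCAPES": False}
    return {(opt, mode): all(field_stays_quoted(v, fn, flag) for v in SAMPLES)
            for opt, fn in options.items() for mode, flag in modes.items()}


if __name__ == "__main__":
    for (opt, mode), safe in audit().items():
        print("%-7s %-22s %s" % (opt, mode, "contained" if safe else "BREAKS OUT"))
```

       Only the two pairings the text prescribes keep every sample inside
       its literal: sql with backslash escapes on, and stdsql with
       NO_BACKSLASH_ESCAPES.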

OUTPUT CHANNELS

       Output Channels are a new concept first introduced in rsyslog 0.9.0.
       As of this writing, it is most likely that they will be replaced by
       something different in the future. So if you use them, be prepared to
       change your configuration file syntax when you upgrade to a later
       release.

       Output channels are defined via an $outchannel directive. Its syntax
       is as follows:

              $outchannel name,file-name,max-size,action-on-max-size

       name is the name of the output channel (not the file), file-name is
       the file name to be written to, max-size the maximum allowed size and
       action-on-max-size a command to be issued when the max size is
       reached. This command always has exactly one parameter. The binary is
       that part of action-on-max-size before the first space, its parameter
       is everything behind that space.

       Keep in mind that $outchannel just defines a channel with "name". It
       does not activate it. To do so, you must use a selector line (see
       below). That selector line includes the channel name plus ":omfile:$"
       in front of it. A sample might be:

              *.* :omfile:$mychannel

PROPERTY REPLACER

       The property replacer is a core component in rsyslogd's output system.
       A syslog message has a number of well-defined properties (see below).
       Each of these properties can be accessed and manipulated by the
       property replacer. With it, it is easy to use only part of a property
       value or manipulate the value, e.g. by converting all characters to
       lower case.


   Accessing Properties
       Syslog message properties are used inside templates. They are accessed
       by putting them between percent signs. Properties can be modified by
       the property replacer. The full syntax is as follows:

              %propname:fromChar:toChar:options%

       propname is the name of the property to access. It is case-sensitive.


   Available Properties
       msg    the MSG part of the message (aka "the message" ;))

       rawmsg the message exactly as it was received from the socket. Should
              be useful for debugging.

       HOSTNAME
              hostname from the message

       FROMHOST
              hostname of the system the message was received from (in a
              relay chain, this is the system immediately in front of us and
              not necessarily the original sender)

       syslogtag
              TAG from the message

       programname
              the "static" part of the tag, as defined by BSD syslogd. For
              example, when TAG is "named[12345]", programname is "named".

       PRI    PRI part of the message - undecoded (single value)

       PRI-text
              the PRI part of the message in a textual form (e.g.
              "syslog.info")

       IUT    the monitorware InfoUnitType - used when talking to a
              MonitorWare backend (also for phpLogCon)

       syslogfacility
              the facility from the message - in numerical form

       syslogfacility-text
              the facility from the message - in text form

       syslogseverity
              severity from the message - in numerical form

       syslogseverity-text
              severity from the message - in text form

       timegenerated
              timestamp when the message was RECEIVED. Always in high
              resolution

       timereported
              timestamp from the message. Resolution depends on what was
              provided in the message (in most cases, only seconds)

       TIMESTAMP
              alias for timereported

       PROTOCOL-VERSION
              The contents of the PROTOCOL-VERSION field from IETF draft
              draft-ietf-syslog-protocol

       STRUCTURED-DATA
              The contents of the STRUCTURED-DATA field from IETF draft
              draft-ietf-syslog-protocol

       APP-NAME
              The contents of the APP-NAME field from IETF draft
              draft-ietf-syslog-protocol

       PROCID The contents of the PROCID field from IETF draft
              draft-ietf-syslog-protocol

       MSGID  The contents of the MSGID field from IETF draft
              draft-ietf-syslog-protocol

       $NOW   The current date stamp in the format YYYY-MM-DD

       $YEAR  The current year (4-digit)

       $MONTH The current month (2-digit)

       $DAY   The current day of the month (2-digit)

       $HOUR  The current hour in military (24 hour) time (2-digit)

       $MINUTE
              The current minute (2-digit)


       Properties starting with a $-sign are so-called system properties.
       These do NOT stem from the message but are rather internally
       generated.


   Character Positions
       FromChar and toChar are used to build substrings. They specify the
       offset within the string that should be copied. Offset counting starts
       at 1, so if you need to obtain the first 2 characters of the message
       text, you can use this syntax: "%msg:1:2%". If you do not wish to
       specify from and to, but you want to specify options, you still need
       to include the colons. For example, if you would like to convert the
       full message text to lower case, use "%msg:::lowercase%". If you would
       like to extract from a position until the end of the string, you can
       place a dollar-sign ("$") in toChar (e.g. %msg:10:$%, which will
       extract from position 10 to the end of the string).

       There is also support for regular expressions. To use them, you need
       to place a "R" into FromChar. This tells rsyslog that a regular
       expression instead of position-based extraction is desired. The actual
       regular expression must then be provided in toChar. The regular
       expression must be followed by the string "--end". It denotes the end
       of the regular expression and will not become part of it. If you are
       using regular expressions, the property replacer will return the part
       of the property text that matches the regular expression. An example
       for a property replacer sequence with a regular expression is:
       "%msg:R:.*Sev:. \(.*\) \[.*--end%"

       Also, extraction can be done based on so-called "fields". To do so,
       place a "F" into FromChar. A field in its current definition is
       anything that is delimited by a delimiter character. The delimiter by
       default is TAB (US-ASCII value 9). However, it can be changed to any
       other US-ASCII character by specifying a comma and the decimal
       US-ASCII value of the delimiter immediately after the "F". For
       example, to use comma (",") as a delimiter, use this field specifier:
       "F,44". If your syslog data is delimited, this is a quicker way to
       extract than via regular expressions (actually, a *much* quicker way).
       Field counting starts at 1. Field zero is accepted, but will always
       lead to a "field not found" error. The same happens if a field number
       higher than the number of fields in the property is requested. The
       field number must be placed in the "ToChar" parameter. An example
       where the 3rd field (delimited by TAB) from the msg property is
       extracted is as follows: "%msg:F:3%". The same example with semicolon
       as delimiter is "%msg:F,59:3%".

       Please note that the special characters "F" and "R" are
       case-sensitive. Only upper case works, lower case will return an
       error. There are no white spaces permitted inside the sequence (that
       will lead to error messages and will NOT provide the intended result).

742   Property Options
       Property options are case-insensitive. Currently, the following
       options are defined:

       uppercase
              convert property text to uppercase only

       lowercase
              convert property text to lowercase only

       drop-last-lf
              The last LF in the message (if any), is dropped. Especially
              useful for PIX.

       date-mysql
              format as mysql date

       date-rfc3164
              format as RFC 3164 date

       date-rfc3339
              format as RFC 3339 date

       escape-cc
              replace control characters (ASCII value 127 and values less
              than 32) with an escape sequence. The sequence is
              "#<charval>" where charval is the 3-digit decimal value of
              the control character. For example, a tabulator would be
              replaced by "#009".

       space-cc
              replace control characters by spaces

       drop-cc
              drop control characters - the resulting string will neither
              contain control characters, escape sequences nor any other
              replacement character like space.
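
       The position, field and control-character rules above can be
       checked offline with a small model. The following Python code is an
       added example, not rsyslog code: the names expand, FieldNotFound and
       SAMPLE are assumptions, the "R" form and the date options are not
       modelled, and the sample message is constructed.

```python
class FieldNotFound(Exception):
    """Stands in for the "field not found" error the man page describes."""

def _is_cc(ch):
    # Control characters per the man page: ASCII 127 and values below 32.
    return ord(ch) < 32 or ord(ch) == 127

# Option names are from the man page; matching is case-insensitive.
OPTIONS = {
    "uppercase": str.upper,
    "lowercase": str.lower,
    "escape-cc": lambda s: "".join("#%03d" % ord(c) if _is_cc(c) else c for c in s),
    "space-cc": lambda s: "".join(" " if _is_cc(c) else c for c in s),
    "drop-cc": lambda s: "".join(c for c in s if not _is_cc(c)),
}

def expand(spec, props):
    """Model of one %property:fromChar:toChar:option% sequence (no "R" form)."""
    if len(spec) < 3 or spec[0] != "%" or spec[-1] != "%" or " " in spec:
        raise ValueError("malformed sequence: %r" % spec)
    name, frm, to, opt = (spec[1:-1].split(":") + ["", "", ""])[:4]
    text = props[name]
    if frm == "F" or frm.startswith("F,"):
        # Delimiter defaults to TAB (9); "F,<decimal>" selects another one.
        delim = chr(int(frm[2:])) if frm != "F" else "\t"
        fields = text.split(delim)
        number = int(to)
        if number < 1 or number > len(fields):  # field 0 or beyond the last
            raise FieldNotFound(spec)
        text = fields[number - 1]
    elif frm == "R":
        raise NotImplementedError("regular-expression form is not modelled")
    elif frm or to:
        start = int(frm) if frm else 1           # offsets count from 1
        end = len(text) if to in ("", "$") else int(to)
        text = text[start - 1:end]
    return OPTIONS[opt.lower()](text) if opt else text

# Constructed sample: a message carrying an embedded TAB and LF.
SAMPLE = {"msg": "login failed\tuser=bob\nForged line"}

if __name__ == "__main__":
    for seq in ("%msg:1:5%", "%msg:F:2%", "%msg:::escape-cc%", "%msg:::drop-cc%"):
        print(seq, "->", repr(expand(seq, SAMPLE)))
```

       With escape-cc the embedded LF stays visible as "#010" instead of
       starting a new line in the output file, which keeps one message on
       one line for later review.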

QUEUED OPERATIONS

       Rsyslogd supports queued operations to handle offline outputs (like
       remote syslogd's or database servers being down). When running in
       queued mode, rsyslogd buffers messages to memory and optionally to
       disk (on an as-needed basis). Queues survive rsyslogd restarts.

       It is highly suggested to use remote forwarding and database
       writing only in queued mode.

       To learn more about queued operations, see the html documentation.

FILES

       /etc/rsyslog.conf
              Configuration file for rsyslogd

SEE ALSO

       rsyslogd(8), logger(1), syslog(3)

       The complete documentation can be found in the doc folder of the
       rsyslog distribution or online at

              http://www.rsyslog.com/doc

       Please note that the man page reflects only a subset of the
       configuration options. Be sure to read the html documentation for
       all features and details. This is especially vital if you plan to
       set up a more-than-extremely-simple system.

AUTHORS

       rsyslogd is taken from sysklogd sources, which have been heavily
       modified by Rainer Gerhards (rgerhards@adiscon.com) and others.

Version 7.2.0                   22 October 2012                RSYSLOG.CONF(5)