RSYSLOGD(8) Linux System Administration RSYSLOGD(8)

rsyslogd - reliable and extended syslogd

rsyslogd [ -4 ] [ -6 ] [ -A ] [ -d ] [ -f config file ]
[ -i pid file ] [ -l hostlist ] [ -n ] [ -N level ]
[ -q ] [ -Q ] [ -s domainlist ] [ -u userlevel ] [ -v ] [ -w ] [ -x ]

Rsyslogd is a system utility providing support for message logging.
Support of both internet and unix domain sockets enables this utility
to support both local and remote logging.

Note that this version of rsyslog ships with extensive documentation in
html format. This is provided in the ./doc subdirectory and probably
in a separate package if you installed rsyslog via a packaging system.
To use rsyslog's advanced features, you need to look at the html
documentation, because the man pages only cover basic aspects of operation.
For details and configuration examples, see the rsyslog.conf (5) man
page and the online documentation at http://www.rsyslog.com/doc

Rsyslogd(8) is derived from the sysklogd package which in turn is
derived from the stock BSD sources.

Rsyslogd provides a kind of logging that many modern programs use.
Every logged message contains at least a time and a hostname field,
normally a program name field, too, but that depends on how trusty the
logging program is. The rsyslog package supports free definition of
output formats via templates. It also supports precise timestamps and
writing directly to databases. If the database option is used, tools
like phpLogCon can be used to view the log data.

While the rsyslogd sources have been heavily modified a couple of notes
are in order. First of all there has been a systematic attempt to
ensure that rsyslogd follows its default, standard BSD behavior. Of
course, some configuration file changes are necessary in order to
support the template system. However, rsyslogd should be able to use a
standard syslog.conf and act like the original syslogd. However, an
original syslogd will not work correctly with a rsyslog-enhanced
configuration file. At best, it will generate funny looking file names.
The second important concept to note is that this version of rsyslogd
interacts transparently with the version of syslog found in the
standard libraries. If a binary linked to the standard shared libraries
fails to function correctly we would like an example of the anomalous
behavior.

The main configuration file /etc/rsyslog.conf or an alternative file,
given with the -f option, is read at startup. Any lines that begin
with the hash mark (``#'') and empty lines are ignored. If an error
occurs during parsing, the erroneous element is ignored and rsyslogd
tries to parse the rest of the line.

Note that in version 3 of rsyslog a number of command line options have
been deprecated and replaced with config file directives. The -c option
controls the backward compatibility mode in use.

-A When sending UDP messages, there are potentially multiple paths
to the target destination. By default, rsyslogd only sends to
the first target it can successfully send to. If -A is given,
messages are sent to all targets. This may improve reliability,
but may also cause message duplication. This option should be
enabled only if it is fully understood.

-4 Causes rsyslogd to listen to IPv4 addresses only. If neither -4
nor -6 is given, rsyslogd listens to all configured addresses of
the system.

-6 Causes rsyslogd to listen to IPv6 addresses only. If neither -4
nor -6 is given, rsyslogd listens to all configured addresses of
the system.

-c version
Selects the desired backward compatibility mode. It must always
be the first option on the command line, as it influences
processing of the other options. To use the rsyslog v3 native
interface, specify -c3. To use compatibility mode, either do
not use -c at all or use -c<version> where version is the
rsyslog version that it shall be compatible with. Using -c0 tells
rsyslog to be command-line compatible to sysklogd, which is the
default if -c is not given. Please note that rsyslogd issues
warning messages if the -c3 command line option is not given.
This is to alert you that you are running in compatibility
mode. Compatibility mode interferes with your rsyslog.conf
commands and may cause some undesired side-effects. It is meant to
be used with a plain old rsyslog.conf - if you use new features,
things become messy. So the best advice is to work through this
document, convert your options and config file and then use
rsyslog in native mode. In order to aid you in this process,
rsyslog logs every compatibility-mode config file directive it
has generated. So you can simply copy them from your logfile and
paste them to the config.

-d Turns on debug mode. With this option the daemon does not
fork(2) to put itself in the background; instead it stays in
the foreground and writes extensive debug information to the
current tty. See the DEBUGGING section for more information.

-f config file
Specify an alternative configuration file instead of
/etc/rsyslog.conf, which is the default.

-i pid file
Specify an alternative pid file instead of the default one.
This option must be used if multiple instances of rsyslogd
should run on a single machine.

-l hostlist
Specify a hostname that should be logged only with its simple
hostname and not the fqdn. Multiple hosts may be specified
using the colon (``:'') separator.

-n Avoid auto-backgrounding. This is needed especially if the
rsyslogd is started and controlled by init(8).

-N level
Do a coNfig check. Do NOT run in regular mode, just check
configuration file correctness. This option is meant to verify a
config file. To do so, run rsyslogd interactively in foreground,
specifying -f <config-file> and -N level. The level argument
modifies behaviour. Currently, 0 is the same as not specifying
the -N option at all (so this makes limited sense) and 1
actually activates the code. Later, higher levels will mean more
verbosity (this is a forward-compatibility option). rsyslogd is
started and controlled by init(8).

-q add hostname if DNS fails during ACL processing
During ACL processing, hostnames are resolved to IP addresses
for performance reasons. If DNS fails during that process, the
hostname is added as wildcard text, which results in proper, but
somewhat slower operation once DNS is up again.

-Q do not resolve hostnames during ACL processing
Do not resolve hostnames to IP addresses during ACL processing.

-s domainlist
Specify a domainname that should be stripped off before logging.
Multiple domains may be specified using the colon (``:'')
separator. Please be advised that no sub-domains may be specified
but only entire domains. For example if -s north.de is
specified and the host logging resolves to satu.infodrom.north.de no
domain would be cut, you will have to specify two domains like:
-s north.de:infodrom.north.de.
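
The matching rule described for -s, modelled as a small shell function (an added example, not rsyslogd's own code). The helper name strip_domain is hypothetical, and lower-case names are assumed.

```shell
#!/bin/sh
# Model of the -s rule as documented above (illustration only, not rsyslogd code):
# the text after the FIRST dot of the host name must equal a listed domain
# exactly, otherwise nothing is cut.
# strip_domain (hypothetical helper): $1 = resolved host name, $2 = -s argument.
strip_domain() {
    host=$1
    case $host in
        *.*) domain=${host#*.} ;;                  # everything after the first dot
        *)   printf '%s\n' "$host"; return 0 ;;    # already a simple hostname
    esac
    old_ifs=$IFS; IFS=:                            # -s separates domains with ':'
    set -- $2
    IFS=$old_ifs
    for listed in "$@"; do
        if [ "$domain" = "$listed" ]; then
            printf '%s\n' "${host%%.*}"            # whole domain matched: cut it
            return 0
        fi
    done
    printf '%s\n' "$host"                          # no exact match: logged as is
}

# The man page's own example host, checked against both domain lists.
strip_domain satu.infodrom.north.de north.de
strip_domain satu.infodrom.north.de north.de:infodrom.north.de
```

Running a planned domain list through the function before deployment shows which hosts would still be logged with their full names.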

-u userlevel
This is a "catch all" option for some very seldom-used user
settings. The "userlevel" variable selects multiple things. Add
the specific values to get the combined effect of them. A value
of 1 prevents rsyslogd from parsing hostnames and tags inside
messages. A value of 2 prevents rsyslogd from changing to the
root directory. This is almost never a good idea in production
use. This option was introduced in support of the internal
testbed. To combine these two features, use a userlevel of 3 (1+2).
Whenever you use an -u option, make sure you really understand
what you do and why you do it.

-v Print version and exit.

-w Suppress warnings issued when messages are received from
non-authorized machines (those that are in no AllowedSender list).

-x Disable DNS for remote messages.

Rsyslogd reacts to a set of signals. You may easily send a signal to
rsyslogd using the following:

    kill -SIGNAL $(cat /var/run/rsyslogd.pid)

Note that -SIGNAL must be replaced with the actual signal you are
trying to send, e.g. with HUP. So it then becomes:

    kill -HUP $(cat /var/run/rsyslogd.pid)

HUP This lets rsyslogd close all open files. Also, in v3 a
full restart will be done in order to read changed configuration
files. Note that this means a full rsyslogd restart is done.
This has, among others, the consequence that TCP and other
connections are torn down. Also, if any queues are not running in
disk assisted mode or are not set to persist data on shutdown,
queue data is lost. HUPing rsyslogd is an extremely expensive
operation and should only be done when actually necessary.
Actually, it is a rsyslogd stop immediately followed by a restart.
Future versions will remove this restart functionality of HUP
(it will go away in v5). So it is advised to use HUP only for
closing files, and a "real restart" (e.g. /etc/rc.d/rsyslogd
restart) to activate configuration changes.

TERM , INT , QUIT
Rsyslogd will die.

USR1 Switch debugging on/off. This option can only be used if
rsyslogd is started with the -d debug option.

CHLD Wait for children if some were born because of wall'ing messages.

There is the potential for the rsyslogd daemon to be used as a conduit
for a denial of service attack. A rogue program(mer) could very easily
flood the rsyslogd daemon with syslog messages resulting in the log
files consuming all the remaining space on the filesystem. Activating
logging over the inet domain sockets will of course expose a system to
risks outside of programs or individuals on the local machine.

There are a number of methods of protecting a machine:

1. Implement kernel firewalling to limit which hosts or networks
have access to the 514/UDP socket.

2. Logging can be directed to an isolated or non-root filesystem
which, if filled, will not impair the machine.

3. The ext2 filesystem can be used which can be configured to limit
a certain percentage of a filesystem to usage by root only.
NOTE that this will require rsyslogd to be run as a non-root
process. ALSO NOTE that this will prevent usage of remote
logging on the default port since rsyslogd will be unable to bind
to the 514/UDP socket.

4. Disabling inet domain sockets will limit risk to the local
machine.
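
Method 1 above, sketched as an added example (not part of the rsyslog distribution): a shell function that prints iptables rule lines admitting 514/UDP only from an explicit allow list and dropping every other sender. The INPUT chain, the IPv4-only validation, the helper names and the sample networks are assumptions.

```shell
#!/bin/sh
# Added illustration of protection method 1: print iptables rules that accept
# syslog on 514/UDP only from listed IPv4 sources and drop everything else.
# Helper names and the INPUT chain are assumptions; review before loading.

# valid_ipv4_cidr ADDR[/PREFIX]: succeed only for a well-formed IPv4 source.
valid_ipv4_cidr() {
    addr=${1%%/*}
    prefix=32
    case $1 in */*) prefix=${1#*/} ;; esac
    case $prefix in ''|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -le 32 ] 2>/dev/null || return 1
    case $addr in ''|*[!0-9.]*|*..*|.*|*.) return 1 ;; esac
    old_ifs=$IFS; IFS=.
    set -- $addr                      # split the address into its octets
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] 2>/dev/null || return 1
    done
}

# syslog_udp_rules SRC...: validate every source first, so that a typo never
# yields a partial rule set, then print one ACCEPT per source and a final DROP.
syslog_udp_rules() {
    [ $# -gt 0 ] || { echo "no allowed sources given" >&2; return 1; }
    for src in "$@"; do
        valid_ipv4_cidr "$src" || { echo "invalid source: $src" >&2; return 1; }
    done
    for src in "$@"; do
        printf '%s\n' "-A INPUT -p udp -s $src --dport 514 -j ACCEPT"
    done
    printf '%s\n' "-A INPUT -p udp --dport 514 -j DROP"
}

# Constructed sample: a documentation network and one single relay host.
syslog_udp_rules 192.0.2.0/24 198.51.100.7
```

Source-address filtering limits who can reach the socket but does not authenticate senders; spoofed sender addresses are the subject of the section on message replay and spoofing.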

Message replay and spoofing
If remote logging is enabled, messages can easily be spoofed and
replayed. As the messages are transmitted in clear-text, an attacker
might use the information obtained from the packets for malicious
things. Also, an attacker might replay recorded messages or spoof a
sender's IP address, which could lead to a wrong perception of system
activity. These can be prevented by using GSS-API authentication and
encryption. Be sure to think about syslog network security before
enabling it.

When debugging is turned on using the -d option, rsyslogd will be very
verbose, writing much of what it does to stdout.

/etc/rsyslog.conf
Configuration file for rsyslogd. See rsyslog.conf(5) for exact
information.
/dev/log
The Unix domain socket from which local syslog messages are
read.
/var/run/rsyslogd.pid
The file containing the process id of rsyslogd.
prefix/lib/rsyslog
Default directory for rsyslogd modules. The prefix is specified
during compilation (e.g. /usr/local).
RSYSLOG_DEBUG
Controls runtime debug support. It contains an option string with
the following options possible (all are case insensitive):

LogFuncFlow
Print out the logical flow of functions (entering and
exiting them)
FileTrace
Specifies which files to trace LogFuncFlow. If not set
(the default), a LogFuncFlow trace is provided for all
files. Set to limit it to the files specified. FileTrace
may be specified multiple times, one file each (e.g.
export RSYSLOG_DEBUG="LogFuncFlow FileTrace=vm.c FileTrace=expr.c")
PrintFuncDB
Print the content of the debug function database whenever
debug information is printed (e.g. abort case)!
PrintAllDebugInfoOnExit
Print all debug information immediately before rsyslogd
exits (currently not implemented!)
PrintMutexAction
Print mutex action as it happens. Useful for finding
deadlocks and such.
NoLogTimeStamp
Do not prefix log lines with a timestamp (default is to
do that).
NoStdOut
Do not emit debug messages to stdout. If RSYSLOG_DEBUGLOG
is not set, this means no messages will be displayed at
all.
Help Display a very short list of commands - hopefully a life
saver if you can't access the documentation...

RSYSLOG_DEBUGLOG
If set, writes (almost) all debug messages to the specified log
file in addition to stdout.
RSYSLOG_MODDIR
Provides the default directory in which loadable modules reside.

Please review the file BUGS for up-to-date information on known bugs
and annoyances.

Please visit http://www.rsyslog.com/doc for additional information,
tutorials and a support forum.

rsyslog.conf(5), logger(1), syslog(2), syslog(3), services(5),
savelog(8)

rsyslogd is derived from sysklogd sources, which in turn was taken from
the BSD sources. Special thanks to Greg Wettstein (greg@wind.enjellic.com)
and Martin Schulze (joey@linux.de) for the fine sysklogd package.

Rainer Gerhards
Adiscon GmbH
Grossrinderfeld, Germany
rgerhards@adiscon.com

Version 3.21.1 29 July 2008 RSYSLOGD(8)