1RSYSLOGD(8)               Linux System Administration              RSYSLOGD(8)
2
3
4

NAME

6       rsyslogd - reliable and extended syslogd
7

SYNOPSIS

9       rsyslogd [ -4 ] [ -6 ] [ -A ] [ -d ] [ -f config file ]
10       [ -i pid file ] [ -l hostlist ] [ -n ] [ -N level ]
11       [ -q ] [ -Q ] [ -s domainlist ] [ -u userlevel ] [ -v ] [ -w ] [ -x ]
12

DESCRIPTION

14       Rsyslogd  is  a  system  utility providing support for message logging.
15       Support of both internet and unix domain sockets enables  this  utility
16       to support both local and remote logging.
17
18       Note that this version of rsyslog ships with extensive documentation in
19       html format.  This is provided in the ./doc subdirectory  and  probably
20       in  a separate package if you installed rsyslog via a packaging system.
21       To use rsyslog's advanced features, you need to look at the html  docu‐
22       mentation, because the man pages only cover basic aspects of operation.
23       For details and configuration examples, see the  rsyslog.conf  (5)  man
24       page and the online documentation at http://www.rsyslog.com/doc
25
26       Rsyslogd(8)  is  derived  from  the  sysklogd  package which in turn is
27       derived from the stock BSD sources.
28
29       Rsyslogd provides a kind of logging  that  many  modern  programs  use.
30       Every  logged  message  contains  at least a time and a hostname field,
31       normally a program name field, too, but that depends on how trusty  the
32       logging  program  is.  The  rsyslog package supports free definition of
33       output formats via templates. It also supports precise  timestamps  and
34       writing  directly  to  databases. If the database option is used, tools
35       like phpLogCon can be used to view the log data.
36
37       While the rsyslogd sources have been heavily modified a couple of notes
38       are  in  order.   First  of  all there has been a systematic attempt to
39       ensure that rsyslogd follows its default,  standard  BSD  behavior.  Of
40       course,  some configuration file changes are necessary in order to sup‐
41       port the template system. However, rsyslogd should be  able  to  use  a
42       standard  syslog.conf  and  act  like the original syslogd. However, an
43       original syslogd will not work correctly with a  rsyslog-enhanced  con‐
44       figuration  file.  At  best, it will generate funny looking file names.
45       The second important concept to note is that this version  of  rsyslogd
46       interacts  transparently  with the version of syslog found in the stan‐
47       dard libraries.  If a binary linked to the  standard  shared  libraries
48       fails  to  function correctly we would like an example of the anomalous
49       behavior.
50
51       The main configuration file /etc/rsyslog.conf or an  alternative  file,
52       given  with  the  -f  option, is read at startup.  Any lines that begin
53       with the hash mark (``#'') and empty lines are ignored.   If  an  error
54       occurs  during  parsing  the  error  element is ignored. It is tried to
55       parse the rest of the line.
56
57

OPTIONS

59       Note that in version 3 of rsyslog a number of command line options have
60       been deprecated and replaced with config file directives. The -c option
61       controls the backward compatibility mode in use.
62
63       -A     When sending UDP messages, there are potentially multiple  paths
64              to  the  target  destination. By default, rsyslogd only sends to
65              the first target it can successfully send to. If  -A  is  given,
66              messages  are sent to all targets. This may improve reliability,
67              but may also cause message duplication. This  option  should  be
68              enabled only if it is fully understood.
69
70       -4     Causes rsyslogd to listen to IPv4 addresses only.  If neither -4
71              nor -6 is given, rsyslogd listens to all configured addresses of
72              the system.
73
74       -6     Causes rsyslogd to listen to IPv6 addresses only.  If neither -4
75              nor -6 is given, rsyslogd listens to all configured addresses of
76              the system.
77
78       -c version
79              Selects  the desired backward compatibility mode. It must always
80              be the first option on the command line, as it  influences  pro‐
81              cessing  of  the  other  options.  To  use the rsyslog v3 native
82              interface, specify -c3. To use compatibility mode  ,  either  do
83              not  use -c at all or use -c<version> where version is the rsys‐
84              log version that it shall be compatible with.  Using  -c0  tells
85              rsyslog  to be command-line compatible to sysklogd, which is the
86              default if -c is not given.  Please note  that  rsyslogd  issues
87              warning  messages  if  the -c3 command line option is not given.
88              This is to alert you that  your  are  running  in  compatibility
89              mode.  Compatibility mode interferes with your rsyslog.conf com‐
90              mands and may cause some undesired side-effects. It is meant  to
91              be used with a plain old rsyslog.conf - if you use new features,
92              things become messy. So the best advice is to work through  this
93              document,  convert  your  options  and  config file and then use
94              rsyslog in native mode. In order to aid  you  in  this  process,
95              rsyslog  logs  every compatibility-mode config file directive it
96              has generated. So you can simply copy them from your logfile and
97              paste them to the config.
98
99       -d     Turns  on  debug mode.  Using this the daemon will not proceed a
100              fork(2) to set itself in the background, but  opposite  to  that
101              stay  in  the foreground and write much debug information on the
102              current tty.  See the DEBUGGING section for more information.
103
104       -f config file
105              Specify an alternative configuration file instead of  /etc/rsys‐
106              log.conf, which is the default.
107
108       -i pid file
109              Specify  an  alternative  pid  file  instead of the default one.
110              This option must be  used  if  multiple  instances  of  rsyslogd
111              should run on a single machine.
112
113       -l hostlist
114              Specify  a  hostname  that should be logged only with its simple
115              hostname and not the fqdn.   Multiple  hosts  may  be  specified
116              using the colon (``:'') separator.
117
118       -n     Avoid  auto-backgrounding.   This  is  needed  especially if the
119              rsyslogd is started and controlled by init(8).
120
121       -N  level
122              Do a coNfig check. Do NOT run in regular mode, just  check  con‐
123              figuration  file  correctness.  This option is meant to verify a
124              config file. To do so, run rsyslogd interactively in foreground,
125              specifying  -f  <config-file>  and -N level.  The level argument
126              modifies behaviour. Currently, 0 is the same as  not  specifying
127              the  -N  option at all (so this makes limited sense) and 1 actu‐
128              ally activates the code. Later, higher  levels  will  mean  more
129              verbosity (this is a forward-compatibility option).  rsyslogd is
130              started and controlled by init(8).
131
132       -q add hostname if DNS fails during ACL processing
133              During ACL processing, hostnames are resolved  to  IP  addresses
134              for  performance  reasons. If DNS fails during that process, the
135              hostname is added as wildcard text, which results in proper, but
136              somewhat slower operation once DNS is up again.
137
138       -Q do not resolve hostnames during ACL processing
139              Do not resolve hostnames to IP addresses during ACL processing.
140
141       -s domainlist
142              Specify a domainname that should be stripped off before logging.
143              Multiple domains may be specified using the colon (``:'')  sepa‐
144              rator.   Please  be advised that no sub-domains may be specified
145              but only entire domains.  For example if -s north.de  is  speci‐
146              fied  and the host logging resolves to satu.infodrom.north.de no
147              domain would be cut, you will have to specify two domains  like:
148              -s north.de:infodrom.north.de.
149
150       -u userlevel
151              This  is  a  "catch all" option for some very seldomly-used user
152              settings.  The "userlevel" variable selects multiple things. Add
153              the specific values to get the combined effect of them.  A value
154              of 1 prevents rsyslogd from parsing hostnames  and  tags  inside
155              messages.   A  value of 2 prevents rsyslogd from changing to the
156              root directory. This is almost never a good idea  in  production
157              use. This option was introduced in support of the internal test‐
158              bed.  To combine these two features, use a userlevel of 3 (1+2).
159              Whenever  you  use an -u option, make sure you really understand
160              what you do and why you do it.
161
162       -v     Print version and exit.
163
164       -w     Suppress warnings issued when messages are  received  from  non-
165              authorized machines (those, that are in no AllowedSender list).
166
167       -x     Disable DNS for remote messages.
168

SIGNALS

170       Rsyslogd  reacts  to a set of signals.  You may easily send a signal to
171       rsyslogd using the following:
172
173              kill -SIGNAL $(cat /var/run/rsyslogd.pid)
174
175       Note that -SIGNAL must be replaced with the actual signal you are  try‐
176       ing to send, e.g. with HUP. So it then becomes:
177
178              kill -HUP $(cat /var/run/rsyslogd.pid)
179
180       HUP    This  lets rsyslogd perform close all open files.  Also, in v3 a
181              full restart will be done in order to read changed configuration
182              files.   Note  that  this means a full rsyslogd restart is done.
183              This has, among others, the consequence that TCP and other  con‐
184              nections  are  torn down. Also, if any queues are not running in
185              disk assisted mode or are not set to persist data  on  shutdown,
186              queue  data  is  lost. HUPing rsyslogd is an extremely expensive
187              operation and should only be done when actually necessary. Actu‐
188              ally,  it  is a rsyslgod stop immediately followed by a restart.
189              Future versions will remove this restart  functionality  of  HUP
190              (it  will  go  away in v5). So it is advised to use HUP only for
191              closing files, and a  "real  restart"  (e.g.  /etc/rc.d/rsyslogd
192              restart) to activate configuration changes.
193
194       TERM ,  INT ,  QUIT
195              Rsyslogd will die.
196
197       USR1   Switch  debugging on/off.  This option can only be used if rsys‐
198              logd is started with the -d debug option.
199
200       CHLD   Wait for childs if some were born, because of wall'ing messages.
201

SECURITY THREATS

203       There is the potential for the rsyslogd daemon to be used as a  conduit
204       for a denial of service attack.  A rogue program(mer) could very easily
205       flood the rsyslogd daemon with syslog messages  resulting  in  the  log
206       files  consuming all the remaining space on the filesystem.  Activating
207       logging over the inet domain sockets will of course expose a system  to
208       risks outside of programs or individuals on the local machine.
209
210       There are a number of methods of protecting a machine:
211
212       1.     Implement  kernel  firewalling  to limit which hosts or networks
213              have access to the 514/UDP socket.
214
215       2.     Logging can be directed to an isolated  or  non-root  filesystem
216              which, if filled, will not impair the machine.
217
218       3.     The ext2 filesystem can be used which can be configured to limit
219              a certain percentage of a filesystem  to  usage  by  root  only.
220              NOTE  that  this  will  require rsyslogd to be run as a non-root
221              process.  ALSO NOTE that this will prevent usage of remote  log‐
222              ging  on  the default port since rsyslogd will be unable to bind
223              to the 514/UDP socket.
224
225       4.     Disabling inet domain sockets  will  limit  risk  to  the  local
226              machine.
227
228   Message replay and spoofing
229       If  remote  logging  is  enabled,  messages  can  easily be spoofed and
230       replayed.  As the messages are transmitted in clear-text,  an  attacker
231       might  use  the  information  obtained  from  the packets for malicious
232       things. Also, an attacker might replay recorded  messages  or  spoof  a
233       sender's  IP  address, which could lead to a wrong perception of system
234       activity. These can be prevented by using  GSS-API  authentication  and
235       encryption.  Be  sure  to  think  about  syslog network security before
236       enabling it.
237

DEBUGGING

239       When debugging is turned on using -d option then rsyslogd will be  very
240       verbose by writing much of what it does on stdout.
241

FILES

243       /etc/rsyslog.conf
244              Configuration  file for rsyslogd.  See rsyslog.conf(5) for exact
245              information.
246       /dev/log
247              The Unix domain socket to from where local syslog  messages  are
248              read.
249       /var/run/rsyslogd.pid
250              The file containing the process id of rsyslogd.
251       prefix/lib/rsyslog
252              Default  directory for rsyslogd modules. The prefix is specified
253              during compilation (e.g. /usr/local).

ENVIRONMENT

255       RSYSLOG_DEBUG
256              Controls runtime debug support.It contains an option string with
257              the following options possible (all are case insensitive):
258
259              LogFuncFlow
260                     Print  out  the  logical  flow of functions (entering and
261                     exiting them)
262              FileTrace
263                     Specifies which files to trace LogFuncFlow.  If  not  set
264                     (the  default),  a  LogFuncFlow trace is provided for all
265                     files. Set to limit it to the  files  specified.FileTrace
266                     may  be  specified  multiple  times,  one file each (e.g.
267                     export  RSYSLOG_DEBUG="LogFuncFlow  FileTrace=vm.c  File‐
268                     Trace=expr.c"
269              PrintFuncDB
270                     Print the content of the debug function database whenever
271                     debug information is printed (e.g. abort case)!
272              PrintAllDebugInfoOnExit
273                     Print all debug information immediately  before  rsyslogd
274                     exits (currently not implemented!)
275              PrintMutexAction
276                     Print  mutex  action  as  it  happens. Useful for finding
277                     deadlocks and such.
278              NoLogTimeStamp
279                     Do not prefix log lines with a timestamp (default  is  to
280                     do that).
281              NoStdOut
282                     Do not emit debug messages to stdout. If RSYSLOG_DEBUGLOG
283                     is not set, this means no messages will be  displayed  at
284                     all.
285              Help   Display  a very short list of commands - hopefully a life
286                     saver if you can't access the documentation...
287
288       RSYSLOG_DEBUGLOG
289              If set, writes (almost) all debug message to the  specified  log
290              file in addition to stdout.
291       RSYSLOG_MODDIR
292              Provides the default directory in which loadable modules reside.
293

BUGS

295       Please  review  the  file BUGS for up-to-date information on known bugs
296       and annoyances.
297

Further Information

299       Please visit  http://www.rsyslog.com/doc  for  additional  information,
300       tutorials and a support forum.
301

SEE ALSO

303       rsyslog.conf(5),    logger(1),   syslog(2),   syslog(3),   services(5),
304       savelog(8)
305

COLLABORATORS

307       rsyslogd is derived from sysklogd sources, which in turn was taken from
308       the  BSD  sources.  Special  thanks to Greg Wettstein (greg@wind.enjel‐
309       lic.com) and Martin Schulze (joey@linux.de) for the fine sysklogd pack‐
310       age.
311
312       Rainer Gerhards
313       Adiscon GmbH
314       Grossrinderfeld, Germany
315       rgerhards@adiscon.com
316
317
318
319Version 3.21.1                   29 July 2008                      RSYSLOGD(8)
Impressum