1RSYSLOGD(8)               Linux System Administration              RSYSLOGD(8)
2
3
4

NAME

6       rsyslogd - reliable and extended syslogd
7

SYNOPSIS

9       rsyslogd  [  -d ] [ -D ] [ -f config file ] [ -i pid file ] [ -n ] [ -N
10       level ] [ -C ] [ -v ]
11

DESCRIPTION

13       Rsyslogd is a system utility providing  support  for  message  logging.
14       Support  of  both internet and unix domain sockets enables this utility
15       to support both local and remote logging.
16
17       Note that this version of rsyslog ships with extensive documentation in
18       HTML  format.   This is provided in the ./doc subdirectory and probably
19       in a separate package if you installed rsyslog via a packaging  system.
20       To  use rsyslog's advanced features, you need to look at the HTML docu‐
21       mentation, because the man pages only covers basic  aspects  of  opera‐
22       tion.  For details and configuration examples, see the rsyslog.conf (5)
23       man page and the online documentation at https://www.rsyslog.com/doc/
24
25       Rsyslogd(8) is derived from the  sysklogd  package  which  in  turn  is
26       derived from the stock BSD sources.
27
28       Rsyslogd  provides  a  kind  of  logging that many modern programs use.
29       Every logged message contains at least a time  and  a  hostname  field,
30       normally  a program name field, too, but that depends on how trusty the
31       logging program is. The rsyslog package  supports  free  definition  of
32       output  formats  via templates. It also supports precise timestamps and
33       writing directly to databases. If the database option  is  used,  tools
34       like phpLogCon can be used to view the log data.
35
36       While the rsyslogd sources have been heavily modified a couple of notes
37       are in order.  First of all there has  been  a  systematic  attempt  to
38       ensure  that  rsyslogd  follows  its default, standard BSD behavior. Of
39       course, some configuration file changes are necessary in order to  sup‐
40       port  the  template  system.  However, rsyslogd should be able to use a
41       standard syslog.conf and act like the  original  syslogd.  However,  an
42       original  syslogd  will not work correctly with a rsyslog-enhanced con‐
43       figuration file. At best, it will generate funny  looking  file  names.
44       The  second  important concept to note is that this version of rsyslogd
45       interacts transparently with the version of syslog found in  the  stan‐
46       dard  libraries.   If  a binary linked to the standard shared libraries
47       fails to function correctly we would like an example of  the  anomalous
48       behavior.
49
50       The  main  configuration file /etc/rsyslog.conf or an alternative file,
51       given with the -f option, is read at startup.   Any  lines  that  begin
52       with  the  hash  mark (``#'') and empty lines are ignored.  If an error
53       occurs during parsing the error element is  ignored.  It  is  tried  to
54       parse the rest of the line.
55
56

OPTIONS

58       -D     Runs  the  Bison config parser in debug mode. This may help when
59              hard to find syntax errors are reported. Please  note  that  the
60              output  generated  is  deeply  technical  and orignally targeted
61              towards developers.
62
63       -d     Turns on debug mode. See the DEBUGGING section for more informa‐
64              tion.
65
66       -f config file
67              Specify  an alternative configuration file instead of /etc/rsys‐
68              log.conf, which is the default.
69
70       -i pid file
71              Specify an alternative pid file  instead  of  the  default  one.
72              This  option  must  be  used  if  multiple instances of rsyslogd
73              should run on a single machine. To disable writing a  pid  file,
74              use the reserved name "NONE" (all upper case!), so "-iNONE".
75
76       -n     Avoid  auto-backgrounding.   This  is  needed  especially if the
77              rsyslogd is started and controlled by init(8).
78
79       -N  level
80              Do a config check. Do NOT run in regular mode, just  check  con‐
81              figuration  file  correctness.  This option is meant to verify a
82              config file. To do so, run rsyslogd interactively in foreground,
83              specifying  -f  <config-file>  and -N level.  The level argument
84              modifies behaviour. Currently, 0 is the same as  not  specifying
85              the  -N  option at all (so this makes limited sense) and 1 actu‐
86              ally activates the code. Later, higher  levels  will  mean  more
87              verbosity (this is a forward-compatibility option).
88
89       -C     This prevents rsyslogd from changing to the root directory. This
90              is almost never a good idea in production use. This  option  was
91              introduced in support of the internal testbed.
92
93       -v     Print version and exit.
94

SIGNALS

96       Rsyslogd  reacts  to a set of signals.  You may easily send a signal to
97       rsyslogd using the following:
98
99              kill -SIGNAL $(cat /var/run/rsyslogd.pid)
100
101       Note that -SIGNAL must be replaced with the actual signal you are  try‐
102       ing to send, e.g. with HUP. So it then becomes:
103
104              kill -HUP $(cat /var/run/rsyslogd.pid)
105
106       HUP    This lets rsyslogd perform close all open files.
107
108       TERM ,  INT ,  QUIT
109              Rsyslogd will die.
110
111       USR1   Switch  debugging on/off.  This option can only be used if rsys‐
112              logd is started with the -d debug option.
113
114       CHLD   Wait for childs if some were born, because of wall'ing messages.
115

SECURITY THREATS

117       There is the potential for the rsyslogd daemon to be used as a  conduit
118       for a denial of service attack.  A rogue program(mer) could very easily
119       flood the rsyslogd daemon with syslog messages  resulting  in  the  log
120       files  consuming all the remaining space on the filesystem.  Activating
121       logging over the inet domain sockets will of course expose a system  to
122       risks outside of programs or individuals on the local machine.
123
124       There are a number of methods of protecting a machine:
125
126       1.     Implement  kernel  firewalling  to limit which hosts or networks
127              have access to the 514/UDP socket.
128
129       2.     Logging can be directed to an isolated  or  non-root  filesystem
130              which, if filled, will not impair the machine.
131
132       3.     The ext2 filesystem can be used which can be configured to limit
133              a certain percentage of a filesystem  to  usage  by  root  only.
134              NOTE  that  this  will  require rsyslogd to be run as a non-root
135              process.  ALSO NOTE that this will prevent usage of remote  log‐
136              ging  on  the default port since rsyslogd will be unable to bind
137              to the 514/UDP socket.
138
139       4.     Disabling inet domain sockets  will  limit  risk  to  the  local
140              machine.
141
142   Message replay and spoofing
143       If  remote  logging  is  enabled,  messages  can  easily be spoofed and
144       replayed.  As the messages are transmitted in clear-text,  an  attacker
145       might  use  the  information  obtained  from  the packets for malicious
146       things. Also, an attacker might replay recorded  messages  or  spoof  a
147       sender's  IP  address, which could lead to a wrong perception of system
148       activity. These can be prevented by using  GSS-API  authentication  and
149       encryption.  Be  sure  to  think  about  syslog network security before
150       enabling it.
151

DEBUGGING

153       When debugging is turned on using  the  -d  option,  rsyslogd  produces
154       debugging  information according to the RSYSLOG_DEBUG environment vari‐
155       able and the signals received. When run in foreground, the  information
156       is  written to stdout. An additional output file can be specified using
157       the RSYSLOG_DEBUGLOG environment variable.
158

FILES

160       /etc/rsyslog.conf
161              Configuration file for rsyslogd.  See rsyslog.conf(5) for  exact
162              information.
163       /dev/log
164              The  Unix  domain socket to from where local syslog messages are
165              read.
166       /var/run/rsyslogd.pid
167              The file containing the process id of rsyslogd.
168       prefix/lib/rsyslog
169              Default directory for rsyslogd modules. The prefix is  specified
170              during compilation (e.g. /usr/local).

ENVIRONMENT

172       RSYSLOG_DEBUG
173              Controls  runtime  debug  support.  It contains an option string
174              with the following options possible (all are case insensitive):
175
176              Debug  Turns on debugging and prevents  forking.  This  is  pro‐
177                     cessed  earlier  in the startup than command line options
178                     (i.e. -d) and as such enables earlier  debugging  output.
179                     Mutually exclusive with DebugOnDemand.
180              DebugOnDemand
181                     Enables  debugging but turns off debug output. The output
182                     can be toggled by  sending  SIGUSR1.  Mutually  exclusive
183                     with Debug.
184              LogFuncFlow
185                     Print  out  the  logical  flow of functions (entering and
186                     exiting them)
187              FileTrace
188                     Specifies which files to trace LogFuncFlow.  If  not  set
189                     (the  default),  a  LogFuncFlow trace is provided for all
190                     files. Set to limit it to the  files  specified.FileTrace
191                     may  be  specified  multiple  times,  one file each (e.g.
192                     export  RSYSLOG_DEBUG="LogFuncFlow  FileTrace=vm.c  File‐
193                     Trace=expr.c"
194              PrintFuncDB
195                     Print the content of the debug function database whenever
196                     debug information is printed (e.g. abort case)!
197              PrintAllDebugInfoOnExit
198                     Print all debug information immediately  before  rsyslogd
199                     exits (currently not implemented!)
200              PrintMutexAction
201                     Print  mutex  action  as  it  happens. Useful for finding
202                     deadlocks and such.
203              NoLogTimeStamp
204                     Do not prefix log lines with a timestamp (default  is  to
205                     do that).
206              NoStdOut
207                     Do not emit debug messages to stdout. If RSYSLOG_DEBUGLOG
208                     is not set, this means no messages will be  displayed  at
209                     all.
210              Help   Display  a very short list of commands - hopefully a life
211                     saver if you can't access the documentation...
212
213       RSYSLOG_DEBUGLOG
214              If set, writes (almost) all debug message to the  specified  log
215              file in addition to stdout.
216       RSYSLOG_MODDIR
217              Provides the default directory in which loadable modules reside.
218

BUGS

220       Please  review  the  file BUGS for up-to-date information on known bugs
221       and annoyances.
222

Further Information

224       Please visit https://www.rsyslog.com/doc/ for  additional  information,
225       tutorials and a support forum.
226

SEE ALSO

228       rsyslog.conf(5),    logger(1),   syslog(2),   syslog(3),   services(5),
229       savelog(8)
230

COLLABORATORS

232       rsyslogd is derived from sysklogd sources, which in turn was taken from
233       the  BSD  sources.  Special  thanks to Greg Wettstein (greg@wind.enjel‐
234       lic.com) and Martin Schulze (joey@linux.de) for the fine sysklogd pack‐
235       age.
236
237       Rainer Gerhards
238       Adiscon GmbH
239       Grossrinderfeld, Germany
240       rgerhards@adiscon.com
241
242
243
244Version 8.6.0                     02 Dec 2014                      RSYSLOGD(8)
Impressum