1RSYSLOGD(8)               Linux System Administration              RSYSLOGD(8)


6       rsyslogd - reliable and extended syslogd


9       rsyslogd  [  -d ] [ -D ] [ -f config file ] [ -i pid file ] [ -n ] [ -N
10       level ] [ -o fullconf ] [ -C ] [ -v ]


13       Rsyslogd is a system utility providing  support  for  message  logging.
14       Support  of  both internet and unix domain sockets enables this utility
15       to support both local and remote logging.
17       Note that this version of rsyslog ships with extensive documentation in
18       HTML  format.   This is provided in the ./doc subdirectory and probably
19       in a separate package if you installed rsyslog via a packaging  system.
20       To  use rsyslog's advanced features, you need to look at the HTML docu‐
21       mentation, because the man pages only covers basic  aspects  of  opera‐
22       tion.  For details and configuration examples, see the rsyslog.conf (5)
23       man page and the online documentation at https://www.rsyslog.com/doc/
25       Rsyslogd(8) is derived from the sysklogd package which in turn  is  de‐
26       rived from the stock BSD sources.
28       Rsyslogd provides a kind of logging that many modern programs use.  Ev‐
29       ery logged message contains at least a time and a hostname field,  nor‐
30       mally  a  program  name  field, too, but that depends on how trusty the
31       logging program is. The rsyslog package  supports  free  definition  of
32       output  formats  via templates. It also supports precise timestamps and
33       writing directly to databases. If the database option  is  used,  tools
34       like phpLogCon can be used to view the log data.
36       While the rsyslogd sources have been heavily modified a couple of notes
37       are in order.  First of all there has been a systematic attempt to  en‐
38       sure  that  rsyslogd  follows  its  default,  standard BSD behavior. Of
39       course, some configuration file changes are necessary in order to  sup‐
40       port  the  template  system.  However, rsyslogd should be able to use a
41       standard syslog.conf and act like the  original  syslogd.  However,  an
42       original  syslogd  will not work correctly with a rsyslog-enhanced con‐
43       figuration file. At best, it will generate funny  looking  file  names.
44       The  second  important concept to note is that this version of rsyslogd
45       interacts transparently with the version of syslog found in  the  stan‐
46       dard  libraries.   If  a binary linked to the standard shared libraries
47       fails to function correctly we would like an example of  the  anomalous
48       behavior.
50       The  main  configuration file /etc/rsyslog.conf or an alternative file,
51       given with the -f option, is read at startup.   Any  lines  that  begin
52       with  the  hash  mark (``#'') and empty lines are ignored.  If an error
53       occurs during parsing the error element is  ignored.  It  is  tried  to
54       parse the rest of the line.


58       -D     Runs  the  Bison config parser in debug mode. This may help when
59              hard to find syntax errors are reported. Please  note  that  the
60              output  generated is deeply technical and orignally targeted to‐
61              wards developers.
63       -d     Turns on debug mode. See the DEBUGGING section for more informa‐
64              tion.
66       -f config file
67              Specify  an alternative configuration file instead of /etc/rsys‐
68              log.conf, which is the default.
70       -i pid file
71              Specify an alternative pid file  instead  of  the  default  one.
72              This  option  must  be  used  if  multiple instances of rsyslogd
73              should run on a single machine. To disable writing a  pid  file,
74              use the reserved name "NONE" (all upper case!), so "-iNONE".
76       -n     Avoid  auto-backgrounding.   This  is  needed  especially if the
77              rsyslogd is started and controlled by init(8).
79       -N  level
80              Do a config check. Do NOT run in regular mode, just  check  con‐
81              figuration  file  correctness.  This option is meant to verify a
82              config file. To do so, run rsyslogd interactively in foreground,
83              specifying  -f  <config-file>  and -N level.  The level argument
84              modifies behaviour. Currently, 0 is the same as  not  specifying
85              the  -N  option at all (so this makes limited sense) and 1 actu‐
86              ally activates the code. Later, higher  levels  will  mean  more
87              verbosity (this is a forward-compatibility option).
89       -o  fullconf
90              Generates  a consolidated config file fullconf that contains all
91              of rsyslog's configuration in a single file. Include  files  are
92              exploded  into  that  file in exactly the way rsyslog sees them.
93              This option is useful for troubleshooting, especially  if  prob‐
94              lems  with  the  order of action processing is suspected. It may
95              also be used to check for "unexepectedly" included  config  con‐
96              tent.
98       -C     This prevents rsyslogd from changing to the root directory. This
99              is almost never a good idea in production use. This  option  was
100              introduced in support of the internal testbed.
102       -v     Print version and exit.


105       Rsyslogd  reacts  to a set of signals.  You may easily send a signal to
106       rsyslogd using the following:
108              kill -SIGNAL $(cat /var/run/rsyslogd.pid)
110       Note that -SIGNAL must be replaced with the actual signal you are  try‐
111       ing to send, e.g. with HUP. So it then becomes:
113              kill -HUP $(cat /var/run/rsyslogd.pid)
115       HUP    This lets rsyslogd perform close all open files.
117       TERM ,  INT ,  QUIT
118              Rsyslogd will die.
120       USR1   Switch  debugging on/off.  This option can only be used if rsys‐
121              logd is started with the -d debug option.
123       CHLD   Wait for children if some were born, because  of  wall'ing  mes‐
124              sages.


127       There  is the potential for the rsyslogd daemon to be used as a conduit
128       for a denial of service attack.  A rogue program(mer) could very easily
129       flood  the  rsyslogd  daemon  with syslog messages resulting in the log
130       files consuming all the remaining space on the filesystem.   Activating
131       logging  over the inet domain sockets will of course expose a system to
132       risks outside of programs or individuals on the local machine.
134       There are a number of methods of protecting a machine:
136       1.     Implement kernel firewalling to limit which  hosts  or  networks
137              have access to the 514/UDP socket.
139       2.     Logging  can  be  directed to an isolated or non-root filesystem
140              which, if filled, will not impair the machine.
142       3.     The ext2 filesystem can be used which can be configured to limit
143              a  certain  percentage  of  a  filesystem to usage by root only.
144              NOTE that this will require rsyslogd to be  run  as  a  non-root
145              process.   ALSO NOTE that this will prevent usage of remote log‐
146              ging on the default port since rsyslogd will be unable  to  bind
147              to the 514/UDP socket.
149       4.     Disabling  inet  domain sockets will limit risk to the local ma‐
150              chine.
152   Message replay and spoofing
153       If remote logging is enabled, messages can easily be  spoofed  and  re‐
154       played.   As  the  messages  are transmitted in clear-text, an attacker
155       might use the information  obtained  from  the  packets  for  malicious
156       things.  Also,  an  attacker  might replay recorded messages or spoof a
157       sender's IP address, which could lead to a wrong perception  of  system
158       activity.  These  can  be prevented by using GSS-API authentication and
159       encryption. Be sure to think about syslog network security  before  en‐
160       abling it.


163       When  debugging is turned on using the -d option, rsyslogd produces de‐
164       bugging information according to the RSYSLOG_DEBUG environment variable
165       and  the  signals  received. When run in foreground, the information is
166       written to stdout. An additional output file can be specified using the
167       RSYSLOG_DEBUGLOG environment variable.


170       /etc/rsyslog.conf
171              Configuration  file for rsyslogd.  See rsyslog.conf(5) for exact
172              information.
173       /dev/log
174              The Unix domain socket to from where local syslog  messages  are
175              read.
176       /var/run/rsyslogd.pid
177              The file containing the process id of rsyslogd.
178       prefix/lib/rsyslog
179              Default  directory for rsyslogd modules. The prefix is specified
180              during compilation (e.g. /usr/local).


183              Controls runtime debug support. It  contains  an  option  string
184              with the following options possible (all are case insensitive):
186              Debug  Turns  on  debugging  and  prevents forking. This is pro‐
187                     cessed earlier in the startup than command  line  options
188                     (i.e.  -d)  and as such enables earlier debugging output.
189                     Mutually exclusive with DebugOnDemand.
190              DebugOnDemand
191                     Enables debugging but turns off debug output. The  output
192                     can  be  toggled  by  sending SIGUSR1. Mutually exclusive
193                     with Debug.
194              LogFuncFlow
195                     Print out the logical flow of functions (entering and ex‐
196                     iting them)
197              FileTrace
198                     Specifies  which  files  to trace LogFuncFlow. If not set
199                     (the default), a LogFuncFlow trace is  provided  for  all
200                     files.  Set  to limit it to the files specified.FileTrace
201                     may be specified multiple times, one file each (e.g.  ex‐
202                     port   RSYSLOG_DEBUG="LogFuncFlow   FileTrace=vm.c  File‐
203                     Trace=expr.c"
204              PrintFuncDB
205                     Print the content of the debug function database whenever
206                     debug information is printed (e.g. abort case)!
207              PrintAllDebugInfoOnExit
208                     Print  all  debug information immediately before rsyslogd
209                     exits (currently not implemented!)
210              PrintMutexAction
211                     Print mutex action as  it  happens.  Useful  for  finding
212                     deadlocks and such.
213              NoLogTimeStamp
214                     Do  not  prefix log lines with a timestamp (default is to
215                     do that).
216              NoStdOut
217                     Do not emit debug messages to stdout. If RSYSLOG_DEBUGLOG
218                     is  not  set, this means no messages will be displayed at
219                     all.
220              Help   Display a very short list of commands - hopefully a  life
221                     saver if you can't access the documentation...
224              If  set,  writes (almost) all debug message to the specified log
225              file in addition to stdout.
227              Provides the default directory in which loadable modules reside.


230       Please review the file BUGS for up-to-date information  on  known  bugs
231       and annoyances.

Further Information

234       Please  visit  https://www.rsyslog.com/doc/ for additional information,
235       tutorials and a support forum.


238       rsyslog.conf(5),   logger(1),   syslog(2),   syslog(3),    services(5),
239       savelog(8)


242       rsyslogd is derived from sysklogd sources, which in turn was taken from
243       the BSD sources. Special thanks  to  Greg  Wettstein  (greg@wind.enjel‐
244       lic.com) and Martin Schulze (joey@linux.de) for the fine sysklogd pack‐
245       age.
247       Rainer Gerhards
248       Adiscon GmbH
249       Grossrinderfeld, Germany
250       rgerhards@adiscon.com
254Version 8.1905.0                  28 May 2014                      RSYSLOGD(8)