{ "mode": "man", "parameter": "Rsyslogd", "section": "8", "url": "https://www.chedong.com/phpMan.php/man/Rsyslogd/8/json", "generated": "2026-06-15T12:42:29Z", "synopsis": "rsyslogd [ -d ] [ -D ] [ -f config file ] [ -i pid file ] [ -n ] [ -N level ] [ -o fullconf ]\n[ -C ] [ -v ]", "sections": { "NAME": { "content": "rsyslogd - reliable and extended syslogd\n", "subsections": [] }, "SYNOPSIS": { "content": "rsyslogd [ -d ] [ -D ] [ -f config file ] [ -i pid file ] [ -n ] [ -N level ] [ -o fullconf ]\n[ -C ] [ -v ]\n", "subsections": [] }, "DESCRIPTION": { "content": "Rsyslogd is a system utility providing support for message logging. Support of both internet\nand unix domain sockets enables this utility to support both local and remote logging.\n\nNote that this version of rsyslog ships with extensive documentation in HTML format. This is\nprovided in the ./doc subdirectory and probably in a separate package if you installed rsys‐\nlog via a packaging system. To use rsyslog's advanced features, you need to look at the HTML\ndocumentation, because the man pages only covers basic aspects of operation. For details and", "subsections": [ { "name": "configuration examples, see the rsyslog.conf (5) man page and the online documentation at", "content": "" }, { "name": "https://www.rsyslog.com/doc/", "content": "Rsyslogd(8) is derived from the sysklogd package which in turn is derived from the stock BSD\nsources.\n\nRsyslogd provides a kind of logging that many modern programs use. Every logged message con‐\ntains at least a time and a hostname field, normally a program name field, too, but that de‐\npends on how trusty the logging program is. The rsyslog package supports free definition of\noutput formats via templates. It also supports precise timestamps and writing directly to\ndatabases. If the database option is used, tools like phpLogCon can be used to view the log\ndata.\n\nWhile the rsyslogd sources have been heavily modified a couple of notes are in order. First\nof all there has been a systematic attempt to ensure that rsyslogd follows its default, stan‐\ndard BSD behavior. Of course, some configuration file changes are necessary in order to sup‐\nport the template system. However, rsyslogd should be able to use a standard syslog.conf and\nact like the original syslogd. However, an original syslogd will not work correctly with a\nrsyslog-enhanced configuration file. At best, it will generate funny looking file names. The\nsecond important concept to note is that this version of rsyslogd interacts transparently\nwith the version of syslog found in the standard libraries. If a binary linked to the stan‐\ndard shared libraries fails to function correctly we would like an example of the anomalous\nbehavior.\n\nThe main configuration file /etc/rsyslog.conf or an alternative file, given with the -f op‐\ntion, is read at startup. Any lines that begin with the hash mark (``#'') and empty lines\nare ignored. If an error occurs during parsing the error element is ignored. It is tried to\nparse the rest of the line.\n\n" } ] }, "OPTIONS": { "content": "", "subsections": [ { "name": "-D", "content": "rors are reported. Please note that the output generated is deeply technical and orig‐\nnally targeted towards developers.\n", "flag": "-D" }, { "name": "-d", "content": "", "flag": "-d" }, { "name": "-f", "content": "Specify an alternative configuration file instead of /etc/rsyslog.conf, which is the\ndefault.\n", "flag": "-f" }, { "name": "-i", "content": "Specify an alternative pid file instead of the default one. This option must be used\nif multiple instances of rsyslogd should run on a single machine. To disable writing a\npid file, use the reserved name \"NONE\" (all upper case!), so \"-iNONE\".\n", "flag": "-i" }, { "name": "-n", "content": "controlled by init(8).\n", "flag": "-n" }, { "name": "-N level", "content": "Do a config check. Do NOT run in regular mode, just check configuration file correct‐\nness. This option is meant to verify a config file. To do so, run rsyslogd interac‐\ntively in foreground, specifying -f and -N level. The level argument\nmodifies behaviour. Currently, 0 is the same as not specifying the -N option at all\n(so this makes limited sense) and 1 actually activates the code. Later, higher levels\nwill mean more verbosity (this is a forward-compatibility option).\n", "flag": "-N" }, { "name": "-o fullconf", "content": "Generates a consolidated config file fullconf that contains all of rsyslog's configu‐\nration in a single file. Include files are exploded into that file in exactly the way\nrsyslog sees them. This option is useful for troubleshooting, especially if problems\nwith the order of action processing is suspected. It may also be used to check for\n\"unexepectedly\" included config content.\n", "flag": "-o" }, { "name": "-C", "content": "good idea in production use. This option was introduced in support of the internal\ntestbed.\n", "flag": "-C" }, { "name": "-v", "content": "", "flag": "-v" } ] }, "SIGNALS": { "content": "Rsyslogd reacts to a set of signals. You may easily send a signal to rsyslogd using the fol‐\nlowing:\n\nkill -SIGNAL $(cat /var/run/rsyslogd.pid)\n\nNote that -SIGNAL must be replaced with the actual signal you are trying to send, e.g. with\nHUP. So it then becomes:\n\nkill -HUP $(cat /var/run/rsyslogd.pid)\n\nHUP This lets rsyslogd perform close all open files.\n", "subsections": [ { "name": "TERM , INT , QUIT", "content": "Rsyslogd will die.\n\nUSR1 Switch debugging on/off. This option can only be used if rsyslogd is started with the\n-d debug option.\n\nCHLD Wait for childs if some were born, because of wall'ing messages.\n" } ] }, "SECURITY THREATS": { "content": "There is the potential for the rsyslogd daemon to be used as a conduit for a denial of ser‐\nvice attack. A rogue program(mer) could very easily flood the rsyslogd daemon with syslog\nmessages resulting in the log files consuming all the remaining space on the filesystem. Ac‐\ntivating logging over the inet domain sockets will of course expose a system to risks outside\nof programs or individuals on the local machine.\n\nThere are a number of methods of protecting a machine:\n\n1. Implement kernel firewalling to limit which hosts or networks have access to the\n514/UDP socket.\n\n2. Logging can be directed to an isolated or non-root filesystem which, if filled, will\nnot impair the machine.\n\n3. The ext2 filesystem can be used which can be configured to limit a certain percentage\nof a filesystem to usage by root only. NOTE that this will require rsyslogd to be run\nas a non-root process. ALSO NOTE that this will prevent usage of remote logging on\nthe default port since rsyslogd will be unable to bind to the 514/UDP socket.\n\n4. Disabling inet domain sockets will limit risk to the local machine.\n", "subsections": [ { "name": "Message replay and spoofing", "content": "If remote logging is enabled, messages can easily be spoofed and replayed. As the messages\nare transmitted in clear-text, an attacker might use the information obtained from the pack‐\nets for malicious things. Also, an attacker might replay recorded messages or spoof a\nsender's IP address, which could lead to a wrong perception of system activity. These can be\nprevented by using GSS-API authentication and encryption. Be sure to think about syslog net‐\nwork security before enabling it.\n" } ] }, "DEBUGGING": { "content": "When debugging is turned on using the -d option, rsyslogd produces debugging information ac‐\ncording to the RSYSLOGDEBUG environment variable and the signals received. When run in fore‐\nground, the information is written to stdout. An additional output file can be specified us‐\ning the RSYSLOGDEBUGLOG environment variable.\n", "subsections": [] }, "FILES": { "content": "/etc/rsyslog.conf\nConfiguration file for rsyslogd. See rsyslog.conf(5) for exact information.\n/dev/log\nThe Unix domain socket to from where local syslog messages are read.\n/var/run/rsyslogd.pid\nThe file containing the process id of rsyslogd.\nprefix/lib/rsyslog\nDefault directory for rsyslogd modules. The prefix is specified during compilation\n(e.g. /usr/local).", "subsections": [] }, "ENVIRONMENT": { "content": "RSYSLOGDEBUG\nControls runtime debug support. It contains an option string with the following op‐\ntions possible (all are case insensitive):\n\nDebug Turns on debugging and prevents forking. This is processed earlier in the\nstartup than command line options (i.e. -d) and as such enables earlier debug‐\nging output. Mutually exclusive with DebugOnDemand.\nDebugOnDemand\nEnables debugging but turns off debug output. The output can be toggled by\nsending SIGUSR1. Mutually exclusive with Debug.\nLogFuncFlow\nPrint out the logical flow of functions (entering and exiting them)\nFileTrace\nSpecifies which files to trace LogFuncFlow. If not set (the default), a Log‐\nFuncFlow trace is provided for all files. Set to limit it to the files speci‐\nfied.FileTrace may be specified multiple times, one file each (e.g. export\nRSYSLOGDEBUG=\"LogFuncFlow FileTrace=vm.c FileTrace=expr.c\"\nPrintFuncDB\nPrint the content of the debug function database whenever debug information is\nprinted (e.g. abort case)!\nPrintAllDebugInfoOnExit\nPrint all debug information immediately before rsyslogd exits (currently not\nimplemented!)\nPrintMutexAction\nPrint mutex action as it happens. Useful for finding deadlocks and such.\nNoLogTimeStamp\nDo not prefix log lines with a timestamp (default is to do that).\nNoStdOut\nDo not emit debug messages to stdout. If RSYSLOGDEBUGLOG is not set, this\nmeans no messages will be displayed at all.\nHelp Display a very short list of commands - hopefully a life saver if you can't ac‐\ncess the documentation...\n\nRSYSLOGDEBUGLOG\nIf set, writes (almost) all debug message to the specified log file in addition to\nstdout.\nRSYSLOGMODDIR\nProvides the default directory in which loadable modules reside.\n", "subsections": [] }, "BUGS": { "content": "Please review the file BUGS for up-to-date information on known bugs and annoyances.\n", "subsections": [ { "name": "Further Information", "content": "Please visit https://www.rsyslog.com/doc/ for additional information, tutorials and a support\nforum.\n" } ] }, "SEE ALSO": { "content": "rsyslog.conf(5), logger(1), syslog(2), syslog(3), services(5), savelog(8)\n", "subsections": [] }, "COLLABORATORS": { "content": "rsyslogd is derived from sysklogd sources, which in turn was taken from the BSD sources. Spe‐\ncial thanks to Greg Wettstein (greg@wind.enjellic.com) and Martin Schulze (joey@linux.de) for\nthe fine sysklogd package.\n\nRainer Gerhards\nAdiscon GmbH\nGrossrinderfeld, Germany\nrgerhards@adiscon.com\n\n\n\nVersion 8.1905.0 28 May 2014 RSYSLOGD(8)", "subsections": [] } }, "summary": "rsyslogd - reliable and extended syslogd", "flags": [ { "flag": "-D", "long": null, "arg": null, "description": "rors are reported. Please note that the output generated is deeply technical and orig‐ nally targeted towards developers." }, { "flag": "-d", "long": null, "arg": null, "description": "" }, { "flag": "-f", "long": null, "arg": null, "description": "Specify an alternative configuration file instead of /etc/rsyslog.conf, which is the default." }, { "flag": "-i", "long": null, "arg": null, "description": "Specify an alternative pid file instead of the default one. This option must be used if multiple instances of rsyslogd should run on a single machine. To disable writing a pid file, use the reserved name \"NONE\" (all upper case!), so \"-iNONE\"." }, { "flag": "-n", "long": null, "arg": null, "description": "controlled by init(8)." }, { "flag": "-N", "long": null, "arg": null, "description": "Do a config check. Do NOT run in regular mode, just check configuration file correct‐ ness. This option is meant to verify a config file. To do so, run rsyslogd interac‐ tively in foreground, specifying -f and -N level. The level argument modifies behaviour. Currently, 0 is the same as not specifying the -N option at all (so this makes limited sense) and 1 actually activates the code. Later, higher levels will mean more verbosity (this is a forward-compatibility option)." }, { "flag": "-o", "long": null, "arg": null, "description": "Generates a consolidated config file fullconf that contains all of rsyslog's configu‐ ration in a single file. Include files are exploded into that file in exactly the way rsyslog sees them. This option is useful for troubleshooting, especially if problems with the order of action processing is suspected. It may also be used to check for \"unexepectedly\" included config content." }, { "flag": "-C", "long": null, "arg": null, "description": "good idea in production use. This option was introduced in support of the internal testbed." }, { "flag": "-v", "long": null, "arg": null, "description": "" } ], "examples": [], "see_also": [ { "name": "rsyslog.conf", "section": "5", "url": "https://www.chedong.com/phpMan.php/man/rsyslog.conf/5/json" }, { "name": "logger", "section": "1", "url": "https://www.chedong.com/phpMan.php/man/logger/1/json" }, { "name": "syslog", "section": "2", "url": "https://www.chedong.com/phpMan.php/man/syslog/2/json" }, { "name": "syslog", "section": "3", "url": "https://www.chedong.com/phpMan.php/man/syslog/3/json" }, { "name": "services", "section": "5", "url": "https://www.chedong.com/phpMan.php/man/services/5/json" }, { "name": "savelog", "section": "8", "url": "https://www.chedong.com/phpMan.php/man/savelog/8/json" } ] }