{ "content": [ { "type": "text", "text": "# rsyslog.conf (man)\n\n## NAME\n\nrsyslog.conf - rsyslogd(8) configuration file\n\n## DESCRIPTION\n\nThe rsyslog.conf file is the main configuration file for the rsyslogd(8) which logs system\nmessages on *nix systems. This file specifies rules for logging. For special features see\nthe rsyslogd(8) manpage. Rsyslog.conf is backward-compatible with sysklogd's syslog.conf\nfile. So if you migrate from sysklogd you can rename it and it should work.\n\n## Sections\n\n- **NAME**\n- **DESCRIPTION**\n- **MODULES**\n- **BASIC STRUCTURE**\n- **SELECTORS**\n- **ACTIONS** (17 subsections)\n- **FILTER CONDITIONS** (3 subsections)\n- **TEMPLATES** (5 subsections)\n- **OUTPUT CHANNELS**\n- **PROPERTY REPLACER** (14 subsections)\n- **QUEUED OPERATIONS**\n- **FILES**\n- **SEE ALSO**\n- **AUTHORS**\n\nUse structuredContent.sections for detailed options, examples, and full documentation.\n" } ], "structuredContent": { "command": "rsyslog.conf", "section": "", "mode": "man", "summary": "rsyslog.conf - rsyslogd(8) configuration file", "synopsis": null, "tldr_summary": null, "tldr_examples": [], "tldr_source": null, "flags": [], "examples": [], "see_also": [ { "name": "rsyslogd", "section": "8", "url": "https://www.chedong.com/phpMan.php/man/rsyslogd/8/json" }, { "name": "logger", "section": "1", "url": "https://www.chedong.com/phpMan.php/man/logger/1/json" }, { "name": "syslog", "section": "3", "url": "https://www.chedong.com/phpMan.php/man/syslog/3/json" } ], "section_outline": [ { "name": "NAME", "lines": 2, "subsections": [] }, { "name": "DESCRIPTION", "lines": 12, "subsections": [] }, { "name": "MODULES", "lines": 74, "subsections": [] }, { "name": "BASIC STRUCTURE", "lines": 30, "subsections": [] }, { "name": "SELECTORS", "lines": 43, "subsections": [] }, { "name": "ACTIONS", "lines": 5, "subsections": [ { "name": "Regular file", "lines": 3 }, { "name": "Example:", "lines": 7 }, { "name": "Example:", "lines": 9 }, { "name": "Named pipes", "lines": 6 }, { "name": "Terminal and console", "lines": 3 }, { "name": "Remote machine", "lines": 9 }, { "name": "Example:", "lines": 10 }, { "name": "Example:", "lines": 7 }, { "name": "If you would like to prevent message loss, use RELP:", "lines": 11 }, { "name": "List of users", "lines": 6 }, { "name": "Everyone logged on", "lines": 4 }, { "name": "Database table", "lines": 8 }, { "name": "Discard", "lines": 8 }, { "name": "Example:", "lines": 4 }, { "name": "Output channel", "lines": 6 }, { "name": "Shell execute", "lines": 4 }, { "name": "Example:", "lines": 6 } ] }, { "name": "FILTER CONDITIONS", "lines": 6, "subsections": [ { "name": "Selectors", "lines": 7 }, { "name": "Property-Based Filters", "lines": 28 }, { "name": "Expression-Based Filters", "lines": 4 } ] }, { "name": "TEMPLATES", "lines": 26, "subsections": [ { "name": "Please note that templates can also by used to generate selector lines with dynamic file", "lines": 9 }, { "name": "Template options", "lines": 25 }, { "name": "jection.", "lines": 11 }, { "name": "Template examples", "lines": 25 }, { "name": "A template that can be used for writing to a database (please note the SQL template option)", "lines": 9 } ] }, { "name": "OUTPUT CHANNELS", "lines": 22, "subsections": [] }, { "name": "PROPERTY REPLACER", "lines": 6, "subsections": [ { "name": "Accessing Properties", "lines": 9 }, { "name": "Available Properties", "lines": 12 }, { "name": "syslogtag", "lines": 2 }, { "name": "programname", "lines": 5 }, { "name": "PRI-text", "lines": 5 }, { "name": "syslogfacility", "lines": 2 }, { "name": "syslogfacility-text", "lines": 2 }, { "name": "syslogseverity", "lines": 2 }, { "name": "syslogseverity-text", "lines": 2 }, { "name": "timegenerated", "lines": 2 }, { "name": "timereported", "lines": 29 }, { "name": "$MINUTE", "lines": 7 }, { "name": "Character Positions", "lines": 35 }, { "name": "Property Options", "lines": 33 } ] }, { "name": "QUEUED OPERATIONS", "lines": 9, "subsections": [] }, { "name": "FILES", "lines": 3, "subsections": [] }, { "name": "SEE ALSO", "lines": 11, "subsections": [] }, { "name": "AUTHORS", "lines": 6, "subsections": [] } ], "sections": { "NAME": { "content": "rsyslog.conf - rsyslogd(8) configuration file\n", "subsections": [] }, "DESCRIPTION": { "content": "The rsyslog.conf file is the main configuration file for the rsyslogd(8) which logs system\nmessages on *nix systems. This file specifies rules for logging. For special features see\nthe rsyslogd(8) manpage. Rsyslog.conf is backward-compatible with sysklogd's syslog.conf\nfile. So if you migrate from sysklogd you can rename it and it should work.\n\nNote that this version of rsyslog ships with extensive documentation in HTML format. This is\nprovided in the ./doc subdirectory and probably in a separate package if you installed rsys‐\nlog via a packaging system. To use rsyslog's advanced features, you need to look at the HTML\ndocumentation, because the man pages only cover basic aspects of operation.\n\n\n", "subsections": [] }, "MODULES": { "content": "Rsyslog has a modular design. Consequently, there is a growing number of modules. See the\nHTML documentation for their full description.\n\n\nomsnmp SNMP trap output module\n\nomgssapi\nOutput module for GSS-enabled syslog\n\nommysql\nOutput module for MySQL\n\nomrelp Output module for the reliable RELP protocol (prevents message loss). For details,\nsee below at imrelp and the HTML documentation. It can be used like this:\n\n*.* :omrelp:server:port\n\n*.* :omrelp:192.168.0.1:2514 # actual sample\n\nompgsql\nOutput module for PostgreSQL\n\nomlibdbi\nGeneric database output module (Firebird/Interbase, MS SQL, Sybase, SQLite, Ingres,\nOracle, mSQL)\n\nimfile Input module for text files\n\nimudp Input plugin for UDP syslog. Replaces the deprecated -r option. Can be used like this:\n\n$ModLoad imudp\n\n$UDPServerRun 514\n\nimtcp Input plugin for plain TCP syslog. Replaces the deprecated -t option. Can be used like\nthis:\n\n$ModLoad imtcp\n\n$InputTCPServerRun 514\n\n\nimrelp Input plugin for the RELP protocol. RELP can be used instead of UDP or plain TCP sys‐\nlog to provide reliable delivery of syslog messages. Please note that plain TCP syslog\ndoes NOT provide truly reliable delivery, with it messages may be lost when there is a\nconnection problem or the server shuts down. RELP prevents message loss in those\ncases. It can be used like this:\n\n$ModLoad imrelp\n\n$InputRELPServerRun 2514\n\nimgssapi\nInput plugin for plain TCP and GSS-enable syslog\n\nimmark Support for mark messages\n\nimklog Kernel logging. To include kernel log messages, you need to do\n\n$ModLoad imklog\n\nPlease note that the klogd daemon is no longer necessary and consequently no longer\nprovided by the rsyslog package.\n\nimuxsock\nUnix sockets, including the system log socket. You need to specify\n\n$ModLoad imuxsock\n\nin order to receive log messages from local system processes. This config directive\nshould only left out if you know exactly what you are doing.\n\n\n", "subsections": [] }, "BASIC STRUCTURE": { "content": "Lines starting with a hash mark ('#') and empty lines are ignored. Rsyslog.conf should con‐\ntain following sections (sorted by recommended order in file):\n\n\nGlobal directives\nGlobal directives set some global properties of whole rsyslog daemon, for example size\nof main message queue ($MainMessageQueueSize), loading external modules ($ModLoad) and\nso on. All global directives need to be specified on a line by their own and must\nstart with a dollar-sign. The complete list of global directives can be found in HTML\ndocumentation in doc directory or online on web pages.\n\n\nTemplates\nTemplates allow you to specify format of the logged message. They are also used for\ndynamic file name generation. They have to be defined before they are used in rules.\nFor more info about templates see TEMPLATES section of this manpage.\n\n\nOutput channels\nOutput channels provide an umbrella for any type of output that the user might want.\nThey have to be defined before they are used in rules. For more info about output\nchannels see OUTPUT CHANNELS section of this manpage.\n\n\nRules (selector + action)\nEvery rule line consists of two fields, a selector field and an action field. These\ntwo fields are separated by one or more spaces or tabs. The selector field specifies a\npattern of facilities and priorities belonging to the specified action.\n\n", "subsections": [] }, "SELECTORS": { "content": "The selector field itself again consists of two parts, a facility and a priority, separated\nby a period ('.'). Both parts are case insensitive and can also be specified as decimal num‐\nbers, but don't do that, you have been warned. Both facilities and priorities are described\nin syslog(3). The names mentioned below correspond to the similar LOG-values in /usr/in‐\nclude/syslog.h.\n\nThe facility is one of the following keywords: auth, authpriv, cron, daemon, kern, lpr, mail,\nmark, news, security (same as auth), syslog, user, uucp and local0 through local7. The key‐\nword security should not be used anymore and mark is only for internal use and therefore\nshould not be used in applications. Anyway, you may want to specify and redirect these mes‐\nsages here. The facility specifies the subsystem that produced the message, i.e. all mail\nprograms log with the mail facility (LOGMAIL) if they log using syslog.\n\nThe priority is one of the following keywords, in ascending order: debug, info, notice, warn‐\ning, warn (same as warning), err, error (same as err), crit, alert, emerg, panic (same as\nemerg). The keywords error, warn and panic are deprecated and should not be used anymore. The\npriority defines the severity of the message.\n\nThe behavior of the original BSD syslogd is that all messages of the specified priority and\nhigher are logged according to the given action. Rsyslogd behaves the same, but has some ex‐\ntensions.\n\nIn addition to the above mentioned names the rsyslogd(8) understands the following exten‐\nsions: An asterisk ('*') stands for all facilities or all priorities, depending on where it\nis used (before or after the period). The keyword none stands for no priority of the given\nfacility.\n\nYou can specify multiple facilities with the same priority pattern in one statement using the\ncomma (',') operator. You may specify as much facilities as you want. Remember that only the\nfacility part from such a statement is taken, a priority part would be skipped.\n\nMultiple selectors may be specified for a single action using the semicolon (';') separator.\nRemember that each selector in the selector field is capable to overwrite the preceding ones.\nUsing this behavior you can exclude some priorities from the pattern.\n\nRsyslogd has a syntax extension to the original BSD source, that makes its use more intu‐\nitively. You may precede every priority with an equals sign ('=') to specify only this single\npriority and not any of the above. You may also (both is valid, too) precede the priority\nwith an exclamation mark ('!') to ignore all that priorities, either exact this one or this\nand any higher priority. If you use both extensions then the exclamation mark must occur be‐\nfore the equals sign, just use it intuitively.\n\n", "subsections": [] }, "ACTIONS": { "content": "The action field of a rule describes what to do with the message. In general, message content\nis written to a kind of \"logfile\". But also other actions might be done, like writing to a\ndatabase table or forwarding to another host.\n\n", "subsections": [ { "name": "Regular file", "content": "Typically messages are logged to real files. The file has to be specified with full pathname,\nbeginning with a slash ('/').\n" }, { "name": "Example:", "content": "*.* /var/log/traditionalfile.log;RSYSLOGTraditionalFileFormat # log to a\nfile in the traditional format\n\nNote: if you would like to use high-precision timestamps in your log files, just remove the\n\";RSYSLOGTraditionalFormat\". That will select the default template, which, if not changed,\nuses RFC 3339 timestamps.\n" }, { "name": "Example:", "content": "*.* /var/log/file.log # log to a file with RFC3339 timestamps\n\nBy default, files are not synced after each write. To enable syncing of log files globally,\nuse either the \"$ActionFileEnableSync\" directive or the \"sync\" parameter to omfile. Enabling\nthis option degrades performance and it is advised not to enable syncing unless you know what\nyou are doing. To selectively disable syncing for certain files, you may prefix the file\npath with a minus sign (\"-\").\n\n" }, { "name": "Named pipes", "content": "This version of rsyslogd(8) has support for logging output to named pipes (fifos). A fifo or\nnamed pipe can be used as a destination for log messages by prepending a pipe symbol ('|') to\nthe name of the file. This is handy for debugging. Note that the fifo must be created with\nthe mkfifo(1) command before rsyslogd(8) is started.\n\n" }, { "name": "Terminal and console", "content": "If the file you specified is a tty, special tty-handling is done, same with /dev/console.\n\n" }, { "name": "Remote machine", "content": "There are three ways to forward message: the traditional UDP transport, which is extremely\nlossy but standard, the plain TCP based transport which loses messages only during certain\nsituations but is widely available and the RELP transport which does not lose messages but is\ncurrently available only as part of rsyslogd 3.15.0 and above.\n\nTo forward messages to another host via UDP, prepend the hostname with the at sign (\"@\"). To\nforward it via plain tcp, prepend two at signs (\"@@\"). To forward via RELP, prepend the\nstring \":omrelp:\" in front of the hostname.\n" }, { "name": "Example:", "content": "*.* @192.168.0.1\n\nIn the example above, messages are forwarded via UDP to the machine 192.168.0.1, the destina‐\ntion port defaults to 514. Due to the nature of UDP, you will probably lose some messages in\ntransit. If you expect high traffic volume, you can expect to lose a quite noticeable number\nof messages (the higher the traffic, the more likely and severe is message loss).\n\nSockets for forwarded messages can be bound to a specific device using the \"device\" option\nfor the omfwd module.\n" }, { "name": "Example:", "content": "action(type=\"omfwd\" Target=\"192.168.0.1\" Device=\"eth0\" Port=514 Protocol=\"udp\")\n\nIn the example above, messages are forwarded via UDP to the machine 192.168.0.1 at port 514\nover the device eth0. TCP can be used by setting Protocol to \"tcp\" in the above example.\n\nFor Linux with VRF support, the device option is used to specify the VRF to send messages.\n" }, { "name": "If you would like to prevent message loss, use RELP:", "content": "*.* :omrelp:192.168.0.1:2514\n\nNote that a port number was given as there is no standard port for relp.\n\nKeep in mind that you need to load the correct input and output plugins (see \"Modules\"\nabove).\n\nPlease note that rsyslogd offers a variety of options in regarding to remote forwarding. For\nfull details, please see the HTML documentation.\n\n" }, { "name": "List of users", "content": "Usually critical messages are also directed to ``root'' on that machine. You can specify a\nlist of users that shall get the message by simply writing \":omusrmsg:\" followed by the login\nname. You may specify more than one user by separating them with commas (','). If they're\nlogged in they get the message (for example: \":omusrmsg:root,user1,user2\").\n\n" }, { "name": "Everyone logged on", "content": "Emergency messages often go to all users currently online to notify them that something\nstrange is happening with the system. To specify this wall(1)-feature use an \":omusrmsg:*\".\n\n" }, { "name": "Database table", "content": "This allows logging of the message to a database table. By default, a MonitorWare-compatible\nschema is required for this to work. You can create that schema with the createDB.SQL file\nthat came with the rsyslog package. You can also use any other schema of your liking - you\njust need to define a proper template and assign this template to the action.\n\nSee the HTML documentation for further details on database logging.\n\n" }, { "name": "Discard", "content": "If the discard action is carried out, the received message is immediately discarded. Discard\ncan be highly effective if you want to filter out some annoying messages that otherwise would\nfill your log files. To do that, place the discard actions early in your log files. This of‐\nten plays well with property-based filters, giving you great freedom in specifying what you\ndo not want.\n\nDiscard is just the single 'stop' command with no further parameters.\n" }, { "name": "Example:", "content": "*.* stop # discards everything.\n\n\n" }, { "name": "Output channel", "content": "Binds an output channel definition (see there for details) to this action. Output channel ac‐\ntions must start with a $-sign, e.g. if you would like to bind your output channel definition\n\"mychannel\" to the action, use \"$mychannel\". Output channels support template definitions\nlike all all other actions.\n\n" }, { "name": "Shell execute", "content": "This executes a program in a subshell. The program is passed the template-generated message\nas the only command line parameter. Rsyslog waits until the program terminates and only then\ncontinues to run.\n" }, { "name": "Example:", "content": "^program-to-execute;template\n\nThe program-to-execute can be any valid executable. It receives the template string as a sin‐\ngle parameter (argv[1]).\n\n" } ] }, "FILTER CONDITIONS": { "content": "Rsyslog offers three different types \"filter conditions\":\n* \"traditional\" severity and facility based selectors\n* property-based filters\n* expression-based filters\n\n", "subsections": [ { "name": "Selectors", "content": "Selectors are the traditional way of filtering syslog messages. They have been kept in rsys‐\nlog with their original syntax, because it is well-known, highly effective and also needed\nfor compatibility with stock syslogd configuration files. If you just need to filter based on\npriority and facility, you should do this with selector lines. They are not second-class cit‐\nizens in rsyslog and offer the best performance for this job.\n\n" }, { "name": "Property-Based Filters", "content": "Property-based filters are unique to rsyslogd. They allow to filter on any property, like\nHOSTNAME, syslogtag and msg.\n\nA property-based filter must start with a colon in column 0. This tells rsyslogd that it is\nthe new filter type. The colon must be followed by the property name, a comma, the name of\nthe compare operation to carry out, another comma and then the value to compare against. This\nvalue must be quoted. There can be spaces and tabs between the commas. Property names and\ncompare operations are case-sensitive, so \"msg\" works, while \"MSG\" is an invalid property\nname. In brief, the syntax is as follows:\n\n:property, [!]compare-operation, \"value\"\n\nThe following compare-operations are currently supported:\n\ncontains\nChecks if the string provided in value is contained in the property\n\nisequal\nCompares the \"value\" string provided and the property contents. These two val‐\nues must be exactly equal to match.\n\nstartswith\nChecks if the value is found exactly at the beginning of the property value\n\nregex\nCompares the property against the provided regular expression.\n\n" }, { "name": "Expression-Based Filters", "content": "See the HTML documentation for this feature.\n\n\n" } ] }, "TEMPLATES": { "content": "Every output in rsyslog uses templates - this holds true for files, user messages and so on.\nTemplates compatible with the stock syslogd formats are hardcoded into rsyslogd. If no tem‐\nplate is specified, we use one of these hardcoded templates. Search for \"template\" in sys‐\nlogd.c and you will find the hardcoded ones.\n\nA template consists of a template directive, a name, the actual template text and optional\noptions. A sample is:\n\n$template MyTemplateName,\"\\7Text %property% some more text\\n\",\n\nThe \"$template\" is the template directive. It tells rsyslog that this line contains a tem‐\nplate. The backslash is an escape character. For example, \\7 rings the bell (this is an ASCII\nvalue), \\n is a new line. The set in rsyslog is a bit restricted currently.\n\nAll text in the template is used literally, except for things within percent signs. These are\nproperties and allow you access to the contents of the syslog message. Properties are ac‐\ncessed via the property replacer and it can for example pick a substring or do date-specific\nformatting. More on this is the PROPERTY REPLACER section of this manpage.\n\nTo escape:\n% = \\%\n\\ = \\\\ --> '\\' is used to escape (as in C)\n$template TraditionalFormat,\"%timegenerated% %HOSTNAME% %syslogtag%%msg%\\n\"\n\nProperties can be accessed by the property replacer (see there for details).\n", "subsections": [ { "name": "Please note that templates can also by used to generate selector lines with dynamic file", "content": "names. For example, if you would like to split syslog messages from different hosts to dif‐\nferent files (one per host), you can define the following template:\n\n$template DynFile,\"/var/log/system-%HOSTNAME%.log\"\n\nThis template can then be used when defining an output selector line. It will result in some‐\nthing like \"/var/log/system-localhost.log\"\n\n" }, { "name": "Template options", "content": "The part is optional. It carries options influencing the template as whole. See\ndetails below. Be sure NOT to mistake template options with property options - the later ones\nare processed by the property replacer and apply to a SINGLE property, only (and not the\nwhole template).\n\nTemplate options are case-insensitive. Currently defined are:\n\n\nsql format the string suitable for a SQL statement in MySQL format. This will re‐\nplace single quotes (\"'\") and the backslash character by their backslash-es‐\ncaped counterpart (\"´\" and \"\\\") inside each field. Please note that in MySQL\nconfiguration, the NOBACKSLASHESCAPES mode must be turned off for this format\nto work (this is the default).\n\n\nstdsql format the string suitable for a SQL statement that is to be sent to a stan‐\ndards-compliant sql server. This will replace single quotes (\"'\") by two single\nquotes (\"''\") inside each field. You must use stdsql together with MySQL if in\nMySQL configuration the NOBACKSLASHESCAPES is turned on.\n\nEither the sql or stdsql option MUST be specified when a template is used for writing to a\ndatabase, otherwise injection might occur. Please note that due to the unfortunate fact that\nseveral vendors have violated the sql standard and introduced their own escape methods, it is\nimpossible to have a single option doing all the work. So you yourself must make sure you\nare using the right format. If you choose the wrong one, you are still vulnerable to sql in‐‐" }, { "name": "jection.", "content": "Please note that the database writer *checks* that the sql option is present in the template.\nIf it is not present, the write database action is disabled. This is to guard you against\naccidental forgetting it and then becoming vulnerable to SQL injection. The sql option can\nalso be useful with files - especially if you want to import them into a database on another\nmachine for performance reasons. However, do NOT use it if you do not have a real need for it\n- among others, it takes some toll on the processing time. Not much, but on a really busy\nsystem you might notice it ;)\n\nThe default template for the write to database action has the sql option set.\n\n" }, { "name": "Template examples", "content": "Please note that the samples are split across multiple lines. A template MUST NOT actually be\nsplit across multiple lines.\n\nA template that resembles traditional syslogd file output:\n\n$template TraditionalFormat,\"%timegenerated% %HOSTNAME%\n%syslogtag%%msg:::drop-last-lf%\\n\"\n\nA template that tells you a little more about the message:\n\n$template precise,\"%syslogpriority%,%syslogfacility%,%timegenerated%,%HOSTNAME%,\n%syslogtag%,%msg%\\n\"\n\nA template for RFC 3164 format:\n\n$template RFC3164fmt,\"<%PRI%>%TIMESTAMP% %HOSTNAME% %syslogtag%%msg%\"\n\nA template for the format traditionally used for user messages:\n\n$template usermsg,\" XXXX%syslogtag%%msg%\\n\\r\"\n\nAnd a template with the traditional wall-message format:\n\n$template wallmsg,\"\\r\\n\\7Message from syslogd@%HOSTNAME% at %timegenerated%\"\n" }, { "name": "A template that can be used for writing to a database (please note the SQL template option)", "content": "$template MySQLInsert,\"insert iut, message, receivedat values ('%iut%', '%msg:::UPPER‐\nCASE%', '%timegenerated:::date-mysql%') into systemevents\\r\\n\", SQL\n\nNOTE 1: This template is embedded into core application under name StdDBFmt , so you\ndon't need to define it.\n\nNOTE 2: You have to have MySQL module installed to use this template.\n\n" } ] }, "OUTPUT CHANNELS": { "content": "Output Channels are a new concept first introduced in rsyslog 0.9.0. As of this writing, it\nis most likely that they will be replaced by something different in the future. So if you\nuse them, be prepared to change you configuration file syntax when you upgrade to a later re‐\nlease.\n\nOutput channels are defined via an $outchannel directive. It's syntax is as follows:\n\n$outchannel name,file-name,max-size,action-on-max-size\n\nname is the name of the output channel (not the file), file-name is the file name to be writ‐\nten to, max-size the maximum allowed size and action-on-max-size a command to be issued when\nthe max size is reached. This command always has exactly one parameter. The binary is that\npart of action-on-max-size before the first space, its parameter is everything behind that\nspace.\n\nKeep in mind that $outchannel just defines a channel with \"name\". It does not activate it.\nTo do so, you must use a selector line (see below). That selector line includes the channel\nname plus \":omfile:$\" in front of it. A sample might be:\n\n*.* :omfile:$mychannel\n\n", "subsections": [] }, "PROPERTY REPLACER": { "content": "The property replacer is a core component in rsyslogd's output system. A syslog message has a\nnumber of well-defined properties (see below). Each of this properties can be accessed and\nmanipulated by the property replacer. With it, it is easy to use only part of a property\nvalue or manipulate the value, e.g. by converting all characters to lower case.\n\n", "subsections": [ { "name": "Accessing Properties", "content": "Syslog message properties are used inside templates. They are accessed by putting them be‐\ntween percent signs. Properties can be modified by the property replacer. The full syntax is\nas follows:\n\n%propname:fromChar:toChar:options%\n\npropname is the name of the property to access. It is case-sensitive.\n\n" }, { "name": "Available Properties", "content": "msg the MSG part of the message (aka \"the message\" ;))\n\nrawmsg the message exactly as it was received from the socket. Should be useful for debug‐\nging.\n\nHOSTNAME\nhostname from the message\n\nFROMHOST\nhostname of the system the message was received from (in a relay chain, this is the\nsystem immediately in front of us and not necessarily the original sender)\n" }, { "name": "syslogtag", "content": "TAG from the message\n" }, { "name": "programname", "content": "the \"static\" part of the tag, as defined by BSD syslogd. For example, when TAG is\n\"named[12345]\", programname is \"named\".\n\nPRI PRI part of the message - undecoded (single value)\n" }, { "name": "PRI-text", "content": "the PRI part of the message in a textual form (e.g. \"syslog.info\")\n\nIUT the monitorware InfoUnitType - used when talking to a MonitorWare backend (also for\nphpLogCon)\n" }, { "name": "syslogfacility", "content": "the facility from the message - in numerical form\n" }, { "name": "syslogfacility-text", "content": "the facility from the message - in text form\n" }, { "name": "syslogseverity", "content": "severity from the message - in numerical form\n" }, { "name": "syslogseverity-text", "content": "severity from the message - in text form\n" }, { "name": "timegenerated", "content": "timestamp when the message was RECEIVED. Always in high resolution\n" }, { "name": "timereported", "content": "timestamp from the message. Resolution depends on what was provided in the message (in\nmost cases, only seconds)\n\nTIMESTAMP\nalias for timereported\n\nPROTOCOL-VERSION\nThe contents of the PROTOCOL-VERSION field from IETF draft draft-ietf-syslog-protocol\n\nSTRUCTURED-DATA\nThe contents of the STRUCTURED-DATA field from IETF draft draft-ietf-syslog-protocol\n\nAPP-NAME\nThe contents of the APP-NAME field from IETF draft draft-ietf-syslog-protocol\n\nPROCID The contents of the PROCID field from IETF draft draft-ietf-syslog-protocol\n\nMSGID The contents of the MSGID field from IETF draft draft-ietf-syslog-protocol\n\n$NOW The current date stamp in the format YYYY-MM-DD\n\n$YEAR The current year (4-digit)\n\n$MONTH The current month (2-digit)\n\n$DAY The current day of the month (2-digit)\n\n$HOUR The current hour in military (24 hour) time (2-digit)\n" }, { "name": "$MINUTE", "content": "The current minute (2-digit)\n\n\nProperties starting with a $-sign are so-called system properties. These do NOT stem from the\nmessage but are rather internally-generated.\n\n" }, { "name": "Character Positions", "content": "FromChar and toChar are used to build substrings. They specify the offset within the string\nthat should be copied. Offset counting starts at 1, so if you need to obtain the first 2\ncharacters of the message text, you can use this syntax: \"%msg:1:2%\". If you do not wish to\nspecify from and to, but you want to specify options, you still need to include the colons.\nFor example, if you would like to convert the full message text to lower case, use\n\"%msg:::lowercase%\". If you would like to extract from a position until the end of the\nstring, you can place a dollar-sign (\"$\") in toChar (e.g. %msg:10:$%, which will extract from\nposition 10 to the end of the string).\n\nThere is also support for regular expressions. To use them, you need to place a \"R\" into\nFromChar. This tells rsyslog that a regular expression instead of position-based extraction\nis desired. The actual regular expression must then be provided in toChar. The regular ex‐\npression must be followed by the string \"--end\". It denotes the end of the regular expression\nand will not become part of it. If you are using regular expressions, the property replacer\nwill return the part of the property text that matches the regular expression. An example for\na property replacer sequence with a regular expression is: \"%msg:R:.*Sev:. \\(.*\\) \\[.*--end%\"\n\nAlso, extraction can be done based on so-called \"fields\". To do so, place a \"F\" into From‐\nChar. A field in its current definition is anything that is delimited by a delimiter charac‐\nter. The delimiter by default is TAB (US-ASCII value 9). However, if can be changed to any\nother US-ASCII character by specifying a comma and the decimal US-ASCII value of the delim‐\niter immediately after the \"F\". For example, to use comma (\",\") as a delimiter, use this\nfield specifier: \"F,44\". If your syslog data is delimited, this is a quicker way to extract\nthan via regular expressions (actually, a *much* quicker way). Field counting starts at 1.\nField zero is accepted, but will always lead to a \"field not found\" error. The same happens\nif a field number higher than the number of fields in the property is requested. The field\nnumber must be placed in the \"ToChar\" parameter. An example where the 3rd field (delimited by\nTAB) from the msg property is extracted is as follows: \"%msg:F:3%\". The same example with\nsemicolon as delimiter is \"%msg:F,59:3%\".\n\nPlease note that the special characters \"F\" and \"R\" are case-sensitive. Only upper case\nworks, lower case will return an error. There are no white spaces permitted inside the se‐\nquence (that will lead to error messages and will NOT provide the intended result).\n\n" }, { "name": "Property Options", "content": "Property options are case-insensitive. Currently, the following options are defined:\n\nuppercase\nconvert property to lowercase only\n\nlowercase\nconvert property text to uppercase only\n\ndrop-last-lf\nThe last LF in the message (if any), is dropped. Especially useful for PIX.\n\ndate-mysql\nformat as mysql date\n\ndate-rfc3164\nformat as RFC 3164 date\n\ndate-rfc3339\nformat as RFC 3339 date\n\nescape-cc\nreplace control characters (ASCII value 127 and values less then 32) with an escape\nsequence. The sequence is \"#\" where charval is the 3-digit decimal value of\nthe control character. For example, a tabulator would be replaced by \"#009\".\n\nspace-cc\nreplace control characters by spaces\n\ndrop-cc\ndrop control characters - the resulting string will neither contain control charac‐\nters, escape sequences nor any other replacement character like space.\n\n" } ] }, "QUEUED OPERATIONS": { "content": "Rsyslogd supports queued operations to handle offline outputs (like remote syslogd's or data‐\nbase servers being down). When running in queued mode, rsyslogd buffers messages to memory\nand optionally to disk (on an as-needed basis). Queues survive rsyslogd restarts.\n\nIt is highly suggested to use remote forwarding and database writing in queued mode, only.\n\nTo learn more about queued operations, see the HTML documentation.\n\n", "subsections": [] }, "FILES": { "content": "/etc/rsyslog.conf\nConfiguration file for rsyslogd\n", "subsections": [] }, "SEE ALSO": { "content": "rsyslogd(8), logger(1), syslog(3)\n\nThe complete documentation can be found in the doc folder of the rsyslog distribution or on‐\nline at\n\nhttps://www.rsyslog.com/doc/\n\nPlease note that the man page reflects only a subset of the configuration options. Be sure to\nread the HTML documentation for all features and details. This is especially vital if you\nplan to set up a more-then-extremely-simple system.\n", "subsections": [] }, "AUTHORS": { "content": "rsyslogd is taken from sysklogd sources, which have been heavily modified by Rainer Gerhards\n(rgerhards@adiscon.com) and others.\n\n\n\nVersion 7.2.0 22 October 2012 RSYSLOG.CONF(5)", "subsections": [] } } } }