summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorRainer Gerhards <rgerhards@adiscon.com>2008-02-15 12:47:28 +0000
committerRainer Gerhards <rgerhards@adiscon.com>2008-02-15 12:47:28 +0000
commitc950966d44baeb6510594550ead4bb37f1630bcc (patch)
tree1975142aeed1ed050c93a9a4f4e23ebe05f409be
parentb2548ac5646b65a77ea160429c7e41a335777caf (diff)
downloadrsyslog-c950966d44baeb6510594550ead4bb37f1630bcc.tar.gz
rsyslog-c950966d44baeb6510594550ead4bb37f1630bcc.tar.xz
rsyslog-c950966d44baeb6510594550ead4bb37f1630bcc.zip
- implemented $ActionLibdbiDriverDirectory config directive
- some cleanup - doc improvements
-rw-r--r--action.c1
-rw-r--r--doc/Makefile.am1
-rw-r--r--doc/features.html101
-rw-r--r--doc/omlibdbi.html126
-rw-r--r--doc/rsyslog_conf.html256
-rw-r--r--doc/rsyslog_ng_comparison.html49
-rw-r--r--plugins/omlibdbi/omlibdbi.c60
-rw-r--r--rsyslog.h1
-rw-r--r--syslogd.c2
-rw-r--r--wtp.c2
10 files changed, 374 insertions, 225 deletions
diff --git a/action.c b/action.c
index 1f724a59..d9ac6133 100644
--- a/action.c
+++ b/action.c
@@ -521,7 +521,6 @@ actionWriteToAction(action_t *pAction)
* So let's enqueue our message for execution. -- rgerhards, 2007-07-24
*/
iRet = queueEnqObj(pAction->pQueue, (void*) MsgAddRef(pAction->f_pMsg));
-RUNLOG_VAR("%d", iRet);
if(iRet == RS_RET_OK)
pAction->f_prevcount = 0; /* message processed, so we start a new cycle */
diff --git a/doc/Makefile.am b/doc/Makefile.am
index 3bc63dbe..0ef3208b 100644
--- a/doc/Makefile.am
+++ b/doc/Makefile.am
@@ -26,6 +26,7 @@ html_files = \
contributors.html \
dev_queue.html \
omsnmp.html \
+ omlibdbi.html \
imfile.html \
queues.html \
queueWorkerLogic.dia \
diff --git a/doc/features.html b/doc/features.html
index 65b5c6c0..a61d5b7e 100644
--- a/doc/features.html
+++ b/doc/features.html
@@ -1,7 +1,6 @@
-<html>
-<head>
-<title>rsyslog features</title>
-</head>
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
+<html><head>
+<title>rsyslog features</title></head>
<body>
<h1>RSyslog - Features</h1>
<p><b>This page lists both current features as well as those being considered
@@ -13,46 +12,55 @@ is going on, you can also subscribe to the <a href="http://lists.adiscon.net/mai
<h2>Current Features</h2>
<ul>
- <li>native support for <a href="rsyslog_mysql.html">writing to MySQL databases</a><li>
- native support for writing to Postgres databases<li>support for (plain) tcp
- based syslog - much better reliability<li>support for sending and receiving
- compressed syslog messages<li>support for on-demand on-disk spooling of
+ <li>native support for <a href="rsyslog_mysql.html">writing to MySQL databases</a></li><li>
+ native support for writing to Postgres databases</li><li>direct support for Firebird/Interbase,
+OpenTDS (MS SQL, Sybase), SQLLite, Ingres, Oracle, and mSQL via libdbi,
+a database abstraction layer (almost as good as native)</li><li>support for (plain) tcp
+ based syslog - much better reliability</li><li>support for sending and receiving
+ compressed syslog messages</li><li>support for on-demand on-disk spooling of
messages that can not be processed fast enough (a great feature for
<a href="rsyslog_high_database_rate.html">writing massive amounts of syslog
- messages to a database</a>)<li>ability to configure backup syslog/database
+ messages to a database</a>)</li><li>ability to monitor text files and convert their contents into syslog messages (one per line)</li><li>ability to configure backup syslog/database
servers - if the primary fails, control is switched to a prioritized list of
- backups<li>support for receiving messages via reliable <a href="http://www.monitorware.com/Common/en/glossary/rfc3195.php"> RFC 3195</a> delivery<li>ability to generate file names and directories (log targets)
- dynamically, based on many different properties<li>control of log output format,
- including ability to present channel and priority as visible log data<li>good timestamp format control; at a minimum, ISO 8601/RFC 3339
- second-resolution UTC zone<li>ability to reformat message contents and work with substrings<li>support for
- log files larger than 2gb<li>support for file size limitation and automatic
- rollover command execution<li>support for running multiple rsyslogd
- instances on a single machine<li>support for <a href="rsyslog_stunnel.html">
- ssl-protected syslog</a> (via stunnel)<li>ability to filter on any part of
- the message, not just facility and severity<li>ability to use regular
- expressions in filters<li>support for discarding
- messages based on filters<li>ability to execute shell scripts on received
- messages<li>control of whether the local hostname or the hostname of the
- origin of the data is shown as the hostname in the output<li>ability to
+ backups</li><li>support for receiving messages via
+ reliable <a href="http://www.monitorware.com/Common/en/glossary/rfc3195.php">
+ RFC 3195</a> delivery</li><li>ability to generate file names and directories (log targets)
+ dynamically, based on many different properties</li><li>control of log output format,
+ including ability to present channel and priority as visible log data</li><li>good timestamp format control; at a minimum, ISO 8601/RFC 3339
+ second-resolution UTC zone</li><li>ability to reformat message contents and work with substrings</li><li>support for
+ log files larger than 2gb</li><li>support for file size limitation and automatic
+ rollover command execution</li><li>support for running multiple rsyslogd
+ instances on a single machine</li><li>support for <a href="rsyslog_stunnel.html">
+ ssl-protected syslog</a> (via stunnel)</li><li>ability to filter on any part of
+ the message, not just facility and severity</li><li>ability to use regular
+ expressions in filters</li><li>support for discarding
+ messages based on filters</li><li>ability to execute shell scripts on received
+ messages</li><li>control of whether the local hostname or the hostname of the
+ origin of the data is shown as the hostname in the output</li><li>ability to
preserve the original hostname in NAT environments and relay chains
- <li>ability to limit the allowed network senders<li>powerful BSD-style hostname and program name blocks for easy multi-host support<li> massively multi-threaded with dynamic work thread pools that start up and shut
+ </li><li>ability to limit the allowed network senders</li><li>powerful BSD-style
+ hostname and program name blocks for easy multi-host support</li><li>
+ massively
+ multi-threaded with dynamic work thread pools that start up and shut
themselves down on an as-needed basis (great for high log volume on
- multicore machines)<li>very experimental and volatile support for <a href="syslog-protocol.html">syslog-protocol</a> compliant messages (it is volatile because standardization is currently underway and this is a proof-of-concept implementation to aid this effort)<li>
+ multicore machines)</li><li>very
+ experimental and volatile support for <a href="syslog-protocol.html">syslog-protocol</a> compliant messages (it is volatile because standardization is currently
+ underway and this is a proof-of-concept implementation to aid this effort)</li><li>
experimental support for syslog-transport-tls based framing on syslog/tcp
- connections<li>
+ connections</li><li>
the sysklogd's klogd functionality is implemented as the <i>imklog</i> input
plug-in. So rsyslog is a full replacement for the sysklogd
- package<li>
- support for IPv6<li>
- ability to control repeated line reduction (&quot;last message repeated n times&quot;)
- on a per selector-line basis<li>
+ package</li><li>
+ support for IPv6</li><li>
+ ability to control repeated line reduction ("last message repeated n times")
+ on a per selector-line basis</li><li>
supports sub-configuration files, which can be automatically read from
- directories. Includes are specified in the main configuration file<li>
- supports multiple actions per selector/filter condition<li>
- MySQL and Postgres SQL functionality as a dynamically loadable plug-in<li>
- modular design for inputs and outputs - easily extensible via custom plugins<li>
- an easy-to-write to plugin interface<li>
- ability to send SNMP trap messages</ul>
+ directories. Includes are specified in the main configuration file</li><li>
+ supports multiple actions per selector/filter condition</li><li>
+ MySQL and Postgres SQL functionality as a dynamically loadable plug-in</li><li>
+ modular design for inputs and outputs - easily extensible via custom plugins</li><li>
+ an easy-to-write to plugin interface</li><li>
+ ability to send SNMP trap messages</li></ul>
<p>&nbsp;</p>
<h2>Upcoming Features</h2>
<p>The list below is something like a repository of ideas we'd like to
@@ -61,32 +69,27 @@ inclusion. We maintain a
<a href="http://bugzilla.adiscon.com/rsyslog-feature.html">feature
request tracker at our bugzilla</a>. This tracker has things typically within
reach of implementation. Users are encouraged to submit feature requests there
-(or via our forums). If we like them but they look quite long-lived (aka &quot;not
-soon to be implemented&quot;), they will possibly be migrated to this list here and
+(or via our forums). If we like them but they look quite long-lived (aka "not
+soon to be implemented"), they will possibly be migrated to this list here and
at some time moved back to the sourceforge tracker.</p>
<ul>
<li>implement native email-functionality in
- selector (probably best done as a plug-in)<li>port it to more *nix variants
+ selector (probably best done as a plug-in)</li><li>port it to more *nix variants
(eg AIX and HP UX) - this needs volunteers with access to those machines and
knowledge
- <li>support for native SSL enryption of plain tcp syslog sessions. This will
- most probably happen based on syslog-transport-tls.<li>even more enhanced multi-threading,
- with a message queue for each action (when implementing this, search
- for CHECKMULTIQUEUE comments in the source - they already contain hints of
- what to look at). Some detail information on this can already be found in
- <a href="http://rgerhards.blogspot.com/2007/08/syslog-worker-pools-future-hardware-and.html">
- Rainer's blog</a>.<li>pcre filtering - maybe (depending on feedback)&nbsp; - simple regex already
+ </li><li>support for native SSL enryption of plain tcp syslog sessions. This will
+ most probably happen based on syslog-transport-tls.</li><li>pcre filtering - maybe (depending on feedback)&nbsp; - simple regex already
partly added. So far, this seems sufficient so that there is no urgent need
- to do pcre<li>support for <a href="http://www.monitorware.com/Common/en/glossary/rfc3195.php">RFC 3195</a> as a sender - this is currently unlikely to happen, because there is no real
+ to do pcre</li><li>support for
+ <a href="http://www.monitorware.com/Common/en/glossary/rfc3195.php">RFC 3195</a> as a sender - this is currently unlikely to happen, because there is no real
demand for it. Any work on RFC 3195 has been suspend until we see some real
interest in it.&nbsp; It is probably much better to use TCP-based syslog,
which is interoperable with a large number of applications. You may also
read my blog post on the future of liblogging, which contains interesting
information about the
<a href="http://rgerhards.blogspot.com/2007/09/where-is-liblogging-heading-to.html">
- future of RFC 3195 in rsyslog</a>.</ul>
+ future of RFC 3195 in rsyslog</a>.</li></ul>
<p>To see when each feature was added, see the
<a href="http://www.rsyslog.com/Topic4.phtml">rsyslog change log</a> (online
only).</p>
-</body>
-</html>
+</body></html> \ No newline at end of file
diff --git a/doc/omlibdbi.html b/doc/omlibdbi.html
new file mode 100644
index 00000000..c66dc06b
--- /dev/null
+++ b/doc/omlibdbi.html
@@ -0,0 +1,126 @@
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
+<html><head>
+<meta http-equiv="Content-Language" content="en"><title>Generic Database Output Module (omlibdbi)</title>
+
+</head>
+<body>
+<h1>Generic Database Output Module (omlibdbi)</h1>
+<p><b>Module Name:&nbsp;&nbsp;&nbsp; omlibdbi</b></p>
+<p><b>Author: </b>Rainer Gerhards
+&lt;rgerhards@adiscon.com&gt;</p>
+<p><b>Description</b>:</p>
+<p>This modules supports a large number of database systems via <a href="http://libdbi.sourceforge.net/">libdbi</a>.
+Libdbi abstracts the database layer and provides drivers for many
+systems. Drivers are available via the <a href="http://libdbi-drivers.sourceforge.net/">libdbi-drivers</a>
+project. As of this writing, the following drivers are available:</p>
+<ul>
+<li><a href="http://www.firebird.sourceforge.net/">Firebird/Interbase</a></li>
+<li><a href="http://www.freetds.org/">FreeTDS</a>
+(provides access to <a href="http://www.microsoft.com/sql">MS
+SQL Server</a> and <a href="http://www.sybase.com/products/informationmanagement/adaptiveserverenterprise">Sybase</a>)</li>
+<li><a href="http://www.mysql.com/">MySQL</a>
+(also
+supported via the native ommysql plugin in rsyslog)</li>
+<li><a href="http://www.postgresql.org/">PostgreSQL</a>(also
+supported via the native
+ommysql plugin in rsyslog)</li>
+<li><a href="http://www.sqlite.org/">SQLite/SQLite3</a></li>
+</ul>
+<p>The following drivers are in various stages of completion:</p>
+<ul>
+<li><a href="http://ingres.com/">Ingres</a></li>
+<li><a href="http://www.hughes.com.au/">mSQL</a></li>
+<li><a href="http://www.oracle.com/">Oracle</a></li>
+</ul>
+<p>These drivers seem to be quite usable, at
+least from an rsyslog point of view.</p>
+<p>Libdbi provides a slim layer between rsyslog and the actual
+database engine. We have not yet done any performance testing (e.g.
+omlibdbi vs. ommysql) but honestly believe that the performance impact
+should be irrelevant, if at all measurable. Part of that assumption is
+that rsyslog just does the "insert" and most of the time is spent
+either in the database engine or rsyslog itself. It's hard to think of
+any considerable time spent in the libdbi abstraction layer.</p>
+<p><span style="font-weight: bold;">Setup</span></p>
+<p>In order for this plugin to work, you need to have libdbi, the
+libdbi driver for your database backend and the client software for
+your database backend installed. There are libdbi packages for many
+distributions. Please note that rsyslogd requires a quite recent
+version (0.8.3) of libdbi. It may work with older versions, but these
+need some special ./configure options to support being called from a
+dlopen()ed plugin (as omlibdbi is). So in short, you probably save you
+a lot of headache if you make sure you have at least libdbi version
+0.8.3 on your system.
+</p>
+<p><b>Configuration Directives</b>:</p>
+<ul>
+<li><span style="font-weight: bold;">$ActionLibdbiDriverDirectory /path/to/dbd/drivers</span><br>This
+is a global setting. It points libdbi to its driver directory. Usually,
+you do not need to set it. If you installed libdbi-driver's at a
+non-standard location, you may need to specify the directory here. If
+you are unsure, do <span style="font-weight: bold;">not</span> use this configuration directive. Usually, everything works just fine.<strong></strong></li><li><strong>$ActionLibdbiDriver drivername</strong><br>
+Name of the dbidriver to use, see libdbi-drivers documentation. As a
+quick excerpt, at least those were available at the time of this
+writiting "mysql" (suggest to use ommysql instead), "firebird" (Firbird
+and InterBase), "ingres", "msql", "Oracle", "sqlite", "sqlite3",
+"freetds" (for Microsoft SQL and Sybase) and "pgsql" (suggest to use
+ompgsql instead).</li>
+<li><span style="font-weight: bold;">$ActionLibdbiHost
+hostname</span><br>
+The host to connect to.</li>
+<li><span style="font-weight: bold;">$ActionLibdbiUserName
+user</span><br>
+The user used to connect to the database.</li>
+<li><span style="font-weight: bold;">$ActionlibdbiPassword</span><br>
+That user's password.</li>
+<li><span style="font-weight: bold;">$ActionlibdbiDBName
+db</span><br>
+The database that shall be written to.</li>
+<li><span style="font-weight: bold;">selector
+line: :omlibdbi:<span style="font-style: italic;">;template</span></span><br>
+executes the recently configured omlibdbi action. The ;template part is
+optional. If no template is provided, a default template is used (which
+is currently optimized for MySQL - sorry, folks...)</li>
+</ul>
+<b>Caveats/Known Bugs:</b>
+<p>You must make sure that any templates used for omlibdbi
+properly escape strings. This is usually done by supplying the SQL (or
+STDSQL) option to the template. Omlibdbi rejects templates without this
+option for security reasons. However, omlibdbi does not detect if you
+used the right option for your backend. Future versions of rsyslog
+(with full&nbsp;expression&nbsp; support) will provide advanced
+ways of handling this situation. So far, you must be careful. The
+default template provided by rsyslog is suitable for MySQL, but not
+necessarily for your database backend. Be careful!</p>
+<p>If you receive the rsyslog error message "libdbi or libdbi
+drivers not present on this system" you may either not have libdbi and
+its drivers installed or (very probably) the version is earlier than
+0.8.3. In this case, you need to make sure you have at least 0.8.3 and
+the libdbi driver for your database backend present on your system.</p><p>I
+do not have most of the database supported by omlibdbi in my lab. So it
+received limited cross-platform tests. If you run into troubles, be
+sure the let us know at <a href="http://www.rsyslog.com">http://www.rsyslog.com</a>.</p>
+<p><b>Sample:</b></p>
+<p>The following sample writes all syslog messages to the
+database "syslog_db" on mysqlsever.example.com. The server is MySQL and
+being accessed under the account of "user" with password "pwd" (if you
+have empty passwords, just remove the $ActionLibdbiPassword line).<br>
+</p>
+<textarea rows="15" cols="60">$ModLoad omlibdbi.so
+$ActionLibdbiDriver mysql
+$ActionLibdbiHost mysqlserver.example.com
+$ActionLibdbiUserName user
+$ActionLibdbiPassword pwd
+$ActionLibdbiDBName syslog_db
+*.* :omlibdbi:
+</textarea>
+<p>[<a href="rsyslog_conf.html">rsyslog.conf overview</a>]
+[<a href="manual.html">manual index</a>] [<a href="http://www.rsyslog.com/">rsyslog site</a>]</p>
+<p><font size="2">This documentation is part of the
+<a href="http://www.rsyslog.com/">rsyslog</a>
+project.<br>
+Copyright © 2008 by <a href="http://www.gerhards.net/rainer">Rainer
+Gerhards</a> and
+<a href="http://www.adiscon.com/">Adiscon</a>.
+Released under the GNU GPL version 3 or higher.</font></p>
+</body></html> \ No newline at end of file
diff --git a/doc/rsyslog_conf.html b/doc/rsyslog_conf.html
index 8ad06416..08ccb517 100644
--- a/doc/rsyslog_conf.html
+++ b/doc/rsyslog_conf.html
@@ -1,7 +1,6 @@
-<html>
-<head>
-<title>rsyslog.conf file</title>
-</head>
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
+<html><head>
+<title>rsyslog.conf file</title></head>
<body>
<h1>rsyslog.conf configuration file</h1>
<p><b>This document is currently being enhanced. Please pardon its current
@@ -25,10 +24,10 @@ to rsyslogd.</p>
modules. Here is the entry point to their documentation and what they do (list
is currently not complete)</p>
<ul>
- <li><a href="omsnmp.html">omsnmp</a> - SNMP trap output module</li>
+ <li><a href="omsnmp.html">omsnmp</a> - SNMP trap output module</li><li>omgss - output module for GSS-enabled syslog</li>
<li>ommysql - output module for MySQL</li>
<li>ompgsql - output module for PostgreSQL</li>
- <li>imfile - [in development] input module for text files</li>
+ <li><a href="omlibdbi.html">omlibdbi</a> - generic database output module (Firebird/Interbase, MS SQL, Sybase, SQLLite, Ingres, Oracle, mSQL)</li><li><a href="imfile.html">imfile</a> -&nbsp; input module for text files</li><li>imudp - udp syslog message input</li><li>imtcp - input plugin for plain tcp and GSS-enable syslog</li><li>immark - support for mark messages</li>
<li>imklog - kernel logging</li>
</ul>
<p>Please note that each module provides configuration directives, which are NOT
@@ -67,7 +66,7 @@ it is usually well-chosen and applicable in most cases.</p>
<li>$ActionQueueWorkerTimeoutThreadShutdown &lt;number&gt; [number is timeout in ms (1000ms is 1sec!), default 60000 (1 minute)]</li>
<li>$ActionQueueType [FixedArray/LinkedList/<b>Direct</b>/Disk]</li>
<li>$ActionQueueSaveOnShutdown&nbsp; [on/<b>off</b>]
- <li>$ActionQueueWorkerThreads &lt;number&gt;, num worker threads, default 1,
+ </li><li>$ActionQueueWorkerThreads &lt;number&gt;, num worker threads, default 1,
recommended 1</li>
<li>$ActionQueueWorkerThreadMinumumMessages &lt;number&gt;, default 100</li>
<li><a href="rsconf1_actionresumeinterval.html">$ActionResumeInterval</a></li>
@@ -111,13 +110,15 @@ it is usually well-chosen and applicable in most cases.</p>
<li><a href="rsconf1_mainmsgqueuesize.html">$MainMsgQueueSize</a></li>
<li>$MainMsgQueueLowWaterMark &lt;number&gt; [default 2000]</li>
<li>$MainMsgQueueMaxFileSize &lt;size_nbr&gt;, default 1m</li>
- <li>$MainMsgQueueTimeoutActionCompletion &lt;number&gt; [number is timeout in ms (1000ms is 1sec!), default 1000, 0 means immediate!]</li>
+ <li>$MainMsgQueueTimeoutActionCompletion
+&lt;number&gt; [number is timeout in ms (1000ms is 1sec!), default
+1000, 0 means immediate!]</li>
<li>$MainMsgQueueTimeoutEnqueue &lt;number&gt; [number is timeout in ms (1000ms is 1sec!), default 2000, 0 means indefinite]</li>
<li>$MainMsgQueueTimeoutShutdown &lt;number&gt; [number is timeout in ms (1000ms is 1sec!), default 0 (indefinite)]</li>
<li>$MainMsgQueueWorkerTimeoutThreadShutdown &lt;number&gt; [number is timeout in ms (1000ms is 1sec!), default 60000 (1 minute)]</li>
<li>$MainMsgQueueType [<b>FixedArray</b>/LinkedList/Direct/Disk]</li>
<li>$MainMsgQueueSaveOnShutdown&nbsp; [on/<b>off</b>]
- <li>$MainMsgQueueWorkerThreads &lt;number&gt;, num worker threads, default 1,
+ </li><li>$MainMsgQueueWorkerThreads &lt;number&gt;, num worker threads, default 1,
recommended 1</li>
<li>$MainMsgQueueWorkerThreadMinumumMessages &lt;number&gt;, default 100</li>
<li><a href="rsconf1_markmessageperiod.html">$MarkMessagePeriod</a> (immark)</li>
@@ -131,7 +132,7 @@ it is usually well-chosen and applicable in most cases.</p>
<li>$UDPServerAddress &lt;IP&gt; (imudp) -- local IP address (or name) the UDP
listens should bind to</li>
<li>$UDPServerRun &lt;port&gt; (imudp) -- former -r&lt;port&gt; option, default 514,
- start UDP server on this port, &quot;*&quot; means all addresses</li>
+ start UDP server on this port, "*" means all addresses</li>
<li><a href="rsconf1_umask.html">$UMASK</a></li>
</ul>
<p><b>Where &lt;size_nbr&gt; is specified above,</b> modifiers can be used after the
@@ -140,45 +141,47 @@ t(era), p(eta) and e(xa). Lower case letters refer to the traditional binary
defintion (e.g. 1m equals 1,048,576) whereas upper case letters refer to their
new 1000-based definition (e.g 1M equals 1,000,000).</p>
<p>Numbers may include '.' and ',' for readability. So you can for example
-specify either &quot;1000&quot; or &quot;1,000&quot; with the same result. Please note that rsyslogd
-simply ignores the punctuation. Form it's point of view, &quot;1,,0.0.,.,0&quot; also has
+specify either "1000" or "1,000" with the same result. Please note that rsyslogd
+simply ignores the punctuation. Form it's point of view, "1,,0.0.,.,0" also has
the value 1000. </p>
<h2>Basic Structure</h2>
<p>Rsyslog supports standard sysklogd's configuration file format and extends
-it. So in general, you can take a &quot;normal&quot; syslog.conf and use it together with
+it. So in general, you can take a "normal" syslog.conf and use it together with
rsyslogd. It will understand everything. However, to use most of rsyslogd's
-unique features, you need to add extended configuration directives.<p>Rsyslogd
+unique features, you need to add extended configuration directives.</p><p>Rsyslogd
supports the classical, selector-based rule lines. They are still at the heart
of it and all actions are initiated via rule lines. A rule lines is any line not
starting with a $ or the comment sign (#). Lines starting with $ carry
-rsyslog-specific directives.<p>Every rule line consists of two fields, a selector field and an action field.
+rsyslog-specific directives.</p><p>Every rule line consists of two fields, a selector field and an action field.
These two fields are separated by one or more spaces or tabs. The selector field
specifies a pattern of facilities and priorities belonging to the specified
action.<br>
<br>
-Lines starting with a hash mark (&quot;#'') and empty lines are ignored.
+Lines starting with a hash mark ("#'') and empty lines are ignored.
-<h2>Templates</h2>
-<p>Templates are a key feature of rsyslog. They allow to specify any format a user
-might want. They are also used for dynamic file name generation. Every output in rsyslog uses templates - this holds true for files,
-user messages and so on. The database writer expects its template to be a proper
-SQL statement - so this is highly customizable too. You might ask how does all
-of this work when no templates at all are specified. Good question ;) The answer
-is simple, though. Templates compatible with the stock syslogd formats are
-hardcoded into rsyslogd. So if no template is specified, we use one of these
-hardcoded templates. Search for &quot;template_&quot; in syslogd.c and you will find the
+</p><h2>Templates</h2>
+<p>Templates are a key feature of rsyslog. They allow to specify any
+format a user might want. They are also used for dynamic file name
+generation. Every output in rsyslog uses templates - this holds true
+for files, user messages and so on. The database writer expects its
+template to be a proper SQL statement - so this is highly customizable
+too. You might ask how does all of this work when no templates at all
+are specified. Good question ;) The answer is simple, though. Templates
+compatible with the stock syslogd formats are hardcoded into rsyslogd.
+So if no template is specified, we use one of these hardcoded
+templates. Search for "template_" in syslogd.c and you will find the
hardcoded ones.</p>
<p>A template consists of a template directive, a name, the actual template text
and optional options. A sample is:</p>
-<blockquote><code>$template MyTemplateName,&quot;\7Text %property% some more text\n&quot;,&lt;options&gt;</code></blockquote>
-<p>The &quot;$template&quot; is the template directive. It tells rsyslog that this line
-contains a template. &quot;MyTemplateName&quot; is the template name. All
+<blockquote><code>$template MyTemplateName,"\7Text %property% some more text\n",&lt;options&gt;</code></blockquote>
+<p>The "$template" is the template directive. It tells rsyslog that this line
+contains a template. "MyTemplateName" is the template name. All
other config lines refer to this name. The text within quotes is the actual
template text. The backslash is an escape character, much as it is in C. It does
-all these &quot;cool&quot; things. For example, \7 rings the bell (this is an ASCII
+all these "cool" things. For example, \7 rings the bell (this is an ASCII
value), \n is a new line. C programmers and perl coders have the advantage of
knowing this, but the set in rsyslog is a bit restricted currently.
-<p>
+</p><p>
All text in the template is used literally, except for things within percent
signs. These are properties and allow you access to the contents of the syslog
message. Properties are accessed via the property replacer (nice name, huh) and
@@ -193,13 +196,13 @@ SINGLE property, only (and not the whole template).<br>
<br>
Template options are case-insensitive. Currently defined are: </p>
<p><b>sql</b> - format the string suitable for a SQL statement in MySQL format. This will
-replace single quotes (&quot;'&quot;) and the backslash character by their
-backslash-escaped counterpart (&quot;\'&quot; and &quot;\\&quot;) inside each field. Please note
+replace single quotes ("'") and the backslash character by their
+backslash-escaped counterpart ("\'" and "\\") inside each field. Please note
that in MySQL configuration, the <code class="literal">NO_BACKSLASH_ESCAPES</code>
mode must be turned off for this format to work (this is the default).</p>
<p><b>stdsql</b> - format the string suitable for a SQL statement that is to be
sent to a standards-compliant sql server. This will
-replace single quotes (&quot;'&quot;) by two single quotes (&quot;''&quot;) inside each field.
+replace single quotes ("'") by two single quotes ("''") inside each field.
You must use stdsql together with MySQL if in MySQL configuration the
<code class="literal">NO_BACKSLASH_ESCAPES</code> is turned on.</p>
<p>Either the <b>sql</b> or <b>stdsql</b>&nbsp;
@@ -228,7 +231,7 @@ vulnerable to SQL injection. <br>
To escape:<br>
% = \%<br>
\ = \\ --&gt; '\' is used to escape (as in C)<br>
-$template TraditionalFormat,%timegenerated% %HOSTNAME% %syslogtag%%msg%\n&quot;<br>
+$template TraditionalFormat,%timegenerated% %HOSTNAME% %syslogtag%%msg%\n"<br>
<br>
Properties can be accessed by the <a href="property_replacer.html">property replacer</a>
(see there for details).</p>
@@ -236,9 +239,9 @@ Properties can be accessed by the <a href="property_replacer.html">property repl
selector lines with dynamic file names.</b> For example, if you would like to
split syslog messages from different hosts to different files (one per host),
you can define the following template:</p>
-<blockquote><code>$template DynFile,&quot;/var/log/system-%HOSTNAME%.log&quot;</code></blockquote>
+<blockquote><code>$template DynFile,"/var/log/system-%HOSTNAME%.log"</code></blockquote>
<p>This template can then be used when defining an output selector line. It will
-result in something like &quot;/var/log/system-localhost.log&quot;</p>
+result in something like "/var/log/system-localhost.log"</p>
<h2>Output Channels</h2>
<p>Output Channels are a new concept first introduced in rsyslog 0.9.0. <b>As of this
writing, it is most likely that they will be replaced by something different in
@@ -248,7 +251,7 @@ to a later release.<br>
<br>
The idea behind output channel definitions is that it shall provide an umbrella
for any type of output that the user might want. In essence,<br>
-this is the &quot;file&quot; part of selector lines (and this is why we are not sure
+this is the "file" part of selector lines (and this is why we are not sure
output channel syntax will stay after the next review). There is a<br>
difference, though: selector channels both have filter conditions (currently
facility and severity) as well as the output destination. Output channels define
@@ -277,7 +280,7 @@ the current release, setting it 1k lower than you expected is helpful. The
max-size must always be specified in bytes - there are no special symbols (like
1k, 1m,...) at this point of development.<br>
<br>
-Keep in mind that $outchannel just defines a channel with &quot;name&quot;. It does not
+Keep in mind that $outchannel just defines a channel with "name". It does not
activate it. To do so, you must use a selector line (see below). That selector
line includes the channel name plus an $ sign in front of it. A sample might be:<br>
<br>
@@ -297,34 +300,34 @@ been fixed to support files larger 2gb, but obviously only on file systems and
operating system versions that do so. So it can still make sense to enforce a
2gb file size limit.</p>
<h2>Filter Conditions</h2>
-<p>Rsyslog offers two different types &quot;filter conditions&quot;:</p>
+<p>Rsyslog offers two different types "filter conditions":</p>
<ul>
- <li>&quot;traditional&quot; severity and facility based selectors</li>
+ <li>"traditional" severity and facility based selectors</li>
<li>property-based filters</li>
</ul>
<h3>Blocks</h3>
<p>Rsyslogd supports BSD-style blocks inside rsyslog.conf. Each block of lines
is separated from the previous block by a program or hostname specification. A
block will only log messages corresponding to the most recent program and
-hostname specifications given. Thus, a block which selects ‘ppp’ as the program,
-directly followed by a block that selects messages from the hostname ‘dialhost’,
+hostname specifications given. Thus, a block which selects &#8216;ppp&#8217; as the program,
+directly followed by a block that selects messages from the hostname &#8216;dialhost&#8217;,
then the second block will only log messages from the ppp program on dialhost.
</p>
-<p>A program specification is a line beginning with ‘!prog’ and the following
+<p>A program specification is a line beginning with &#8216;!prog&#8217; and the following
blocks will be associated with calls to syslog from that specific program. A
-program specification for ‘foo’ will also match any message logged by the kernel
-with the prefix ‘foo: ’. Alternatively, a program specification ‘-foo’ causes the
+program specification for &#8216;foo&#8217; will also match any message logged by the kernel
+with the prefix &#8216;foo: &#8217;. Alternatively, a program specification &#8216;-foo&#8217; causes the
following blocks to be applied to messages from any program but the one specified.
-A hostname specification of the form ‘+hostname’ and
+A hostname specification of the form &#8216;+hostname&#8217; and
the following blocks will be applied to messages received from the specified
-hostname. Alternatively, a hostname specification ‘-hostname’ causes the
+hostname. Alternatively, a hostname specification &#8216;-hostname&#8217; causes the
following blocks to be applied to messages from any host but the one specified.
-If the hostname is given as ‘@’, the local hostname will be used. (NOT YET
+If the hostname is given as &#8216;@&#8217;, the local hostname will be used. (NOT YET
IMPLEMENTED) A program or hostname specification may be reset by giving the
-program or hostname as ‘*’.</p>
-<p>Please note that the &quot;#!prog&quot;, &quot;#+hostname&quot; and &quot;#-hostname&quot; syntax available
+program or hostname as &#8216;*&#8217;.</p>
+<p>Please note that the "#!prog", "#+hostname" and "#-hostname" syntax available
in BSD syslogd is not supported by rsyslogd. By default, no hostname or program
is set.</p>
<h3>Selectors</h3>
@@ -383,19 +386,19 @@ rsyslogd that it is the new filter type. The colon must be followed by the
property name, a comma, the name of the compare operation to carry out, another
comma and then the value to compare against. This value must be quoted. There
can be spaces and tabs between the commas. Property names and compare operations
-are case-sensitive, so &quot;msg&quot; works, while &quot;MSG&quot; is an invalid property name. In
+are case-sensitive, so "msg" works, while "MSG" is an invalid property name. In
brief, the syntax is as follows:</p>
-<p><code><b>:property, [!]compare-operation, &quot;value&quot;</b></code></p>
+<p><code><b>:property, [!]compare-operation, "value"</b></code></p>
<p>The following <b>compare-operations</b> are currently supported:</p>
-<table border="1" width="100%" id="table1">
- <tr>
+<table id="table1" border="1" width="100%">
+ <tbody><tr>
<td>contains</td>
<td>Checks if the string provided in value is contained in the property.
There must be an exact match, wildcards are not supported.</td>
</tr>
<tr>
<td>isequal</td>
- <td>Compares the &quot;value&quot; string provided and the property contents.
+ <td>Compares the "value" string provided and the property contents.
These two values must be exactly equal to match. The difference to
contains is that contains searches for the value anywhere inside the
property value, whereas all characters must be identical for isequal. As
@@ -405,64 +408,64 @@ brief, the syntax is as follows:</p>
<tr>
<td>startswith</td>
<td>Checks if the value is found exactly at the beginning of the
- property value. For example, if you search for &quot;val&quot; with<p><code><b>:msg,
- startswith, &quot;val&quot;</b></code></p>
- <p>it will be a match if msg contains &quot;values are in this message&quot; but
- it won't match if the msg contains &quot;There are values in this message&quot;
- (in the later case, contains would match). Please note that &quot;startswith&quot;
+ property value. For example, if you search for "val" with<p><code><b>:msg,
+ startswith, "val"</b></code></p>
+ <p>it will be a match if msg contains "values are in this message" but
+ it won't match if the msg contains "There are values in this message"
+ (in the later case, contains would match). Please note that "startswith"
is by far faster than regular expressions. So even once they are
- implemented, it can make very much sense (performance-wise) to use &quot;startswith&quot;.</td>
+ implemented, it can make very much sense (performance-wise) to use "startswith".</p></td>
</tr>
<tr>
<td>regex</td>
<td>Compares the property against the provided regular expression.</td>
</tr>
-</table>
+</tbody></table>
<p>You can use the bang-character (!) immediately in front of a
compare-operation, the outcome of this operation is negated. For example, if msg
-contains &quot;This is an informative message&quot;, the following sample would not match:</p>
-<p><code><b>:msg, contains, &quot;error&quot;</b></code></p>
+contains "This is an informative message", the following sample would not match:</p>
+<p><code><b>:msg, contains, "error"</b></code></p>
<p>but this one matches:</p>
-<p><code><b>:msg, !contains, &quot;error&quot;</b></code></p>
+<p><code><b>:msg, !contains, "error"</b></code></p>
<p>Using negation can be useful if you would like to do some generic processing
but exclude some specific events. You can use the discard action in conjunction
with that. A sample would be:</p>
<p><code><b>*.* /var/log/allmsgs-including-informational.log<br>
-:msg, contains, &quot;informational&quot;&nbsp; <font color="#FF0000" size="4">~</font>
+:msg, contains, "informational"&nbsp; <font color="#ff0000" size="4">~</font>
<br>*.* /var/log/allmsgs-but-informational.log</b></code></p>
<p>Do not overlook the red tilde in line 2! In this sample, all messages are
written to the file allmsgs-including-informational.log. Then, all messages
-containing the string &quot;informational&quot; are discarded. That means the config file
-lines below the &quot;discard line&quot; (number 2 in our sample) will not be applied to
+containing the string "informational" are discarded. That means the config file
+lines below the "discard line" (number 2 in our sample) will not be applied to
this message. Then, all remaining lines will also be written to the file
allmsgs-but-informational.log.</p>
<p><b>Value</b> is a quoted string. It supports some escape sequences:</p>
-<p>\&quot; - the quote character (e.g. &quot;String with \&quot;Quotes\&quot;&quot;)<br>
-\\ - the backslash character (e.g. &quot;C:\\tmp&quot;)</p>
+<p>\" - the quote character (e.g. "String with \"Quotes\"")<br>
+\\ - the backslash character (e.g. "C:\\tmp")</p>
<p>Escape sequences always start with a backslash. Additional escape sequences
might be added in the future. Backslash characters <b>must</b> be escaped. Any
other sequence then those outlined above is invalid and may lead to
unpredictable results.</p>
-<p>Probably, &quot;msg&quot; is the most prominent use case of property based filters. It
+<p>Probably, "msg" is the most prominent use case of property based filters. It
is the actual message text. If you would like to filter based on some message
content (e.g. the presence of a specific code), this can be done easily by:</p>
-<p><code><b>:msg, contains, &quot;ID-4711&quot;</b></code></p>
-<p>This filter will match when the message contains the string &quot;ID-4711&quot;. Please
-note that the comparison is case-sensitive, so it would not match if &quot;id-4711&quot;
+<p><code><b>:msg, contains, "ID-4711"</b></code></p>
+<p>This filter will match when the message contains the string "ID-4711". Please
+note that the comparison is case-sensitive, so it would not match if "id-4711"
would be contained in the message.</p>
<p>Getting property-based filters right can sometimes be challenging. In order
to help you do it with as minimal effort as possible, rsyslogd spits out debug
information for all property-based filters during their evaluation. To enable
-this, run rsyslogd in foreground and specify the &quot;-d&quot; option.</p>
+this, run rsyslogd in foreground and specify the "-d" option.</p>
<p>Boolean operations inside property based filters (like 'message contains
-&quot;ID17&quot; or message contains &quot;ID18&quot;') are currently not supported
-(except for &quot;not&quot; as outlined above). Please note
+"ID17" or message contains "ID18"') are currently not supported
+(except for "not" as outlined above). Please note
that while it is possible to query facility and severity via property-based filters,
it is far more advisable to use classic selectors (see above) for those
cases.</p>
<h2>ACTIONS</h2>
<p>The action field of a rule describes what to do with the message. In general,
-message content is written to a kind of &quot;logfile&quot;. But also other actions might
+message content is written to a kind of "logfile". But also other actions might
be done, like writing to a database table or forwarding to another host.<br>
<br>
Templates can be used with all actions. If used, the specified template is used
@@ -492,7 +495,7 @@ directive compared to the otherwise-equal config directives below:</p>
<p>&nbsp;</p>
<h3>Regular File</h3>
<p>Typically messages are logged to real files. The file has to be specified with
-full pathname, beginning with a slash &quot;/''.<br>
+full pathname, beginning with a slash "/''.<br>
<br>
You may prefix each entry with the minus ``-'' sign to omit syncing the file
after every logging. Note that you might lose information if the system crashes
@@ -501,7 +504,7 @@ performance, especially if you run programs that use
logging in a very verbose manner.</p>
<p>If your system is connected to a reliable UPS and you receive lots of log
data (e.g. firewall logs), it might be a very good idea to turn of
-syncing by specifying the &quot;-&quot; in front of the file name. </p>
+syncing by specifying the "-" in front of the file name. </p>
<p><b>The filename can be either static </b>(always the same) or <b>dynamic</b>
(different based on message received). The later is useful if you would
automatically split messages into different files based on some message
@@ -510,8 +513,8 @@ into different files based on the host that sent them. With dynamic file names,
everything is automatic and you do not need any filters. </p>
<p>It works via the template system. First, you define a template for the file
name. An example can be seen above in the description of template. We will use
-the &quot;DynFile&quot; template defined there. Dynamic filenames are indicated by
-specifying a questions mark &quot;?&quot; instead of a slash, followed by the template
+the "DynFile" template defined there. Dynamic filenames are indicated by
+specifying a questions mark "?" instead of a slash, followed by the template
name. Thus, the selector line for our dynamic file name would look as follows:</p>
<blockquote>
<code>*.* ?DynFile</code>
@@ -551,24 +554,24 @@ all other machines will log remotely to that. This tears down<br>
administration needs.<br>
<br>
<b>Please note that this version of rsyslogd by default does NOT forward messages
-it has received from the network to another host. Specify the &quot;-h&quot; option to enable this.</b></p>
-<p>To forward messages to another host, prepend the hostname with the at sign (&quot;@&quot;).&nbsp;
+it has received from the network to another host. Specify the "-h" option to enable this.</b></p>
+<p>To forward messages to another host, prepend the hostname with the at sign ("@").&nbsp;
A single at sign means that messages will be forwarded via UDP protocol (the
-standard for syslog). If you prepend two at signs (&quot;@@&quot;), the messages will be
+standard for syslog). If you prepend two at signs ("@@"), the messages will be
transmitted via TCP. Please note that plain TCP based syslog is not officially
standardized, but most major syslogds support it (e.g. syslog-ng or WinSyslog).
The forwarding action indicator (at-sign) can be followed by one or more options.
If they are given, they must be immediately (without a space) following the
final at sign and be enclosed in parenthesis. The individual options must be
separated by commas. The following options are right now defined:</p>
-<table border="1" width="100%" id="table2">
- <tr>
+<table id="table2" border="1" width="100%">
+ <tbody><tr>
<td>
- <p align="center"><b>z&lt;number&gt;</b></td>
+ <p align="center"><b>z&lt;number&gt;</b></p></td>
<td>Enable zlib-compression for the message. The &lt;number&gt; is the
compression level. It can be 1 (lowest gain, lowest CPU overhead) to 9 (maximum
compression, highest CPU overhead). The level can also be 0, which means
- &quot;no compression&quot;. If given, the &quot;z&quot; option is ignored. So this does not
+ "no compression". If given, the "z" option is ignored. So this does not
make an awful lot of sense. There is hardly a difference between level 1
and 9 for typical syslog messages. You can expect a compression gain
between 0% and 30% for typical messages. Very chatty messages may
@@ -582,15 +585,15 @@ separated by commas. The following options are right now defined:</p>
receiver CPU cycles for decompression. It also prevents small message to
actually become larger in compressed form.<p><b>Please note that when a
TCP transport is used, compression will also turn on
- syslog-transport-tls framing. See the &quot;o&quot; option for important
+ syslog-transport-tls framing. See the "o" option for important
information on the implications.</b></p>
<p>Compressed messages are automatically detected and decompressed by
the receiver. There is nothing that needs to be configured on the
- receiver side.</td>
+ receiver side.</p></td>
</tr>
<tr>
<td>
- <p align="center"><b>o</b></td>
+ <p align="center"><b>o</b></p></td>
<td><b>This option is experimental. Use at your own risk and only if you
know why you need it! If in doubt, do NOT turn it on.</b><p>This option
is only valid for plain TCP based transports. It selects a different
@@ -611,9 +614,9 @@ separated by commas. The following options are right now defined:</p>
<p>The most important implication is that compressed syslog messages via
TCP must be considered with care. Unfortunately, it is technically
impossible to transfer compressed records over traditional syslog plain
- tcp transports, so you are left with two evil choices...</td>
+ tcp transports, so you are left with two evil choices...</p></td>
</tr>
-</table>
+</tbody></table>
<p><br>
The hostname may be followed by a colon and the destination port.</p>
<p>The following is an example selector line with forwarding:</p>
@@ -628,33 +631,33 @@ compressed.</p>
format, which is the default forwarding template in rsyslog. As such, you will
experience duplicate hostnames if rsyslog is the sender and sysklogd is the
receiver. The fix is simple: you need to use a different template. Use that one:</p>
-<p class="MsoPlainText">$template sysklogd,&quot;&lt;%PRI%&gt;%TIMESTAMP%
-%syslogtag%%msg%\&quot;&quot;<br>
+<p class="MsoPlainText">$template sysklogd,"&lt;%PRI%&gt;%TIMESTAMP%
+%syslogtag%%msg%\""<br>
*.* @192.168.0.1;sysklogd</p>
<h3>List of Users</h3>
<p>Usually critical messages are also directed to ``root'' on that machine. You can
specify a list of users that shall get the message by simply writing the login.
-You may specify more than one user by separating them with commas (&quot;,''). If
+You may specify more than one user by separating them with commas (",''). If
they're logged in they get the message. Don't think a mail would be sent, that
might be too late.</p>
<h3>Everyone logged on</h3>
<p>Emergency messages often go to all users currently online to notify them that
something strange is happening with the system. To specify this wall(1)-feature
-use an asterisk (&quot;*'').</p>
+use an asterisk ("*'').</p>
<h3>Call Plugin</h3>
<p>This is a generic way to call an output plugin. The plugin must support this
functionality. Actual parameters depend on the module, so see the module's doc
on what to supply. The general syntax is as follows:</p>
<p>:modname:params;template</p>
<p>Currently, the ommysql database output module supports this syntax (in
-addtion to the &quot;&gt;&quot; syntax it traditionally supported). For ommysql, the module
-name is &quot;ommysql&quot; and the params are the traditional ones. The ;template part is
+addtion to the "&gt;" syntax it traditionally supported). For ommysql, the module
+name is "ommysql" and the params are the traditional ones. The ;template part is
not module specific, it is generic rsyslog functionality available to all
modules.</p>
<p>As an example, the ommysql module may be called as follows:</p>
<p>:ommysql:dbhost,dbname,dbuser,dbpassword;dbtemplate</p>
-<p>For details, please see the &quot;Database Table&quot; section of this documentation.</p>
-<p>Note: as of this writing, the &quot;:modname:&quot; part is hardcoded into the module.
+<p>For details, please see the "Database Table" section of this documentation.</p>
+<p>Note: as of this writing, the ":modname:" part is hardcoded into the module.
So the name to use is not necessarily the name the module's plugin file is
called.</p>
<h3>Database Table</h3>
@@ -666,7 +669,7 @@ came with the rsyslog package. You can also<br>
use any other schema of your liking - you just need to define a proper template
and assign this template to the action.<br>
<br>
-The database writer is called by specifying a greater-then sign (&quot;&gt;&quot;) in front
+The database writer is called by specifying a greater-then sign ("&gt;") in front
of the database connect information. Immediately after that<br>
sign the database host name must be given, a comma, the database name, another
comma, the database user, a comma and then the user's password. If a specific
@@ -684,7 +687,7 @@ doing at the the beginning of the config file).</p>
<p>If the discard action is carried out, the received message is immediately
discarded. No further processing of it occurs. Discard has primarily been added
to filter out messages before carrying on any further processing. For obvious
-reasons, the results of &quot;discard&quot; are depending on where in the configuration
+reasons, the results of "discard" are depending on where in the configuration
file it is being used. Please note that once a message has been discarded there
is no way to retrieve it in later configuration file lines.</p>
<p>Discard can be highly effective if you want to filter out some annoying
@@ -700,7 +703,7 @@ all...).</p>
<h3>Output Channel</h3>
<p>Binds an output channel definition (see there for details) to this action.
Output channel actions must start with a $-sign, e.g. if you would like to bind
-your output channel definition &quot;mychannel&quot; to the action, use &quot;$mychannel&quot;.
+your output channel definition "mychannel" to the action, use "$mychannel".
Output channels support template definitions like all all other actions.</p>
<h3>Shell Execute</h3>
<p>This executes a program in a subshell. The program is passed the
@@ -721,21 +724,21 @@ terminates. Thus, a program error in it (e.g. an infinite loop) can actually
disable rsyslog. Even without that, during the programs run-time no messages are
processed by rsyslog. As the IP stacks buffers are quickly overflowed, this
bears an increased risk of message loss. You must be aware of these implications.
-Even though they are severe, there are several cases where the &quot;shell execute&quot;
+Even though they are severe, there are several cases where the "shell execute"
action is very useful. This is the reason why we have included it in its current
form. To mitigate its risks, always a) test your program thoroughly, b) make
sure its runtime is as short as possible (if it requires a longer run-time, you
might want to spawn your own sub-shell asynchronously), c) apply proper
firewalling so that only known senders can send syslog messages to rsyslog.
Point c) is especially important: if rsyslog is accepting message from any hosts,
-chances are much higher that an attacker might try to exploit the &quot;shell execute&quot;
+chances are much higher that an attacker might try to exploit the "shell execute"
action.</p>
<h2>TEMPLATE NAME</h2>
<p>Every ACTION can be followed by a template name. If so, that template is used
for message formatting. If no name is given, a hard-coded default template is
used for the action. There can only be one template name for each given action.
The default template is specific to each action. For a description of what a
-template is and what you can do with it, see &quot;TEMPLATES&quot; at the top of this
+template is and what you can do with it, see "TEMPLATES" at the top of this
document.</p>
<h2>EXAMPLES</h2>
<p>Below are example for templates and selector lines. I hope they are
@@ -745,27 +748,27 @@ self-explanatory. If not, please see www.monitorware.com/rsyslog/ for advise.</p
NOT actually be split across multiple lines.<br>
<br>
A template that resembles traditional syslogd file output:<br>
-$template TraditionalFormat,&quot;%timegenerated% %HOSTNAME%<br>
-%syslogtag%%msg:::drop-last-lf%\n&quot;<br>
+$template TraditionalFormat,"%timegenerated% %HOSTNAME%<br>
+%syslogtag%%msg:::drop-last-lf%\n"<br>
<br>
A template that tells you a little more about the message:<br>
-$template precise,&quot;%syslogpriority%,%syslogfacility%,%timegenerated%,%HOSTNAME%,<br>
-%syslogtag%,%msg%\n&quot;<br>
+$template precise,"%syslogpriority%,%syslogfacility%,%timegenerated%,%HOSTNAME%,<br>
+%syslogtag%,%msg%\n"<br>
<br>
A template for RFC 3164 format:<br>
-$template RFC3164fmt,&quot;&lt;%PRI%&gt;%TIMESTAMP% %HOSTNAME% %syslogtag%%msg%&quot;<br>
+$template RFC3164fmt,"&lt;%PRI%&gt;%TIMESTAMP% %HOSTNAME% %syslogtag%%msg%"<br>
<br>
A template for the format traditonally used for user messages:<br>
-$template usermsg,&quot; XXXX%syslogtag%%msg%\n\r&quot;<br>
+$template usermsg," XXXX%syslogtag%%msg%\n\r"<br>
<br>
And a template with the traditonal wall-message format:<br>
-$template wallmsg,&quot;\r\n\7Message from syslogd@%HOSTNAME% at %timegenerated%<br>
+$template wallmsg,"\r\n\7Message from syslogd@%HOSTNAME% at %timegenerated%<br>
<br>
A template that can be used for the database write (please note the SQL<br>
template option)<br>
-$template MySQLInsert,&quot;insert iut, message, receivedat values<br>
+$template MySQLInsert,"insert iut, message, receivedat values<br>
('%iut%', '%msg:::UPPERCASE%', '%timegenerated:::date-mysql%')<br>
-into systemevents\r\n&quot;, SQL<br>
+into systemevents\r\n", SQL<br>
<br>
The following template emulates <a href="http://www.winsyslog.com/en/">WinSyslog</a>
format (it's an <a href="http://www.adiscon.com/en/">Adiscon</a> format, you do
@@ -774,10 +777,10 @@ different parts out of the date stamps. What happens is that the date stamp is
split into the actual date and time and the these two are combined with just a
comma in between them.<br>
<br>
-$template WinSyslogFmt,&quot;%HOSTNAME%,%timegenerated:1:10:date-rfc3339%,<br>
+$template WinSyslogFmt,"%HOSTNAME%,%timegenerated:1:10:date-rfc3339%,<br>
%timegenerated:12:19:date-rfc3339%,%timegenerated:1:10:date-rfc3339%,<br>
%timegenerated:12:19:date-rfc3339%,%syslogfacility%,%syslogpriority%,<br>
-%syslogtag%%msg%\n&quot;</p>
+%syslogtag%%msg%\n"</p>
<h3>SELECTOR LINES</h3>
<p># Store critical stuff in critical<br>
#<br>
@@ -913,13 +916,13 @@ sons. If you would like to do that, it's quite easy:<br>
<br>
*.* &gt;dbhost,dbname,dbuser,dbpassword;dbtemplate<br>
<br>
-This rule writes all message to the database &quot;dbname&quot; hosted on &quot;dbhost&quot;. The
-login is done with user &quot;dbuser&quot; and password &quot;dbpassword&quot;. The actual table
+This rule writes all message to the database "dbname" hosted on "dbhost". The
+login is done with user "dbuser" and password "dbpassword". The actual table
that is updated is specified within the template (which contains the insert
-statement). The template is called &quot;dbtemplate&quot; in this case.</p>
-<p>:msg,contains,&quot;error&quot; @errorServer</p>
-<p>This rule forwards all messages that contain the word &quot;error&quot; in the msg part
-to the server &quot;errorServer&quot;. Forwarding is via UDP. Please note the colon in
+statement). The template is called "dbtemplate" in this case.</p>
+<p>:msg,contains,"error" @errorServer</p>
+<p>This rule forwards all messages that contain the word "error" in the msg part
+to the server "errorServer". Forwarding is via UDP. Please note the colon in
fron</p>
<h2>CONFIGURATION FILE SYNTAX DIFFERENCES</h2>
<p>Rsyslogd uses a slightly different syntax for its configuration file than the
@@ -935,5 +938,4 @@ When compared to syslogd from sysklogd package, rsyslogd offers additional
defining such features is available
in rsyslogd, only.<br>
&nbsp;</p>
-</body>
-</html>
+</body></html> \ No newline at end of file
diff --git a/doc/rsyslog_ng_comparison.html b/doc/rsyslog_ng_comparison.html
index b5ba79df..5662befb 100644
--- a/doc/rsyslog_ng_comparison.html
+++ b/doc/rsyslog_ng_comparison.html
@@ -1,13 +1,10 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html><head>
-<meta http-equiv="Content-Language" content="de"><title>rsyslog vs. syslog-ng - a comparison</title>
-
-</head>
-
+<meta content="de" http-equiv="Content-Language"><title>rsyslog vs. syslog-ng - a comparison</title></head>
<body>
<h1>rsyslog vs. syslog-ng</h1>
<p><small><i>Written by <a href="http://www.gerhards.net/rainer">Rainer Gerhards</a>
-(2008-01-29)</i></small></p>
+(2008-02-15)</i></small></p>
<p>We have often been asked abut a comparison sheet between
rsyslog and syslog-ng. Unfortunately, I do not know much about
syslog-ng, I did not even use it once. Also, there seems to be no
@@ -28,18 +25,6 @@ comparison sheet, so please don't be shy ;)</p>
<td valign="top"><b>syslog-ng</b></td>
</tr>
<tr>
-<td valign="top">native support for <a href="http://www.rsyslog.com/doc-rsyslog_mysql.html">writing
-to MySQL databases</a></td>
-<td valign="top">yes</td>
-<td valign="top">paid edition only</td>
-</tr>
-<tr>
-<td valign="top">native support for writing to
-Postgres databases</td>
-<td valign="top">yes</td>
-<td valign="top">paid edition only</td>
-</tr>
-<tr>
<td valign="top">support for (plain) tcp based syslog</td>
<td valign="top">yes</td>
<td valign="top">yes</td>
@@ -250,16 +235,8 @@ php-syslog-ng</a></td>
<td valign="top">yes</td>
<td valign="top">yes</td>
</tr>
-<tr>
-<td valign="top">native support for Oracle databases</td>
-<td valign="top">no</td>
-<td valign="top">paid edition only</td>
-</tr>
-<tr>
-<td valign="top">native support for SQLite databases</td>
-<td valign="top">no</td>
-<td valign="top">paid edition only</td>
-</tr>
+
+
<tr>
<td valign="top">rate-limiting output actions</td>
<td valign="top">yes</td>
@@ -328,7 +305,23 @@ off...)</td>
<td valign="top">no</td>
<td valign="top">yes</td>
</tr>
-</tbody>
+<tr>
+<td valign="top"><span style="font-weight: bold;">Supported Database Outputs</span></td>
+<td valign="top"></td>
+<td valign="top"></td>
+</tr>
+
+<tr>
+<td valign="top">MySQL</td>
+<td valign="top"><a href="rsyslog_mysql.html">yes</a> (ommysql,&nbsp;<a href="omlibdbi.html">omlibdbi</a>)</td>
+<td valign="top">paid edition only</td>
+</tr>
+<tr>
+<td valign="top">PostgreSQL</td>
+<td valign="top">yes (ompgsql,&nbsp;<a href="omlibdbi.html">omlibdbi</a>)</td>
+<td valign="top">paid edition only</td>
+</tr>
+<tr><td valign="top">Oracle</td><td valign="top">yes (<a href="omlibdbi.html">omlibdbi</a>)</td><td valign="top">paid edition only</td></tr><tr><td valign="top">SQLite</td><td valign="top">yes (<a href="omlibdbi.html">omlibdbi</a>)</td><td valign="top">paid edition only</td></tr><tr><td valign="top">Microsoft SQL (Open TDS)</td><td valign="top">yes (<a href="omlibdbi.html">omlibdbi</a>)</td><td valign="top">no (?)</td></tr><tr><td valign="top">Sybase (Open TDS)</td><td valign="top">yes (<a href="omlibdbi.html">omlibdbi</a>)</td><td valign="top">no (?)</td></tr><tr><td valign="top">Firebird/Interbase</td><td valign="top">yes (<a href="omlibdbi.html">omlibdbi</a>)</td><td valign="top">no (?)</td></tr><tr><td valign="top">Ingres</td><td valign="top">yes (<a href="omlibdbi.html">omlibdbi</a>)</td><td valign="top">no (?)</td></tr><tr><td valign="top">mSQL</td><td valign="top">yes (<a href="omlibdbi.html">omlibdbi</a>)</td><td valign="top">no (?)</td></tr></tbody>
</table>
<p>Based on a discussion I had, I also wrote about the <b>political
argument why it is good to have another strong syslogd besides syslog-ng</b>.
diff --git a/plugins/omlibdbi/omlibdbi.c b/plugins/omlibdbi/omlibdbi.c
index 81c047bd..99e4d4f6 100644
--- a/plugins/omlibdbi/omlibdbi.c
+++ b/plugins/omlibdbi/omlibdbi.c
@@ -53,19 +53,21 @@ MODULE_TYPE_OUTPUT
/* internal structures
*/
DEF_OMOD_STATIC_DATA
+static int bDbiInitialized = 0; /* dbi_initialize() can only be called one - this keeps track of it */
typedef struct _instanceData {
- dbi_conn conn; /* handle to MySQL */
+ dbi_conn conn; /* handle to database */
uchar *drvrName; /* driver to use */
uchar *host; /* host to connect to */
uchar *usrName; /* user name for connect */
uchar *pwd; /* password for connect */
uchar *dbName; /* database to use */
- unsigned uLastDBErrno; /* last errno returned by MySQL or 0 if all is well */
+ unsigned uLastDBErrno; /* last errno returned by libdbi or 0 if all is well */
} instanceData;
/* config settings */
+static uchar *dbiDrvrDir = NULL;/* global: where do the dbi drivers reside? */
static uchar *drvrName = NULL; /* driver to use */
static uchar *host = NULL; /* host to connect to */
static uchar *usrName = NULL; /* user name for connect */
@@ -115,7 +117,7 @@ ENDdbgPrintInstInfo
/* log a database error with descriptive message.
- * We check if we have a valid MySQL handle. If not, we simply
+ * We check if we have a valid database handle. If not, we simply
* report an error, but can not be specific. RGerhards, 2007-01-30
*/
static void
@@ -136,7 +138,7 @@ reportDBError(instanceData *pData, int bSilent)
uDBErrno = dbi_conn_error(pData->conn, &pszDbiErr);
snprintf(errMsg, sizeof(errMsg)/sizeof(char), "db error (%d): %s\n", uDBErrno, pszDbiErr);
if(bSilent || uDBErrno == pData->uLastDBErrno)
- dbgprintf("mysql, DBError(silent): %s\n", errMsg);
+ dbgprintf("libdbi, DBError(silent): %s\n", errMsg);
else {
pData->uLastDBErrno = uDBErrno;
logerror(errMsg);
@@ -157,11 +159,17 @@ static rsRetVal initConn(instanceData *pData, int bSilent)
ASSERT(pData != NULL);
ASSERT(pData->conn == NULL);
- // TODO: add config setting for driver directory
- iDrvrsLoaded = dbi_initialize(NULL);
- if(iDrvrsLoaded == 0) {
- logerror("libdbi error: libdbi or libdbi drivers not present on this system - suspending.");
- ABORT_FINALIZE(RS_RET_SUSPENDED);
+ if(bDbiInitialized == 0) {
+ /* we need to init libdbi first */
+ iDrvrsLoaded = dbi_initialize((char*) dbiDrvrDir);
+ if(iDrvrsLoaded == 0) {
+ logerror("libdbi error: libdbi or libdbi drivers not present on this system - suspending.");
+ ABORT_FINALIZE(RS_RET_SUSPENDED);
+ } else if(iDrvrsLoaded < 0) {
+ logerror("libdbi error: libdbi could not be initialized - suspending.");
+ ABORT_FINALIZE(RS_RET_SUSPENDED);
+ }
+ bDbiInitialized = 1; /* we are done for the rest of our existence... */
}
pData->conn = dbi_conn_new((char*)pData->drvrName);
@@ -188,7 +196,7 @@ finalize_it:
/* The following function writes the current log entry
- * to an established MySQL session.
+ * to an established database connection.
*/
rsRetVal writeDB(uchar *psz, instanceData *pData)
{
@@ -255,15 +263,25 @@ CODE_STD_STRING_REQUESTparseSelectorAct(1)
CHKiRet(createInstance(&pData));
/* no create the instance based on what we currently have */
+ if(drvrName == NULL) {
+ logerror("omlibdbi: no db driver name given - action can not be created");
+ ABORT_FINALIZE(RS_RET_NO_DRIVERNAME);
+ }
+
if((pData->drvrName = (uchar*) strdup((char*)drvrName)) == NULL) ABORT_FINALIZE(RS_RET_OUT_OF_MEMORY);
- if((pData->host = (uchar*) strdup((char*)host)) == NULL) ABORT_FINALIZE(RS_RET_OUT_OF_MEMORY);
- if((pData->usrName = (uchar*) strdup((char*)usrName)) == NULL) ABORT_FINALIZE(RS_RET_OUT_OF_MEMORY);
- if((pData->dbName = (uchar*) strdup((char*)dbName)) == NULL) ABORT_FINALIZE(RS_RET_OUT_OF_MEMORY);
- if(pData->pwd != NULL)
- if((pData->pwd = (uchar*) strdup((char*)"")) == NULL) ABORT_FINALIZE(RS_RET_OUT_OF_MEMORY);
+ /* NULL values are supported because drivers have different needs.
+ * They will err out on connect. -- rgerhards, 2008-02-15
+ */
+ if(host != NULL)
+ if((pData->host = (uchar*) strdup((char*)host)) == NULL) ABORT_FINALIZE(RS_RET_OUT_OF_MEMORY);
+ if(usrName != NULL)
+ if((pData->usrName = (uchar*) strdup((char*)usrName)) == NULL) ABORT_FINALIZE(RS_RET_OUT_OF_MEMORY);
+ if(dbName != NULL)
+ if((pData->dbName = (uchar*) strdup((char*)dbName)) == NULL) ABORT_FINALIZE(RS_RET_OUT_OF_MEMORY);
+ if(pwd != NULL)
+ if((pData->pwd = (uchar*) strdup((char*)"")) == NULL) ABORT_FINALIZE(RS_RET_OUT_OF_MEMORY);
CHKiRet(cflineParseTemplateName(&p, *ppOMSR, 0, OMSR_RQD_TPL_OPT_SQL, (uchar*) " StdDBFmt"));
-RUNLOG;
CODE_STD_FINALIZERparseSelectorAct
ENDparseSelectorAct
@@ -271,6 +289,10 @@ ENDparseSelectorAct
BEGINmodExit
CODESTARTmodExit
+ /* if we initialized libdbi, we now need to cleanup */
+ if(bDbiInitialized) {
+ dbi_shutdown();
+ }
ENDmodExit
@@ -286,6 +308,11 @@ static rsRetVal resetConfigVariables(uchar __attribute__((unused)) *pp, void __a
{
DEFiRet;
+ if(dbiDrvrDir != NULL) {
+ free(dbiDrvrDir);
+ dbiDrvrDir = NULL;
+ }
+
if(drvrName != NULL) {
free(drvrName);
drvrName = NULL;
@@ -319,6 +346,7 @@ BEGINmodInit()
CODESTARTmodInit
*ipIFVersProvided = 1; /* so far, we only support the initial definition */
CODEmodInit_QueryRegCFSLineHdlr
+ CHKiRet(omsdRegCFSLineHdlr( (uchar *)"actionlibdbidriverdirectory", 0, eCmdHdlrGetWord, NULL, &dbiDrvrDir, STD_LOADABLE_MODULE_ID));
CHKiRet(omsdRegCFSLineHdlr( (uchar *)"actionlibdbidriver", 0, eCmdHdlrGetWord, NULL, &drvrName, STD_LOADABLE_MODULE_ID));
CHKiRet(omsdRegCFSLineHdlr( (uchar *)"actionlibdbihost", 0, eCmdHdlrGetWord, NULL, &host, STD_LOADABLE_MODULE_ID));
CHKiRet(omsdRegCFSLineHdlr( (uchar *)"actionlibdbiusername", 0, eCmdHdlrGetWord, NULL, &usrName, STD_LOADABLE_MODULE_ID));
diff --git a/rsyslog.h b/rsyslog.h
index cdea4091..53c1579d 100644
--- a/rsyslog.h
+++ b/rsyslog.h
@@ -122,6 +122,7 @@ enum rsRetVal_ /** return value. All methods return this if not specified oth
RS_RET_CONFIG_ERROR = -2046, /**< there is a problem with the user-provided config settigs */
RS_RET_OUT_OF_DESRIPTORS = -2047, /**< a descriptor table's space has been exhausted */
RS_RET_NO_DRIVERS = -2048, /**< a required drivers missing */
+ RS_RET_NO_DRIVERNAME = -2049, /**< driver name missing where one was required */
RS_RET_OK_DELETE_LISTENTRY = 1, /**< operation successful, but callee requested the deletion of an entry (special state) */
RS_RET_TERMINATE_NOW = 2, /**< operation successful, function is requested to terminate (mostly used with threads) */
RS_RET_NO_RUN = 3, /**< operation successful, but function does not like to be executed */
diff --git a/syslogd.c b/syslogd.c
index e8776d65..71378f6e 100644
--- a/syslogd.c
+++ b/syslogd.c
@@ -3753,7 +3753,6 @@ rsRetVal addAction(action_t **ppAction, modInfo_t *pMod, void *pModData, omodStr
* does not request any templates. This sounds unlikely, but an actual example is
* the discard action, which does not require a string. -- rgerhards, 2007-07-30
*/
-RUNLOG_VAR("%d", pAction->iNumTpls);
if(pAction->iNumTpls > 0) {
/* we first need to create the template pointer array */
if((pAction->ppTpl = calloc(pAction->iNumTpls, sizeof(struct template *))) == NULL) {
@@ -3767,7 +3766,6 @@ RUNLOG_VAR("%d", pAction->iNumTpls);
* template (Hint: templates MUST be defined before they are
* used!)
*/
-RUNLOG_VAR("%s", pTplName);
if((pAction->ppTpl[i] = tplFind((char*)pTplName, strlen((char*)pTplName))) == NULL) {
snprintf(errMsg, sizeof(errMsg) / sizeof(char),
" Could not find template '%s' - action disabled\n",
diff --git a/wtp.c b/wtp.c
index 65d2ce71..fa43066e 100644
--- a/wtp.c
+++ b/wtp.c
@@ -376,7 +376,6 @@ wtpWrkrExecCancelCleanup(void *arg)
BEGINfunc
ISOBJ_TYPE_assert(pThis, wtp);
pThis->iCurNumWrkThrd--;
-RUNLOG_VAR("%d", pThis->iCurNumWrkThrd);
wtpSignalWrkrTermination(pThis);
dbgprintf("%s: thread CANCELED with %d workers running.\n", wtpGetDbgHdr(pThis), pThis->iCurNumWrkThrd);
@@ -431,7 +430,6 @@ wtpWorker(void *arg) /* the arg is actually a wti object, even though we are in
pthread_cleanup_pop(0);
pThis->iCurNumWrkThrd--;
-RUNLOG_VAR("%d", pThis->iCurNumWrkThrd);
wtpSignalWrkrTermination(pThis);
dbgprintf("%s: Worker thread %lx, terminated, num workers now %d\n",