summaryrefslogtreecommitdiffstats
path: root/doc
diff options
context:
space:
mode:
authorRainer Gerhards <rgerhards@adiscon.com>2008-11-18 11:40:23 +0100
committerRainer Gerhards <rgerhards@adiscon.com>2008-11-18 11:40:23 +0100
commita5417f16044d7d56dbceeea09e25ba3e8c47cc01 (patch)
treede086d9f0baa496f3743b39e4c49b05edab1a303 /doc
parentba201a941435bc5fec2c333155e1a8e16c4a9c05 (diff)
parent704a1145d64532df36624a3c9850b0c86f38f76f (diff)
downloadrsyslog-a5417f16044d7d56dbceeea09e25ba3e8c47cc01.tar.gz
rsyslog-a5417f16044d7d56dbceeea09e25ba3e8c47cc01.tar.xz
rsyslog-a5417f16044d7d56dbceeea09e25ba3e8c47cc01.zip
Merge branch 'nextmaster'
Diffstat (limited to 'doc')
-rw-r--r--doc/Makefile.am8
-rw-r--r--doc/expression.html3
-rw-r--r--doc/features.html13
-rw-r--r--doc/im3195.html2
-rw-r--r--doc/imfile.html2
-rw-r--r--doc/imgssapi.html2
-rw-r--r--doc/imklog.html2
-rw-r--r--doc/imrelp.html2
-rw-r--r--doc/imtcp.html2
-rw-r--r--doc/imuxsock.html2
-rw-r--r--doc/log_rotation_fix_size.html10
-rw-r--r--doc/manual.html3
-rw-r--r--doc/netstream.html4
-rw-r--r--doc/omlibdbi.html2
-rw-r--r--doc/ommail.html3
-rw-r--r--doc/ommysql.html2
-rw-r--r--doc/omrelp.html4
-rw-r--r--doc/omsnmp.html1
-rw-r--r--doc/professional_support.html26
-rw-r--r--doc/property_replacer.html20
-rw-r--r--doc/queues.html16
-rw-r--r--doc/rsconf1_actionexeconlywhenpreviousissuspended.html2
-rw-r--r--doc/rsconf1_actionresumeinterval.html4
-rw-r--r--doc/rsconf1_allowedsender.html2
-rw-r--r--doc/rsconf1_controlcharacterescapeprefix.html2
-rw-r--r--doc/rsconf1_debugprintcfsyslinehandlerlist.html4
-rw-r--r--doc/rsconf1_debugprintmodulelist.html3
-rw-r--r--doc/rsconf1_debugprinttemplatelist.html4
-rw-r--r--doc/rsconf1_dircreatemode.html4
-rw-r--r--doc/rsconf1_dirgroup.html4
-rw-r--r--doc/rsconf1_dirowner.html4
-rw-r--r--doc/rsconf1_dropmsgswithmaliciousdnsptrrecords.html4
-rw-r--r--doc/rsconf1_droptrailinglfonreception.html2
-rw-r--r--doc/rsconf1_dynafilecachesize.html4
-rw-r--r--doc/rsconf1_escapecontrolcharactersonreceive.html2
-rw-r--r--doc/rsconf1_failonchownfailure.html4
-rw-r--r--doc/rsconf1_filecreatemode.html2
-rw-r--r--doc/rsconf1_filegroup.html4
-rw-r--r--doc/rsconf1_fileowner.html4
-rw-r--r--doc/rsconf1_gssforwardservicename.html2
-rw-r--r--doc/rsconf1_gsslistenservicename.html2
-rw-r--r--doc/rsconf1_gssmode.html2
-rw-r--r--doc/rsconf1_includeconfig.html4
-rw-r--r--doc/rsconf1_mainmsgqueuesize.html2
-rw-r--r--doc/rsconf1_markmessageperiod.html4
-rw-r--r--doc/rsconf1_moddir.html4
-rw-r--r--doc/rsconf1_modload.html2
-rw-r--r--doc/rsconf1_repeatedmsgreduction.html4
-rw-r--r--doc/rsconf1_resetconfigvariables.html4
-rw-r--r--doc/rsconf1_umask.html4
-rw-r--r--doc/rsyslog_conf.html1225
-rw-r--r--doc/rsyslog_conf_actions.html336
-rw-r--r--doc/rsyslog_conf_examples.html209
-rw-r--r--doc/rsyslog_conf_filter.html280
-rw-r--r--doc/rsyslog_conf_global.html227
-rw-r--r--doc/rsyslog_conf_modules.html53
-rw-r--r--doc/rsyslog_conf_nomatch.html48
-rw-r--r--doc/rsyslog_conf_output.html81
-rw-r--r--doc/rsyslog_conf_templates.html150
-rw-r--r--doc/rsyslog_high_database_rate.html9
-rw-r--r--doc/rsyslog_mysql.html11
-rw-r--r--doc/rsyslog_ng_comparison.html10
-rw-r--r--doc/rsyslog_stunnel.html11
-rw-r--r--doc/rsyslog_tls.html10
-rw-r--r--doc/syslog_protocol.html9
65 files changed, 1653 insertions, 1238 deletions
diff --git a/doc/Makefile.am b/doc/Makefile.am
index 22d368e0..5c2f5313 100644
--- a/doc/Makefile.am
+++ b/doc/Makefile.am
@@ -98,6 +98,14 @@ html_files = \
omrelp.html \
status.html \
troubleshoot.html \
+ rsyslog_conf_actions.html \
+ rsyslog_conf_examples.html \
+ rsyslog_conf_filter.html \
+ rsyslog_conf_global.html \
+ rsyslog_conf_modules.html \
+ rsyslog_conf_output.html \
+ rsyslog_conf_templates.html \
+ rsyslog_conf_nomatch.html \
src/classes.dia
EXTRA_DIST = $(html_files)
diff --git a/doc/expression.html b/doc/expression.html
index e7eb7842..9e37cb7a 100644
--- a/doc/expression.html
+++ b/doc/expression.html
@@ -2,6 +2,7 @@
<html><head>
<meta http-equiv="Content-Language" content="en"><title>Expressions</title></head>
<body>
+<a href="rsyslog_conf_filter.html">back</a>
<h1>Expressions</h1>
<p>Rsyslog supports expressions at a growing number of places. So
far, they are supported for filtering messages.</p><p>Expression support is provided by RainerScript. For now, please see the formal expression definition in <a href="rainerscript.html">RainerScript ABNF</a>. It is the "expr" node.</p><p>C-like comments (/* some comment */) are supported <span style="font-weight: bold;">inside</span> the expression, but not yet in the rest of the configuration file.</p><p>[<a href="rsyslog_conf.html">rsyslog.conf overview</a>]
@@ -13,4 +14,4 @@ Copyright © 2008 by <a href="http://www.gerhards.net/rainer">Rainer
Gerhards</a> and
<a href="http://www.adiscon.com/">Adiscon</a>.
Released under the GNU GPL version 3 or higher.</font></p>
-</body></html> \ No newline at end of file
+</body></html>
diff --git a/doc/features.html b/doc/features.html
index d221eb77..89796a41 100644
--- a/doc/features.html
+++ b/doc/features.html
@@ -1,8 +1,8 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html><head><title>rsyslog features</title>
-
</head>
<body>
+<a href="rsyslog_conf.html">back</a>
<h1>RSyslog - Features</h1>
<p><b>This page lists both current features as well as
those being considered for future versions of rsyslog.</b> If you
@@ -134,4 +134,15 @@ future of RFC 3195 in rsyslog</a>.</li>
<p>To see when each feature was added, see the
<a href="http://www.rsyslog.com/Topic4.phtml">rsyslog
change log</a> (online only).</p>
+
+<p>[<a href="manual.html">manual index</a>]
+[<a href="rsyslog_conf.html">rsyslog.conf</a>]
+[<a href="http://www.rsyslog.com/">rsyslog site</a>]</p>
+<p><font size="2">This documentation is part of the
+<a href="http://www.rsyslog.com/">rsyslog</a> project.<br>
+Copyright &copy; 2008 by <a href="http://www.gerhards.net/rainer">Rainer Gerhards</a> and
+<a href="http://www.adiscon.com/">Adiscon</a>. Released under the GNU GPL
+version 2 or higher.</font></p>
+
</body></html>
+
diff --git a/doc/im3195.html b/doc/im3195.html
index d6f2f2ed..aad9f3d1 100644
--- a/doc/im3195.html
+++ b/doc/im3195.html
@@ -4,6 +4,8 @@
</head>
<body>
+<a href="rsyslog_conf_modules.html">back</a>
+
<h1>RFC3195 Input Module</h1>
<p><b>Module Name:&nbsp;&nbsp;&nbsp; im3195</b></p>
<p><b>Author: </b>Rainer Gerhards
diff --git a/doc/imfile.html b/doc/imfile.html
index 5bdbce5c..af0413dd 100644
--- a/doc/imfile.html
+++ b/doc/imfile.html
@@ -2,6 +2,8 @@
<html><head>
<meta http-equiv="Content-Language" content="en"><title>Text File Input Monitor</title></head>
<body>
+<a href="rsyslog_conf_modules.html">back</a>
+
<h1>Text File Input Module</h1>
<p><b>Module Name:&nbsp;&nbsp;&nbsp; imfile</b></p>
<p><b>Author: </b>Rainer Gerhards
diff --git a/doc/imgssapi.html b/doc/imgssapi.html
index d644303e..ec183fe7 100644
--- a/doc/imgssapi.html
+++ b/doc/imgssapi.html
@@ -4,6 +4,8 @@
</head>
<body>
+<a href="rsyslog_conf_modules.html">back</a>
+
<h1>GSSAPI Syslog Input Module</h1>
<p><b>Module Name:&nbsp;&nbsp;&nbsp; imgssapi</b></p>
<p><b>Author: </b>varmojfekoj</p>
diff --git a/doc/imklog.html b/doc/imklog.html
index b5b21e84..9166bae6 100644
--- a/doc/imklog.html
+++ b/doc/imklog.html
@@ -4,6 +4,8 @@
</head>
<body>
+<a href="rsyslog_conf_modules.html">back</a>
+
<h1>Kernel Log Input Module</h1>
<p><b>Module Name:&nbsp;&nbsp;&nbsp; imklog</b></p>
<p><b>Author: </b>Rainer Gerhards
diff --git a/doc/imrelp.html b/doc/imrelp.html
index bfdaad84..53826ac2 100644
--- a/doc/imrelp.html
+++ b/doc/imrelp.html
@@ -4,6 +4,8 @@
</head>
<body>
+<a href="rsyslog_conf_modules.html">back</a>
+
<h1>RELP Input Module</h1>
<p><b>Module Name:&nbsp;&nbsp;&nbsp; imrelp</b></p>
<p><b>Author: Rainer Gerhards</b></p>
diff --git a/doc/imtcp.html b/doc/imtcp.html
index ecc72748..583cd531 100644
--- a/doc/imtcp.html
+++ b/doc/imtcp.html
@@ -2,6 +2,8 @@
<html><head>
<meta http-equiv="Content-Language" content="en"><title>TCP Syslog Input Module</title></head>
<body>
+<a href="rsyslog_conf_modules.html">back</a>
+
<h1>TCP Syslog Input Module</h1>
<p><b>Module Name:&nbsp;&nbsp;&nbsp; imtcp</b></p>
<p><b>Author: </b>Rainer Gerhards
diff --git a/doc/imuxsock.html b/doc/imuxsock.html
index 77491992..472470a0 100644
--- a/doc/imuxsock.html
+++ b/doc/imuxsock.html
@@ -4,6 +4,8 @@
<title>Unix Socket Input</title>
</head>
<body>
+<a href="rsyslog_conf_modules.html">back</a>
+
<h1>Unix Socket Input</h1>
<p><b>Module Name:&nbsp;&nbsp;&nbsp; imuxsock</b></p>
<p><b>Author: </b>Rainer Gerhards
diff --git a/doc/log_rotation_fix_size.html b/doc/log_rotation_fix_size.html
index 0b9a3b2e..190b24cb 100644
--- a/doc/log_rotation_fix_size.html
+++ b/doc/log_rotation_fix_size.html
@@ -3,6 +3,8 @@
<meta name="KEYWORDS" content="log rotation, howto, guide, fixed-size log">
</head>
<body>
+<a href="rsyslog_conf_output.html">back</a>
+
<h1>Log rotation with rsyslog</h1>
<P><small><i>Written by
Michael Meckelein</i></small></P>
@@ -54,6 +56,14 @@ file and fill it up with new logs. So the latest logs are always in log_roatatio
<p>With this approach two files for logging are used, each with a maximum size of 50 MB. So
we can say we have successfully configured a log rotation which satisfies our requirement.
We keep the logs at a fixed-size level of100 MB.</p>
+<p>[<a href="manual.html">manual index</a>]
+[<a href="rsyslog_conf.html">rsyslog.conf</a>]
+[<a href="http://www.rsyslog.com/">rsyslog site</a>]</p>
+<p><font size="2">This documentation is part of the
+<a href="http://www.rsyslog.com/">rsyslog</a> project.<br>
+Copyright &copy; 2008 by <a href="http://www.gerhards.net/rainer">Rainer Gerhards</a> and
+<a href="http://www.adiscon.com/">Adiscon</a>. Released under the GNU GPL
+version 2 or higher.</font></p>
</body>
</html>
diff --git a/doc/manual.html b/doc/manual.html
index 884c43c0..1d09d460 100644
--- a/doc/manual.html
+++ b/doc/manual.html
@@ -16,7 +16,7 @@ relay chains while at the same time being very easy to setup for the
novice user. And as we know what enterprise users really need, there is
also <a href="professional_support.html">professional
rsyslog support</a> available directly from the source!</p>
-<p><b>This documentation is for version 3.21.6 (devel branch) of rsyslog.</b>
+<p><b>This documentation is for version 4.1.0 (devel branch) of rsyslog.</b>
Visit the <i> <a href="http://www.rsyslog.com/doc-status.html">rsyslog status page</a></i></b> to obtain current
version information and project status.
</p><p><b>If you like rsyslog, you might
@@ -33,6 +33,7 @@ the links below for the</b><br></p><ul>
<li><a href="troubleshoot.html">troubleshooting rsyslog problems</a></li>
<li><a href="rsyslog_conf.html">configuration file syntax (rsyslog.conf)</a></li>
+<li><a href="/tool-regex">a regular expression checker/generator tool for rsyslog</a></li>
<li> <a href="property_replacer.html">property replacer, an important core component</a></li>
<li>a commented <a href="sample.conf.html">sample rsyslog.conf</a></li>
<li><a href="bugs.html">rsyslog bug list</a></li>
diff --git a/doc/netstream.html b/doc/netstream.html
index e7d54c12..cbfa12ae 100644
--- a/doc/netstream.html
+++ b/doc/netstream.html
@@ -3,6 +3,8 @@
</head>
<body>
+<a href="rsyslog_conf_global.html">back</a>
+
<h1>Network Stream Drivers</h1><p>Network stream drivers are a layer
between various parts of rsyslogd (e.g. the imtcp module) and the
transport layer. They provide sequenced delivery, authentication and
@@ -18,4 +20,4 @@ Copyright © 2008 by <a href="http://www.gerhards.net/rainer">Rainer
Gerhards</a> and
<a href="http://www.adiscon.com/">Adiscon</a>.
Released under the GNU GPL version 3 or higher.</font></p>
-</body></html> \ No newline at end of file
+</body></html>
diff --git a/doc/omlibdbi.html b/doc/omlibdbi.html
index 8ff74371..ec1d01b6 100644
--- a/doc/omlibdbi.html
+++ b/doc/omlibdbi.html
@@ -4,6 +4,8 @@
</head>
<body>
+<a href="rsyslog_conf_modules.html">back</a>
+
<h1>Generic Database Output Module (omlibdbi)</h1>
<p><b>Module Name:&nbsp;&nbsp;&nbsp; omlibdbi</b></p>
<p><b>Author: </b>Rainer Gerhards
diff --git a/doc/ommail.html b/doc/ommail.html
index c18cf3f8..0841dc9f 100644
--- a/doc/ommail.html
+++ b/doc/ommail.html
@@ -1,6 +1,6 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html><head><title>mail output module - sending syslog messages via mail</title>
-
+<a href="features.html">back</a>
</head>
<body>
<h1>Mail Output Module (ommail)</h1>
@@ -142,4 +142,5 @@ Copyright &copy; 2008 by <a href="http://www.gerhards.net/rainer">Rainer
Gerhards</a> and
<a href="http://www.adiscon.com/">Adiscon</a>.
Released under the GNU GPL version 3 or higher.</font></p>
+
</body></html>
diff --git a/doc/ommysql.html b/doc/ommysql.html
index 79d913eb..7a3f5930 100644
--- a/doc/ommysql.html
+++ b/doc/ommysql.html
@@ -5,6 +5,8 @@
</head>
<body>
+<a href="rsyslog_conf_modules.html">back</a>
+
<h1>MySQL Database Output Module</h1>
<p><b>Module Name:&nbsp;&nbsp;&nbsp; ommysql</b></p>
<p><b>Author: </b>Michael Meckelein (Initial Author) / Rainer Gerhards
diff --git a/doc/omrelp.html b/doc/omrelp.html
index 0952cc71..82a62afc 100644
--- a/doc/omrelp.html
+++ b/doc/omrelp.html
@@ -4,6 +4,8 @@
</head>
<body>
+<a href="rsyslog_conf_modules.html">back</a>
+
<h1>RELP Output Module (omlibdbi)</h1>
<p><b>Module Name:&nbsp;&nbsp;&nbsp; omrelp</b></p>
<p><b>Author: </b>Rainer Gerhards
@@ -51,4 +53,4 @@ Copyright © 2008 by <a href="http://www.gerhards.net/rainer">Rainer
Gerhards</a> and
<a href="http://www.adiscon.com/">Adiscon</a>.
Released under the GNU GPL version 3 or higher.</font></p>
-</body></html> \ No newline at end of file
+</body></html>
diff --git a/doc/omsnmp.html b/doc/omsnmp.html
index 31aaef24..b38a594f 100644
--- a/doc/omsnmp.html
+++ b/doc/omsnmp.html
@@ -4,6 +4,7 @@
<title>SNMP Output Module</title></head>
<body>
+<a href="rsyslog_conf_modules.html">back</a>
<h1>SNMP Output Module</h1>
<p><b>Module Name:&nbsp;&nbsp;&nbsp; omsnmp</b></p>
diff --git a/doc/professional_support.html b/doc/professional_support.html
index 2cb6c1e1..7724ede8 100644
--- a/doc/professional_support.html
+++ b/doc/professional_support.html
@@ -49,6 +49,30 @@ configuration file, but will place easy to read comments in the places
where you need to put them in. The agreement is governed under German
law. You may also purchase this service if you would like to have your
own configuration file reviewed, e.g. for auditing purposes.</p>
+<h3>Local Installation Support</h3>
+<p>If you intend to install rsyslog on your system but would like
+to do so with minimal effort and according to your specification, you
+can ask us to perform the installation for you. You get a perfect
+installation, exactly like you needed, but without a need to
+touch the system. This is a perfect choice for the busy administrator!
+<p>In order to perform this work, we just need ssh access to your
+system and the proper permissions.
+<p>We charge a low one-time fee for this service. For details, please
+contact <a href="mailto:info@adiscon.com">info@adiscon.com</a>.
+<h3>Local Installation Maintenance</h3>
+<p>If you used our services to set up the system, why not keep it
+running perfectly with maintenance support? Under this contract, we
+assure you run a recent build that does not interfere with your
+environment and we even carry out change requests you may have. So this
+is a hassle-free, everything cared about solution.
+<p>Again, all we need to have is ssh access and the proper permissions
+to your machine. Of course, work will only be carried out when you
+expect us to do so. You are always in control of what happens. This
+is a perfect outsourcing solution for those who would like to run
+a great logging system but can not afford the time to keep it
+in perfect shape!
+<p>We charge a low monthly fee for this service. For details, please
+contact <a href="mailto:info@adiscon.com">info@adiscon.com</a>.
<h3>Custom Development</h3>
<p>Do you need an exotic feature that otherwise would not be implemented?
Do you need something really quick, quicker than it is available via
@@ -85,4 +109,4 @@ Copyright&nbsp;© 2008 by <a href="http://www.gerhards.net/rainer">Rainer
Gerhards</a> and
<a href="http://www.adiscon.com/">Adiscon</a>.
Released under the GNU GPL version 3 or higher.</font></p>
-</body></html> \ No newline at end of file
+</body></html>
diff --git a/doc/property_replacer.html b/doc/property_replacer.html
index f666fb76..9ea41aed 100644
--- a/doc/property_replacer.html
+++ b/doc/property_replacer.html
@@ -1,6 +1,7 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html><head><title>The Rsyslogd Property Replacer</title></head>
<body>
+<a href="rsyslog_conf_templates.html">back</a>
<h1>The Property Replacer</h1>
<p><b>The property replacer is a core component in
rsyslogd's output system.</b> A syslog message has a number of
@@ -228,7 +229,7 @@ sequence with a regular expression is: "%msg:R:.*Sev:. \(.*\)
\[.*--end%"</p>
<p>It is possible to specify some parametes after the "R". These are
comma-separated. They are:
-<p>R,&lt;regexp-type&gt;,&lt;submatch&gt;,&lt;nomatch&gt;,&lt;match-number&gt;
+<p>R,&lt;regexp-type&gt;,&lt;submatch&gt;,&lt;<a href="rsyslog_conf_nomatch.html">nomatch</a>&gt;,&lt;match-number&gt;
<p>regexp-type is either "BRE" for Posix basic regular expressions or
"ERE" for extended ones. The string must be given in upper case. The
default is "BRE" to be consistent with earlier versions of rsyslog that
@@ -240,12 +241,8 @@ that the first match is number 0, the second 1 and so on. Up to 10 matches
(up to number 9) are supported. Please note that it would be more
natural to have the match-number in front of submatch, but this would break
backward-compatibility. So the match-number must be specified after "nomatch".
-<p>nomatch is either "DFLT", "BLANK" or "FIELD" (all upper case!). It tells
-what to use if no match is found. With "DFLT", the strig "**NO MATCH**" is
-used. This was the only supported value up to rsyslog 3.19.5. With "BLANK"
-a blank text is used (""). Finally, "FIELD" uses the full property text
-instead of the expression. Some folks have requested that, so it seems
-to be useful.
+<p><a href="rsyslog_conf_nomatch.html">nomatch</a> specifies what should
+be used in case no match is found.
<p>The following is a sample of an ERE expression that takes the first
submatch from the message string and replaces the expression with
the full field if no match is found:
@@ -398,4 +395,13 @@ to record severity and facility of a message)</li>
<li><a href="rsyslog_conf.html">Configuration file
syntax</a>, this is where you actually use the property replacer.</li>
</ul>
+<p>[<a href="manual.html">manual index</a>]
+[<a href="rsyslog_conf.html">rsyslog.conf</a>]
+[<a href="http://www.rsyslog.com/">rsyslog site</a>]</p>
+<p><font size="2">This documentation is part of the
+<a href="http://www.rsyslog.com/">rsyslog</a> project.<br>
+Copyright &copy; 2008 by <a href="http://www.gerhards.net/rainer">Rainer Gerhards</a> and
+<a href="http://www.adiscon.com/">Adiscon</a>. Released under the GNU GPL
+version 2 or higher.</font></p>
+
</body></html>
diff --git a/doc/queues.html b/doc/queues.html
index a2074d36..727bc26a 100644
--- a/doc/queues.html
+++ b/doc/queues.html
@@ -3,6 +3,7 @@
<meta http-equiv="Content-Language" content="de">
<title>Understanding rsyslog queues</title></head>
<body>
+<a href="rsyslog_conf_global.html">back</a>
<h1>Understanding rsyslog Queues</h1>
<p>Rsyslog uses queues whenever two activities need to be loosely coupled. With a
@@ -219,11 +220,12 @@ parall. Thus, the upper limit ca be set via "<i>$&lt;object&gt;QueueWorkerThread
If it, for example, is set to four, no more than four workers will ever be
started, no matter how many elements are enqueued. </p>
<p>Worker threads that have been started are kept running until an inactivity
-timeout happens. The timeout can be set via "<i>$&lt;object&gt;QueueWorkerTimeoutShutdown</i>"
+timeout happens. The timeout can be set via "<i>$&lt;object&gt;QueueWorkerTimeoutThreadShutdown</i>"
and is specified in milliseconds. If you do not like to keep the workers
running, simply set it to 0, which means immediate timeout and thus immediate
shutdown. But consider that creating threads involves some overhead, and this is
-why we keep them running.</p>
+why we keep them running. If you would like to never shutdown any worker
+threads, specify -1 for this parameter.</p>
<h2>Discarding Messages</h2>
<p>If the queue reaches the so called "discard watermark" (a number of queued
elements), less important messages can automatically be discarded. This is in an
@@ -356,5 +358,13 @@ environment for the next action).</p>
parameters, because not all are applicable. For example, in current output
module design, actions do not support multi-threading. Consequently, the number
of worker threads is fixed to one for action queues and can not be changed.</p>
+[<a href="manual.html">manual index</a>]
+[<a href="rsyslog_conf.html">rsyslog.conf</a>]
+[<a href="http://www.rsyslog.com/">rsyslog site</a>]</p>
+<p><font size="2">This documentation is part of the
+<a href="http://www.rsyslog.com/">rsyslog</a> project.<br>
+Copyright &copy; 2008 by <a href="http://www.gerhards.net/rainer">Rainer Gerhards</a> and
+<a href="http://www.adiscon.com/">Adiscon</a>. Released under the GNU GPL
+version 2 or higher.</font></p>
-</body></html> \ No newline at end of file
+</body></html>
diff --git a/doc/rsconf1_actionexeconlywhenpreviousissuspended.html b/doc/rsconf1_actionexeconlywhenpreviousissuspended.html
index d5cf8b14..1626b4ca 100644
--- a/doc/rsconf1_actionexeconlywhenpreviousissuspended.html
+++ b/doc/rsconf1_actionexeconlywhenpreviousissuspended.html
@@ -3,6 +3,8 @@
<title>rsyslog.conf file</title>
</head>
<body>
+<a href="rsyslog_conf_global.html">back</a>
+
<h2>$ActionExecOnlyWhenPreviousIsSuspended</h2>
<p><b>Type:</b> global configuration directive</p>
<p><b>Default:</b> off</p>
diff --git a/doc/rsconf1_actionresumeinterval.html b/doc/rsconf1_actionresumeinterval.html
index a854a212..c0365470 100644
--- a/doc/rsconf1_actionresumeinterval.html
+++ b/doc/rsconf1_actionresumeinterval.html
@@ -3,6 +3,8 @@
<title>rsyslog.conf file</title>
</head>
<body>
+<a href="rsyslog_conf_global.html">back</a>
+
<h2>$ActionResumeInterval</h2>
<p><b>Type:</b> global configuration directive</p>
<p><b>Default:</b> 30</p>
@@ -27,4 +29,4 @@ Copyright &copy; 2007 by <a href="http://www.gerhards.net/rainer">Rainer Gerhard
<a href="http://www.adiscon.com/">Adiscon</a>. Released under the GNU GPL
version 2 or higher.</font></p>
</body>
-</html> \ No newline at end of file
+</html>
diff --git a/doc/rsconf1_allowedsender.html b/doc/rsconf1_allowedsender.html
index 4a980b89..ac39e268 100644
--- a/doc/rsconf1_allowedsender.html
+++ b/doc/rsconf1_allowedsender.html
@@ -3,6 +3,8 @@
<title>rsyslog.conf file</title>
</head>
<body>
+<a href="rsyslog_conf_global.html">back</a>
+
<h2>$AllowedSender</h2>
<p><b>Type:</b> global configuration directive</p>
<p><b>Default:</b> all allowed</p>
diff --git a/doc/rsconf1_controlcharacterescapeprefix.html b/doc/rsconf1_controlcharacterescapeprefix.html
index 6dab1e2e..45cd9230 100644
--- a/doc/rsconf1_controlcharacterescapeprefix.html
+++ b/doc/rsconf1_controlcharacterescapeprefix.html
@@ -3,6 +3,8 @@
<title>rsyslog.conf file</title>
</head>
<body>
+<a href="rsyslog_conf_global.html">back</a>
+
<h2>$ControlCharacterEscapePrefix</h2>
<p><b>Type:</b> global configuration directive</p>
<p><b>Default:</b> \</p>
diff --git a/doc/rsconf1_debugprintcfsyslinehandlerlist.html b/doc/rsconf1_debugprintcfsyslinehandlerlist.html
index 1aad7552..e158de43 100644
--- a/doc/rsconf1_debugprintcfsyslinehandlerlist.html
+++ b/doc/rsconf1_debugprintcfsyslinehandlerlist.html
@@ -3,6 +3,8 @@
<title>rsyslog.conf file</title>
</head>
<body>
+<a href="rsyslog_conf_global.html">back</a>
+
<h2>$DebugPrintCFSyslineHandlerList</h2>
<p><b>Type:</b> global configuration directive</p>
<p><b>Default:</b> on</p>
@@ -19,4 +21,4 @@ Copyright &copy; 2007 by <a href="http://www.gerhards.net/rainer">Rainer Gerhard
<a href="http://www.adiscon.com/">Adiscon</a>. Released under the GNU GPL
version 2 or higher.</font></p>
</body>
-</html> \ No newline at end of file
+</html>
diff --git a/doc/rsconf1_debugprintmodulelist.html b/doc/rsconf1_debugprintmodulelist.html
index 4d8e9bff..f25663fb 100644
--- a/doc/rsconf1_debugprintmodulelist.html
+++ b/doc/rsconf1_debugprintmodulelist.html
@@ -3,6 +3,7 @@
<title>rsyslog.conf file</title>
</head>
<body>
+<a href="rsyslog_conf_global.html">back</a>
<h2>$DebugPrintModuleList</h2>
<p><b>Type:</b> global configuration directive</p>
<p><b>Default:</b> on</p>
@@ -19,4 +20,4 @@ Copyright &copy; 2007 by <a href="http://www.gerhards.net/rainer">Rainer Gerhard
<a href="http://www.adiscon.com/">Adiscon</a>. Released under the GNU GPL
version 2 or higher.</font></p>
</body>
-</html> \ No newline at end of file
+</html>
diff --git a/doc/rsconf1_debugprinttemplatelist.html b/doc/rsconf1_debugprinttemplatelist.html
index 243530e1..b5f1f28f 100644
--- a/doc/rsconf1_debugprinttemplatelist.html
+++ b/doc/rsconf1_debugprinttemplatelist.html
@@ -3,6 +3,8 @@
<title>rsyslog.conf file</title>
</head>
<body>
+<a href="rsyslog_conf_global.html">back</a>
+
<h2>$DebugPrintTemplateList</h2>
<p><b>Type:</b> global configuration directive</p>
<p><b>Default:</b> on</p>
@@ -19,4 +21,4 @@ Copyright &copy; 2007 by <a href="http://www.gerhards.net/rainer">Rainer Gerhard
<a href="http://www.adiscon.com/">Adiscon</a>. Released under the GNU GPL
version 2 or higher.</font></p>
</body>
-</html> \ No newline at end of file
+</html>
diff --git a/doc/rsconf1_dircreatemode.html b/doc/rsconf1_dircreatemode.html
index 66a35e18..9a9c61eb 100644
--- a/doc/rsconf1_dircreatemode.html
+++ b/doc/rsconf1_dircreatemode.html
@@ -3,6 +3,8 @@
<title>rsyslog.conf file</title>
</head>
<body>
+<a href="rsyslog_conf_global.html">back</a>
+
<h2>$DirCreateMode</h2>
<p><b>Type:</b> global configuration directive</p>
<p><b>Default:</b> 0644</p>
@@ -19,4 +21,4 @@ Copyright &copy; 2007 by <a href="http://www.gerhards.net/rainer">Rainer Gerhard
<a href="http://www.adiscon.com/">Adiscon</a>. Released under the GNU GPL
version 2 or higher.</font></p>
</body>
-</html> \ No newline at end of file
+</html>
diff --git a/doc/rsconf1_dirgroup.html b/doc/rsconf1_dirgroup.html
index 868e5ecd..de070126 100644
--- a/doc/rsconf1_dirgroup.html
+++ b/doc/rsconf1_dirgroup.html
@@ -3,6 +3,8 @@
<title>rsyslog.conf file</title>
</head>
<body>
+<a href="rsyslog_conf_global.html">back</a>
+
<h2>$DirGroup</h2>
<p><b>Type:</b> global configuration directive</p>
<p><b>Default:</b> </p>
@@ -19,4 +21,4 @@ Copyright &copy; 2007 by <a href="http://www.gerhards.net/rainer">Rainer Gerhard
<a href="http://www.adiscon.com/">Adiscon</a>. Released under the GNU GPL
version 2 or higher.</font></p>
</body>
-</html> \ No newline at end of file
+</html>
diff --git a/doc/rsconf1_dirowner.html b/doc/rsconf1_dirowner.html
index e85a5122..da8e252d 100644
--- a/doc/rsconf1_dirowner.html
+++ b/doc/rsconf1_dirowner.html
@@ -3,6 +3,8 @@
<title>rsyslog.conf file</title>
</head>
<body>
+<a href="rsyslog_conf_global.html">back</a>
+
<h2>$DirOwner</h2>
<p><b>Type:</b> global configuration directive</p>
<p><b>Default:</b> </p>
@@ -19,4 +21,4 @@ Copyright &copy; 2007 by <a href="http://www.gerhards.net/rainer">Rainer Gerhard
<a href="http://www.adiscon.com/">Adiscon</a>. Released under the GNU GPL
version 2 or higher.</font></p>
</body>
-</html> \ No newline at end of file
+</html>
diff --git a/doc/rsconf1_dropmsgswithmaliciousdnsptrrecords.html b/doc/rsconf1_dropmsgswithmaliciousdnsptrrecords.html
index e0a53ae6..95027a70 100644
--- a/doc/rsconf1_dropmsgswithmaliciousdnsptrrecords.html
+++ b/doc/rsconf1_dropmsgswithmaliciousdnsptrrecords.html
@@ -3,6 +3,8 @@
<title>rsyslog.conf file</title>
</head>
<body>
+<a href="rsyslog_conf_global.html">back</a>
+
<h2>$DropMsgsWithMaliciousDnsPTRRecords</h2>
<p><b>Type:</b> global configuration directive</p>
<p><b>Default:</b> off</p>
@@ -19,4 +21,4 @@ Copyright &copy; 2007 by <a href="http://www.gerhards.net/rainer">Rainer Gerhard
<a href="http://www.adiscon.com/">Adiscon</a>. Released under the GNU GPL
version 2 or higher.</font></p>
</body>
-</html> \ No newline at end of file
+</html>
diff --git a/doc/rsconf1_droptrailinglfonreception.html b/doc/rsconf1_droptrailinglfonreception.html
index 1e3aa8af..fb59b871 100644
--- a/doc/rsconf1_droptrailinglfonreception.html
+++ b/doc/rsconf1_droptrailinglfonreception.html
@@ -3,6 +3,8 @@
<title>rsyslog.conf file</title>
</head>
<body>
+<a href="rsyslog_conf_global.html">back</a>
+
<h2>$DropTrailingLFOnReception</h2>
<p><b>Type:</b> global configuration directive</p>
<p><b>Default:</b> on</p>
diff --git a/doc/rsconf1_dynafilecachesize.html b/doc/rsconf1_dynafilecachesize.html
index 3813f981..cacbf6e5 100644
--- a/doc/rsconf1_dynafilecachesize.html
+++ b/doc/rsconf1_dynafilecachesize.html
@@ -3,6 +3,8 @@
<title>rsyslog.conf file</title>
</head>
<body>
+<a href="rsyslog_conf_global.html">back</a>
+
<h2>$DynaFileCacheSize</h2>
<p><b>Type:</b> global configuration directive</p>
<p><b>Default:</b> 10</p>
@@ -20,4 +22,4 @@ Copyright &copy; 2007 by <a href="http://www.gerhards.net/rainer">Rainer Gerhard
<a href="http://www.adiscon.com/">Adiscon</a>. Released under the GNU GPL
version 2 or higher.</font></p>
</body>
-</html> \ No newline at end of file
+</html>
diff --git a/doc/rsconf1_escapecontrolcharactersonreceive.html b/doc/rsconf1_escapecontrolcharactersonreceive.html
index 26917736..178f9a6f 100644
--- a/doc/rsconf1_escapecontrolcharactersonreceive.html
+++ b/doc/rsconf1_escapecontrolcharactersonreceive.html
@@ -3,6 +3,8 @@
<title>rsyslog.conf file</title>
</head>
<body>
+<a href="rsyslog_conf_global.html">back</a>
+
<h2>$EscapeControlCharactersOnReceive</h2>
<p><b>Type:</b> global configuration directive</p>
<p><b>Default:</b> on</p>
diff --git a/doc/rsconf1_failonchownfailure.html b/doc/rsconf1_failonchownfailure.html
index 0e646e36..d8bbab82 100644
--- a/doc/rsconf1_failonchownfailure.html
+++ b/doc/rsconf1_failonchownfailure.html
@@ -3,6 +3,8 @@
<title>rsyslog.conf file</title>
</head>
<body>
+<a href="rsyslog_conf_global.html">back</a>
+
<h2>$FailOnChownFailure</h2>
<p><b>Type:</b> global configuration directive</p>
<p><b>Default:</b> on</p>
@@ -19,4 +21,4 @@ Copyright &copy; 2007 by <a href="http://www.gerhards.net/rainer">Rainer Gerhard
<a href="http://www.adiscon.com/">Adiscon</a>. Released under the GNU GPL
version 2 or higher.</font></p>
</body>
-</html> \ No newline at end of file
+</html>
diff --git a/doc/rsconf1_filecreatemode.html b/doc/rsconf1_filecreatemode.html
index c8440864..10b0317b 100644
--- a/doc/rsconf1_filecreatemode.html
+++ b/doc/rsconf1_filecreatemode.html
@@ -3,6 +3,8 @@
<title>rsyslog.conf file</title>
</head>
<body>
+<a href="rsyslog_conf_global.html">back</a>
+
<h2>$FileCreateMode</h2>
<p><b>Type:</b> global configuration directive</p>
<p><b>Default:</b> 0644</p>
diff --git a/doc/rsconf1_filegroup.html b/doc/rsconf1_filegroup.html
index b9acaab7..dd5b8ad5 100644
--- a/doc/rsconf1_filegroup.html
+++ b/doc/rsconf1_filegroup.html
@@ -3,6 +3,8 @@
<title>rsyslog.conf file</title>
</head>
<body>
+<a href="rsyslog_conf_global.html">back</a>
+
<h2>$FileGroup</h2>
<p><b>Type:</b> global configuration directive</p>
<p><b>Default:</b> </p>
@@ -19,4 +21,4 @@ Copyright &copy; 2007 by <a href="http://www.gerhards.net/rainer">Rainer Gerhard
<a href="http://www.adiscon.com/">Adiscon</a>. Released under the GNU GPL
version 2 or higher.</font></p>
</body>
-</html> \ No newline at end of file
+</html>
diff --git a/doc/rsconf1_fileowner.html b/doc/rsconf1_fileowner.html
index 7a9cbbc7..935cfffd 100644
--- a/doc/rsconf1_fileowner.html
+++ b/doc/rsconf1_fileowner.html
@@ -3,6 +3,8 @@
<title>rsyslog.conf file</title>
</head>
<body>
+<a href="rsyslog_conf_global.html">back</a>
+
<h2>$FileOwner</h2>
<p><b>Type:</b> global configuration directive</p>
<p><b>Default:</b> </p>
@@ -19,4 +21,4 @@ Copyright &copy; 2007 by <a href="http://www.gerhards.net/rainer">Rainer Gerhard
<a href="http://www.adiscon.com/">Adiscon</a>. Released under the GNU GPL
version 2 or higher.</font></p>
</body>
-</html> \ No newline at end of file
+</html>
diff --git a/doc/rsconf1_gssforwardservicename.html b/doc/rsconf1_gssforwardservicename.html
index 9d39dc2a..45d9ba98 100644
--- a/doc/rsconf1_gssforwardservicename.html
+++ b/doc/rsconf1_gssforwardservicename.html
@@ -3,6 +3,8 @@
<title>rsyslog.conf file</title>
</head>
<body>
+<a href="rsyslog_conf_global.html">back</a>
+
<h2>$GssForwardServiceName</h2>
<p><b>Type:</b> global configuration directive</p>
<p><b>Default:</b> host</p>
diff --git a/doc/rsconf1_gsslistenservicename.html b/doc/rsconf1_gsslistenservicename.html
index cd03dc58..5fdf3edc 100644
--- a/doc/rsconf1_gsslistenservicename.html
+++ b/doc/rsconf1_gsslistenservicename.html
@@ -3,6 +3,8 @@
<title>rsyslog.conf file</title>
</head>
<body>
+<a href="rsyslog_conf_global.html">back</a>
+
<h2>$GssListenServiceName</h2>
<p><b>Type:</b> global configuration directive</p>
<p><b>Default:</b> host</p>
diff --git a/doc/rsconf1_gssmode.html b/doc/rsconf1_gssmode.html
index 71c50696..2b1d5656 100644
--- a/doc/rsconf1_gssmode.html
+++ b/doc/rsconf1_gssmode.html
@@ -3,6 +3,8 @@
<title>rsyslog.conf file</title>
</head>
<body>
+<a href="rsyslog_conf_global.html">back</a>
+
<h2>$GssMode</h2>
<p><b>Type:</b> global configuration directive</p>
<p><b>Default:</b> encryption</p>
diff --git a/doc/rsconf1_includeconfig.html b/doc/rsconf1_includeconfig.html
index 24462f77..132cee6f 100644
--- a/doc/rsconf1_includeconfig.html
+++ b/doc/rsconf1_includeconfig.html
@@ -3,6 +3,8 @@
<title>rsyslog.conf file</title>
</head>
<body>
+<a href="rsyslog_conf_global.html">back</a>
+
<h2>$IncludeConfig</h2>
<p><b>Type:</b> global configuration directive</p>
<p><b>Default:</b> </p>
@@ -43,4 +45,4 @@ Copyright &copy; 2007 by <a href="http://www.gerhards.net/rainer">Rainer Gerhard
<a href="http://www.adiscon.com/">Adiscon</a>. Released under the GNU GPL
version 2 or higher.</font></p>
</body>
-</html> \ No newline at end of file
+</html>
diff --git a/doc/rsconf1_mainmsgqueuesize.html b/doc/rsconf1_mainmsgqueuesize.html
index acf88e94..ffed1c09 100644
--- a/doc/rsconf1_mainmsgqueuesize.html
+++ b/doc/rsconf1_mainmsgqueuesize.html
@@ -3,6 +3,8 @@
<title>rsyslog.conf file</title>
</head>
<body>
+<a href="rsyslog_conf_global.html">back</a>
+
<h2>$MainMsgQueueSize</h2>
<p><b>Type:</b> global configuration directive</p>
<p><b>Default:</b> 10000</p>
diff --git a/doc/rsconf1_markmessageperiod.html b/doc/rsconf1_markmessageperiod.html
index 9b6590cd..2c833339 100644
--- a/doc/rsconf1_markmessageperiod.html
+++ b/doc/rsconf1_markmessageperiod.html
@@ -3,6 +3,8 @@
<title>rsyslog.conf file</title>
</head>
<body>
+<a href="rsyslog_conf_global.html">back</a>
+
<h2>$MarkMessagePeriod</h2>
<p><b>Type:</b> specific to immark input module</p>
<p><b>Default:</b> 1800 (20 minutes)</p>
@@ -27,4 +29,4 @@ Copyright &copy; 2007 by <a href="http://www.gerhards.net/rainer">Rainer Gerhard
<a href="http://www.adiscon.com/">Adiscon</a>. Released under the GNU GPL
version 2 or higher.</font></p>
</body>
-</html> \ No newline at end of file
+</html>
diff --git a/doc/rsconf1_moddir.html b/doc/rsconf1_moddir.html
index ced07dc9..889de05d 100644
--- a/doc/rsconf1_moddir.html
+++ b/doc/rsconf1_moddir.html
@@ -3,6 +3,8 @@
<title>rsyslog.conf file</title>
</head>
<body>
+<a href="rsyslog_conf_global.html">back</a>
+
<h2>$ModDir</h2>
<p><b>Type:</b> global configuration directive</p>
<p><b>Default:</b> system default for user libraries, e.g.
@@ -24,4 +26,4 @@ Copyright &copy; 2007 by <a href="http://www.gerhards.net/rainer">Rainer Gerhard
<a href="http://www.adiscon.com/">Adiscon</a>. Released under the GNU GPL
version 2 or higher.</font></p>
</body>
-</html> \ No newline at end of file
+</html>
diff --git a/doc/rsconf1_modload.html b/doc/rsconf1_modload.html
index a2b8087a..ce457ea5 100644
--- a/doc/rsconf1_modload.html
+++ b/doc/rsconf1_modload.html
@@ -3,6 +3,8 @@
<title>rsyslog.conf file</title>
</head>
<body>
+<a href="rsyslog_conf_global.html">back</a>
+
<h2>$ModLoad</h2>
<p><b>Type:</b> global configuration directive</p>
<p><b>Default:</b> </p>
diff --git a/doc/rsconf1_repeatedmsgreduction.html b/doc/rsconf1_repeatedmsgreduction.html
index 20e56f89..248e8343 100644
--- a/doc/rsconf1_repeatedmsgreduction.html
+++ b/doc/rsconf1_repeatedmsgreduction.html
@@ -3,6 +3,8 @@
<title>rsyslog.conf file</title>
</head>
<body>
+<a href="rsyslog_conf_global.html">back</a>
+
<h2>$RepeatedMsgReduction</h2>
<p><b>Type:</b> global configuration directive</p>
<p><b>Default:</b> depending on -e</p>
@@ -20,4 +22,4 @@ Copyright &copy; 2007 by <a href="http://www.gerhards.net/rainer">Rainer Gerhard
<a href="http://www.adiscon.com/">Adiscon</a>. Released under the GNU GPL
version 2 or higher.</font></p>
</body>
-</html> \ No newline at end of file
+</html>
diff --git a/doc/rsconf1_resetconfigvariables.html b/doc/rsconf1_resetconfigvariables.html
index 9794d158..46cf0bdf 100644
--- a/doc/rsconf1_resetconfigvariables.html
+++ b/doc/rsconf1_resetconfigvariables.html
@@ -3,6 +3,8 @@
<title>rsyslog.conf file</title>
</head>
<body>
+<a href="rsyslog_conf_global.html">back</a>
+
<h2>$ResetConfigVariables</h2>
<p><b>Type:</b> global configuration directive</p>
<p><b>Default:</b> </p>
@@ -19,4 +21,4 @@ Copyright &copy; 2007 by <a href="http://www.gerhards.net/rainer">Rainer Gerhard
<a href="http://www.adiscon.com/">Adiscon</a>. Released under the GNU GPL
version 2 or higher.</font></p>
</body>
-</html> \ No newline at end of file
+</html>
diff --git a/doc/rsconf1_umask.html b/doc/rsconf1_umask.html
index ee47dbad..8e41e672 100644
--- a/doc/rsconf1_umask.html
+++ b/doc/rsconf1_umask.html
@@ -3,6 +3,8 @@
<title>rsyslog.conf file</title>
</head>
<body>
+<a href="rsyslog_conf_global.html">back</a>
+
<h2>$UMASK</h2>
<p><b>Type:</b> global configuration directive</p>
<p><b>Default:</b> </p>
@@ -21,4 +23,4 @@ Copyright &copy; 2007 by <a href="http://www.gerhards.net/rainer">Rainer Gerhard
<a href="http://www.adiscon.com/">Adiscon</a>. Released under the GNU GPL
version 2 or higher.</font></p>
</body>
-</html> \ No newline at end of file
+</html>
diff --git a/doc/rsyslog_conf.html b/doc/rsyslog_conf.html
index 7cd40cb7..852d95b5 100644
--- a/doc/rsyslog_conf.html
+++ b/doc/rsyslog_conf.html
@@ -20,241 +20,13 @@ possible. While, for obvious reasons, <a href="features.html">enhanced
features</a> require a different config file syntax, rsyslogd
should be able to work with a standard syslog.conf file. This is
especially useful while you are migrating from syslogd to rsyslogd.</p>
-<h2>Modules</h2>
-<p>Rsyslog has a modular design. Consequently, there is a growing
-number of modules. Here is the entry point to their documentation and
-what they do (list is currently not complete)</p>
-<ul>
-<li><a href="omsnmp.html">omsnmp</a> - SNMP
-trap output module</li>
-<li><a href="omrelp.html">omrelp</a> - RELP
-output module</li>
-<li>omgssapi - output module for GSS-enabled syslog</li>
-<li><a href="ommysql.html">ommysql</a> - output module for MySQL</li>
-<li>ompgsql - output module for PostgreSQL</li>
-<li><a href="omlibdbi.html">omlibdbi</a> -
-generic database output module (Firebird/Interbase, MS SQL, Sybase,
-SQLLite, Ingres, Oracle, mSQL)</li>
-<li><a href="ommail.html">ommail</a> -
-permits rsyslog to alert folks by mail if something important happens</li>
-<li><a href="imfile.html">imfile</a>
--&nbsp; input module for text files</li>
-<li><a href="imrelp.html">imrelp</a> - RELP
-input module</li>
-<li>imudp - udp syslog message input</li>
-<li><a href="imtcp.html">imtcp</a> - input
-plugin for plain tcp syslog</li>
-<li><a href="imgssapi.html">imgssapi</a> -
-input plugin for plain tcp and GSS-enabled syslog</li>
-<li>immark - support for mark messages</li>
-<li><a href="imklog.html">imklog</a> - kernel logging</li>
-<li><a href="imuxsock.html">imuxsock</a> -
-unix sockets, including the system log socket</li>
-<li><a href="im3195.html">im3195</a> -
-accepts syslog messages via RFC 3195</li>
-</ul>
-<p>Please note that each module provides configuration
-directives, which are NOT necessarily being listed below. Also
-remember, that a modules configuration directive (and functionality) is
-only available if it has been loaded (using $ModLoad).</p>
+<h2><a href="rsyslog_conf_modules.html">Modules</a></h2>
<h2>Lines</h2>
Lines can be continued by specifying a backslash ("\") as the last
-character of the line.<br>
-<h2>Global Directives</h2>
-<p>All global directives need to be specified on a line by their
-own and must start with a dollar-sign. Here is a list in alphabetical
-order. Follow links for a description.</p>
-<p>Not all directives have an in-depth description right now.
-Default values for them are in bold. A more in-depth description will
-appear as implementation progresses. Directives may change during that
-process, we will NOT try hard to maintain backwards compatibility
-(after all, v3 is still very early in development and quite
-unstable...). So you have been warned ;)</p>
-<p><b>Be sure to read information about <a href="queues.html">queues in rsyslog</a></b> -
-many parameter settings modify queue parameters. If in doubt, use the
-default, it is usually well-chosen and applicable in most cases.</p>
-<ul>
-<li><a href="rsconf1_actionexeconlywhenpreviousissuspended.html">$ActionExecOnlyWhenPreviousIsSuspended</a></li>
-<li>$ActionExecOnlyOnceEveryInterval &lt;seconds&gt; -
-execute action only if the last execute is at last
-&lt;seconds&gt; seconds in the past (more info in <a href="ommail.html">ommail</a>,
-but may be used with any action)</li>
-<li><i><b>$ActionExecOnlyEveryNthTime</b> &lt;number&gt;</i> - If configured, the next action will
-only be executed every n-th time. For example, if configured to 3, the first two messages
-that go into the action will be dropped, the 3rd will actually cause the action to execute,
-the 4th and 5th will be dropped, the 6th executed under the action, ... and so on. Note:
-this setting is automatically re-set when the actual action is defined.</li>
-<li><i><b>$ActionExecOnlyEveryNthTimeTimeout</b> &lt;number-of-seconds&gt;</i> - has a meaning only if
-$ActionExecOnlyEveryNthTime is also configured for the same action. If so, the timeout
-setting specifies after which period the counting of "previous actions" expires and
-a new action count is begun. Specify 0 (the default) to disable timeouts.
-<br>
-<i>Why is this option needed?</i> Consider this case: a message comes in at, eg., 10am. That's
-count 1. Then, nothing happens for the next 10 hours. At 8pm, the next
-one occurs. That's count 2. Another 5 hours later, the next message
-occurs, bringing the total count to 3. Thus, this message now triggers
-the rule.
-<br>
-The question is if this is desired behavior? Or should the rule only be
-triggered if the messages occur within an e.g. 20 minute window? If the
-later is the case, you need a
-<br>
-$ActionExecOnlyEveryNthTimeTimeout 1200
-<br>
-This directive will timeout previous messages seen if they are older
-than 20 minutes. In the example above, the count would now be always 1
-and consequently no rule would ever be triggered.
-
-<li>$ActionFileDefaultTemplate [templateName] - sets a new default template for file actions</li>
-<li>$ActionFileEnableSync [on/<span style="font-weight: bold;">off</span>] - enables file
-syncing capability of omfile</li>
-<li>$ActionForwardDefaultTemplate [templateName] - sets a new
-default template for UDP and plain TCP forwarding action</li>
-<li>$ActionGSSForwardDefaultTemplate [templateName] - sets a
-new default template for GSS-API forwarding action</li>
-<li>$ActionQueueCheckpointInterval &lt;number&gt;</li>
-<li>$ActionQueueDequeueSlowdown &lt;number&gt; [number
-is timeout in <i> micro</i>seconds (1000000us is 1sec!),
-default 0 (no delay). Simple rate-limiting!]</li>
-<li>$ActionQueueDiscardMark &lt;number&gt; [default
-9750]</li>
-<li>$ActionQueueDiscardSeverity &lt;number&gt;
-[*numerical* severity! default 4 (warning)]</li>
-<li>$ActionQueueFileName &lt;name&gt;</li>
-<li>$ActionQueueHighWaterMark &lt;number&gt; [default
-8000]</li>
-<li>$ActionQueueImmediateShutdown [on/<b>off</b>]</li>
-<li>$ActionQueueSize &lt;number&gt;</li>
-<li>$ActionQueueLowWaterMark &lt;number&gt; [default
-2000]</li>
-<li>$ActionQueueMaxFileSize &lt;size_nbr&gt;, default 1m</li>
-<li>$ActionQueueTimeoutActionCompletion &lt;number&gt;
-[number is timeout in ms (1000ms is 1sec!), default 1000, 0 means
-immediate!]</li>
-<li>$ActionQueueTimeoutEnqueue &lt;number&gt; [number
-is timeout in ms (1000ms is 1sec!), default 2000, 0 means indefinite]</li>
-<li>$ActionQueueTimeoutShutdown &lt;number&gt; [number
-is timeout in ms (1000ms is 1sec!), default 0 (indefinite)]</li>
-<li>$ActionQueueWorkerTimeoutThreadShutdown
-&lt;number&gt; [number is timeout in ms (1000ms is 1sec!),
-default 60000 (1 minute)]</li>
-<li>$ActionQueueType [FixedArray/LinkedList/<b>Direct</b>/Disk]</li>
-<li>$ActionQueueSaveOnShutdown&nbsp; [on/<b>off</b>]
-</li>
-<li>$ActionQueueWorkerThreads &lt;number&gt;, num worker threads, default 1, recommended 1</li>
-<li>$ActionQueueWorkerThreadMinumumMessages &lt;number&gt;, default 100</li>
-<li><a href="rsconf1_actionresumeinterval.html">$ActionResumeInterval</a></li>
-<li>$ActionResumeRetryCount &lt;number&gt; [default 0, -1 means eternal]</li>
-<li>$ActionSendResendLastMsgOnReconn &lt;[on/<b>off</b>]&gt; specifies if the last message is to be resend when a connecition broken and has been reconnedcted. May increase reliability, but comes at the risk of message duplication.
-<li>$ActionSendStreamDriver &lt;driver basename&gt; just like $DefaultNetstreamDriver, but for the specific action
-</li><li>$ActionSendStreamDriverMode &lt;mode&gt;, default 0, mode to use with the stream driver
-(driver-specific)</li><li>$ActionSendStreamDriverAuthMode &lt;mode&gt;,&nbsp; authentication mode to use with the stream driver
-(driver-specific)</li><li>$ActionSendStreamDriverPermittedPeer &lt;ID&gt;,&nbsp; accepted fingerprint (SHA1) or name of remote peer
-(driver-specific) -<span style="font-weight: bold;"> directive may go away</span>!</li>
-<li><a href="rsconf1_allowedsender.html">$AllowedSender</a></li>
-<li><a href="rsconf1_controlcharacterescapeprefix.html">$ControlCharacterEscapePrefix</a></li>
-<li><a href="rsconf1_debugprintcfsyslinehandlerlist.html">$DebugPrintCFSyslineHandlerList</a></li>
-
-<li><a href="rsconf1_debugprintmodulelist.html">$DebugPrintModuleList</a></li>
-<li><a href="rsconf1_debugprinttemplatelist.html">$DebugPrintTemplateList</a></li>
-<li>$DefaultNetstreamDriver &lt;drivername&gt;, the default <a href="netstream.html">network stream driver</a> to use. Defaults to&nbsp;ptcp.$DefaultNetstreamDriverCAFile &lt;/path/to/cafile.pem&gt;</li>
-<li>$DefaultNetstreamDriverCertFile &lt;/path/to/certfile.pem&gt;</li>
-<li>$DefaultNetstreamDriverKeyFile &lt;/path/to/keyfile.pem&gt;</li>
-<li><a href="rsconf1_dircreatemode.html">$DirCreateMode</a></li>
-<li><a href="rsconf1_dirgroup.html">$DirGroup</a></li>
-<li><a href="rsconf1_dirowner.html">$DirOwner</a></li>
-<li><a href="rsconf1_dropmsgswithmaliciousdnsptrrecords.html">$DropMsgsWithMaliciousDnsPTRRecords</a></li>
-<li><a href="rsconf1_droptrailinglfonreception.html">$DropTrailingLFOnReception</a></li>
-<li><a href="rsconf1_dynafilecachesize.html">$DynaFileCacheSize</a></li>
-<li><a href="rsconf1_escapecontrolcharactersonreceive.html">$EscapeControlCharactersOnReceive</a></li>
-<li>$ErrorMessagesToStderr [<b>on</b>|off] - direct rsyslogd error message to stderr (in addition to other targets)</li>
-<li><a href="rsconf1_failonchownfailure.html">$FailOnChownFailure</a></li>
-<li><a href="rsconf1_filecreatemode.html">$FileCreateMode</a></li>
-<li><a href="rsconf1_filegroup.html">$FileGroup</a></li>
-<li><a href="rsconf1_fileowner.html">$FileOwner</a></li>
-<li><a href="rsconf1_gssforwardservicename.html">$GssForwardServiceName</a></li>
-<li><a href="rsconf1_gsslistenservicename.html">$GssListenServiceName</a></li>
-<li><a href="rsconf1_gssmode.html">$GssMode</a></li>
-<li><a href="rsconf1_includeconfig.html">$IncludeConfig</a></li><li>MainMsgQueueCheckpointInterval &lt;number&gt;</li>
-<li>$MainMsgQueueDequeueSlowdown &lt;number&gt; [number
-is timeout in <i> micro</i>seconds (1000000us is 1sec!),
-default 0 (no delay). Simple rate-limiting!]</li>
-<li>$MainMsgQueueDiscardMark &lt;number&gt; [default
-9750]</li>
-<li>$MainMsgQueueDiscardSeverity &lt;severity&gt;
-[either a textual or numerical severity! default 4 (warning)]</li>
-<li>$MainMsgQueueFileName &lt;name&gt;</li>
-<li>$MainMsgQueueHighWaterMark &lt;number&gt; [default
-8000]</li>
-<li>$MainMsgQueueImmediateShutdown [on/<b>off</b>]</li>
-<li><a href="rsconf1_mainmsgqueuesize.html">$MainMsgQueueSize</a></li>
-<li>$MainMsgQueueLowWaterMark &lt;number&gt; [default
-2000]</li>
-<li>$MainMsgQueueMaxFileSize &lt;size_nbr&gt;, default
-1m</li>
-<li>$MainMsgQueueTimeoutActionCompletion
-&lt;number&gt; [number is timeout in ms (1000ms is 1sec!),
-default
-1000, 0 means immediate!]</li>
-<li>$MainMsgQueueTimeoutEnqueue &lt;number&gt; [number
-is timeout in ms (1000ms is 1sec!), default 2000, 0 means indefinite]</li>
-<li>$MainMsgQueueTimeoutShutdown &lt;number&gt; [number
-is timeout in ms (1000ms is 1sec!), default 0 (indefinite)]</li>
-<li>$MainMsgQueueWorkerTimeoutThreadShutdown
-&lt;number&gt; [number is timeout in ms (1000ms is 1sec!),
-default 60000 (1 minute)]</li>
-<li>$MainMsgQueueType [<b>FixedArray</b>/LinkedList/Direct/Disk]</li>
-<li>$MainMsgQueueSaveOnShutdown&nbsp; [on/<b>off</b>]
-</li>
-<li>$MainMsgQueueWorkerThreads &lt;number&gt;, num
-worker threads, default 1, recommended 1</li>
-<li>$MainMsgQueueWorkerThreadMinumumMessages &lt;number&gt;, default 100</li>
-<li><a href="rsconf1_markmessageperiod.html">$MarkMessagePeriod</a> (immark)</li>
-<li><b><i>$MaxMessageSize</i></b> &lt;size_nbr&gt;, default 2k - allows to specify maximum supported message size
-(both for sending and receiving). The default
-should be sufficient for almost all cases. Do not set this below 1k, as it would cause
-interoperability problems with other syslog implementations.<br>
-Change the setting to e.g. 32768 if you would like to
-support large message sizes for IHE (32k is the current maximum
-needed for IHE). I was initially tempted to set the default to 32k,
-but there is a some memory footprint with the current
-implementation in rsyslog.
-<br>If you intend to receive Windows Event Log data (e.g. via
-<a href="http://www.eventreporter.com/">EventReporter</a>), you might want to
-increase this number to an even higher value, as event
-log messages can be very lengthy ("$MaxMessageSize 64k" is not a bad idea).
-Note: testing showed that 4k seems to be
-the typical maximum for <b>UDP</b> based syslog. This is an IP stack
-restriction. Not always ... but very often. If you go beyond
-that value, be sure to test that rsyslogd actually does what
-you think it should do ;) It is highly suggested to use a TCP based transport
-instead of UDP (plain TCP syslog, RELP). This resolves the UDP stack size restrictions.
-<br>Note that 2k, the current default, is the smallest size that must be
-supported in order to be compliant to the upcoming new syslog RFC series.
-</li>
-<li><a href="rsconf1_moddir.html">$ModDir</a></li>
-<li><a href="rsconf1_modload.html">$ModLoad</a></li>
-<li><a href="rsconf1_repeatedmsgreduction.html">$RepeatedMsgReduction</a></li>
-<li><a href="rsconf1_resetconfigvariables.html">$ResetConfigVariables</a></li>
-<li>$WorkDirectory &lt;name&gt; (directory for spool
-and other work files)</li>
-<li>$UDPServerAddress &lt;IP&gt; (imudp) -- local IP
-address (or name) the UDP listens should bind to</li>
-<li>$UDPServerRun &lt;port&gt; (imudp) -- former
--r&lt;port&gt; option, default 514, start UDP server on this
-port, "*" means all addresses</li>
-<li><a href="rsconf1_umask.html">$UMASK</a></li>
-</ul>
-<p><b>Where &lt;size_nbr&gt; is specified above,</b>
-modifiers can be used after the number part. For example, 1k means
-1024. Supported are k(ilo), m(ega), g(iga), t(era), p(eta) and e(xa).
-Lower case letters refer to the traditional binary defintion (e.g. 1m
-equals 1,048,576) whereas upper case letters refer to their new
-1000-based definition (e.g 1M equals 1,000,000).</p>
-<p>Numbers may include '.' and ',' for readability. So you can
-for example specify either "1000" or "1,000" with the same result.
-Please note that rsyslogd simply ignores the punctuation. Form it's
-point of view, "1,,0.0.,.,0" also has the value 1000. </p>
+character of the line. There is a hard-coded maximum line length of 4K.
+If you need lines larger than that, you need to change compile-time
+settings inside rsyslog and recompile.
+<h2><a href="rsyslog_conf_global.html">Global Directives</a></h2>
<h2>Basic Structure</h2>
<p>Rsyslog supports standard sysklogd's configuration file format
and extends it. So in general, you can take a "normal" syslog.conf and
@@ -273,975 +45,15 @@ priorities belonging to the specified action.<br>
<br>
Lines starting with a hash mark ("#'') and empty lines are ignored.
</p>
-<h2>Templates</h2>
-<p>Templates are a key feature of rsyslog. They allow to specify
-any
-format a user might want. They are also used for dynamic file name
-generation. Every output in rsyslog uses templates - this holds true
-for files, user messages and so on. The database writer expects its
-template to be a proper SQL statement - so this is highly customizable
-too. You might ask how does all of this work when no templates at all
-are specified. Good question ;) The answer is simple, though. Templates
-compatible with the stock syslogd formats are hardcoded into rsyslogd.
-So if no template is specified, we use one of these hardcoded
-templates. Search for "template_" in syslogd.c and you will find the
-hardcoded ones.</p>
-<p>A template consists of a template directive, a name, the
-actual template text and optional options. A sample is:</p>
-<blockquote><code>$template MyTemplateName,"\7Text
-%property% some more text\n",&lt;options&gt;</code></blockquote>
-<p>The "$template" is the template directive. It tells rsyslog
-that this line contains a template. "MyTemplateName" is the template
-name. All
-other config lines refer to this name. The text within quotes is the
-actual template text. The backslash is an escape character, much as it
-is in C. It does all these "cool" things. For example, \7 rings the
-bell (this is an ASCII value), \n is a new line. C programmers and perl
-coders have the advantage of knowing this, but the set in rsyslog is a
-bit restricted currently.
-</p>
-<p>All text in the template is used literally, except for things
-within percent signs. These are properties and allow you access to the
-contents of the syslog message. Properties are accessed via the
-property replacer (nice name, huh) and it can do cool things, too. For
-example, it can pick a substring or do date-specific formatting. More
-on this is below, on some lines of the property replacer.<br>
-<br>
-The &lt;options&gt; part is optional. It carries options
-influencing the template as whole. See details below. Be sure NOT to
-mistake template options with property options - the later ones are
-processed by the property replacer and apply to a SINGLE property, only
-(and not the whole template).<br>
-<br>
-Template options are case-insensitive. Currently defined are: </p>
-<p><b>sql</b> - format the string suitable for a SQL
-statement in MySQL format. This will replace single quotes ("'") and
-the backslash character by their backslash-escaped counterpart ("\'"
-and "\\") inside each field. Please note that in MySQL configuration,
-the <code class="literal">NO_BACKSLASH_ESCAPES</code>
-mode must be turned off for this format to work (this is the default).</p>
-<p><b>stdsql</b> - format the string suitable for a
-SQL statement that is to be sent to a standards-compliant sql server.
-This will replace single quotes ("'") by two single quotes ("''")
-inside each field. You must use stdsql together with MySQL if in MySQL
-configuration the
-<code class="literal">NO_BACKSLASH_ESCAPES</code> is
-turned on.</p>
-<p>Either the <b>sql</b> or <b>stdsql</b>&nbsp;
-option <b>must</b> be specified when a template is used
-for writing to a database, otherwise injection might occur. Please note
-that due to the unfortunate fact that several vendors have violated the
-sql standard and introduced their own escape methods, it is impossible
-to have a single option doing all the work.&nbsp; So you yourself
-must make sure you are using the right format. <b>If you choose
-the wrong one, you are still vulnerable to sql injection.</b><br>
-<br>
-Please note that the database writer *checks* that the sql option is
-present in the template. If it is not present, the write database
-action is disabled. This is to guard you against accidental forgetting
-it and then becoming vulnerable to SQL injection. The sql option can
-also be useful with files - especially if you want to import them into
-a database on another machine for performance reasons. However, do NOT
-use it if you do not have a real need for it - among others, it takes
-some toll on the processing time. Not much, but on a really busy system
-you might notice it ;)</p>
-<p>The default template for the write to database action has the
-sql option set. As we currently support only MySQL and the sql option
-matches the default MySQL configuration, this is a good choice.
-However, if you have turned on
-<code class="literal">NO_BACKSLASH_ESCAPES</code> in
-your MySQL config, you need to supply a template with the stdsql
-option. Otherwise you will become vulnerable to SQL injection. <br>
-<br>
-To escape:<br>
-% = \%<br>
-\ = \\ --&gt; '\' is used to escape (as in C)<br>
-$template TraditionalFormat,%timegenerated% %HOSTNAME%
-%syslogtag%%msg%\n"<br>
-<br>
-Properties can be accessed by the <a href="property_replacer.html">property
-replacer</a> (see there for details).</p>
-<p><b>Please note that templates can also by
-used to generate selector lines with dynamic file names.</b> For
-example, if you would like to split syslog messages from different
-hosts to different files (one per host), you can define the following
-template:</p>
-<blockquote><code>$template
-DynFile,"/var/log/system-%HOSTNAME%.log"</code></blockquote>
-<p>This template can then be used when defining an output
-selector line. It will result in something like
-"/var/log/system-localhost.log"</p>
-<p>Template
-names beginning with "RSYSLOG_" are reserved for rsyslog use. Do NOT
-use them if, otherwise you may receive a conflict in the future (and
-quite unpredictable behaviour). There is a small set of pre-defined
-templates that you can use without the need to define it:</p>
-<ul>
-<li><span style="font-weight: bold;">RSYSLOG_TraditionalFileFormat</span>
-- the "old style" default log file format with low-precision timestamps</li>
-<li><span style="font-weight: bold;">RSYSLOG_FileFormat</span>
-- a modern-style logfile format similar to TraditionalFileFormat, buth
-with high-precision timestamps and timezone information</li>
-<li><span style="font-weight: bold;">RSYSLOG_TraditionalForwardFormat</span>
-- the traditional forwarding format with low-precision timestamps. Most
-useful if you send&nbsp;messages to other syslogd's or rsyslogd
-below
-version 3.12.5.</li>
-<li><span style="font-weight: bold;">RSYSLOG_ForwardFormat</span>
-- a new high-precision forwarding format very similar to the
-traditional one, but with high-precision timestamps and timezone
-information. Recommended to be used when sending messages to rsyslog
-3.12.5 or above.</li>
-<li><span style="font-weight: bold;">RSYSLOG_SyslogProtocol23Format</span>
-- the format specified in IETF's internet-draft
-ietf-syslog-protocol-23, which is assumed to be come the new syslog
-standard RFC. This format includes several improvements. The rsyslog
-message parser understands this format, so you can use it together with
-all relatively recent versions of rsyslog. Other syslogd's may get
-hopelessly confused if receiving that format, so check before you use
-it. Note that the format is unlikely to change when the final RFC comes
-out, but this may happen.</li>
-<li><span style="font-weight: bold;">RSYSLOG_DebugFormat</span>
-- a special format used for troubleshooting property problems. This format
-is meant to be written to a log file. Do <b>not</b> use for production or remote
-forwarding.</li>
-</ul>
-<h2>Output Channels</h2>
-<p>Output Channels are a new concept first introduced in rsyslog
-0.9.0. <b>As of this writing, it is most likely that they will
-be replaced by something different in the future.</b> So if you
-use them, be prepared to change you configuration file syntax when you
-upgrade to a later release.<br>
-<br>
-The idea behind output channel definitions is that it shall provide an
-umbrella for any type of output that the user might want. In essence,<br>
-this is the "file" part of selector lines (and this is why we are not
-sure output channel syntax will stay after the next review). There is a<br>
-difference, though: selector channels both have filter conditions
-(currently facility and severity) as well as the output destination.
-Output channels define the output definition, only. As of this build,
-they can only be used to write to files - not pipes, ttys or whatever
-else. If we stick with output channels, this will change over time.</p>
-<p>In concept, an output channel includes everything needed to
-know about an output actions. In practice, the current implementation
-only carries<br>
-a filename, a maximum file size and a command to be issued when this
-file size is reached. More things might be present in future version,
-which might also change the syntax of the directive.</p>
-<p>Output channels are defined via an $outchannel directive. It's
-syntax is as follows:<br>
-<br>
-$outchannel name,file-name,max-size,action-on-max-size<br>
-<br>
-name is the name of the output channel (not the file), file-name is the
-file name to be written to, max-size the maximum allowed size and
-action-on-max-size a command to be issued when the max size is reached.
-This command always has exactly one parameter. The binary is that part
-of action-on-max-size before the first space, its parameter is
-everything behind that space.<br>
-<br>
-Please note that max-size is queried BEFORE writing the log message to
-the file. So be sure to set this limit reasonably low so that any
-message might fit. For the current release, setting it 1k lower than
-you expected is helpful. The max-size must always be specified in bytes
-- there are no special symbols (like 1k, 1m,...) at this point of
-development.<br>
-<br>
-Keep in mind that $outchannel just defines a channel with "name". It
-does not activate it. To do so, you must use a selector line (see
-below). That selector line includes the channel name plus an $ sign in
-front of it. A sample might be:<br>
-<br>
-*.* $mychannel<br>
-<br>
-In its current form, output channels primarily provide the ability to
-size-limit an output file. To do so, specify a maximum size. When this
-size is reached, rsyslogd will execute the action-on-max-size command
-and then reopen the file and retry. The command should be something
-like a <a href="log_rotation_fix_size.html">log rotation
-script</a> or a similar thing.</p>
-<p>If there is no action-on-max-size command or the command did
-not resolve the situation, the file is closed and never reopened by
-rsyslogd (except, of course, by huping it). This logic was integrated
-when we first experienced severe issues with files larger 2gb, which
-could lead to rsyslogd dumping core. In such cases, it is more
-appropriate to stop writing to a single file. Meanwhile, rsyslogd has
-been fixed to support files larger 2gb, but obviously only on file
-systems and operating system versions that do so. So it can still make
-sense to enforce a 2gb file size limit.</p>
-<h2>Filter Conditions</h2>
-<p>Rsyslog offers four different types "filter conditions":</p>
-<ul>
-<li>BSD-style blocks</li>
-<li>"traditional" severity and facility based selectors</li>
-<li>property-based filters</li>
-<li>expression-based filters</li>
-</ul>
-<h3>Blocks</h3>
-<p>Rsyslogd supports BSD-style blocks inside rsyslog.conf. Each
-block of lines is separated from the previous block by a program or
-hostname specification. A block will only log messages corresponding to
-the most recent program and hostname specifications given. Thus, a
-block which selects &#8216;ppp&#8217; as the program, directly followed by a block
-that selects messages from the hostname &#8216;dialhost&#8217;, then the second
-block will only log messages from the ppp program on dialhost.
-</p>
-<p>A program specification is a line beginning with &#8216;!prog&#8217; and
-the following blocks will be associated with calls to syslog from that
-specific program. A program specification for &#8216;foo&#8217; will also match any
-message logged by the kernel with the prefix &#8216;foo: &#8217;. Alternatively, a
-program specification &#8216;-foo&#8217; causes the following blocks to be applied
-to messages from any program but the one specified. A hostname
-specification of the form &#8216;+hostname&#8217; and the following blocks will be
-applied to messages received from the specified hostname.
-Alternatively, a hostname specification &#8216;-hostname&#8217; causes the
-following blocks to be applied to messages from any host but the one
-specified. If the hostname is given as &#8216;@&#8217;, the local hostname will be
-used. (NOT YET IMPLEMENTED) A program or hostname specification may be
-reset by giving the program or hostname as &#8216;*&#8217;.</p>
-<p>Please note that the "#!prog", "#+hostname" and "#-hostname"
-syntax available in BSD syslogd is not supported by rsyslogd. By
-default, no hostname or program is set.</p>
-<h3>Selectors</h3>
-<p><b>Selectors are the traditional way of filtering syslog
-messages.</b> They have been kept in rsyslog with their original
-syntax, because it is well-known, highly effective and also needed for
-compatibility with stock syslogd configuration files. If you just need
-to filter based on priority and facility, you should do this with
-selector lines. They are <b>not</b> second-class citizens
-in rsyslog and offer the best performance for this job.</p>
-<p>The selector field itself again consists of two parts, a
-facility and a priority, separated by a period (".''). Both parts are
-case insensitive and can also be specified as decimal numbers, but
-don't do that, you have been warned. Both facilities and priorities are
-described in rsyslog(3). The names mentioned below correspond to the
-similar LOG_-values in /usr/include/rsyslog.h.<br>
-<br>
-The facility is one of the following keywords: auth, authpriv, cron,
-daemon, kern, lpr, mail, mark, news, security (same as auth), syslog,
-user, uucp and local0 through local7. The keyword security should not
-be used anymore and mark is only for internal use and therefore should
-not be used in applications. Anyway, you may want to specify and
-redirect these messages here. The facility specifies the subsystem that
-produced the message, i.e. all mail programs log with the mail facility
-(LOG_MAIL) if they log using syslog.<br>
-<br>
-The priority is one of the following keywords, in ascending order:
-debug, info, notice, warning, warn (same as warning), err, error (same
-as err), crit, alert, emerg, panic (same as emerg). The keywords error,
-warn and panic are deprecated and should not be used anymore. The
-priority defines the severity of the message.<br>
-<br>
-The behavior of the original BSD syslogd is that all messages of the
-specified priority and higher are logged according to the given action.
-Rsyslogd behaves the same, but has some extensions.<br>
-<br>
-In addition to the above mentioned names the rsyslogd(8) understands
-the following extensions: An asterisk ("*'') stands for all facilities
-or all priorities, depending on where it is used (before or after the
-period). The keyword none stands for no priority of the given facility.<br>
-<br>
-You can specify multiple facilities with the same priority pattern in
-one statement using the comma (",'') operator. You may specify as much
-facilities as you want. Remember that only the facility part from such
-a statement is taken, a priority part would be skipped.</p>
-<p>Multiple selectors may be specified for a single action using
-the semicolon (";'') separator. Remember that each selector in the
-selector field is capable to overwrite the preceding ones. Using this
-behavior you can exclude some priorities from the pattern.</p>
-<p>Rsyslogd has a syntax extension to the original BSD source,
-that makes its use more intuitively. You may precede every priority
-with an equation sign ("='') to specify only this single priority and
-not any of the above. You may also (both is valid, too) precede the
-priority with an exclamation mark ("!'') to ignore all that
-priorities, either exact this one or this and any higher priority. If
-you use both extensions than the exclamation mark must occur before the
-equation sign, just use it intuitively.</p>
-<h3>Property-Based Filters</h3>
-<p>Property-based filters are unique to rsyslogd. They allow to
-filter on any property, like HOSTNAME, syslogtag and msg. A list of all
-currently-supported properties can be found in the <a href="property_replacer.html">property replacer documentation</a>
-(but keep in mind that only the properties, not the replacer is
-supported). With this filter, each properties can be checked against a
-specified value, using a specified compare operation. Currently, there
-is only a single compare operation (contains) available, but additional
-operations will be added in the future.</p>
-<p>A property-based filter must start with a colon in column 0.
-This tells rsyslogd that it is the new filter type. The colon must be
-followed by the property name, a comma, the name of the compare
-operation to carry out, another comma and then the value to compare
-against. This value must be quoted. There can be spaces and tabs
-between the commas. Property names and compare operations are
-case-sensitive, so "msg" works, while "MSG" is an invalid property
-name. In brief, the syntax is as follows:</p>
-<p><code><b>:property, [!]compare-operation, "value"</b></code></p>
-<p>The following <b>compare-operations</b> are
-currently supported:</p>
-<table id="table1" border="1" width="100%">
-<tbody>
-<tr>
-<td>contains</td>
-<td>Checks if the string provided in value is contained in
-the property. There must be an exact match, wildcards are not supported.</td>
-</tr>
-<tr>
-<td>isequal</td>
-<td>Compares the "value" string provided and the property
-contents. These two values must be exactly equal to match. The
-difference to contains is that contains searches for the value anywhere
-inside the property value, whereas all characters must be identical for
-isequal. As such, isequal is most useful for fields like syslogtag or
-FROMHOST, where you probably know the exact contents.</td>
-</tr>
-<tr>
-<td>startswith</td>
-<td>Checks if the value is found exactly at the beginning
-of the property value. For example, if you search for "val" with
-<p><code><b>:msg, startswith, "val"</b></code></p>
-<p>it will be a match if msg contains "values are in this
-message" but it won't match if the msg contains "There are values in
-this message" (in the later case, contains would match). Please note
-that "startswith" is by far faster than regular expressions. So even
-once they are implemented, it can make very much sense
-(performance-wise) to use "startswith".</p>
-</td>
-</tr>
-<tr>
-<td>regex</td>
-<td>Compares the property against the provided POSIX
-regular
-expression.</td>
-</tr>
-</tbody>
-</table>
-<p>You can use the bang-character (!) immediately in front of a
-compare-operation, the outcome of this operation is negated. For
-example, if msg contains "This is an informative message", the
-following sample would not match:</p>
-<p><code><b>:msg, contains, "error"</b></code></p>
-<p>but this one matches:</p>
-<p><code><b>:msg, !contains, "error"</b></code></p>
-<p>Using negation can be useful if you would like to do some
-generic processing but exclude some specific events. You can use the
-discard action in conjunction with that. A sample would be:</p>
-<p><code><b>*.*
-/var/log/allmsgs-including-informational.log<br>
-:msg, contains, "informational"&nbsp; <font color="#ff0000" size="4">~</font>
-<br>
-*.* /var/log/allmsgs-but-informational.log</b></code></p>
-<p>Do not overlook the red tilde in line 2! In this sample, all
-messages are written to the file allmsgs-including-informational.log.
-Then, all messages containing the string "informational" are discarded.
-That means the config file lines below the "discard line" (number 2 in
-our sample) will not be applied to this message. Then, all remaining
-lines will also be written to the file allmsgs-but-informational.log.</p>
-<p><b>Value</b> is a quoted string. It supports some
-escape sequences:</p>
-<p>\" - the quote character (e.g. "String with \"Quotes\"")<br>
-\\ - the backslash character (e.g. "C:\\tmp")</p>
-<p>Escape sequences always start with a backslash. Additional
-escape sequences might be added in the future. Backslash characters <b>must</b>
-be escaped. Any other sequence then those outlined above is invalid and
-may lead to unpredictable results.</p>
-<p>Probably, "msg" is the most prominent use case of property
-based filters. It is the actual message text. If you would like to
-filter based on some message content (e.g. the presence of a specific
-code), this can be done easily by:</p>
-<p><code><b>:msg, contains, "ID-4711"</b></code></p>
-<p>This filter will match when the message contains the string
-"ID-4711". Please note that the comparison is case-sensitive, so it
-would not match if "id-4711" would be contained in the message.</p>
-<p><code><b>:msg, regex, "fatal .* error"</b></code></p>
-<p>This filter uses a POSIX regular expression. It matches when
-the
-string contains the words "fatal" and "error" with anything in between
-(e.g. "fatal net error" and "fatal lib error" but not "fatal error" as
-two spaces are required by the regular expression!).</p>
-<p>Getting property-based filters right can sometimes be
-challenging. In order to help you do it with as minimal effort as
-possible, rsyslogd spits out debug information for all property-based
-filters during their evaluation. To enable this, run rsyslogd in
-foreground and specify the "-d" option.</p>
-<p>Boolean operations inside property based filters (like
-'message contains "ID17" or message contains "ID18"') are currently not
-supported (except for "not" as outlined above). Please note that while
-it is possible to query facility and severity via property-based
-filters, it is far more advisable to use classic selectors (see above)
-for those cases.</p>
-<h3>Expression-Based Filters</h3>
-Expression based filters allow
-filtering on arbitrary complex expressions, which can include boolean,
-arithmetic and string operations. Expression filters will evolve into a
-full configuration scripting language. Unfortunately, their syntax will
-slightly change during that process. So if you use them now, you need
-to be prepared to change your configuration files some time later.
-However, we try to implement the scripting facility as soon as possible
-(also in respect to stage work needed). So the window of exposure is
-probably not too long.<br>
-<br>
-Expression based filters are indicated by the keyword "if" in column 1
-of a new line. They have this format:<br>
-<br>
-if expr then action-part-of-selector-line<br>
-<br>
-"If" and "then" are fixed keywords that mus be present. "expr" is a
-(potentially quite complex) expression. So the <a href="expression.h">expression documentation</a> for
-details. "action-part-of-selector-line" is an action, just as you know
-it (e.g. "/var/log/logfile" to write to that file).<br>
-<br>
-A few quick samples:<br>
-<br>
-<code>
-*.* /var/log/file1 # the traditional way<br>
-if $msg contains 'error' /var/log/errlog # the expression-based way<br>
-</code>
-<br>
-Right now, you need to specify numerical values if you would like to
-check for facilities and severity. These can be found in <a href="http://www.ietf.org/rfc/rfc3164.txt">RFC 3164</a>.
-If you don't like that, you can of course also use the textual property
-- just be sure to use the right one. As expression support is enhanced,
-this will change. For example, if you would like to filter on message
-that have facility local0, start with "DEVNAME" and have either
-"error1" or "error0" in their message content, you could use the
-following filter:<br>
-<br>
-<code>
-if $syslogfacility-text == 'local0' and $msg
-startswith 'DEVNAME' and ($msg contains 'error1' or $msg contains
-'error0') then /var/log/somelog<br>
-</code>
-<br>
-Please note that the above <span style="font-weight: bold;">must
-all be on one line</span>! And if you would like to store all
-messages except those that contain "error1" or "error0", you just need
-to add a "not":<br>
-<br>
-<code>
-if $syslogfacility-text == 'local0' and $msg
-startswith 'DEVNAME' and <span style="font-weight: bold;">not</span>
-($msg contains 'error1' or $msg contains
-'error0') then /var/log/somelog<br>
-</code>
-<br>
-If you would like to do case-insensitive comparisons, use
-"contains_i" instead of "contains" and "startswith_i" instead of
-"startswith".<br>
-<br>
-Note that regular expressions are currently NOT
-supported in expression-based filters. These will be added later when
-function support is added to the expression engine (the reason is that
-regular expressions will be a separate loadable module, which requires
-some more prequisites before it can be implemented).<br>
-<h2>ACTIONS</h2>
-<p>The action field of a rule describes what to do with the
-message. In general, message content is written to a kind of "logfile".
-But also other actions might be done, like writing to a database table
-or forwarding to another host.<br>
-<br>
-Templates can be used with all actions. If used, the specified template
-is used to generate the message content (instead of the default
-template). To specify a template, write a semicolon after the action
-value immediately followed by the template name.<br>
-<br>
-Beware: templates MUST be defined BEFORE they are used. It is OK to
-define some templates, then use them in selector lines, define more
-templates and use use them in the following selector lines. But it is
-NOT permitted to use a template in a selector line that is above its
-definition. If you do this, the action will be ignored.</p>
-<p><b>You can have multiple actions for a single selector </b>&nbsp;(or
-more precisely a single filter of such a selector line). Each action
-must be on its own line and the line must start with an ampersand
-('&amp;') character and have no filters. An example would be</p>
-<p><code><b>*.=crit rger<br>
-&amp; root<br>
-&amp; /var/log/critmsgs</b></code></p>
-<p>These three lines send critical messages to the user rger and
-root and also store them in /var/log/critmsgs. <b>Using multiple
-actions per selector is</b> convenient and also <b>offers
-a performance benefit</b>. As the filter needs to be evaluated
-only once, there is less computation required to process the directive
-compared to the otherwise-equal config directives below:</p>
-<p><code><b>*.=crit rger<br>
-*.=crit root<br>
-*.=crit /var/log/critmsgs</b></code></p>
-<p>&nbsp;</p>
-<h3>Regular File</h3>
-<p>Typically messages are logged to real files. The file has to
-be specified with full pathname, beginning with a slash "/''.<br>
-<br>
-You may prefix each entry with the minus "-'' sign to omit syncing the
-file after every logging. Note that you might lose information if the
-system crashes right behind a write attempt. Nevertheless this might
-give you back some performance, especially if you run programs that use
-logging in a very verbose manner.</p>
-<p>If your system is connected to a reliable UPS and you receive
-lots of log data (e.g. firewall logs), it might be a very good idea to
-turn of
-syncing by specifying the "-" in front of the file name. </p>
-<p><b>The filename can be either static </b>(always
-the same) or <b>dynamic</b> (different based on message
-received). The later is useful if you would automatically split
-messages into different files based on some message criteria. For
-example, dynamic file name selectors allow you to split messages into
-different files based on the host that sent them. With dynamic file
-names, everything is automatic and you do not need any filters. </p>
-<p>It works via the template system. First, you define a template
-for the file name. An example can be seen above in the description of
-template. We will use the "DynFile" template defined there. Dynamic
-filenames are indicated by specifying a questions mark "?" instead of a
-slash, followed by the template name. Thus, the selector line for our
-dynamic file name would look as follows:</p>
-<blockquote>
-<code>*.* ?DynFile</code>
-</blockquote>
-<p>That's all you need to do. Rsyslog will now automatically
-generate file names for you and store the right messages into the right
-files. Please note that the minus sign also works with dynamic file
-name selectors. Thus, to avoid syncing, you may use</p>
-<blockquote>
-<code>*.* -?DynFile</code></blockquote>
-<p>And of course you can use templates to specify the output
-format:</p>
-<blockquote>
-<code>*.* ?DynFile;MyTemplate</code></blockquote>
-<p><b>A word of caution:</b> rsyslog creates files as
-needed. So if a new host is using your syslog server, rsyslog will
-automatically create a new file for it.</p>
-<p><b>Creating directories is also supported</b>. For
-example you can use the hostname as directory and the program name as
-file name:</p>
-<blockquote>
-<code>$template DynFile,"/var/log/%HOSTNAME%/%programname%.log"</code></blockquote>
-<h3>Named Pipes</h3>
-<p>This version of rsyslogd(8) has support for logging output to
-named pipes (fifos). A fifo or named pipe can be used as a destination
-for log messages by prepending a pipe symbol ("|'') to the name of the
-file. This is handy for debugging. Note that the fifo must be created
-with the mkfifo(1) command before rsyslogd(8) is started.</p>
-<h3>Terminal and Console</h3>
-<p>If the file you specified is a tty, special tty-handling is
-done, same with /dev/console.</p>
-<h3>Remote Machine</h3>
-<p>Rsyslogd provides full remote logging, i.e. is able to send
-messages to a remote host running rsyslogd(8) and to receive messages
-from remote hosts. Using this feature you're able to control all syslog
-messages on one host, if all other machines will log remotely to that.
-This tears down<br>
-administration needs.<br>
-<br>
-<b>Please note that this version of rsyslogd by default does NOT
-forward messages it has received from the network to another host.
-Specify the "-h" option to enable this.</b></p>
-<p>To forward messages to another host, prepend the hostname with
-the at sign ("@"). A single at sign means that messages will
-be forwarded via UDP protocol (the standard for syslog). If you prepend
-two at signs ("@@"), the messages will be transmitted via TCP. Please
-note that plain TCP based syslog is not officially standardized, but
-most major syslogds support it (e.g. syslog-ng or WinSyslog). The
-forwarding action indicator (at-sign) can be followed by one or more
-options. If they are given, they must be immediately (without a space)
-following the final at sign and be enclosed in parenthesis. The
-individual options must be separated by commas. The following options
-are right now defined:</p>
-<table id="table2" border="1" width="100%">
-<tbody>
-<tr>
-<td>
-<p align="center"><b>z&lt;number&gt;</b></p>
-</td>
-<td>Enable zlib-compression for the message. The
-&lt;number&gt; is the compression level. It can be 1 (lowest
-gain, lowest CPU overhead) to 9 (maximum compression, highest CPU
-overhead). The level can also be 0, which means "no compression". If
-given, the "z" option is ignored. So this does not make an awful lot of
-sense. There is hardly a difference between level 1 and 9 for typical
-syslog messages. You can expect a compression gain between 0% and 30%
-for typical messages. Very chatty messages may compress up to 50%, but
-this is seldom seen with typically traffic. Please note that rsyslogd
-checks the compression gain. Messages with 60 bytes or less will never
-be compressed. This is because compression gain is pretty unlikely and
-we prefer to save CPU cycles. Messages over that size are always
-compressed. However, it is checked if there is a gain in compression
-and only if there is, the compressed message is transmitted. Otherwise,
-the uncompressed messages is transmitted. This saves the receiver CPU
-cycles for decompression. It also prevents small message to actually
-become larger in compressed form.
-<p><b>Please note that when a TCP transport is used,
-compression will also turn on syslog-transport-tls framing. See the "o"
-option for important information on the implications.</b></p>
-<p>Compressed messages are automatically detected and
-decompressed by the receiver. There is nothing that needs to be
-configured on the receiver side.</p>
-</td>
-</tr>
-<tr>
-<td>
-<p align="center"><b>o</b></p>
-</td>
-<td><b>This option is experimental. Use at your own
-risk and only if you know why you need it! If in doubt, do NOT turn it
-on.</b>
-<p>This option is only valid for plain TCP based
-transports. It selects a different framing based on IETF internet draft
-syslog-transport-tls-06. This framing offers some benefits over
-traditional LF-based framing. However, the standardization effort is
-not yet complete. There may be changes in upcoming versions of this
-standard. Rsyslog will be kept in line with the standard. There is some
-chance that upcoming changes will be incompatible to the current
-specification. In this case, all systems using -transport-tls framing
-must be upgraded. There will be no effort made to retain compatibility
-between different versions of rsyslog. The primary reason for that is
-that it seems technically impossible to provide compatibility between
-some of those changes. So you should take this note very serious. It is
-not something we do not *like* to do (and may change our mind if enough
-people beg...), it is something we most probably *can not* do for
-technical reasons (aka: you can beg as much as you like, it won't
-change anything...).</p>
-<p>The most important implication is that compressed syslog
-messages via TCP must be considered with care. Unfortunately, it is
-technically impossible to transfer compressed records over traditional
-syslog plain tcp transports, so you are left with two evil choices...</p>
-</td>
-</tr>
-</tbody>
-</table>
-<p><br>
-The hostname may be followed by a colon and the destination port.</p>
-<p>The following is an example selector line with forwarding:</p>
-<p>*.*&nbsp;&nbsp;&nbsp; @@(o,z9)192.168.0.1:1470</p>
-<p>In this example, messages are forwarded via plain TCP with
-experimental framing and maximum compression to the host 192.168.0.1 at
-port 1470.</p>
-<p>*.* @192.168.0.1</p>
-<p>In the example above, messages are forwarded via UDP to the
-machine 192.168.0.1, the destination port defaults to 514. Messages
-will not be compressed.</p>
-<p>Note that IPv6 addresses contain colons. So if an IPv6 address is specified
-in the hostname part, rsyslogd could not detect where the IP address ends
-and where the port starts. There is a syntax extension to support this:
-put squary brackets around the address (e.g. "[2001::1]"). Square
-brackets also work with real host names and IPv4 addresses, too.
-<p>A valid sample to send messages to the IPv6 host 2001::1 at port 515
-is as follows:
-<p>*.* @[2001::1]:515
-<p>This works with TCP, too.
-<p><b>Note to sysklogd users:</b> sysklogd does <b>not</b>
-support RFC 3164 format, which is the default forwarding template in
-rsyslog. As such, you will experience duplicate hostnames if rsyslog is
-the sender and sysklogd is the receiver. The fix is simple: you need to
-use a different template. Use that one:</p>
-<p class="MsoPlainText">$template
-sysklogd,"&lt;%PRI%&gt;%TIMESTAMP% %syslogtag%%msg%\""<br>
-*.* @192.168.0.1;sysklogd</p>
-<h3>List of Users</h3>
-<p>Usually critical messages are also directed to "root'' on
-that machine. You can specify a list of users that shall get the
-message by simply writing the login. You may specify more than one user
-by separating them with commas (",''). If they're logged in they get
-the message. Don't think a mail would be sent, that might be too late.</p>
-<h3>Everyone logged on</h3>
-<p>Emergency messages often go to all users currently online to
-notify them that something strange is happening with the system. To
-specify this wall(1)-feature use an asterisk ("*'').</p>
-<h3>Call Plugin</h3>
-<p>This is a generic way to call an output plugin. The plugin
-must support this functionality. Actual parameters depend on the
-module, so see the module's doc on what to supply. The general syntax
-is as follows:</p>
-<p>:modname:params;template</p>
-<p>Currently, the ommysql database output module supports this
-syntax (in addtion to the "&gt;" syntax it traditionally
-supported). For ommysql, the module name is "ommysql" and the params
-are the traditional ones. The ;template part is not module specific, it
-is generic rsyslog functionality available to all modules.</p>
-<p>As an example, the ommysql module may be called as follows:</p>
-<p>:ommysql:dbhost,dbname,dbuser,dbpassword;dbtemplate</p>
-<p>For details, please see the "Database Table" section of this
-documentation.</p>
-<p>Note: as of this writing, the ":modname:" part is hardcoded
-into the module. So the name to use is not necessarily the name the
-module's plugin file is called.</p>
-<h3>Database Table</h3>
-<p>This allows logging of the message to a database table.
-Currently, only MySQL databases are supported. However, other database
-drivers will most probably be developed as plugins. By default, a <a href="http://www.monitorware.com/">MonitorWare</a>-compatible
-schema is required for this to work. You can create that schema with
-the createDB.SQL file that came with the rsyslog package. You can also<br>
-use any other schema of your liking - you just need to define a proper
-template and assign this template to the action.<br>
-<br>
-The database writer is called by specifying a greater-then sign
-("&gt;") in front of the database connect information. Immediately
-after that<br>
-sign the database host name must be given, a comma, the database name,
-another comma, the database user, a comma and then the user's password.
-If a specific template is to be used, a semicolon followed by the
-template name can follow the connect information. This is as follows:<br>
-<br>
-&gt;dbhost,dbname,dbuser,dbpassword;dbtemplate</p>
-<p><b>Important: to use the database functionality, the
-MySQL output module must be loaded in the config file</b> BEFORE
-the first database table action is used. This is done by placing the</p>
-<p><code><b>$ModLoad ommysql</b></code></p>
-<p>directive some place above the first use of the database write
-(we recommend doing at the the beginning of the config file).</p>
-<h3>Discard</h3>
-<p>If the discard action is carried out, the received message is
-immediately discarded. No further processing of it occurs. Discard has
-primarily been added to filter out messages before carrying on any
-further processing. For obvious reasons, the results of "discard" are
-depending on where in the configuration file it is being used. Please
-note that once a message has been discarded there is no way to retrieve
-it in later configuration file lines.</p>
-<p>Discard can be highly effective if you want to filter out some
-annoying messages that otherwise would fill your log files. To do that,
-place the discard actions early in your log files. This often plays
-well with property-based filters, giving you great freedom in
-specifying what you do not want.</p>
-<p>Discard is just the single tilde character with no further
-parameters:</p>
-<p>~</p>
-<p>For example,</p>
-<p>*.*&nbsp;&nbsp; ~</p>
-<p>discards everything (ok, you can achive the same by not
-running rsyslogd at all...).</p>
-<h3>Output Channel</h3>
-<p>Binds an output channel definition (see there for details) to
-this action. Output channel actions must start with a $-sign, e.g. if
-you would like to bind your output channel definition "mychannel" to
-the action, use "$mychannel". Output channels support template
-definitions like all all other actions.</p>
-<h3>Shell Execute</h3>
-<p>This executes a program in a subshell. The program is passed
-the template-generated message as the only command line parameter.
-Rsyslog waits until the program terminates and only then continues to
-run.</p>
-<p>^program-to-execute;template</p>
-<p>The program-to-execute can be any valid executable. It
-receives the template string as a single parameter (argv[1]).</p>
-<p><b>WARNING:</b> The Shell Execute action was added
-to serve an urgent need. While it is considered reasonable save when
-used with some thinking, its implications must be considered. The
-current implementation uses a system() call to execute the command.
-This is not the best way to do it (and will hopefully changed in
-further releases). Also, proper escaping of special characters is done
-to prevent command injection. However, attackers always find smart ways
-to circumvent escaping, so we can not say if the escaping applied will
-really safe you from all hassles. Lastly, rsyslog will wait until the
-shell command terminates. Thus, a program error in it (e.g. an infinite
-loop) can actually disable rsyslog. Even without that, during the
-programs run-time no messages are processed by rsyslog. As the IP
-stacks buffers are quickly overflowed, this bears an increased risk of
-message loss. You must be aware of these implications. Even though they
-are severe, there are several cases where the "shell execute" action is
-very useful. This is the reason why we have included it in its current
-form. To mitigate its risks, always a) test your program thoroughly, b)
-make sure its runtime is as short as possible (if it requires a longer
-run-time, you might want to spawn your own sub-shell asynchronously),
-c) apply proper firewalling so that only known senders can send syslog
-messages to rsyslog. Point c) is especially important: if rsyslog is
-accepting message from any hosts, chances are much higher that an
-attacker might try to exploit the "shell execute" action.</p>
-<h2>TEMPLATE NAME</h2>
-<p>Every ACTION can be followed by a template name. If so, that
-template is used for message formatting. If no name is given, a
-hard-coded default template is used for the action. There can only be
-one template name for each given action. The default template is
-specific to each action. For a description of what a template is and
-what you can do with it, see "TEMPLATES" at the top of this document.</p>
-<h2>EXAMPLES</h2>
-<p>Below are example for templates and selector lines. I hope
+<h2><a href="rsyslog_conf_templates.html">Templates</a></h2>
+<h2><a href="rsyslog_conf_output.html">Output Channels</a></h2>
+<h2><a href="rsyslog_conf_filter.html">Filter Conditions</a></h2>
+<h2><a href="rsyslog_conf_actions.html">Actions</a></h2>
+<h2><a href="rsyslog_conf_examples.html">Examples</a></h2>
+<p>Here you will find examples for templates and selector lines. I hope
they are self-explanatory. If not, please see
www.monitorware.com/rsyslog/ for advise.</p>
-<h3>TEMPLATES</h3>
-<p>Please note that the samples are split across multiple lines.
-A template MUST NOT actually be split across multiple lines.<br>
-<br>
-A template that resembles traditional syslogd file output:<br>
-$template TraditionalFormat,"%timegenerated% %HOSTNAME%<br>
-%syslogtag%%msg:::drop-last-lf%\n"<br>
-<br>
-A template that tells you a little more about the message:<br>
-$template
-precise,"%syslogpriority%,%syslogfacility%,%timegenerated%,%HOSTNAME%,<br>
-%syslogtag%,%msg%\n"<br>
-<br>
-A template for RFC 3164 format:<br>
-$template RFC3164fmt,"&lt;%PRI%&gt;%TIMESTAMP% %HOSTNAME%
-%syslogtag%%msg%"<br>
-<br>
-A template for the format traditonally used for user messages:<br>
-$template usermsg," XXXX%syslogtag%%msg%\n\r"<br>
-<br>
-And a template with the traditonal wall-message format:<br>
-$template wallmsg,"\r\n\7Message from syslogd@%HOSTNAME% at
-%timegenerated%<br>
-<br>
-A template that can be used for the database write (please note the SQL<br>
-template option)<br>
-$template MySQLInsert,"insert iut, message, receivedat values<br>
-('%iut%', '%msg:::UPPERCASE%', '%timegenerated:::date-mysql%')<br>
-into systemevents\r\n", SQL<br>
-<br>
-The following template emulates <a href="http://www.winsyslog.com/en/">WinSyslog</a>
-format (it's an <a href="http://www.adiscon.com/en/">Adiscon</a>
-format, you do not feel bad if you don't know it ;)). It's interesting
-to see how it takes different parts out of the date stamps. What
-happens is that the date stamp is split into the actual date and time
-and the these two are combined with just a comma in between them.<br>
-<br>
-$template WinSyslogFmt,"%HOSTNAME%,%timegenerated:1:10:date-rfc3339%,<br>
-%timegenerated:12:19:date-rfc3339%,%timegenerated:1:10:date-rfc3339%,<br>
-%timegenerated:12:19:date-rfc3339%,%syslogfacility%,%syslogpriority%,<br>
-%syslogtag%%msg%\n"</p>
-<h3>SELECTOR LINES</h3>
-<p># Store critical stuff in critical<br>
-#<br>
-*.=crit;kern.none /var/adm/critical<br>
-<br>
-This will store all messages with the priority crit in the file
-/var/adm/critical, except for any kernel message.<br>
-<br>
-<br>
-# Kernel messages are first, stored in the kernel<br>
-# file, critical messages and higher ones also go<br>
-# to another host and to the console. Messages to<br>
-# the host finlandia are forwarded in RFC 3164<br>
-# format (using the template defined above).<br>
-#<br>
-kern.* /var/adm/kernel<br>
-kern.crit @finlandia;RFC3164fmt<br>
-kern.crit /dev/console<br>
-kern.info;kern.!err /var/adm/kernel-info<br>
-<br>
-The first rule direct any message that has the kernel facility to the
-file /var/adm/kernel.<br>
-<br>
-The second statement directs all kernel messages of the priority crit
-and higher to the remote host finlandia. This is useful, because if the
-host crashes and the disks get irreparable errors you might not be able
-to read the stored messages. If they're on a remote host, too, you
-still can try to find out the reason for the crash.<br>
-<br>
-The third rule directs these messages to the actual console, so the
-person who works on the machine will get them, too.<br>
-<br>
-The fourth line tells rsyslogd to save all kernel messages that come
-with priorities from info up to warning in the file
-/var/adm/kernel-info. Everything from err and higher is excluded.<br>
-<br>
-<br>
-# The tcp wrapper loggs with mail.info, we display<br>
-# all the connections on tty12<br>
-#<br>
-mail.=info /dev/tty12<br>
-<br>
-This directs all messages that uses mail.info (in source LOG_MAIL |
-LOG_INFO) to /dev/tty12, the 12th console. For example the tcpwrapper
-tcpd(8) uses this as it's default.<br>
-<br>
-<br>
-# Store all mail concerning stuff in a file<br>
-#<br>
-mail.*;mail.!=info /var/adm/mail<br>
-<br>
-This pattern matches all messages that come with the mail facility,
-except for the info priority. These will be stored in the file
-/var/adm/mail.<br>
-<br>
-<br>
-# Log all mail.info and news.info messages to info<br>
-#<br>
-mail,news.=info /var/adm/info<br>
-<br>
-This will extract all messages that come either with mail.info or with
-news.info and store them in the file /var/adm/info.<br>
-<br>
-<br>
-# Log info and notice messages to messages file<br>
-#<br>
-*.=info;*.=notice;\<br>
-mail.none /var/log/messages<br>
-<br>
-This lets rsyslogd log all messages that come with either the info or
-the notice facility into the file /var/log/messages, except for all<br>
-messages that use the mail facility.<br>
-<br>
-<br>
-# Log info messages to messages file<br>
-#<br>
-*.=info;\<br>
-mail,news.none /var/log/messages<br>
-<br>
-This statement causes rsyslogd to log all messages that come with the
-info priority to the file /var/log/messages. But any message coming
-either with the mail or the news facility will not be stored.<br>
-<br>
-<br>
-# Emergency messages will be displayed using wall<br>
-#<br>
-*.=emerg *<br>
-<br>
-This rule tells rsyslogd to write all emergency messages to all
-currently logged in users. This is the wall action.<br>
-<br>
-<br>
-# Messages of the priority alert will be directed<br>
-# to the operator<br>
-#<br>
-*.alert root,rgerhards<br>
-<br>
-This rule directs all messages with a priority of alert or higher to
-the terminals of the operator, i.e. of the users "root'' and
-"rgerhards'' if they're logged in.<br>
-<br>
-<br>
-*.* @finlandia<br>
-<br>
-This rule would redirect all messages to a remote host called
-finlandia. This is useful especially in a cluster of machines where all
-syslog messages will be stored on only one machine.<br>
-<br>
-In the format shown above, UDP is used for transmitting the message.
-The destination port is set to the default auf 514. Rsyslog is also
-capable of using much more secure and reliable TCP sessions for message
-forwarding. Also, the destination port can be specified. To select TCP,
-simply add one additional @ in front of the host name (that is, @host
-is UPD, @@host is TCP). For example:<br>
-<br>
-<br>
-*.* @@finlandia<br>
-<br>
-To specify the destination port on the remote machine, use a colon
-followed by the port number after the machine name. The following
-forwards to port 1514 on finlandia:<br>
-<br>
-<br>
-*.* @@finlandia:1514<br>
-<br>
-This syntax works both with TCP and UDP based syslog. However, you will
-probably primarily need it for TCP, as there is no well-accepted port
-for this transport (it is non-standard). For UDP, you can usually stick
-with the default auf 514, but might want to modify it for security rea-<br>
-sons. If you would like to do that, it's quite easy:<br>
-<br>
-<br>
-*.* @finlandia:1514<br>
-<br>
-<br>
-<br>
-*.* &gt;dbhost,dbname,dbuser,dbpassword;dbtemplate<br>
-<br>
-This rule writes all message to the database "dbname" hosted on
-"dbhost". The login is done with user "dbuser" and password
-"dbpassword". The actual table that is updated is specified within the
-template (which contains the insert statement). The template is called
-"dbtemplate" in this case.</p>
-<p>:msg,contains,"error" @errorServer</p>
-<p>This rule forwards all messages that contain the word "error"
-in the msg part to the server "errorServer". Forwarding is via UDP.
-Please note the colon in fron</p>
-<h2>CONFIGURATION FILE SYNTAX DIFFERENCES</h2>
+<h2>Configuration File Syntax Differences</h2>
<p>Rsyslogd uses a slightly different syntax for its
configuration file than the original BSD sources. Originally all
messages of a specific priority and above were forwarded to the log
@@ -1256,4 +68,15 @@ additional
<a href="features.html">features</a> (like template
and database support). For obvious reasons, the syntax for defining
such features is available in rsyslogd, only.</p>
-</body></html>
+
+<p>[<a href="rsyslog_conf.html">back to top</a>]
+[<a href="manual.html">manual index</a>]
+[<a href="http://www.rsyslog.com/">rsyslog site</a>]</p>
+<p><font size="2">This documentation is part of the
+<a href="http://www.rsyslog.com/">rsyslog</a> project.<br>
+Copyright &copy; 2008 by <a href="http://www.gerhards.net/rainer">Rainer Gerhards</a> and
+<a href="http://www.adiscon.com/">Adiscon</a>. Released under the GNU GPL
+version 2 or higher.</font></p>
+</body>
+</html>
+>
diff --git a/doc/rsyslog_conf_actions.html b/doc/rsyslog_conf_actions.html
new file mode 100644
index 00000000..2ef3f4b0
--- /dev/null
+++ b/doc/rsyslog_conf_actions.html
@@ -0,0 +1,336 @@
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
+<html><head><title>Actions - rsyslog.conf</title></head>
+<body>
+<p>This is a part of the rsyslog.conf documentation.</p>
+<a href="rsyslog_conf.html">back</a>
+<h2>Actions</h2>
+<p>The action field of a rule describes what to do with the
+message. In general, message content is written to a kind of "logfile".
+But also other actions might be done, like writing to a database table
+or forwarding to another host.<br>
+<br>
+Templates can be used with all actions. If used, the specified template
+is used to generate the message content (instead of the default
+template). To specify a template, write a semicolon after the action
+value immediately followed by the template name.<br>
+<br>
+Beware: templates MUST be defined BEFORE they are used. It is OK to
+define some templates, then use them in selector lines, define more
+templates and use use them in the following selector lines. But it is
+NOT permitted to use a template in a selector line that is above its
+definition. If you do this, the action will be ignored.</p>
+<p><b>You can have multiple actions for a single selector </b>&nbsp;(or
+more precisely a single filter of such a selector line). Each action
+must be on its own line and the line must start with an ampersand
+('&amp;') character and have no filters. An example would be</p>
+<p><code><b>*.=crit rger<br>
+&amp; root<br>
+&amp; /var/log/critmsgs</b></code></p>
+<p>These three lines send critical messages to the user rger and
+root and also store them in /var/log/critmsgs. <b>Using multiple
+actions per selector is</b> convenient and also <b>offers
+a performance benefit</b>. As the filter needs to be evaluated
+only once, there is less computation required to process the directive
+compared to the otherwise-equal config directives below:</p>
+<p><code><b>*.=crit rger<br>
+*.=crit root<br>
+*.=crit /var/log/critmsgs</b></code></p>
+<p>&nbsp;</p>
+<h3>Regular File</h3>
+<p>Typically messages are logged to real files. The file has to
+be specified with full pathname, beginning with a slash "/''.<br>
+<br>
+<br>
+You may prefix each entry with the minus "-'' sign to omit syncing the
+file after every logging. Note that you might lose information if the
+system crashes right behind a write attempt. Nevertheless this might
+give you back some performance, especially if you run programs that use
+logging in a very verbose manner.</p>
+<p>If your system is connected to a reliable UPS and you receive
+lots of log data (e.g. firewall logs), it might be a very good idea to
+turn of
+syncing by specifying the "-" in front of the file name. </p>
+<p><b>The filename can be either static </b>(always
+the same) or <b>dynamic</b> (different based on message
+received). The later is useful if you would automatically split
+messages into different files based on some message criteria. For
+example, dynamic file name selectors allow you to split messages into
+different files based on the host that sent them. With dynamic file
+names, everything is automatic and you do not need any filters. </p>
+<p>It works via the template system. First, you define a template
+for the file name. An example can be seen above in the description of
+template. We will use the "DynFile" template defined there. Dynamic
+filenames are indicated by specifying a questions mark "?" instead of a
+slash, followed by the template name. Thus, the selector line for our
+dynamic file name would look as follows:</p>
+<blockquote>
+<code>*.* ?DynFile</code>
+</blockquote>
+<p>That's all you need to do. Rsyslog will now automatically
+generate file names for you and store the right messages into the right
+files. Please note that the minus sign also works with dynamic file
+name selectors. Thus, to avoid syncing, you may use</p>
+<blockquote>
+<code>*.* -?DynFile</code></blockquote>
+<p>And of course you can use templates to specify the output
+format:</p>
+<blockquote>
+<code>*.* ?DynFile;MyTemplate</code></blockquote>
+<p><b>A word of caution:</b> rsyslog creates files as
+needed. So if a new host is using your syslog server, rsyslog will
+automatically create a new file for it.</p>
+<p><b>Creating directories is also supported</b>. For
+example you can use the hostname as directory and the program name as
+file name:</p>
+<blockquote>
+<code>$template DynFile,"/var/log/%HOSTNAME%/%programname%.log"</code></blockquote>
+<h3>Named Pipes</h3>
+<p>This version of rsyslogd(8) has support for logging output to
+named pipes (fifos). A fifo or named pipe can be used as a destination
+for log messages by prepending a pipe symbol ("|'') to the name of the
+file. This is handy for debugging. Note that the fifo must be created
+with the mkfifo(1) command before rsyslogd(8) is started.</p>
+<h3>Terminal and Console</h3>
+<p>If the file you specified is a tty, special tty-handling is
+done, same with /dev/console.</p>
+<h3>Remote Machine</h3>
+<p>Rsyslogd provides full remote logging, i.e. is able to send
+messages to a remote host running rsyslogd(8) and to receive messages
+from remote hosts. Using this feature you're able to control all syslog
+messages on one host, if all other machines will log remotely to that.
+This tears down<br>
+administration needs.<br>
+<br>
+<b>Please note that this version of rsyslogd by default does NOT
+forward messages it has received from the network to another host.
+Specify the "-h" option to enable this.</b></p>
+<p>To forward messages to another host, prepend the hostname with
+the at sign ("@"). A single at sign means that messages will
+be forwarded via UDP protocol (the standard for syslog). If you prepend
+two at signs ("@@"), the messages will be transmitted via TCP. Please
+note that plain TCP based syslog is not officially standardized, but
+most major syslogds support it (e.g. syslog-ng or WinSyslog). The
+forwarding action indicator (at-sign) can be followed by one or more
+options. If they are given, they must be immediately (without a space)
+following the final at sign and be enclosed in parenthesis. The
+individual options must be separated by commas. The following options
+are right now defined:</p>
+<table id="table2" border="1" width="100%">
+<tbody>
+<tr>
+<td>
+<p align="center"><b>z&lt;number&gt;</b></p>
+</td>
+<td>Enable zlib-compression for the message. The
+&lt;number&gt; is the compression level. It can be 1 (lowest
+gain, lowest CPU overhead) to 9 (maximum compression, highest CPU
+overhead). The level can also be 0, which means "no compression". If
+given, the "z" option is ignored. So this does not make an awful lot of
+sense. There is hardly a difference between level 1 and 9 for typical
+syslog messages. You can expect a compression gain between 0% and 30%
+for typical messages. Very chatty messages may compress up to 50%, but
+this is seldom seen with typically traffic. Please note that rsyslogd
+checks the compression gain. Messages with 60 bytes or less will never
+be compressed. This is because compression gain is pretty unlikely and
+we prefer to save CPU cycles. Messages over that size are always
+compressed. However, it is checked if there is a gain in compression
+and only if there is, the compressed message is transmitted. Otherwise,
+the uncompressed messages is transmitted. This saves the receiver CPU
+cycles for decompression. It also prevents small message to actually
+become larger in compressed form.
+<p><b>Please note that when a TCP transport is used,
+compression will also turn on syslog-transport-tls framing. See the "o"
+option for important information on the implications.</b></p>
+<p>Compressed messages are automatically detected and
+decompressed by the receiver. There is nothing that needs to be
+configured on the receiver side.</p>
+</td>
+</tr>
+<tr>
+<td>
+<p align="center"><b>o</b></p>
+</td>
+<td><b>This option is experimental. Use at your own
+risk and only if you know why you need it! If in doubt, do NOT turn it
+on.</b>
+<p>This option is only valid for plain TCP based
+transports. It selects a different framing based on IETF internet draft
+syslog-transport-tls-06. This framing offers some benefits over
+traditional LF-based framing. However, the standardization effort is
+not yet complete. There may be changes in upcoming versions of this
+standard. Rsyslog will be kept in line with the standard. There is some
+chance that upcoming changes will be incompatible to the current
+specification. In this case, all systems using -transport-tls framing
+must be upgraded. There will be no effort made to retain compatibility
+between different versions of rsyslog. The primary reason for that is
+that it seems technically impossible to provide compatibility between
+some of those changes. So you should take this note very serious. It is
+not something we do not *like* to do (and may change our mind if enough
+people beg...), it is something we most probably *can not* do for
+technical reasons (aka: you can beg as much as you like, it won't
+change anything...).</p>
+<p>The most important implication is that compressed syslog
+messages via TCP must be considered with care. Unfortunately, it is
+technically impossible to transfer compressed records over traditional
+syslog plain tcp transports, so you are left with two evil choices...</p>
+</td>
+</tr>
+</tbody>
+</table>
+<p><br>
+The hostname may be followed by a colon and the destination port.</p>
+<p>The following is an example selector line with forwarding:</p>
+<p>*.*&nbsp;&nbsp;&nbsp; @@(o,z9)192.168.0.1:1470</p>
+<p>In this example, messages are forwarded via plain TCP with
+experimental framing and maximum compression to the host 192.168.0.1 at
+port 1470.</p>
+<p>*.* @192.168.0.1</p>
+<p>In the example above, messages are forwarded via UDP to the
+machine 192.168.0.1, the destination port defaults to 514. Messages
+will not be compressed.</p>
+<p>Note that IPv6 addresses contain colons. So if an IPv6 address is specified
+in the hostname part, rsyslogd could not detect where the IP address ends
+and where the port starts. There is a syntax extension to support this:
+put squary brackets around the address (e.g. "[2001::1]"). Square
+brackets also work with real host names and IPv4 addresses, too.
+<p>A valid sample to send messages to the IPv6 host 2001::1 at port 515
+is as follows:
+<p>*.* @[2001::1]:515
+<p>This works with TCP, too.
+<p><b>Note to sysklogd users:</b> sysklogd does <b>not</b>
+support RFC 3164 format, which is the default forwarding template in
+rsyslog. As such, you will experience duplicate hostnames if rsyslog is
+the sender and sysklogd is the receiver. The fix is simple: you need to
+use a different template. Use that one:</p>
+<p class="MsoPlainText">$template
+sysklogd,"&lt;%PRI%&gt;%TIMESTAMP% %syslogtag%%msg%\""<br>
+*.* @192.168.0.1;sysklogd</p>
+<h3>List of Users</h3>
+<p>Usually critical messages are also directed to "root'' on
+that machine. You can specify a list of users that shall get the
+message by simply writing the login. You may specify more than one user
+by separating them with commas (",''). If they're logged in they get
+the message. Don't think a mail would be sent, that might be too late.</p>
+<h3>Everyone logged on</h3>
+<p>Emergency messages often go to all users currently online to
+notify them that something strange is happening with the system. To
+specify this wall(1)-feature use an asterisk ("*'').</p>
+<h3>Call Plugin</h3>
+<p>This is a generic way to call an output plugin. The plugin
+must support this functionality. Actual parameters depend on the
+module, so see the module's doc on what to supply. The general syntax
+is as follows:</p>
+<p>:modname:params;template</p>
+<p>Currently, the ommysql database output module supports this
+syntax (in addtion to the "&gt;" syntax it traditionally
+supported). For ommysql, the module name is "ommysql" and the params
+are the traditional ones. The ;template part is not module specific, it
+is generic rsyslog functionality available to all modules.</p>
+<p>As an example, the ommysql module may be called as follows:</p>
+<p>:ommysql:dbhost,dbname,dbuser,dbpassword;dbtemplate</p>
+<p>For details, please see the "Database Table" section of this
+documentation.</p>
+<p>Note: as of this writing, the ":modname:" part is hardcoded
+into the module. So the name to use is not necessarily the name the
+module's plugin file is called.</p>
+<h3>Database Table</h3>
+<p>This allows logging of the message to a database table.
+Currently, only MySQL databases are supported. However, other database
+drivers will most probably be developed as plugins. By default, a <a href="http://www.monitorware.com/">MonitorWare</a>-compatible
+schema is required for this to work. You can create that schema with
+the createDB.SQL file that came with the rsyslog package. You can also<br>
+use any other schema of your liking - you just need to define a proper
+template and assign this template to the action.<br>
+<br>
+The database writer is called by specifying a greater-then sign
+("&gt;") in front of the database connect information. Immediately
+after that<br>
+sign the database host name must be given, a comma, the database name,
+another comma, the database user, a comma and then the user's password.
+If a specific template is to be used, a semicolon followed by the
+template name can follow the connect information. This is as follows:<br>
+<br>
+&gt;dbhost,dbname,dbuser,dbpassword;dbtemplate</p>
+<p><b>Important: to use the database functionality, the
+MySQL output module must be loaded in the config file</b> BEFORE
+the first database table action is used. This is done by placing the</p>
+<p><code><b>$ModLoad ommysql</b></code></p>
+<p>directive some place above the first use of the database write
+(we recommend doing at the the beginning of the config file).</p>
+<h3>Discard</h3>
+<p>If the discard action is carried out, the received message is
+immediately discarded. No further processing of it occurs. Discard has
+primarily been added to filter out messages before carrying on any
+further processing. For obvious reasons, the results of "discard" are
+depending on where in the configuration file it is being used. Please
+note that once a message has been discarded there is no way to retrieve
+it in later configuration file lines.</p>
+<p>Discard can be highly effective if you want to filter out some
+annoying messages that otherwise would fill your log files. To do that,
+place the discard actions early in your log files. This often plays
+well with property-based filters, giving you great freedom in
+specifying what you do not want.</p>
+<p>Discard is just the single tilde character with no further
+parameters:</p>
+<p>~</p>
+<p>For example,</p>
+<p>*.*&nbsp;&nbsp; ~</p>
+<p>discards everything (ok, you can achive the same by not
+running rsyslogd at all...).</p>
+<h3>Output Channel</h3>
+<p>Binds an output channel definition (see there for details) to
+this action. Output channel actions must start with a $-sign, e.g. if
+you would like to bind your output channel definition "mychannel" to
+the action, use "$mychannel". Output channels support template
+definitions like all all other actions.</p>
+<h3>Shell Execute</h3>
+<p>This executes a program in a subshell. The program is passed
+the template-generated message as the only command line parameter.
+Rsyslog waits until the program terminates and only then continues to
+run.</p>
+<p>^program-to-execute;template</p>
+<p>The program-to-execute can be any valid executable. It
+receives the template string as a single parameter (argv[1]).</p>
+<p><b>WARNING:</b> The Shell Execute action was added
+to serve an urgent need. While it is considered reasonable save when
+used with some thinking, its implications must be considered. The
+current implementation uses a system() call to execute the command.
+This is not the best way to do it (and will hopefully changed in
+further releases). Also, proper escaping of special characters is done
+to prevent command injection. However, attackers always find smart ways
+to circumvent escaping, so we can not say if the escaping applied will
+really safe you from all hassles. Lastly, rsyslog will wait until the
+shell command terminates. Thus, a program error in it (e.g. an infinite
+loop) can actually disable rsyslog. Even without that, during the
+programs run-time no messages are processed by rsyslog. As the IP
+stacks buffers are quickly overflowed, this bears an increased risk of
+message loss. You must be aware of these implications. Even though they
+are severe, there are several cases where the "shell execute" action is
+very useful. This is the reason why we have included it in its current
+form. To mitigate its risks, always a) test your program thoroughly, b)
+make sure its runtime is as short as possible (if it requires a longer
+run-time, you might want to spawn your own sub-shell asynchronously),
+c) apply proper firewalling so that only known senders can send syslog
+messages to rsyslog. Point c) is especially important: if rsyslog is
+accepting message from any hosts, chances are much higher that an
+attacker might try to exploit the "shell execute" action.</p>
+<h3>Template Name</h3>
+<p>Every ACTION can be followed by a template name. If so, that
+template is used for message formatting. If no name is given, a
+hard-coded default template is used for the action. There can only be
+one template name for each given action. The default template is
+specific to each action. For a description of what a template is and
+what you can do with it, see "TEMPLATES" at the top of this document.</p>
+
+
+<p>[<a href="manual.html">manual index</a>]
+[<a href="rsyslog_conf.html">rsyslog.conf</a>]
+[<a href="http://www.rsyslog.com/">rsyslog site</a>]</p>
+<p><font size="2">This documentation is part of the
+<a href="http://www.rsyslog.com/">rsyslog</a> project.<br>
+Copyright &copy; 2008 by <a href="http://www.gerhards.net/rainer">Rainer Gerhards</a> and
+<a href="http://www.adiscon.com/">Adiscon</a>. Released under the GNU GPL
+version 2 or higher.</font></p>
+</body>
+</html>
+
diff --git a/doc/rsyslog_conf_examples.html b/doc/rsyslog_conf_examples.html
new file mode 100644
index 00000000..b46460e5
--- /dev/null
+++ b/doc/rsyslog_conf_examples.html
@@ -0,0 +1,209 @@
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
+<html><head><title>Examples - rsyslog.conf</title></head>
+<body>
+<p>This is a part of the rsyslog.conf documentation.</p>
+<a href="rsyslog_conf.html">back</a>
+<h2>Examples</h2>
+<p>Below are example for templates and selector lines. I hope
+they are self-explanatory. If not, please see
+www.monitorware.com/rsyslog/ for advise.</p>
+<h3>TEMPLATES</h3>
+<p>Please note that the samples are split across multiple lines.
+A template MUST NOT actually be split across multiple lines.<br>
+<br>
+A template that resembles traditional syslogd file output:<br>
+$template TraditionalFormat,"%timegenerated% %HOSTNAME%<br>
+%syslogtag%%msg:::drop-last-lf%\n"<br>
+<br>
+A template that tells you a little more about the message:<br>
+$template
+precise,"%syslogpriority%,%syslogfacility%,%timegenerated%,%HOSTNAME%,<br>
+%syslogtag%,%msg%\n"<br>
+<br>
+A template for RFC 3164 format:<br>
+$template RFC3164fmt,"&lt;%PRI%&gt;%TIMESTAMP% %HOSTNAME%
+%syslogtag%%msg%"<br>
+<br>
+A template for the format traditonally used for user messages:<br>
+$template usermsg," XXXX%syslogtag%%msg%\n\r"<br>
+<br>
+And a template with the traditonal wall-message format:<br>
+$template wallmsg,"\r\n\7Message from syslogd@%HOSTNAME% at
+%timegenerated%<br>
+<br>
+A template that can be used for the database write (please note the SQL<br>
+template option)<br>
+$template MySQLInsert,"insert iut, message, receivedat values<br>
+('%iut%', '%msg:::UPPERCASE%', '%timegenerated:::date-mysql%')<br>
+into systemevents\r\n", SQL<br>
+<br>
+The following template emulates <a href="http://www.winsyslog.com/en/">WinSyslog</a>
+format (it's an <a href="http://www.adiscon.com/en/">Adiscon</a>
+format, you do not feel bad if you don't know it ;)). It's interesting
+to see how it takes different parts out of the date stamps. What
+happens is that the date stamp is split into the actual date and time
+and the these two are combined with just a comma in between them.<br>
+<br>
+$template WinSyslogFmt,"%HOSTNAME%,%timegenerated:1:10:date-rfc3339%,<br>
+%timegenerated:12:19:date-rfc3339%,%timegenerated:1:10:date-rfc3339%,<br>
+%timegenerated:12:19:date-rfc3339%,%syslogfacility%,%syslogpriority%,<br>
+%syslogtag%%msg%\n"</p>
+<h3>SELECTOR LINES</h3>
+<p># Store critical stuff in critical<br>
+#<br>
+*.=crit;kern.none /var/adm/critical<br>
+<br>
+This will store all messages with the priority crit in the file
+/var/adm/critical, except for any kernel message.<br>
+<br>
+<br>
+# Kernel messages are first, stored in the kernel<br>
+# file, critical messages and higher ones also go<br>
+# to another host and to the console. Messages to<br>
+# the host finlandia are forwarded in RFC 3164<br>
+# format (using the template defined above).<br>
+#<br>
+kern.* /var/adm/kernel<br>
+kern.crit @finlandia;RFC3164fmt<br>
+kern.crit /dev/console<br>
+kern.info;kern.!err /var/adm/kernel-info<br>
+<br>
+The first rule direct any message that has the kernel facility to the
+file /var/adm/kernel.<br>
+<br>
+The second statement directs all kernel messages of the priority crit
+and higher to the remote host finlandia. This is useful, because if the
+host crashes and the disks get irreparable errors you might not be able
+to read the stored messages. If they're on a remote host, too, you
+still can try to find out the reason for the crash.<br>
+<br>
+The third rule directs these messages to the actual console, so the
+person who works on the machine will get them, too.<br>
+<br>
+The fourth line tells rsyslogd to save all kernel messages that come
+with priorities from info up to warning in the file
+/var/adm/kernel-info. Everything from err and higher is excluded.<br>
+<br>
+<br>
+# The tcp wrapper loggs with mail.info, we display<br>
+# all the connections on tty12<br>
+#<br>
+mail.=info /dev/tty12<br>
+<br>
+This directs all messages that uses mail.info (in source LOG_MAIL |
+LOG_INFO) to /dev/tty12, the 12th console. For example the tcpwrapper
+tcpd(8) uses this as it's default.<br>
+<br>
+<br>
+# Store all mail concerning stuff in a file<br>
+#<br>
+mail.*;mail.!=info /var/adm/mail<br>
+<br>
+This pattern matches all messages that come with the mail facility,
+except for the info priority. These will be stored in the file
+/var/adm/mail.<br>
+<br>
+<br>
+# Log all mail.info and news.info messages to info<br>
+#<br>
+mail,news.=info /var/adm/info<br>
+<br>
+This will extract all messages that come either with mail.info or with
+news.info and store them in the file /var/adm/info.<br>
+<br>
+<br>
+# Log info and notice messages to messages file<br>
+#<br>
+*.=info;*.=notice;\<br>
+mail.none /var/log/messages<br>
+<br>
+This lets rsyslogd log all messages that come with either the info or
+the notice facility into the file /var/log/messages, except for all<br>
+messages that use the mail facility.<br>
+<br>
+<br>
+# Log info messages to messages file<br>
+#<br>
+*.=info;\<br>
+mail,news.none /var/log/messages<br>
+<br>
+This statement causes rsyslogd to log all messages that come with the
+info priority to the file /var/log/messages. But any message coming
+either with the mail or the news facility will not be stored.<br>
+<br>
+<br>
+# Emergency messages will be displayed using wall<br>
+#<br>
+*.=emerg *<br>
+<br>
+This rule tells rsyslogd to write all emergency messages to all
+currently logged in users. This is the wall action.<br>
+<br>
+<br>
+# Messages of the priority alert will be directed<br>
+# to the operator<br>
+#<br>
+*.alert root,rgerhards<br>
+<br>
+This rule directs all messages with a priority of alert or higher to
+the terminals of the operator, i.e. of the users "root'' and
+"rgerhards'' if they're logged in.<br>
+<br>
+<br>
+*.* @finlandia<br>
+<br>
+This rule would redirect all messages to a remote host called
+finlandia. This is useful especially in a cluster of machines where all
+syslog messages will be stored on only one machine.<br>
+<br>
+In the format shown above, UDP is used for transmitting the message.
+The destination port is set to the default auf 514. Rsyslog is also
+capable of using much more secure and reliable TCP sessions for message
+forwarding. Also, the destination port can be specified. To select TCP,
+simply add one additional @ in front of the host name (that is, @host
+is UPD, @@host is TCP). For example:<br>
+<br>
+<br>
+*.* @@finlandia<br>
+<br>
+To specify the destination port on the remote machine, use a colon
+followed by the port number after the machine name. The following
+forwards to port 1514 on finlandia:<br>
+<br>
+<br>
+*.* @@finlandia:1514<br>
+<br>
+This syntax works both with TCP and UDP based syslog. However, you will
+probably primarily need it for TCP, as there is no well-accepted port
+for this transport (it is non-standard). For UDP, you can usually stick
+with the default auf 514, but might want to modify it for security rea-<br>
+sons. If you would like to do that, it's quite easy:<br>
+<br>
+<br>
+*.* @finlandia:1514<br>
+<br>
+<br>
+<br>
+*.* &gt;dbhost,dbname,dbuser,dbpassword;dbtemplate<br>
+<br>
+This rule writes all message to the database "dbname" hosted on
+"dbhost". The login is done with user "dbuser" and password
+"dbpassword". The actual table that is updated is specified within the
+template (which contains the insert statement). The template is called
+"dbtemplate" in this case.</p>
+<p>:msg,contains,"error" @errorServer</p>
+<p>This rule forwards all messages that contain the word "error"
+in the msg part to the server "errorServer". Forwarding is via UDP.
+Please note the colon in fron</p>
+
+<p>[<a href="manual.html">manual index</a>]
+[<a href="rsyslog_conf.html">rsyslog.conf</a>]
+[<a href="http://www.rsyslog.com/">rsyslog site</a>]</p>
+<p><font size="2">This documentation is part of the
+<a href="http://www.rsyslog.com/">rsyslog</a> project.<br>
+Copyright &copy; 2008 by <a href="http://www.gerhards.net/rainer">Rainer Gerhards</a> and
+<a href="http://www.adiscon.com/">Adiscon</a>. Released under the GNU GPL
+version 2 or higher.</font></p>
+</body>
+</html>
+
diff --git a/doc/rsyslog_conf_filter.html b/doc/rsyslog_conf_filter.html
new file mode 100644
index 00000000..55244c15
--- /dev/null
+++ b/doc/rsyslog_conf_filter.html
@@ -0,0 +1,280 @@
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
+<html><head><title>Filter Conditions - rsyslog.conf</title></head>
+<body>
+<p>This is a part of the rsyslog.conf documentation.</p>
+<a href="rsyslog_conf.html">back</a>
+<h2>Filter Conditions</h2>
+<p>Rsyslog offers four different types "filter conditions":</p>
+<ul>
+<li>BSD-style blocks</li>
+<li>"traditional" severity and facility based selectors</li>
+<li>property-based filters</li>
+<li>expression-based filters</li>
+</ul>
+<h3>Blocks</h3>
+<p>Rsyslogd supports BSD-style blocks inside rsyslog.conf. Each
+block of lines is separated from the previous block by a program or
+hostname specification. A block will only log messages corresponding to
+the most recent program and hostname specifications given. Thus, a
+block which selects &#8216;ppp&#8217; as the program, directly followed by a block
+that selects messages from the hostname &#8216;dialhost&#8217;, then the second
+block will only log messages from the ppp program on dialhost.
+</p>
+<p>A program specification is a line beginning with &#8216;!prog&#8217; and
+the following blocks will be associated with calls to syslog from that
+specific program. A program specification for &#8216;foo&#8217; will also match any
+message logged by the kernel with the prefix &#8216;foo: &#8217;. Alternatively, a
+program specification &#8216;-foo&#8217; causes the following blocks to be applied
+to messages from any program but the one specified. A hostname
+specification of the form &#8216;+hostname&#8217; and the following blocks will be
+applied to messages received from the specified hostname.
+Alternatively, a hostname specification &#8216;-hostname&#8217; causes the
+following blocks to be applied to messages from any host but the one
+specified. If the hostname is given as &#8216;@&#8217;, the local hostname will be
+used. (NOT YET IMPLEMENTED) A program or hostname specification may be
+reset by giving the program or hostname as &#8216;*&#8217;.</p>
+<p>Please note that the "#!prog", "#+hostname" and "#-hostname"
+syntax available in BSD syslogd is not supported by rsyslogd. By
+default, no hostname or program is set.</p>
+<h3>Selectors</h3>
+<p><b>Selectors are the traditional way of filtering syslog
+messages.</b> They have been kept in rsyslog with their original
+syntax, because it is well-known, highly effective and also needed for
+compatibility with stock syslogd configuration files. If you just need
+to filter based on priority and facility, you should do this with
+selector lines. They are <b>not</b> second-class citizens
+in rsyslog and offer the best performance for this job.</p>
+<p>The selector field itself again consists of two parts, a
+facility and a priority, separated by a period (".''). Both parts are
+case insensitive and can also be specified as decimal numbers, but
+don't do that, you have been warned. Both facilities and priorities are
+described in rsyslog(3). The names mentioned below correspond to the
+similar LOG_-values in /usr/include/rsyslog.h.<br>
+<br>
+The facility is one of the following keywords: auth, authpriv, cron,
+daemon, kern, lpr, mail, mark, news, security (same as auth), syslog,
+user, uucp and local0 through local7. The keyword security should not
+be used anymore and mark is only for internal use and therefore should
+not be used in applications. Anyway, you may want to specify and
+redirect these messages here. The facility specifies the subsystem that
+produced the message, i.e. all mail programs log with the mail facility
+(LOG_MAIL) if they log using syslog.<br>
+<br>
+The priority is one of the following keywords, in ascending order:
+debug, info, notice, warning, warn (same as warning), err, error (same
+as err), crit, alert, emerg, panic (same as emerg). The keywords error,
+warn and panic are deprecated and should not be used anymore. The
+priority defines the severity of the message.<br>
+<br>
+The behavior of the original BSD syslogd is that all messages of the
+specified priority and higher are logged according to the given action.
+Rsyslogd behaves the same, but has some extensions.<br>
+<br>
+In addition to the above mentioned names the rsyslogd(8) understands
+the following extensions: An asterisk ("*'') stands for all facilities
+or all priorities, depending on where it is used (before or after the
+period). The keyword none stands for no priority of the given facility.<br>
+<br>
+You can specify multiple facilities with the same priority pattern in
+one statement using the comma (",'') operator. You may specify as much
+facilities as you want. Remember that only the facility part from such
+a statement is taken, a priority part would be skipped.</p>
+<p>Multiple selectors may be specified for a single action using
+the semicolon (";'') separator. Remember that each selector in the
+selector field is capable to overwrite the preceding ones. Using this
+behavior you can exclude some priorities from the pattern.</p>
+<p>Rsyslogd has a syntax extension to the original BSD source,
+that makes its use more intuitively. You may precede every priority
+with an equation sign ("='') to specify only this single priority and
+not any of the above. You may also (both is valid, too) precede the
+priority with an exclamation mark ("!'') to ignore all that
+priorities, either exact this one or this and any higher priority. If
+you use both extensions than the exclamation mark must occur before the
+equation sign, just use it intuitively.</p>
+<h3>Property-Based Filters</h3>
+<p>Property-based filters are unique to rsyslogd. They allow to
+filter on any property, like HOSTNAME, syslogtag and msg. A list of all
+currently-supported properties can be found in the <a href="property_replacer.html">property replacer documentation</a>
+(but keep in mind that only the properties, not the replacer is
+supported). With this filter, each properties can be checked against a
+specified value, using a specified compare operation. Currently, there
+is only a single compare operation (contains) available, but additional
+operations will be added in the future.</p>
+<p>A property-based filter must start with a colon in column 0.
+This tells rsyslogd that it is the new filter type. The colon must be
+followed by the property name, a comma, the name of the compare
+operation to carry out, another comma and then the value to compare
+against. This value must be quoted. There can be spaces and tabs
+between the commas. Property names and compare operations are
+case-sensitive, so "msg" works, while "MSG" is an invalid property
+name. In brief, the syntax is as follows:</p>
+<p><code><b>:property, [!]compare-operation, "value"</b></code></p>
+<p>The following <b>compare-operations</b> are
+currently supported:</p>
+<table id="table1" border="1" width="100%">
+<tbody>
+<tr>
+<td>contains</td>
+<td>Checks if the string provided in value is contained in
+the property. There must be an exact match, wildcards are not supported.</td>
+</tr>
+<tr>
+<td>isequal</td>
+<td>Compares the "value" string provided and the property
+contents. These two values must be exactly equal to match. The
+difference to contains is that contains searches for the value anywhere
+inside the property value, whereas all characters must be identical for
+isequal. As such, isequal is most useful for fields like syslogtag or
+FROMHOST, where you probably know the exact contents.</td>
+</tr>
+<tr>
+<td>startswith</td>
+<td>Checks if the value is found exactly at the beginning
+of the property value. For example, if you search for "val" with
+<p><code><b>:msg, startswith, "val"</b></code></p>
+<p>it will be a match if msg contains "values are in this
+message" but it won't match if the msg contains "There are values in
+this message" (in the later case, contains would match). Please note
+that "startswith" is by far faster than regular expressions. So even
+once they are implemented, it can make very much sense
+(performance-wise) to use "startswith".</p>
+</td>
+</tr>
+<tr>
+<td>regex</td>
+<td>Compares the property against the provided POSIX
+regular
+expression.</td>
+</tr>
+</tbody>
+</table>
+<p>You can use the bang-character (!) immediately in front of a
+compare-operation, the outcome of this operation is negated. For
+example, if msg contains "This is an informative message", the
+following sample would not match:</p>
+<p><code><b>:msg, contains, "error"</b></code></p>
+<p>but this one matches:</p>
+<p><code><b>:msg, !contains, "error"</b></code></p>
+<p>Using negation can be useful if you would like to do some
+generic processing but exclude some specific events. You can use the
+discard action in conjunction with that. A sample would be:</p>
+<p><code><b>*.*
+/var/log/allmsgs-including-informational.log<br>
+:msg, contains, "informational"&nbsp; <font color="#ff0000" size="4">~</font>
+<br>
+*.* /var/log/allmsgs-but-informational.log</b></code></p>
+<p>Do not overlook the red tilde in line 2! In this sample, all
+messages are written to the file allmsgs-including-informational.log.
+Then, all messages containing the string "informational" are discarded.
+That means the config file lines below the "discard line" (number 2 in
+our sample) will not be applied to this message. Then, all remaining
+lines will also be written to the file allmsgs-but-informational.log.</p>
+<p><b>Value</b> is a quoted string. It supports some
+escape sequences:</p>
+<p>\" - the quote character (e.g. "String with \"Quotes\"")<br>
+\\ - the backslash character (e.g. "C:\\tmp")</p>
+<p>Escape sequences always start with a backslash. Additional
+escape sequences might be added in the future. Backslash characters <b>must</b>
+be escaped. Any other sequence then those outlined above is invalid and
+may lead to unpredictable results.</p>
+<p>Probably, "msg" is the most prominent use case of property
+based filters. It is the actual message text. If you would like to
+filter based on some message content (e.g. the presence of a specific
+code), this can be done easily by:</p>
+<p><code><b>:msg, contains, "ID-4711"</b></code></p>
+<p>This filter will match when the message contains the string
+"ID-4711". Please note that the comparison is case-sensitive, so it
+would not match if "id-4711" would be contained in the message.</p>
+<p><code><b>:msg, regex, "fatal .* error"</b></code></p>
+<p>This filter uses a POSIX regular expression. It matches when
+the
+string contains the words "fatal" and "error" with anything in between
+(e.g. "fatal net error" and "fatal lib error" but not "fatal error" as
+two spaces are required by the regular expression!).</p>
+<p>Getting property-based filters right can sometimes be
+challenging. In order to help you do it with as minimal effort as
+possible, rsyslogd spits out debug information for all property-based
+filters during their evaluation. To enable this, run rsyslogd in
+foreground and specify the "-d" option.</p>
+<p>Boolean operations inside property based filters (like
+'message contains "ID17" or message contains "ID18"') are currently not
+supported (except for "not" as outlined above). Please note that while
+it is possible to query facility and severity via property-based
+filters, it is far more advisable to use classic selectors (see above)
+for those cases.</p>
+<h3>Expression-Based Filters</h3>
+Expression based filters allow
+filtering on arbitrary complex expressions, which can include boolean,
+arithmetic and string operations. Expression filters will evolve into a
+full configuration scripting language. Unfortunately, their syntax will
+slightly change during that process. So if you use them now, you need
+to be prepared to change your configuration files some time later.
+However, we try to implement the scripting facility as soon as possible
+(also in respect to stage work needed). So the window of exposure is
+probably not too long.<br>
+<br>
+Expression based filters are indicated by the keyword "if" in column 1
+of a new line. They have this format:<br>
+<br>
+if expr then action-part-of-selector-line<br>
+<br>
+"If" and "then" are fixed keywords that mus be present. "expr" is a
+(potentially quite complex) expression. So the <a href="expression.html">expression documentation</a> for
+details. "action-part-of-selector-line" is an action, just as you know
+it (e.g. "/var/log/logfile" to write to that file).<br>
+<br>
+A few quick samples:<br>
+<br>
+<code>
+*.* /var/log/file1 # the traditional way<br>
+if $msg contains 'error' /var/log/errlog # the expression-based way<br>
+</code>
+<br>
+Right now, you need to specify numerical values if you would like to
+check for facilities and severity. These can be found in <a href="http://www.ietf.org/rfc/rfc3164.txt">RFC 3164</a>.
+If you don't like that, you can of course also use the textual property
+- just be sure to use the right one. As expression support is enhanced,
+this will change. For example, if you would like to filter on message
+that have facility local0, start with "DEVNAME" and have either
+"error1" or "error0" in their message content, you could use the
+following filter:<br>
+<br>
+<code>
+if $syslogfacility-text == 'local0' and $msg
+startswith 'DEVNAME' and ($msg contains 'error1' or $msg contains
+'error0') then /var/log/somelog<br>
+</code>
+<br>
+Please note that the above <span style="font-weight: bold;">must
+all be on one line</span>! And if you would like to store all
+messages except those that contain "error1" or "error0", you just need
+to add a "not":<br>
+<br>
+<code>
+if $syslogfacility-text == 'local0' and $msg
+startswith 'DEVNAME' and <span style="font-weight: bold;">not</span>
+($msg contains 'error1' or $msg contains
+'error0') then /var/log/somelog<br>
+</code>
+<br>
+If you would like to do case-insensitive comparisons, use
+"contains_i" instead of "contains" and "startswith_i" instead of
+"startswith".<br>
+<br>
+Note that regular expressions are currently NOT
+supported in expression-based filters. These will be added later when
+function support is added to the expression engine (the reason is that
+regular expressions will be a separate loadable module, which requires
+some more prequisites before it can be implemented).<br>
+
+<p>[<a href="manual.html">manual index</a>]
+[<a href="rsyslog_conf.html">rsyslog.conf</a>]
+[<a href="http://www.rsyslog.com/">rsyslog site</a>]</p>
+<p><font size="2">This documentation is part of the
+<a href="http://www.rsyslog.com/">rsyslog</a> project.<br>
+Copyright &copy; 2008 by <a href="http://www.gerhards.net/rainer">Rainer Gerhards</a> and
+<a href="http://www.adiscon.com/">Adiscon</a>. Released under the GNU GPL
+version 2 or higher.</font></p>
+</body>
+</html>
+
diff --git a/doc/rsyslog_conf_global.html b/doc/rsyslog_conf_global.html
new file mode 100644
index 00000000..bc618dd0
--- /dev/null
+++ b/doc/rsyslog_conf_global.html
@@ -0,0 +1,227 @@
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
+<html><head><title>Global Directives - rsyslog.conf</title></head>
+<body>
+<p>This is a part of the rsyslog.conf documentation.</p>
+<a href="rsyslog_conf.html">back</a>
+<h2>Global Directives</h2>
+<p>All global directives need to be specified on a line by their
+own and must start with a dollar-sign. Here is a list in alphabetical
+order. Follow links for a description.</p>
+<p>Please note that not all directives here are actually global. Some affect
+only the next action. This documentation will be changed soon.
+<p>Not all directives have an in-depth description right now.
+Default values for them are in bold. A more in-depth description will
+appear as implementation progresses.
+</p>
+<p><b>Be sure to read information about <a href="queues.html">queues in rsyslog</a></b> -
+many parameter settings modify queue parameters. If in doubt, use the
+default, it is usually well-chosen and applicable in most cases.</p>
+<ul>
+<li><a href="rsconf1_actionexeconlywhenpreviousissuspended.html">$ActionExecOnlyWhenPreviousIsSuspended</a></li>
+<li>$ActionExecOnlyOnceEveryInterval &lt;seconds&gt; -
+execute action only if the last execute is at last
+&lt;seconds&gt; seconds in the past (more info in <a href="ommail.html">ommail</a>,
+but may be used with any action)</li>
+<li><i><b>$ActionExecOnlyEveryNthTime</b> &lt;number&gt;</i> - If configured, the next action will
+only be executed every n-th time. For example, if configured to 3, the first two messages
+that go into the action will be dropped, the 3rd will actually cause the action to execute,
+the 4th and 5th will be dropped, the 6th executed under the action, ... and so on. Note:
+this setting is automatically re-set when the actual action is defined.</li>
+<li><i><b>$ActionExecOnlyEveryNthTimeTimeout</b> &lt;number-of-seconds&gt;</i> - has a meaning only if
+$ActionExecOnlyEveryNthTime is also configured for the same action. If so, the timeout
+setting specifies after which period the counting of "previous actions" expires and
+a new action count is begun. Specify 0 (the default) to disable timeouts.
+<br>
+<i>Why is this option needed?</i> Consider this case: a message comes in at, eg., 10am. That's
+count 1. Then, nothing happens for the next 10 hours. At 8pm, the next
+one occurs. That's count 2. Another 5 hours later, the next message
+occurs, bringing the total count to 3. Thus, this message now triggers
+the rule.
+<br>
+The question is if this is desired behavior? Or should the rule only be
+triggered if the messages occur within an e.g. 20 minute window? If the
+later is the case, you need a
+<br>
+$ActionExecOnlyEveryNthTimeTimeout 1200
+<br>
+This directive will timeout previous messages seen if they are older
+than 20 minutes. In the example above, the count would now be always 1
+and consequently no rule would ever be triggered.
+
+<li>$ActionFileDefaultTemplate [templateName] - sets a new default template for file actions</li>
+<li>$ActionFileEnableSync [on/<span style="font-weight: bold;">off</span>] - enables file
+syncing capability of omfile</li>
+<li>$ActionForwardDefaultTemplate [templateName] - sets a new
+default template for UDP and plain TCP forwarding action</li>
+<li>$ActionGSSForwardDefaultTemplate [templateName] - sets a
+new default template for GSS-API forwarding action</li>
+<li>$ActionQueueCheckpointInterval &lt;number&gt;</li>
+<li>$ActionQueueDequeueSlowdown &lt;number&gt; [number
+is timeout in <i> micro</i>seconds (1000000us is 1sec!),
+default 0 (no delay). Simple rate-limiting!]</li>
+<li>$ActionQueueDiscardMark &lt;number&gt; [default
+9750]</li>
+<li>$ActionQueueDiscardSeverity &lt;number&gt;
+[*numerical* severity! default 4 (warning)]</li>
+<li>$ActionQueueFileName &lt;name&gt;</li>
+<li>$ActionQueueHighWaterMark &lt;number&gt; [default
+8000]</li>
+<li>$ActionQueueImmediateShutdown [on/<b>off</b>]</li>
+<li>$ActionQueueSize &lt;number&gt;</li>
+<li>$ActionQueueLowWaterMark &lt;number&gt; [default
+2000]</li>
+<li>$ActionQueueMaxFileSize &lt;size_nbr&gt;, default 1m</li>
+<li>$ActionQueueTimeoutActionCompletion &lt;number&gt;
+[number is timeout in ms (1000ms is 1sec!), default 1000, 0 means
+immediate!]</li>
+<li>$ActionQueueTimeoutEnqueue &lt;number&gt; [number
+is timeout in ms (1000ms is 1sec!), default 2000, 0 means indefinite]</li>
+<li>$ActionQueueTimeoutShutdown &lt;number&gt; [number
+is timeout in ms (1000ms is 1sec!), default 0 (indefinite)]</li>
+<li>$ActionQueueWorkerTimeoutThreadShutdown
+&lt;number&gt; [number is timeout in ms (1000ms is 1sec!),
+default 60000 (1 minute)]</li>
+<li>$ActionQueueType [FixedArray/LinkedList/<b>Direct</b>/Disk]</li>
+<li>$ActionQueueSaveOnShutdown&nbsp; [on/<b>off</b>]
+</li>
+<li>$ActionQueueWorkerThreads &lt;number&gt;, num worker threads, default 1, recommended 1</li>
+<li>$ActionQueueWorkerThreadMinumumMessages &lt;number&gt;, default 100</li>
+<li><a href="rsconf1_actionresumeinterval.html">$ActionResumeInterval</a></li>
+<li>$ActionResumeRetryCount &lt;number&gt; [default 0, -1 means eternal]</li>
+<li>$ActionSendResendLastMsgOnReconn &lt;[on/<b>off</b>]&gt; specifies if the last message is to be resend when a connecition broken and has been reconnedcted. May increase reliability, but comes at the risk of message duplication.
+<li>$ActionSendStreamDriver &lt;driver basename&gt; just like $DefaultNetstreamDriver, but for the specific action
+</li><li>$ActionSendStreamDriverMode &lt;mode&gt;, default 0, mode to use with the stream driver
+(driver-specific)</li><li>$ActionSendStreamDriverAuthMode &lt;mode&gt;,&nbsp; authentication mode to use with the stream driver
+(driver-specific)</li><li>$ActionSendStreamDriverPermittedPeer &lt;ID&gt;,&nbsp; accepted fingerprint (SHA1) or name of remote peer
+(driver-specific) -<span style="font-weight: bold;"> directive may go away</span>!</li>
+<li><a href="rsconf1_allowedsender.html">$AllowedSender</a></li>
+<li><a href="rsconf1_controlcharacterescapeprefix.html">$ControlCharacterEscapePrefix</a></li>
+<li><a href="rsconf1_debugprintcfsyslinehandlerlist.html">$DebugPrintCFSyslineHandlerList</a></li>
+
+<li><a href="rsconf1_debugprintmodulelist.html">$DebugPrintModuleList</a></li>
+<li><a href="rsconf1_debugprinttemplatelist.html">$DebugPrintTemplateList</a></li>
+<li>$DefaultNetstreamDriver &lt;drivername&gt;, the default <a href="netstream.html">network stream driver</a> to use. Defaults to&nbsp;ptcp.$DefaultNetstreamDriverCAFile &lt;/path/to/cafile.pem&gt;</li>
+<li>$DefaultNetstreamDriverCertFile &lt;/path/to/certfile.pem&gt;</li>
+<li>$DefaultNetstreamDriverKeyFile &lt;/path/to/keyfile.pem&gt;</li>
+<li><a href="rsconf1_dircreatemode.html">$DirCreateMode</a></li>
+<li><a href="rsconf1_dirgroup.html">$DirGroup</a></li>
+<li><a href="rsconf1_dirowner.html">$DirOwner</a></li>
+<li><a href="rsconf1_dropmsgswithmaliciousdnsptrrecords.html">$DropMsgsWithMaliciousDnsPTRRecords</a></li>
+<li><a href="rsconf1_droptrailinglfonreception.html">$DropTrailingLFOnReception</a></li>
+<li><a href="rsconf1_dynafilecachesize.html">$DynaFileCacheSize</a></li>
+<li><a href="rsconf1_escapecontrolcharactersonreceive.html">$EscapeControlCharactersOnReceive</a></li>
+<li>$ErrorMessagesToStderr [<b>on</b>|off] - direct rsyslogd error message to stderr (in addition to other targets)</li>
+<li><a href="rsconf1_failonchownfailure.html">$FailOnChownFailure</a></li>
+<li><a href="rsconf1_filecreatemode.html">$FileCreateMode</a></li>
+<li><a href="rsconf1_filegroup.html">$FileGroup</a></li>
+<li><a href="rsconf1_fileowner.html">$FileOwner</a></li>
+<li><a href="rsconf1_gssforwardservicename.html">$GssForwardServiceName</a></li>
+<li><a href="rsconf1_gsslistenservicename.html">$GssListenServiceName</a></li>
+<li><a href="rsconf1_gssmode.html">$GssMode</a></li>
+<li>$HUPisRestart [<b>on</b>/off] - if set to on, a HUP is a full daemon restart. This means any queued messages are discarded (depending
+on queue configuration, of course) all modules are unloaded and reloaded. This mode keeps compatible with sysklogd, but is
+not recommended for use with rsyslog. To do a full restart, simply stop and start the daemon. The default is "on" for
+compatibility reasons. If it is set to "off", a HUP will only close open files. This is a much quicker action and usually
+the only one that is needed e.g. for log rotation. <b>It is recommended to set the setting to "off".</b></li>
+<li><a href="rsconf1_includeconfig.html">$IncludeConfig</a></li><li>MainMsgQueueCheckpointInterval &lt;number&gt;</li>
+<li>$MainMsgQueueDequeueSlowdown &lt;number&gt; [number
+is timeout in <i> micro</i>seconds (1000000us is 1sec!),
+default 0 (no delay). Simple rate-limiting!]</li>
+<li>$MainMsgQueueDiscardMark &lt;number&gt; [default 9750]</li>
+<li>$MainMsgQueueDiscardSeverity &lt;severity&gt;
+[either a textual or numerical severity! default 4 (warning)]</li>
+<li>$MainMsgQueueFileName &lt;name&gt;</li>
+<li>$MainMsgQueueHighWaterMark &lt;number&gt; [default
+8000]</li>
+<li>$MainMsgQueueImmediateShutdown [on/<b>off</b>]</li>
+<li><a href="rsconf1_mainmsgqueuesize.html">$MainMsgQueueSize</a></li>
+<li>$MainMsgQueueLowWaterMark &lt;number&gt; [default
+2000]</li>
+<li>$MainMsgQueueMaxFileSize &lt;size_nbr&gt;, default
+1m</li>
+<li>$MainMsgQueueTimeoutActionCompletion
+&lt;number&gt; [number is timeout in ms (1000ms is 1sec!),
+default
+1000, 0 means immediate!]</li>
+<li>$MainMsgQueueTimeoutEnqueue &lt;number&gt; [number
+is timeout in ms (1000ms is 1sec!), default 2000, 0 means indefinite]</li>
+<li>$MainMsgQueueTimeoutShutdown &lt;number&gt; [number
+is timeout in ms (1000ms is 1sec!), default 0 (indefinite)]</li>
+<li>$MainMsgQueueWorkerTimeoutThreadShutdown
+&lt;number&gt; [number is timeout in ms (1000ms is 1sec!),
+default 60000 (1 minute)]</li>
+<li>$MainMsgQueueType [<b>FixedArray</b>/LinkedList/Direct/Disk]</li>
+<li>$MainMsgQueueSaveOnShutdown&nbsp; [on/<b>off</b>]
+</li>
+<li>$MainMsgQueueWorkerThreads &lt;number&gt;, num
+worker threads, default 1, recommended 1</li>
+<li>$MainMsgQueueWorkerThreadMinumumMessages &lt;number&gt;, default 100</li>
+<li><a href="rsconf1_markmessageperiod.html">$MarkMessagePeriod</a> (immark)</li>
+<li><b><i>$MaxMessageSize</i></b> &lt;size_nbr&gt;, default 2k - allows to specify maximum supported message size
+(both for sending and receiving). The default
+should be sufficient for almost all cases. Do not set this below 1k, as it would cause
+interoperability problems with other syslog implementations.<br>
+Change the setting to e.g. 32768 if you would like to
+support large message sizes for IHE (32k is the current maximum
+needed for IHE). I was initially tempted to set the default to 32k,
+but there is a some memory footprint with the current
+implementation in rsyslog.
+<br>If you intend to receive Windows Event Log data (e.g. via
+<a href="http://www.eventreporter.com/">EventReporter</a>), you might want to
+increase this number to an even higher value, as event
+log messages can be very lengthy ("$MaxMessageSize 64k" is not a bad idea).
+Note: testing showed that 4k seems to be
+the typical maximum for <b>UDP</b> based syslog. This is an IP stack
+restriction. Not always ... but very often. If you go beyond
+that value, be sure to test that rsyslogd actually does what
+you think it should do ;) It is highly suggested to use a TCP based transport
+instead of UDP (plain TCP syslog, RELP). This resolves the UDP stack size restrictions.
+<br>Note that 2k, the current default, is the smallest size that must be
+supported in order to be compliant to the upcoming new syslog RFC series.
+</li>
+<li><a href="rsconf1_moddir.html">$ModDir</a></li>
+<li><a href="rsconf1_modload.html">$ModLoad</a></li>
+<li><a href="rsconf1_repeatedmsgreduction.html">$RepeatedMsgReduction</a></li>
+<li><a href="rsconf1_resetconfigvariables.html">$ResetConfigVariables</a></li>
+<li><b>$OptimizeForUniprocessor</b> [on/<b>off</b>] - turns on optimizatons which lead to better
+performance on uniprocessors. If you run on multicore-machiens, turning this off lessens CPU load. The
+default may change as uniprocessor systems become less common.</li>
+<li>$WorkDirectory &lt;name&gt; (directory for spool and other work files)</li>
+<li>$UDPServerAddress &lt;IP&gt; (imudp) -- local IP
+address (or name) the UDP listens should bind to</li>
+<li>$UDPServerRun &lt;port&gt; (imudp) -- former
+-r&lt;port&gt; option, default 514, start UDP server on this
+port, "*" means all addresses</li>
+<li>$UDPServerTimeRequery &lt;nbr-of-times&gt; (imudp) -- this is a performance
+optimization. Getting the system time is very costly. With this setting, imudp can
+be instructed to obtain the precise time only once every n-times. This logic is
+only activated if messages come in at a very fast rate, so doing less frequent
+time calls should usually be acceptable. The default value is two, because we have
+seen that even without optimization the kernel often returns twice the identical time.
+You can set this value as high as you like, but do so at your own risk. The higher
+the value, the less precise the timestamp.
+<li><a href="rsconf1_umask.html">$UMASK</a></li>
+</ul>
+<p><b>Where &lt;size_nbr&gt; is specified above,</b>
+modifiers can be used after the number part. For example, 1k means
+1024. Supported are k(ilo), m(ega), g(iga), t(era), p(eta) and e(xa).
+Lower case letters refer to the traditional binary defintion (e.g. 1m
+equals 1,048,576) whereas upper case letters refer to their new
+1000-based definition (e.g 1M equals 1,000,000).</p>
+<p>Numbers may include '.' and ',' for readability. So you can
+for example specify either "1000" or "1,000" with the same result.
+Please note that rsyslogd simply ignores the punctuation. Form it's
+point of view, "1,,0.0.,.,0" also has the value 1000. </p>
+
+<p>[<a href="manual.html">manual index</a>]
+[<a href="rsyslog_conf.html">rsyslog.conf</a>]
+[<a href="http://www.rsyslog.com/">rsyslog site</a>]</p>
+<p><font size="2">This documentation is part of the
+<a href="http://www.rsyslog.com/">rsyslog</a> project.<br>
+Copyright &copy; 2008 by <a href="http://www.gerhards.net/rainer">Rainer Gerhards</a> and
+<a href="http://www.adiscon.com/">Adiscon</a>. Released under the GNU GPL
+version 2 or higher.</font></p>
+</body>
+</html>
+
+
diff --git a/doc/rsyslog_conf_modules.html b/doc/rsyslog_conf_modules.html
new file mode 100644
index 00000000..890a55c8
--- /dev/null
+++ b/doc/rsyslog_conf_modules.html
@@ -0,0 +1,53 @@
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
+<html><head><title>Modules - rsyslog.conf</title></head>
+<body>
+<p>This is a part of the rsyslog.conf documentation.</p>
+<a href="rsyslog_conf.html">back</a>
+<h2>Modules</h2>
+<p>Rsyslog has a modular design. Consequently, there is a growing
+number of modules. Here is the entry point to their documentation and
+what they do (list is currently not complete)</p>
+<ul>
+<li><a href="omsnmp.html">omsnmp</a> - SNMP
+trap output module</li>
+<li><a href="omrelp.html">omrelp</a> - RELP
+output module</li>
+<li>omgssapi - output module for GSS-enabled syslog</li>
+<li><a href="ommysql.html">ommysql</a> - output module for MySQL</li>
+<li>ompgsql - output module for PostgreSQL</li>
+<li><a href="omlibdbi.html">omlibdbi</a> -
+generic database output module (Firebird/Interbase, MS SQL, Sybase,
+SQLLite, Ingres, Oracle, mSQL)</li>
+<li><a href="ommail.html">ommail</a> -
+permits rsyslog to alert folks by mail if something important happens</li>
+<li><a href="imfile.html">imfile</a>
+-&nbsp; input module for text files</li>
+<li><a href="imrelp.html">imrelp</a> - RELP
+input module</li>
+<li>imudp - udp syslog message input</li>
+<li><a href="imtcp.html">imtcp</a> - input
+plugin for plain tcp syslog</li>
+<li><a href="imgssapi.html">imgssapi</a> -
+input plugin for plain tcp and GSS-enabled syslog</li>
+<li>immark - support for mark messages</li>
+<li><a href="imklog.html">imklog</a> - kernel logging</li>
+<li><a href="imuxsock.html">imuxsock</a> -
+unix sockets, including the system log socket</li>
+<li><a href="im3195.html">im3195</a> -
+accepts syslog messages via RFC 3195</li>
+</ul>
+<p>Please note that each module provides configuration
+directives, which are NOT necessarily being listed below. Also
+remember, that a modules configuration directive (and functionality) is
+only available if it has been loaded (using $ModLoad).</p>
+<p>[<a href="manual.html">manual index</a>]
+[<a href="rsyslog_conf.html">rsyslog.conf</a>]
+[<a href="http://www.rsyslog.com/">rsyslog site</a>]</p>
+<p><font size="2">This documentation is part of the
+<a href="http://www.rsyslog.com/">rsyslog</a> project.<br>
+Copyright &copy; 2008 by <a href="http://www.gerhards.net/rainer">Rainer Gerhards</a> and
+<a href="http://www.adiscon.com/">Adiscon</a>. Released under the GNU GPL
+version 2 or higher.</font></p>
+</body>
+</html>
+
diff --git a/doc/rsyslog_conf_nomatch.html b/doc/rsyslog_conf_nomatch.html
new file mode 100644
index 00000000..5f25f3e4
--- /dev/null
+++ b/doc/rsyslog_conf_nomatch.html
@@ -0,0 +1,48 @@
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
+<html><head><title>nomatch mode - property replacer - rsyslog.conf</title></head>
+<body>
+<h1>nomatch mode - property replacer - rsyslog.con</h1>
+<p>This is a part of the <a href="rsyslog_conf.html">rsyslog.conf documentation</a>
+of the <a href="property_replacer.html">property replacer</a>.</p>
+<p><b>The "nomatch-Mode" specifies which string the property replacer
+shall return if a regular expression did not find the search string.</b>. Traditionally,
+the string "**NO MATCH**" was returned, but many people complained this was almost never useful.
+Still, this mode is support as "<b>DFLT</b>" for legacy configurations.
+<p>Three additional and potentially useful modes exist: in one (<b>BLANK</b>) a blank string
+is returned. This is probably useful for inserting values into databases where no
+value shall be inserted if the expression could not be found.
+<p>A similar mode is "<b>ZERO</b>" where the string "0" is returned. This is suitable
+for numerical values. A use case may be
+that you record a traffic log based on firewall rules and the "bytes transmitted" counter
+is extracted via a regular expression. If no "bytes transmitted" counter is available
+in the current message, it is probably a good idea to return an empty string, which the
+database layer can turn into a zero.
+<p>The other mode is "<b>FIELD</b>", in which the complete field is returned. This may be useful
+in cases where absense of a match is considered a failure and the message that triggered
+it shall be logged.
+<p>If in doubt, <b>it is highly suggested to use the
+<a href="http://www.rsyslog.com/tool-regex">rsyslog online regular expression
+checker and generator</a> to see these options in action</b>. With that online tool,
+you can craft regular expressions based on samples and try out the different modes.
+
+<h2>Summary of nomatch Modes</h2>
+<table border="1" cellspacing="0">
+<tr><td><b>Mode</b></td><td><b>Returned</b></td></tr>
+<tr><td>DFLT</td><td>"**NO MATCH**"</td></tr>
+<tr><td>BLANK</td><td>"" (empty string)</td></tr>
+<tr><td>ZERO</td><td>"0"</td></tr>
+<tr><td>FIELD</td><td>full content of original field</td></tr>
+<tr><td>&nbsp;</td><td><a href="http://www.rsyslog.com/tool-regex">Interactive Tool</a></td></tr>
+</table>
+<p>[<a href="manual.html">manual index</a>]
+[<a href="rsyslog_conf.html">rsyslog.conf</a>]
+[<a href="http://www.rsyslog.com/">rsyslog site</a>]</p>
+<p><font size="2">This documentation is part of the
+<a href="http://www.rsyslog.com/">rsyslog</a> project.<br>
+Copyright &copy; 2008 by <a href="http://www.gerhards.net/rainer">Rainer Gerhards</a> and
+<a href="http://www.adiscon.com/">Adiscon</a>. Released under the GNU GPL
+version 2 or higher.</font></p>
+</body>
+</html>
+
+
diff --git a/doc/rsyslog_conf_output.html b/doc/rsyslog_conf_output.html
new file mode 100644
index 00000000..c52aaa5e
--- /dev/null
+++ b/doc/rsyslog_conf_output.html
@@ -0,0 +1,81 @@
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
+<html><head><title>Output Channels - rsyslog.conf</title></head>
+<body>
+<p>This is a part of the rsyslog.conf documentation.</p>
+<a href="rsyslog_conf.html">back</a>
+<h2>Output Channels</h2>
+<p>Output Channels are a new concept first introduced in rsyslog
+0.9.0. <b>As of this writing, it is most likely that they will
+be replaced by something different in the future.</b> So if you
+use them, be prepared to change you configuration file syntax when you
+upgrade to a later release.<br>
+<br>
+The idea behind output channel definitions is that it shall provide an
+umbrella for any type of output that the user might want. In essence,<br>
+this is the "file" part of selector lines (and this is why we are not
+sure output channel syntax will stay after the next review). There is a<br>
+difference, though: selector channels both have filter conditions
+(currently facility and severity) as well as the output destination.
+they can only be used to write to files - not pipes, ttys or whatever
+Output channels define the output definition, only. As of this build,
+else. If we stick with output channels, this will change over time.</p>
+<p>In concept, an output channel includes everything needed to
+know about an output actions. In practice, the current implementation
+only carries<br>
+a filename, a maximum file size and a command to be issued when this
+file size is reached. More things might be present in future version,
+which might also change the syntax of the directive.</p>
+<p>Output channels are defined via an $outchannel directive. It's
+syntax is as follows:<br>
+<br>
+$outchannel name,file-name,max-size,action-on-max-size<br>
+<br>
+name is the name of the output channel (not the file), file-name is the
+file name to be written to, max-size the maximum allowed size and
+action-on-max-size a command to be issued when the max size is reached.
+This command always has exactly one parameter. The binary is that part
+of action-on-max-size before the first space, its parameter is
+everything behind that space.<br>
+<br>
+Please note that max-size is queried BEFORE writing the log message to
+the file. So be sure to set this limit reasonably low so that any
+message might fit. For the current release, setting it 1k lower than
+you expected is helpful. The max-size must always be specified in bytes
+- there are no special symbols (like 1k, 1m,...) at this point of
+development.<br>
+<br>
+Keep in mind that $outchannel just defines a channel with "name". It
+does not activate it. To do so, you must use a selector line (see
+below). That selector line includes the channel name plus an $ sign in
+front of it. A sample might be:<br>
+<br>
+*.* $mychannel<br>
+<br>
+In its current form, output channels primarily provide the ability to
+size-limit an output file. To do so, specify a maximum size. When this
+size is reached, rsyslogd will execute the action-on-max-size command
+and then reopen the file and retry. The command should be something
+like a <a href="log_rotation_fix_size.html">log rotation
+script</a> or a similar thing.</p>
+<p>If there is no action-on-max-size command or the command did
+not resolve the situation, the file is closed and never reopened by
+rsyslogd (except, of course, by huping it). This logic was integrated
+when we first experienced severe issues with files larger 2gb, which
+could lead to rsyslogd dumping core. In such cases, it is more
+appropriate to stop writing to a single file. Meanwhile, rsyslogd has
+been fixed to support files larger 2gb, but obviously only on file
+systems and operating system versions that do so. So it can still make
+sense to enforce a 2gb file size limit.</p>
+
+<p>[<a href="manual.html">manual index</a>]
+[<a href="rsyslog_conf.html">rsyslog.conf</a>]
+[<a href="http://www.rsyslog.com/">rsyslog site</a>]</p>
+<p><font size="2">This documentation is part of the
+<a href="http://www.rsyslog.com/">rsyslog</a> project.<br>
+Copyright &copy; 2008 by <a href="http://www.gerhards.net/rainer">Rainer Gerhards</a> and
+<a href="http://www.adiscon.com/">Adiscon</a>. Released under the GNU GPL
+version 2 or higher.</font></p>
+</body>
+</html>
+
+
diff --git a/doc/rsyslog_conf_templates.html b/doc/rsyslog_conf_templates.html
new file mode 100644
index 00000000..90b5fafe
--- /dev/null
+++ b/doc/rsyslog_conf_templates.html
@@ -0,0 +1,150 @@
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
+<html><head><title>Templates - rsyslog.conf</title></head>
+<body>
+<p>This is a part of the rsyslog.conf - documentation.</p>
+<a href="rsyslog_conf.html">back</a>
+<h2>Templates</h2>
+<p>Templates are a key feature of rsyslog. They allow to specify
+any
+format a user might want. They are also used for dynamic file name
+generation. Every output in rsyslog uses templates - this holds true
+for files, user messages and so on. The database writer expects its
+template to be a proper SQL statement - so this is highly customizable
+too. You might ask how does all of this work when no templates at all
+are specified. Good question ;) The answer is simple, though. Templates
+compatible with the stock syslogd formats are hardcoded into rsyslogd.
+So if no template is specified, we use one of these hardcoded
+templates. Search for "template_" in syslogd.c and you will find the
+hardcoded ones.</p>
+<p>A template consists of a template directive, a name, the
+actual template text and optional options. A sample is:</p>
+<blockquote><code>$template MyTemplateName,"\7Text
+%property% some more text\n",&lt;options&gt;</code></blockquote>
+<p>The "$template" is the template directive. It tells rsyslog
+that this line contains a template. "MyTemplateName" is the template
+name. All
+other config lines refer to this name. The text within quotes is the
+actual template text. The backslash is an escape character, much as it
+is in C. It does all these "cool" things. For example, \7 rings the
+bell (this is an ASCII value), \n is a new line. C programmers and perl
+coders have the advantage of knowing this, but the set in rsyslog is a
+bit restricted currently.
+</p>
+<p>All text in the template is used literally, except for things
+within percent signs. These are properties and allow you access to the
+contents of the syslog message. Properties are accessed via the
+property replacer (nice name, huh) and it can do cool things, too. For
+example, it can pick a substring or do date-specific formatting. More
+on this is below, on some lines of the property replacer.<br>
+<br>
+The &lt;options&gt; part is optional. It carries options
+influencing the template as whole. See details below. Be sure NOT to
+mistake template options with property options - the later ones are
+processed by the property replacer and apply to a SINGLE property, only
+(and not the whole template).<br>
+<br>
+Template options are case-insensitive. Currently defined are: </p>
+<p><b>sql</b> - format the string suitable for a SQL
+statement in MySQL format. This will replace single quotes ("'") and
+the backslash character by their backslash-escaped counterpart ("\'"
+and "\\") inside each field. Please note that in MySQL configuration,
+the <code class="literal">NO_BACKSLASH_ESCAPES</code>
+mode must be turned off for this format to work (this is the default).</p>
+<p><b>stdsql</b> - format the string suitable for a
+SQL statement that is to be sent to a standards-compliant sql server.
+This will replace single quotes ("'") by two single quotes ("''")
+inside each field. You must use stdsql together with MySQL if in MySQL
+configuration the
+<code class="literal">NO_BACKSLASH_ESCAPES</code> is
+turned on.</p>
+<p>Either the <b>sql</b> or <b>stdsql</b>&nbsp;
+option <b>must</b> be specified when a template is used
+for writing to a database, otherwise injection might occur. Please note
+that due to the unfortunate fact that several vendors have violated the
+sql standard and introduced their own escape methods, it is impossible
+to have a single option doing all the work.&nbsp; So you yourself
+must make sure you are using the right format. <b>If you choose
+the wrong one, you are still vulnerable to sql injection.</b><br>
+<br>
+Please note that the database writer *checks* that the sql option is
+present in the template. If it is not present, the write database
+action is disabled. This is to guard you against accidental forgetting
+it and then becoming vulnerable to SQL injection. The sql option can
+also be useful with files - especially if you want to import them into
+a database on another machine for performance reasons. However, do NOT
+use it if you do not have a real need for it - among others, it takes
+some toll on the processing time. Not much, but on a really busy system
+you might notice it ;)</p>
+<p>The default template for the write to database action has the
+sql option set. As we currently support only MySQL and the sql option
+matches the default MySQL configuration, this is a good choice.
+However, if you have turned on
+<code class="literal">NO_BACKSLASH_ESCAPES</code> in
+your MySQL config, you need to supply a template with the stdsql
+option. Otherwise you will become vulnerable to SQL injection. <br>
+<br>
+To escape:<br>
+% = \%<br>
+\ = \\ --&gt; '\' is used to escape (as in C)<br>
+$template TraditionalFormat,%timegenerated% %HOSTNAME%
+%syslogtag%%msg%\n"<br>
+<br>
+Properties can be accessed by the <a href="property_replacer.html">property
+replacer</a> (see there for details).</p>
+<p><b>Please note that templates can also by
+used to generate selector lines with dynamic file names.</b> For
+example, if you would like to split syslog messages from different
+hosts to different files (one per host), you can define the following
+template:</p>
+<blockquote><code>$template
+DynFile,"/var/log/system-%HOSTNAME%.log"</code></blockquote>
+<p>This template can then be used when defining an output
+selector line. It will result in something like
+"/var/log/system-localhost.log"</p>
+<p>Template
+names beginning with "RSYSLOG_" are reserved for rsyslog use. Do NOT
+use them if, otherwise you may receive a conflict in the future (and
+quite unpredictable behaviour). There is a small set of pre-defined
+templates that you can use without the need to define it:</p>
+<ul>
+<li><span style="font-weight: bold;">RSYSLOG_TraditionalFileFormat</span>
+- the "old style" default log file format with low-precision timestamps</li>
+<li><span style="font-weight: bold;">RSYSLOG_FileFormat</span>
+- a modern-style logfile format similar to TraditionalFileFormat, buth
+with high-precision timestamps and timezone information</li>
+<li><span style="font-weight: bold;">RSYSLOG_TraditionalForwardFormat</span>
+- the traditional forwarding format with low-precision timestamps. Most
+useful if you send&nbsp;messages to other syslogd's or rsyslogd
+below
+version 3.12.5.</li>
+<li><span style="font-weight: bold;">RSYSLOG_ForwardFormat</span>
+- a new high-precision forwarding format very similar to the
+traditional one, but with high-precision timestamps and timezone
+information. Recommended to be used when sending messages to rsyslog
+3.12.5 or above.</li>
+<li><span style="font-weight: bold;">RSYSLOG_SyslogProtocol23Format</span>
+- the format specified in IETF's internet-draft
+ietf-syslog-protocol-23, which is assumed to be come the new syslog
+standard RFC. This format includes several improvements. The rsyslog
+message parser understands this format, so you can use it together with
+all relatively recent versions of rsyslog. Other syslogd's may get
+hopelessly confused if receiving that format, so check before you use
+it. Note that the format is unlikely to change when the final RFC comes
+out, but this may happen.</li>
+<li><span style="font-weight: bold;">RSYSLOG_DebugFormat</span>
+- a special format used for troubleshooting property problems. This format
+is meant to be written to a log file. Do <b>not</b> use for production or remote
+forwarding.</li>
+</ul>
+
+<p>[<a href="manual.html">manual index</a>]
+[<a href="rsyslog_conf.html">rsyslog.conf</a>]
+[<a href="http://www.rsyslog.com/">rsyslog site</a>]</p>
+<p><font size="2">This documentation is part of the
+<a href="http://www.rsyslog.com/">rsyslog</a> project.<br>
+Copyright &copy; 2008 by <a href="http://www.gerhards.net/rainer">Rainer Gerhards</a> and
+<a href="http://www.adiscon.com/">Adiscon</a>. Released under the GNU GPL
+version 2 or higher.</font></p>
+</body>
+</html>
+
diff --git a/doc/rsyslog_high_database_rate.html b/doc/rsyslog_high_database_rate.html
index 158a4df6..2bae58c6 100644
--- a/doc/rsyslog_high_database_rate.html
+++ b/doc/rsyslog_high_database_rate.html
@@ -7,6 +7,7 @@
</head>
<body>
+<a href="features.html">back</a>
<h1>Handling a massive syslog database insert rate with Rsyslog</h1>
@@ -171,6 +172,14 @@ comments or find bugs (I *do* bugs - no way... ;)), please
http://www.gnu.org/copyleft/fdl.html</a>.</p>
+<p>[<a href="manual.html">manual index</a>]
+[<a href="rsyslog_conf.html">rsyslog.conf</a>]
+[<a href="http://www.rsyslog.com/">rsyslog site</a>]</p>
+<p><font size="2">This documentation is part of the
+<a href="http://www.rsyslog.com/">rsyslog</a> project.<br>
+Copyright &copy; 2008 by <a href="http://www.gerhards.net/rainer">Rainer Gerhards</a> and
+<a href="http://www.adiscon.com/">Adiscon</a>. Released under the GNU GPL
+version 2 or higher.</font></p>
</body>
diff --git a/doc/rsyslog_mysql.html b/doc/rsyslog_mysql.html
index 753c86ec..a27bd59e 100644
--- a/doc/rsyslog_mysql.html
+++ b/doc/rsyslog_mysql.html
@@ -1,6 +1,6 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html><head><title>Writing syslog Data to MySQL</title>
-
+<a href="features.html">back</a>
<meta name="KEYWORDS" content="syslog, mysql, syslog to mysql, howto"></head>
<body>
<h1>Writing syslog messages to MySQL</h1>
@@ -259,4 +259,13 @@ document under the terms of the GNU Free Documentation License, Version
with no Invariant Sections, no Front-Cover Texts, and no Back-Cover
Texts. A copy of the license can be viewed at <a href="http://www.gnu.org/copyleft/fdl.html">
http://www.gnu.org/copyleft/fdl.html</a>.</p>
+<p>[<a href="manual.html">manual index</a>]
+[<a href="rsyslog_conf.html">rsyslog.conf</a>]
+[<a href="http://www.rsyslog.com/">rsyslog site</a>]</p>
+<p><font size="2">This documentation is part of the
+<a href="http://www.rsyslog.com/">rsyslog</a> project.<br>
+Copyright &copy; 2008 by <a href="http://www.gerhards.net/rainer">Rainer Gerhards</a> and
+<a href="http://www.adiscon.com/">Adiscon</a>. Released under the GNU GPL
+version 2 or higher.</font></p>
+
</body></html>
diff --git a/doc/rsyslog_ng_comparison.html b/doc/rsyslog_ng_comparison.html
index 2f383f78..8e121a8d 100644
--- a/doc/rsyslog_ng_comparison.html
+++ b/doc/rsyslog_ng_comparison.html
@@ -1,6 +1,7 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html><head><title>rsyslog vs. syslog-ng - a comparison</title></head>
<body>
+<a href="features.html">back</a>
<h1>rsyslog vs. syslog-ng</h1>
<p><small><i>Written by <a href="http://www.gerhards.net/rainer">Rainer Gerhards</a>
(2008-05-06)</i></small></p>
@@ -584,4 +585,13 @@ feature sheet. I have not yet been able to fully work through it. In
the mean time, you may want to read it in parallel. It is available at
<a href="http://www.balabit.com/network-security/syslog-ng/features/detailed/">Balabit's
site</a>.</p>
+<p>[<a href="manual.html">manual index</a>]
+[<a href="rsyslog_conf.html">rsyslog.conf</a>]
+[<a href="http://www.rsyslog.com/">rsyslog site</a>]</p>
+<p><font size="2">This documentation is part of the
+<a href="http://www.rsyslog.com/">rsyslog</a> project.<br>
+Copyright &copy; 2008 by <a href="http://www.gerhards.net/rainer">Rainer Gerhards</a> and
+<a href="http://www.adiscon.com/">Adiscon</a>. Released under the GNU GPL
+version 2 or higher.</font></p>
+
</body></html>
diff --git a/doc/rsyslog_stunnel.html b/doc/rsyslog_stunnel.html
index 104a672e..f4f82cd0 100644
--- a/doc/rsyslog_stunnel.html
+++ b/doc/rsyslog_stunnel.html
@@ -1,5 +1,6 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html><head>
+<a href="features.html">back</a>
<title>SSL Encrypting syslog with stunnel</title><meta name="KEYWORDS" content="syslog encryption, rsyslog, stunnel, secure syslog, tcp, reliable, howto, ssl"></head><body>
<h1>SSL Encrypting Syslog with Stunnel</h1>
@@ -236,5 +237,13 @@ comments or find bugs (I *do* bugs - no way... ;)), please
Texts. A copy of the license can be viewed at
<a href="http://www.gnu.org/copyleft/fdl.html">
http://www.gnu.org/copyleft/fdl.html</a>.</p>
+<p>[<a href="manual.html">manual index</a>]
+[<a href="rsyslog_conf.html">rsyslog.conf</a>]
+[<a href="http://www.rsyslog.com/">rsyslog site</a>]</p>
+<p><font size="2">This documentation is part of the
+<a href="http://www.rsyslog.com/">rsyslog</a> project.<br>
+Copyright &copy; 2008 by <a href="http://www.gerhards.net/rainer">Rainer Gerhards</a> and
+<a href="http://www.adiscon.com/">Adiscon</a>. Released under the GNU GPL
+version 2 or higher.</font></p>
-</body></html> \ No newline at end of file
+</body></html>
diff --git a/doc/rsyslog_tls.html b/doc/rsyslog_tls.html
index 7d156c3a..ebb08ebe 100644
--- a/doc/rsyslog_tls.html
+++ b/doc/rsyslog_tls.html
@@ -1,5 +1,6 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html><head><title>TLS (SSL) Encrypting syslog</title>
+<a href="features.html">back</a>
<meta name="KEYWORDS" content="syslog encryption, rsyslog, secure syslog, tcp, reliable, howto, ssl, tls">
</head>
@@ -304,4 +305,13 @@ document under the terms of the GNU Free Documentation License, Version
with no Invariant Sections, no Front-Cover Texts, and no Back-Cover
Texts. A copy of the license can be viewed at
<a href="http://www.gnu.org/copyleft/fdl.html">http://www.gnu.org/copyleft/fdl.html</a>.</p>
+<p>[<a href="manual.html">manual index</a>]
+[<a href="rsyslog_conf.html">rsyslog.conf</a>]
+[<a href="http://www.rsyslog.com/">rsyslog site</a>]</p>
+<p><font size="2">This documentation is part of the
+<a href="http://www.rsyslog.com/">rsyslog</a> project.<br>
+Copyright &copy; 2008 by <a href="http://www.gerhards.net/rainer">Rainer Gerhards</a> and
+<a href="http://www.adiscon.com/">Adiscon</a>. Released under the GNU GPL
+version 2 or higher.</font></p>
+
</body></html>
diff --git a/doc/syslog_protocol.html b/doc/syslog_protocol.html
index 72de5c27..57eb9ffe 100644
--- a/doc/syslog_protocol.html
+++ b/doc/syslog_protocol.html
@@ -3,6 +3,7 @@
<title>syslog-protocol support in rsyslog</title>
</head>
<body>
+<a href="features.html">back</a>
<h1>syslog-protocol support in rsyslog</h1>
<p><b><a href="http://www.rsyslog.com/">Rsyslog</a>&nbsp; provides a trial
implementation of the proposed
@@ -191,6 +192,14 @@ discussed ;)</p>
syslog-protocol should be further evaluated and be fully understood</li>
</ul>
<p>&nbsp;</p>
+<p>[<a href="manual.html">manual index</a>]
+[<a href="rsyslog_conf.html">rsyslog.conf</a>]
+[<a href="http://www.rsyslog.com/">rsyslog site</a>]</p>
+<p><font size="2">This documentation is part of the
+<a href="http://www.rsyslog.com/">rsyslog</a> project.<br>
+Copyright &copy; 2008 by <a href="http://www.gerhards.net/rainer">Rainer Gerhards</a> and
+<a href="http://www.adiscon.com/">Adiscon</a>. Released under the GNU GPL
+version 2 or higher.</font></p>
</body>
</html>