diff options
| -rw-r--r-- | rsyslog.conf.5 | 126 | ||||
| -rw-r--r-- | rsyslogd.8 | 125 |
2 files changed, 195 insertions, 56 deletions
diff --git a/rsyslog.conf.5 b/rsyslog.conf.5 index e673e490..e15a4549 100644 --- a/rsyslog.conf.5 +++ b/rsyslog.conf.5 @@ -17,7 +17,7 @@ .\" along with this program; if not, write to the Free Software .\" Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111, USA. .\" -.TH RSYSLOG.CONF 5 "28 March 2008" "Version 3.12.5" "Linux System Administration" +.TH RSYSLOG.CONF 5 "04 April 2008" "Version 3.15.0" "Linux System Administration" .SH NAME rsyslog.conf \- rsyslogd(8) configuration file .SH DESCRIPTION @@ -40,6 +40,94 @@ to look at the html documentation, because the man pages only cover basic aspects of operation. +.SH MODULES + +Rsyslog has a modular design. Consequently, there is a growing number +of modules. See the html documentation for their full description. + +.TP +.I omsnmp +SNMP trap output module +.TP +.I omgssapi +Output module for GSS-enabled syslog +.TP +.I ommysql +Output module for MySQL +.TP +.I omprelp +Output module for the reliable RELP protocol (prevents message loss). +For details, see below at imrelp and the html documentation. +It can be used like this: +.IP +*.* :omrelp:server:port +.IP +*.* :omrelp:192.168.0.1:2514 # actual sample +.TP +.I ompgsql +Output module for PostgreSQL +.TP +.I omlibdbi +Generic database output module (Firebird/Interbase, MS SQL, Sybase, +SQLLite, Ingres, Oracle, mSQL) +.TP +.I imfile +Input module for text files +.TP +.I imudp +Input plugin for UDP syslog. Replaces the deprecated -r option. Can be +used like this: +.IP +$ModLoad imudp +.IP +$InputUDPServerRun 514 +.TP +.I imtcp +Input plugin for plain TCP syslog. Replaces the deprecated -t +option. Can be used like this: +.IP +$ModLoad imtcp +.IP +$InputTCPServerRun 514 +.TP +.TP +.I imtcp +Input plugin for the RELP protocol. RELP can be used instead +of UDP or plain TCP syslog to provide reliable delivery of +syslog messages. Please note that plain TCP syslog does NOT +provide truly reliable delivery, with it messages may be lost +when there is a connection problem or the server shuts down. +RELP prevents message loss in those cases. +It can be used like this: +.IP +$ModLoad imrelp +.IP +$InputRELPServerRun 2514 +.TP +.I imgssapi +Input plugin for plain TCP and GSS-enable syslog +.TP +.I immark +Support for mark messages +.TP +.I imklog +Kernel logging. To include kernel log messages, you need to do +.IP +$ModLoad imklog + +Please note that the klogd daemon is no longer necessary and consequently +no longer provided by the rsyslog package. +.TP +.I imuxsock +Unix sockets, including the system log socket. You need to specify +.IP +$ModLoad imudp + +in order to receive log messages from local system processes. This +config directive should only left out if you know exactly what you +are doing. + + .SH BASIC STRUCTURE Lines starting with a hash mark ('#') and empty lines are ignored. @@ -82,7 +170,16 @@ beginning with a slash ('/'). .B Example: .RS -*.* /var/log/traditionalfile.log;TraditionalFormat # log to a file in the traditional format +*.* /var/log/traditionalfile.log;RSYSLOG_TraditionalFormat # log to a file in the traditional format +.RE + +Note: if you would like to use high-precision timestamps in your log files, +just remove the ";RSYSLOG_TraditionalFormat". That will select the default +template, which, if not changed, uses RFC 3339 timestamps. + +.B Example: +.RS +*.* /var/log/file.log # log to a file with RFC3339 timestamps .RE .SS Named pipes @@ -95,9 +192,14 @@ the mkfifo(1) command before rsyslogd(8) is started. If the file you specified is a tty, special tty-handling is done, same with /dev/console. .SS Remote machine -To forward messages to another host, prepend the hostname with the at sign ("@"). A single at -sign means that messages will be forwarded via UDP protocol (the standard for syslog). If you -prepend two at signs ("@@"), the messages will be transmitted via TCP. +There are three ways to forward message: the traditional UDP transport, which is extremely +lossy but standard, the plain TCP based transport which loses messages only during certain +situations but is widely available and the RELP transport which does not lose messages +but is currently available only as part of rsyslogd 3.15.0 and above. + +To forward messages to another host via UDP, prepend the hostname with the at sign ("@"). +To forward it via plain tcp, prepend two at signs ("@@"). To forward via RELP, prepend the +string ":omrelp:" in front of the hostname. .B Example: .RS @@ -105,7 +207,18 @@ prepend two at signs ("@@"), the messages will be transmitted via TCP. .RE .sp In the example above, messages are forwarded via UDP to the machine 192.168.0.1, the destination -port defaults to 514. +port defaults to 514. Due to the nature of UDP, you will probably lose some messages in transit. +If you expect high traffic volume, you can expect to lose a quite noticable number of messages +(the higher the traffic, the more likely and severe is message loss). + +.B If you would like to prevent message loss, use RELP: +.RS +*.* :omrelp:192.168.0.1:2514 +.RE +.sp +Note that a port number was given as there is no standard port for relp. + +Keep in mind that you need to load the correct input and output plugins (see "Modules" above). Please note that rsyslogd offers a variety of options in regarding to remote forwarding. For full details, please see the html documentation. @@ -610,7 +723,6 @@ the html documentation for all features and details. This is especially vital if up a more-then-extremely-simple system. .SH AUTHORS -The .B rsyslogd is taken from sysklogd sources, which have been heavily modified by Rainer Gerhards (rgerhards@adiscon.com) and others. @@ -1,7 +1,7 @@ .\" Copyright 2004-2008 Rainer Gerhards and Adiscon for the rsyslog modifications .\" May be distributed under the GNU General Public License .\" -.TH RSYSLOGD 8 "28 March 2008" "Version 3.12.5 (devel)" "Linux System Administration" +.TH RSYSLOGD 8 "02 April 2008" "Version 3.14.0" "Linux System Administration" .SH NAME rsyslogd \- reliable and extended syslogd .SH SYNOPSIS @@ -45,6 +45,8 @@ To use rsyslog's advanced features, you .B need to look at the html documentation, because the man pages only cover basic aspects of operation. +.B For details and configuration examples, see the rsyslog.conf (5) +.B man page and the online documentation at http://www.rsyslog.com/doc .BR Rsyslogd (8) is derived from the sysklogd package which in turn is derived from the @@ -83,11 +85,11 @@ option, is read at startup. Any lines that begin with the hash mark (``#'') and empty lines are ignored. If an error occurs during parsing the error element is ignored. It is tried to parse the rest of the line. -For details and configuration examples, see the -.B rsyslog.conf (5) -man page. .LP .SH OPTIONS +.B Note that in version 3 of rsyslog a number of command line options +.B have been deprecated and replaced with config file directives. The +.B -c option controls the backward compatibility mode in use. .TP .BI "\-A" When sending UDP messages, there are potentially multiple pathes to @@ -114,6 +116,28 @@ If neither -4 nor -6 is given, .B rsyslogd listens to all configured addresses of the system. .TP +.BI "\-c " "version" +Selects the desired backward compatibility mode. It must always be the +first option on the command line, as it influences processing of the +other options. To use the rsyslog v3 native interface, specify -c3. To +use compatibility mode , either do not use -c at all or use +-c<version> where +.IR version +is the rsyslog version that it shall be +compatible with. Using -c0 tells rsyslog to be command-line compatible +to sysklogd, which is the default if -c is not given. +.B Please note that rsyslogd issues warning messages if the -c3 +.B command line option is not given. +This is to alert you that your are running in compatibility +mode. Compatibility mode interfers with you rsyslog.conf commands and +may cause some undesired side-effects. It is meant to be used with a +plain old rsyslog.conf - if you use new features, things become +messy. So the best advice is to work through this document, convert +your options and config file and then use rsyslog in native mode. In +order to aid you in this process, rsyslog logs every +compatibility-mode config file directive it has generated. So you can +simply copy them from your logfile and paste them to the config. +.TP .B "\-d" Turns on debug mode. Using this the daemon will not proceed a .BR fork (2) @@ -214,51 +238,6 @@ debug option. .B CHLD Wait for childs if some were born, because of wall'ing messages. .LP -.SH SUPPORT FOR REMOTE LOGGING -.B Rsyslogd -provides network support to the syslogd facility. -Network support means that messages can be forwarded from one node -running rsyslogd to another node running rsyslogd (or a -compatible syslog implementation). -actually logged to a disk file. - -To enable this, proper configuration commands must -be entered in rsyslog.conf. See the rsyslog.conf html -documentation for details. - -The strategy is to have rsyslogd listen on a unix domain socket for -locally generated log messages. This behavior will allow rsyslogd to -inter-operate with the syslog found in the standard C library. At the -same time rsyslogd listens on the standard syslog port for messages -forwarded from other hosts. - -.SH OUTPUT TO DATABASES -.B Rsyslogd -has support for writing data to database tables. The exact specifics -are described in the -.B rsyslog.conf (5) -html documentation. Be sure to read it if you plan to use database logging. - -.SH OUTPUT TO NAMED PIPES (FIFOs) -.B Rsyslogd -has support for logging output to named pipes -(fifos). A fifo or named pipe can be used as a destination for log -messages by prepending a pipy symbol (``|'') to the name of the -file. This is handy for debugging. Note that the fifo must be created -with the mkfifo command before -.B rsyslogd -is started. -.IP -The following configuration file routes debug messages from the -kernel to a fifo: -.IP -.nf - # Sample configuration to route kernel debugging - # messages ONLY to /usr/adm/debug which is a - # named pipe. - kern.=debug |/usr/adm/debug -.fi -.LP .SH SECURITY THREATS There is the potential for the rsyslogd daemon to be used as a conduit for a denial of service attack. @@ -314,6 +293,54 @@ The Unix domain socket to from where local syslog messages are read. .I /var/run/rsyslogd.pid The file containing the process id of .BR rsyslogd . +.TP +.I prefix/lib/rsyslog +Default directory for +.B rsyslogd +modules. The +.I prefix +is specified during compilation (e.g. /usr/local). +.SH ENVIRONMENT +.TP +.B RSYSLOG_DEBUG +Controls runtime debug support.It contains an option string with the +following options possible (all are case insensitive): + +.RS +.IP LogFuncFlow +Print out the logical flow of functions (entering and exiting them) +.IP FileTrace +Ppecifies which files to trace LogFuncFlow. If not set (the +default), a LogFuncFlow trace is provided for all files. Set to +limit it to the files specified.FileTrace may be specified multiple +times, one file each (e.g. export RSYSLOG_DEBUG="LogFuncFlow +FileTrace=vm.c FileTrace=expr.c" +.IP PrintFuncDB +Print the content of the debug function database whenever debug +information is printed (e.g. abort case)! +.IP PrintAllDebugInfoOnExit +Print all debug information immediately before rsyslogd exits +(currently not implemented!) +.IP PrintMutexAction +Print mutex action as it happens. Useful for finding deadlocks and +such. +.IP NoLogTimeStamp +Do not prefix log lines with a timestamp (default is to do that). +.IP NoStdOut +Do not emit debug messages to stdout. If RSYSLOG_DEBUGLOG is not +set, this means no messages will be displayed at all. +.IP Help +Display a very short list of commands - hopefully a life saver if +you can't access the documentation... +.RE + +.TP +.B RSYSLOG_DEBUGLOG +If set, writes (allmost) all debug message to the specified log file +in addition to stdout. +.TP +.B RSYSLOG_MODDIR +Provides the default directory in which loadable modules reside. .PD .SH BUGS Please review the file BUGS for up-to-date information on known |