diff options
Diffstat (limited to 'doc/rsyslog_conf_examples.html')
| -rw-r--r-- | doc/rsyslog_conf_examples.html | 209 |
1 files changed, 209 insertions, 0 deletions
diff --git a/doc/rsyslog_conf_examples.html b/doc/rsyslog_conf_examples.html new file mode 100644 index 00000000..b46460e5 --- /dev/null +++ b/doc/rsyslog_conf_examples.html @@ -0,0 +1,209 @@ +<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> +<html><head><title>Examples - rsyslog.conf</title></head> +<body> +<p>This is a part of the rsyslog.conf documentation.</p> +<a href="rsyslog_conf.html">back</a> +<h2>Examples</h2> +<p>Below are example for templates and selector lines. I hope +they are self-explanatory. If not, please see +www.monitorware.com/rsyslog/ for advise.</p> +<h3>TEMPLATES</h3> +<p>Please note that the samples are split across multiple lines. +A template MUST NOT actually be split across multiple lines.<br> +<br> +A template that resembles traditional syslogd file output:<br> +$template TraditionalFormat,"%timegenerated% %HOSTNAME%<br> +%syslogtag%%msg:::drop-last-lf%\n"<br> +<br> +A template that tells you a little more about the message:<br> +$template +precise,"%syslogpriority%,%syslogfacility%,%timegenerated%,%HOSTNAME%,<br> +%syslogtag%,%msg%\n"<br> +<br> +A template for RFC 3164 format:<br> +$template RFC3164fmt,"<%PRI%>%TIMESTAMP% %HOSTNAME% +%syslogtag%%msg%"<br> +<br> +A template for the format traditonally used for user messages:<br> +$template usermsg," XXXX%syslogtag%%msg%\n\r"<br> +<br> +And a template with the traditonal wall-message format:<br> +$template wallmsg,"\r\n\7Message from syslogd@%HOSTNAME% at +%timegenerated%<br> +<br> +A template that can be used for the database write (please note the SQL<br> +template option)<br> +$template MySQLInsert,"insert iut, message, receivedat values<br> +('%iut%', '%msg:::UPPERCASE%', '%timegenerated:::date-mysql%')<br> +into systemevents\r\n", SQL<br> +<br> +The following template emulates <a href="http://www.winsyslog.com/en/">WinSyslog</a> +format (it's an <a href="http://www.adiscon.com/en/">Adiscon</a> +format, you do not feel bad if you don't know it ;)). It's interesting +to see how it takes different parts out of the date stamps. What +happens is that the date stamp is split into the actual date and time +and the these two are combined with just a comma in between them.<br> +<br> +$template WinSyslogFmt,"%HOSTNAME%,%timegenerated:1:10:date-rfc3339%,<br> +%timegenerated:12:19:date-rfc3339%,%timegenerated:1:10:date-rfc3339%,<br> +%timegenerated:12:19:date-rfc3339%,%syslogfacility%,%syslogpriority%,<br> +%syslogtag%%msg%\n"</p> +<h3>SELECTOR LINES</h3> +<p># Store critical stuff in critical<br> +#<br> +*.=crit;kern.none /var/adm/critical<br> +<br> +This will store all messages with the priority crit in the file +/var/adm/critical, except for any kernel message.<br> +<br> +<br> +# Kernel messages are first, stored in the kernel<br> +# file, critical messages and higher ones also go<br> +# to another host and to the console. Messages to<br> +# the host finlandia are forwarded in RFC 3164<br> +# format (using the template defined above).<br> +#<br> +kern.* /var/adm/kernel<br> +kern.crit @finlandia;RFC3164fmt<br> +kern.crit /dev/console<br> +kern.info;kern.!err /var/adm/kernel-info<br> +<br> +The first rule direct any message that has the kernel facility to the +file /var/adm/kernel.<br> +<br> +The second statement directs all kernel messages of the priority crit +and higher to the remote host finlandia. This is useful, because if the +host crashes and the disks get irreparable errors you might not be able +to read the stored messages. If they're on a remote host, too, you +still can try to find out the reason for the crash.<br> +<br> +The third rule directs these messages to the actual console, so the +person who works on the machine will get them, too.<br> +<br> +The fourth line tells rsyslogd to save all kernel messages that come +with priorities from info up to warning in the file +/var/adm/kernel-info. Everything from err and higher is excluded.<br> +<br> +<br> +# The tcp wrapper loggs with mail.info, we display<br> +# all the connections on tty12<br> +#<br> +mail.=info /dev/tty12<br> +<br> +This directs all messages that uses mail.info (in source LOG_MAIL | +LOG_INFO) to /dev/tty12, the 12th console. For example the tcpwrapper +tcpd(8) uses this as it's default.<br> +<br> +<br> +# Store all mail concerning stuff in a file<br> +#<br> +mail.*;mail.!=info /var/adm/mail<br> +<br> +This pattern matches all messages that come with the mail facility, +except for the info priority. These will be stored in the file +/var/adm/mail.<br> +<br> +<br> +# Log all mail.info and news.info messages to info<br> +#<br> +mail,news.=info /var/adm/info<br> +<br> +This will extract all messages that come either with mail.info or with +news.info and store them in the file /var/adm/info.<br> +<br> +<br> +# Log info and notice messages to messages file<br> +#<br> +*.=info;*.=notice;\<br> +mail.none /var/log/messages<br> +<br> +This lets rsyslogd log all messages that come with either the info or +the notice facility into the file /var/log/messages, except for all<br> +messages that use the mail facility.<br> +<br> +<br> +# Log info messages to messages file<br> +#<br> +*.=info;\<br> +mail,news.none /var/log/messages<br> +<br> +This statement causes rsyslogd to log all messages that come with the +info priority to the file /var/log/messages. But any message coming +either with the mail or the news facility will not be stored.<br> +<br> +<br> +# Emergency messages will be displayed using wall<br> +#<br> +*.=emerg *<br> +<br> +This rule tells rsyslogd to write all emergency messages to all +currently logged in users. This is the wall action.<br> +<br> +<br> +# Messages of the priority alert will be directed<br> +# to the operator<br> +#<br> +*.alert root,rgerhards<br> +<br> +This rule directs all messages with a priority of alert or higher to +the terminals of the operator, i.e. of the users "root'' and +"rgerhards'' if they're logged in.<br> +<br> +<br> +*.* @finlandia<br> +<br> +This rule would redirect all messages to a remote host called +finlandia. This is useful especially in a cluster of machines where all +syslog messages will be stored on only one machine.<br> +<br> +In the format shown above, UDP is used for transmitting the message. +The destination port is set to the default auf 514. Rsyslog is also +capable of using much more secure and reliable TCP sessions for message +forwarding. Also, the destination port can be specified. To select TCP, +simply add one additional @ in front of the host name (that is, @host +is UPD, @@host is TCP). For example:<br> +<br> +<br> +*.* @@finlandia<br> +<br> +To specify the destination port on the remote machine, use a colon +followed by the port number after the machine name. The following +forwards to port 1514 on finlandia:<br> +<br> +<br> +*.* @@finlandia:1514<br> +<br> +This syntax works both with TCP and UDP based syslog. However, you will +probably primarily need it for TCP, as there is no well-accepted port +for this transport (it is non-standard). For UDP, you can usually stick +with the default auf 514, but might want to modify it for security rea-<br> +sons. If you would like to do that, it's quite easy:<br> +<br> +<br> +*.* @finlandia:1514<br> +<br> +<br> +<br> +*.* >dbhost,dbname,dbuser,dbpassword;dbtemplate<br> +<br> +This rule writes all message to the database "dbname" hosted on +"dbhost". The login is done with user "dbuser" and password +"dbpassword". The actual table that is updated is specified within the +template (which contains the insert statement). The template is called +"dbtemplate" in this case.</p> +<p>:msg,contains,"error" @errorServer</p> +<p>This rule forwards all messages that contain the word "error" +in the msg part to the server "errorServer". Forwarding is via UDP. +Please note the colon in fron</p> + +<p>[<a href="manual.html">manual index</a>] +[<a href="rsyslog_conf.html">rsyslog.conf</a>] +[<a href="http://www.rsyslog.com/">rsyslog site</a>]</p> +<p><font size="2">This documentation is part of the +<a href="http://www.rsyslog.com/">rsyslog</a> project.<br> +Copyright © 2008 by <a href="http://www.gerhards.net/rainer">Rainer Gerhards</a> and +<a href="http://www.adiscon.com/">Adiscon</a>. Released under the GNU GPL +version 2 or higher.</font></p> +</body> +</html> + |