From dfe12b03eb40535d3393239d9acac155c82ab8f6 Mon Sep 17 00:00:00 2001 From: Rainer Gerhards Date: Mon, 18 Jun 2007 10:04:23 +0000 Subject: added new document on recording syslog priority to log files --- doc/manual.html | 108 ++++++++++++++++----------------- doc/property_replacer.html | 15 ++++- doc/rsyslog_recording_pri.html | 134 +++++++++++++++++++++++++++++++++++++++++ 3 files changed, 201 insertions(+), 56 deletions(-) create mode 100644 doc/rsyslog_recording_pri.html diff --git a/doc/manual.html b/doc/manual.html index 8e15cc91..f3bb40cb 100644 --- a/doc/manual.html +++ b/doc/manual.html @@ -1,54 +1,54 @@ - - -rsyslog documentation - - -

RSyslog - Documentation

-

Rsyslog is an enhanced syslogd -supporting, among others, MySQL, syslog/tcp, -fine grain output format control, and the ability to filter on any message part. -It is quite compatible to stock -sysklogd and can be used as a drop-in replacement. Its -advanced features make it suitable for enterprise-class, -encryption protected syslog -relay chains while at the same time being very easy to setup -for the novice user.

-

Visit the rsyslog status page to obtain current -version information and ports. If you like rsyslog, you might want to lend us -a helping hand. It doesn't require a lot of time - even a single mouse click -helps. Learn how to help the rsyslog project.

-

Follow the links below for the

- -

We have some in-depth papers on

- -

Also, there is an article from Dennis Olvany on -Syslog-to-SQL with rsyslog-0.8.4 on FreeBSD 5.4 -(which unfortunately is a bit outdated now). Thanks to Ozgur Karatas, we also have a turkish install howto (online-only, based on the 1.0.1 release).

-

Our rsyslog history page is for you if you would like to learn a little more -on why there is an rsyslog at all.

-

Documentation is added continously. Please note that the documentation here -matches only the current version of rsyslog. If you use an older version, be sure -to use the doc that came with it.

-

You can also browse the following online ressources:

- -

And don't forget about the rsyslog mailing list. -If you are interested in the "backstage", you may find -Rainer's -syslog blog an interesting read.

- - + + +rsyslog documentation + + +

RSyslog - Documentation

+

Rsyslog is an enhanced syslogd +supporting, among others, MySQL, syslog/tcp, +fine grain output format control, and the ability to filter on any message part. +It is quite compatible to stock +sysklogd and can be used as a drop-in replacement. Its +advanced features make it suitable for enterprise-class, +encryption protected syslog +relay chains while at the same time being very easy to setup +for the novice user.

+

Visit the rsyslog status page to obtain current +version information and ports. If you like rsyslog, you might want to lend us +a helping hand. It doesn't require a lot of time - even a single mouse click +helps. Learn how to help the rsyslog project.

+

Follow the links below for the

+ +

We have some in-depth papers on

+ +

Also, there is an article from Dennis Olvany on +Syslog-to-SQL with rsyslog-0.8.4 on FreeBSD 5.4 +(which unfortunately is a bit outdated now). Thanks to Ozgur Karatas, we also have a turkish install howto (online-only, based on the 1.0.1 release).

+

Our rsyslog history page is for you if you would like to learn a little more +on why there is an rsyslog at all.

+

Documentation is added continously. Please note that the documentation here +matches only the current version of rsyslog. If you use an older version, be sure +to use the doc that came with it.

+

You can also browse the following online ressources:

+ +

And don't forget about the rsyslog mailing list. +If you are interested in the "backstage", you may find +Rainer's +syslog blog an interesting read.

+ + diff --git a/doc/property_replacer.html b/doc/property_replacer.html index a6618616..9bd77cec 100644 --- a/doc/property_replacer.html +++ b/doc/property_replacer.html @@ -36,8 +36,12 @@ BSD syslogd. For example, when TAG is "named[12345]", programname is "named".MonitorWare backend (also for phpLogCon) syslogfacilitythe facility from the message - in numerical form -syslogprioritythe priority (actully severity!) from the - message - in numerical form + + syslogseverityseverity from the + message - in numerical form + +syslogpriorityan alis for syslogseverity - included for + historical reasons (be careful: it still is the severity, not PRI!) timegeneratedtimestamp when the message was RECEIVED. Always in high resolution timereportedtimestamp from the message. Resolution depends on @@ -106,5 +110,12 @@ are defined:

replacement character like space. +

Further Links

+ + diff --git a/doc/rsyslog_recording_pri.html b/doc/rsyslog_recording_pri.html new file mode 100644 index 00000000..c84d47fa --- /dev/null +++ b/doc/rsyslog_recording_pri.html @@ -0,0 +1,134 @@ + +Writing syslog Data to MySQL + + + +

Recording the Priority of Syslog Messages

+

Written by + Rainer + Gerhards (2007-06-18)

+

Abstract

+

The so-called priority (PRI) is very important in syslog messages, +because almost all filtering in syslog.conf is based on it. However, many +syslogds (including the Linux stock sysklogd) do not provide a way to record +that value. In this article, I'll give a brief overview of how PRI can be +written to a log file.

+

Background

+

The PRI value is a combination of so-called severity and facility. The +facility indicates where the message originated from (e.g. kernel, mail +subsystem) while the severity provides a glimpse of how important the message +might be (e.g. error or informational). Be careful with these values: they are +in no way consistent accross applications (especially severity). However, they +still form the basis of most filtering in syslog.conf. For example, the +directive (aka "selector line)

+

+mail.* /var/log/mail.log +

+

means that messages with the mail facility should be stored to +/var/log/mail.log, no matter which severity indicator they have (that is telling +us the asterisk). If you set up complex conditions, it can be annoying to find +out which PRI value a specific syslog message has. Most stock syslogds do not +provide any way to record them.

+

How is it done?

+

With rsyslog, PRI recording is simple. +All you need is the correct template. Even if you do not use rsyslog on a regular +basis, it might be a handy tool for finding out the priority.

+

Rsyslog provides a flexible system to specify the output formats. It is +template-based. A template with the traditional syslog format looks as follows:

+

+$template TraditionalFormat,"%timegenerated% %HOSTNAME% %syslogtag%%msg:::drop-last-lf%\n" +

+

The part in quotes is the output formats. Things between percent-signs are +so-called messages properties. They are replaced with the respective content +from the syslog message when output is written. Everything outside of the +percent signs is literal text, which is simply written as specified.

+

Thankfully, rsyslog provides message properties for the priority. These are +called "PRI", "syslogfacility" and "syslogpriority" (case is important!). They are numerical +values. Starting with rsyslog 1.13.4, there is also a property "PRI-text", which +contains the priority in friendly text format (e.g. "syslog.info"). For the rest +of this article, I assume that you run version 1.13.4 or higher.

+

Recording the priority is now a simple matter of adding the respective field +to the template. It now looks like this:

+

+$template TraditionalFormatWithPRI,"%PRI-text%: %timegenerated% %HOSTNAME% %syslogtag%%msg:::drop-last-lf%\n" +

+

Now we have the right template - but how to write it to a file? You probably +have a line like this in your syslog.conf:

+

*.* -/var/log/messages.log

+

It does not specify a template. Consequently, rsyslog uses the traditional +format. In order to use some other format, simply specify the template after the +semicolon:

+

*.* -/var/log/messages.log;TraditionalFormatWithPRI

+

That's all you need to do. There is one common pitfall: you need to define +the template before you use it in a selector line. Otherwise, you will receive +an error.

+

Once you have applied the changes, you need to restart or HUP rsyslogd. It +will then pick the new configuration.

+

What if I do not want rsyslogd to be the standard syslogd?

+

If you do not want to switch to rsyslog, you can still use it as a setup aid. +A little bit of configuration is required.

+
    +
  1. Download, make and install rsyslog
  2. +
  3. copy your syslog.conf over to rsyslog.conf
  4. +
  5. add the template described above to it; select the file that should use + it
  6. +
  7. stop your regular syslog daemon for the time being
  8. +
  9. run rsyslogd (you may even do this interactively by calling it with the + -n additional option from a shell)
  10. +
  11. stop rsyslogd (press ctrl-c when running interactively)
  12. +
  13. restart your regular syslogd
  14. +
+

That's it - you can now review the priorities.

+

Some Sample Data

+

Below is some sample data created with the template specified above. Note the +priority recording at the start of each line.

+

+kern.info<6>: Jun 15 18:10:38 host kernel: PCI: Sharing IRQ 11 with 00:04.0
+kern.info<6>: Jun 15 18:10:38 host kernel: PCI: Sharing IRQ 11 with 01:00.0
+kern.warn<4>: Jun 15 18:10:38 host kernel: Yenta IRQ list 06b8, PCI irq11
+kern.warn<4>: Jun 15 18:10:38 host kernel: Socket status: 30000006
+kern.warn<4>: Jun 15 18:10:38 host kernel: Yenta IRQ list 06b8, PCI irq11
+kern.warn<4>: Jun 15 18:10:38 host kernel: Socket status: 30000010
+kern.info<6>: Jun 15 18:10:38 host kernel: cs: IO port probe 0x0c00-0x0cff: clean.
+kern.info<6>: Jun 15 18:10:38 host kernel: cs: IO port probe 0x0100-0x04ff: excluding 0x100-0x107 0x378-0x37f 0x4d0-0x4d7
+kern.info<6>: Jun 15 18:10:38 host kernel: cs: IO port probe 0x0a00-0x0aff: clean.
+local7.notice<189>: Jun 15 18:17:24 host dd: 1+0 records out
+local7.notice<189>: Jun 15 18:17:24 host random: Saving random seed: succeeded
+local7.notice<189>: Jun 15 18:17:25 host portmap: portmap shutdown succeeded
+local7.notice<189>: Jun 15 18:17:25 host network: Shutting down interface eth1: succeeded
+local7.notice<189>: Jun 15 18:17:25 host network: Shutting down loopback interface: succeeded
+local7.notice<189>: Jun 15 18:17:25 host pcmcia: Shutting down PCMCIA services: cardmgr
+user.notice<13>: Jun 15 18:17:25 host /etc/hotplug/net.agent: NET unregister event not supported
+local7.notice<189>: Jun 15 18:17:27 host pcmcia: modules.
+local7.notice<189>: Jun 15 18:17:29 host rc: Stopping pcmcia: succeeded
+local7.notice<189>: Jun 15 18:17:30 host rc: Starting killall: succeeded
+syslog.info<46>: Jun 15 18:17:33 host [origin software="rsyslogd" swVersion="1.13.3" x-pid="2464"] exiting on signal 15.
+syslog.info<46>: Jun 18 10:55:47 host [origin software="rsyslogd" swVersion="1.13.3" x-pid="2367"][x-configInfo udpReception="Yes" udpPort="514" tcpReception="Yes" tcpPort="1470"] restart
+user.notice<13>: Jun 18 10:55:50 host rger: test
+syslog.info<46>: Jun 18 10:55:52 host [origin software="rsyslogd" swVersion="1.13.3" x-pid="2367"] exiting on signal 2.

+

Feedback Requested

+

I would appreciate feedback on this paper. If you have additional ideas, +comments or find bugs, please +let me know.

+

References and Additional Material

+ +

Revision History

+ +

Copyright

+

Copyright (c) 2007 +Rainer Gerhards +and Adiscon.

+

Permission is granted to copy, distribute and/or modify this document under +the terms of the GNU Free Documentation License, Version 1.2 or any later +version published by the Free Software Foundation; with no Invariant Sections, +no Front-Cover Texts, and no Back-Cover Texts. A copy of the license can be +viewed at +http://www.gnu.org/copyleft/fdl.html.

+ + \ No newline at end of file -- cgit
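Review bot: the doc/manual.html hunk (@@ -1,54 +1,54 @@) removes and re-adds all 54 lines with text that reads identically on the `-` and `+` sides (the intro paragraph, "Follow the links below for the", "Documentation is added continously", and so on all match), so the actual edit this commit intends for manual.html cannot be picked out of what looks like a whitespace or line-ending rewrite. Please commit the line-ending normalisation separately, or regenerate the diff with whitespace ignored, so the real change to the link list is reviewable. Since every line is touched anyway, this is also the moment to fix the two typos that survive into the `+` lines: "continously" should be "continuously" and "ressources" should be "resources".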
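Review bot: typo in the new syslogpriority row of the doc/property_replacer.html hunk (@@ -36,8 +36,12 @@): "an alis for syslogseverity" should read "an alias for syslogseverity". The warning that it is still the severity and not PRI is the right thing to say; consider also stating plainly that new templates should use syslogseverity, since the table otherwise presents both names as equals.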
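Review bot: the `<title>` of the new doc/rsyslog_recording_pri.html is "Writing syslog Data to MySQL" (second line of the hunk), which looks copied from the MySQL document and should match the heading "Recording the Priority of Syslog Messages". Two consistency points with the rest of this commit: the "How is it done?" section names the numeric properties as "PRI", "syslogfacility" and "syslogpriority", yet property_replacer.html in this same commit introduces "syslogseverity" and warns that "syslogpriority" is really the severity, so the article should name "syslogseverity" (and say it holds the severity, not the full PRI) rather than teach the name the table now discourages; and the text says "I assume that you run version 1.13.4 or higher" while every origin line in the sample data shows swVersion="1.13.3", so either the sample predates PRI-text or the version note needs adjusting. Small wording fixes: "accross" -> "across"; the opening quote in '(aka "selector line)' is never closed; "The part in quotes is the output formats" -> "output format"; "so-called messages properties" -> "message properties"; "It will then pick the new configuration" -> "pick up".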