From b11b227b1adce527415f73e89ad413a9603c5168 Mon Sep 17 00:00:00 2001
From: Rainer Gerhards
Date: Mon, 3 Dec 2007 13:32:33 +0000
Subject: added sample config provided by Peter Vrabec - thx!
---
doc/rsyslog-example.conf | 163 +++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 163 insertions(+)
create mode 100644 doc/rsyslog-example.conf
(limited to 'doc/rsyslog-example.conf')
diff --git a/doc/rsyslog-example.conf b/doc/rsyslog-example.conf
new file mode 100644
index 00000000..495bc566
--- /dev/null
+++ b/doc/rsyslog-example.conf
@@ -0,0 +1,163 @@
+# A commented quick reference and sample configuration
+# WARNING: This is not a manual, the full manual of rsyslog configuration is in
+# rsyslog.conf (5) manpage
+#
+# "$" starts lines that contain new directives. The full list of directives
+# can be found in /usr/share/doc/rsyslog-1.19.6/doc/rsyslog_conf.html or online
+# at http://www.rsyslog.com/doc if you do not have (or find) a local copy.
+#
+# Set syslogd options
+
+# Some global directives
+# ----------------------
+
+# $AllowedSender - specifies which remote systems are allowed to send syslog messages to rsyslogd
+# --------------
+$AllowedSender UDP, 127.0.0.1, 192.0.2.0/24, [::1]/128, *.example.net, somehost.example.com
+
+# $UMASK - specifies the rsyslogd processes' umask
+# ------
+$umask 0000
+
+# $FileGroup - Set the group for dynaFiles newly created
+# ----------
+$FileGroup loggroup
+
+# $FileOwner - Set the file owner for dynaFiles newly created.
+# ----------
+$FileOwner loguser
+
+# $IncludeConfig - include other files into the main configuration file
+# --------------
+$IncludeConfig /etc/some-included-file.conf # one file
+$IncludeConfig /etc/rsyslog.d/ # whole directory (must contain the final slash)
+
+# $ModLoad - Dynamically loads a plug-in and activates it
+# --------
+$ModLoad MySQL # load MySQL functionality
+$ModLoad /rsyslog/modules/somemodule.so # load a module via absolute path
+
+
+
+# Templates
+# ---------
+
+# Templates allow to specify any format a user might want.
+# They MUST be defined BEFORE they are used.
+
+# A template consists of a template directive, a name, the actual template text
+# and optional options. A sample is:
+#
+$template MyTemplateName,"\7Text %property% some more text\n",
+
+# where:
+# * $template - tells rsyslog that this line contains a template.
+# * MyTemplateName - template name. All other config lines refer to this name.
+# * "\7Text %property% some more text\n" - templage text
+
+# The backslash is an escape character, i.e. \7 rings the bell, \n is a new line.
+# To escape:
+# % = \%
+# \ = \\
+
+# Template options are case-insensitive. Currently defined are:
+# sql format the string suitable for a SQL statement. This will replace single
+# quotes ("'") by two single quotes ("''") to prevent the SQL injection
+# (NO_BACKSLASH_ESCAPES turned off)
+# stdsql - format the string suitable for a SQL statement that is to
+# be sent to a standards-compliant sql server.
+# (NO_BACKSLASH_ESCAPES turned on)
+
+
+
+# Properties inside templates
+# ---------------------------
+
+# Properties can be modified by the property replacer. They are accessed
+# inside the template by putting them between percent signs. The full syntax is as follows:
+
+# %propname:fromChar:toChar:options%
+
+# FromChar and toChar are used to build substrings.
+# If you need to obtain the first 2 characters of the
+# message text, you can use this syntax:
+"%msg:1:2%".
+# If you do not whish to specify from and to, but you want to
+# specify options, you still need to include the colons.
+
+# For example, to convert the full message text to lower case only, use
+# "%msg:::lowercase%".
+
+# The full list of property options can be found in rsyslog.conf(5) manpage
+
+
+
+# Samples of template definitions
+# -------------------------------
+
+# A template that resambles traditional syslogd file output:
+$template TraditionalFormat,"%timegenerated% %HOSTNAME% %syslogtag%%msg:::drop-last-lf%\n"
+
+# A more verbose template:
+$template precise,"%syslogpriority%,%syslogfacility%,%timegenerated::fulltime%,%HOSTNAME%,%syslogtag%,%msg%\n"
+
+# A template that resembles RFC 3164 on-the-wire format:
+# (yes, there is NO space betwen syslogtag and msg! that's important!)
+$template RFC3164fmt,"<%PRI%>%TIMESTAMP% %HOSTNAME% %syslogtag%%msg%"
+
+# a template resembling traditional wallmessage format:
+$template wallmsg,"\r\n\7Message from syslogd@%HOSTNAME% at %timegenerated% ...\r\n %syslogtag%%msg%\n\r"
+
+# The template below emulates winsyslog format, but we need to check the time
+# stamps used. It is also a good sampleof the property replacer in action.
+$template WinSyslogFmt,"%HOSTNAME%,%timegenerated:1:10:date-rfc3339%,%timegenerated:12:19:date-rfc3339%,%timegenerated:1:10:date-rfc3339%,%timegenerated:12:19:date-rfc3339%,%syslogfacility%,%syslogpriority%,%syslogtag%%msg%\n"
+
+# A template used for database writing (notice it *is* an actual
+# sql-statement):
+$template dbFormat,"insert into SystemEvents (Message, Facility,FromHost, Priority, DeviceReportedTime, ReceivedAt, InfoUnitID, SysLogTag) values ('%msg%', %syslogfacility%, '%HOSTNAME%',%syslogpriority%, '%timereported:::date-mysql%', '%timegenerated:::date-mysql%', %iut%, '%syslogtag%')",sql
+
+
+
+# Samples of rules
+# ----------------
+# Regular file
+# ------------
+*.* /var/log/traditionalfile.log;TraditionalFormat # log to a file in the traditional format
+
+# Forwarding to remote machine
+# ----------------------------
+*.* @172.19.2.16 # udp (standard for syslog)
+*.* @@172.19.2.17 # tcp
+
+# Database action
+# ---------------
+# (you must have rsyslog-mysql package installed)
+# !!! Don't forget to set permission of rsyslog.conf to 600 !!!
+*.* >hostname,dbname,userid,password # (default Monitorware schema, can be created by /usr/share/doc/rsyslog-mysql-1.19.6/createDB.sql)
+
+# And this one uses the template defined above:
+*.* >hostname,dbname,userid,password;dbFormat
+
+# Program to execute
+# ------------------
+*.* ^alsaunmute # set default volume to soundcard
+
+# Filter using regex
+# ------------------
+# if the user logges word rulez or rulezz or rulezzz or..., then we will shut down his pc
+# (note, that + have to be double backslashed...)
+:msg, regex, "rulez\\+" ^poweroff
+
+# A more complex example
+# ----------------------
+$template bla_logged,"%timegenerated% the BLA was logged"
+:msg, contains, "bla" ^logger;bla_logged
+
+# Pipes
+# -----
+# first we need to create pipe by # mkfifo /a_big_pipe
+*.* |/a_big_pipe
+
+# Discarding
+# ----------
+*.* ~ # discards everything
-- cgit
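Review bot: The regex example `:msg, regex, "rulez\\+" ^poweroff` binds a destructive program to a substring of the message text, while `$AllowedSender UDP, ...` earlier in the same file admits messages from remote hosts and whole subnets; message content is chosen by whoever sends it and UDP source addresses are not authenticated, so a sample that ships this combination invites copying a configuration in which any admitted sender can halt the host. I would keep the regex syntax but point it at a harmless program, as the next example already does with `^logger`, and add a comment such as `# Message text is controlled by the sender - never bind a destructive program to a content match on a host that accepts remote messages`. The unconditional `*.* ^alsaunmute` line has the same shape, running the program once per received message, which is worth stating in its comment. Separately, `$umask 0000` removes every default permission restriction from files rsyslog creates, which sits oddly next to the later warning to keep rsyslog.conf at mode 600; the sample should either use a restrictive umask or comment why 0000 is intended.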