From 170d0d6f375241e0d0ca85a1327df82165fec439 Mon Sep 17 00:00:00 2001
From: Rainer Gerhards
Date: Tue, 11 Nov 2008 11:00:37 +0100
Subject: added forgotten files they were new after restructuring the doc...
---
doc/rsyslog_conf_examples.html | 209 +++++++++++++++++++++++++++++++++++++++++
1 file changed, 209 insertions(+)
create mode 100644 doc/rsyslog_conf_examples.html
(limited to 'doc/rsyslog_conf_examples.html')
diff --git a/doc/rsyslog_conf_examples.html b/doc/rsyslog_conf_examples.html
new file mode 100644
index 00000000..b46460e5
--- /dev/null
+++ b/doc/rsyslog_conf_examples.html
@@ -0,0 +1,209 @@
+
+Examples - rsyslog.conf
+
+

This is a part of the rsyslog.conf documentation.

+back
+

Examples

+

Below are example for templates and selector lines. I hope
+they are self-explanatory. If not, please see
+www.monitorware.com/rsyslog/ for advise.

+

TEMPLATES

+

Please note that the samples are split across multiple lines.
+A template MUST NOT actually be split across multiple lines.
+
+A template that resembles traditional syslogd file output:
+$template TraditionalFormat,"%timegenerated% %HOSTNAME%
+%syslogtag%%msg:::drop-last-lf%\n"
+
+A template that tells you a little more about the message:
+$template
+precise,"%syslogpriority%,%syslogfacility%,%timegenerated%,%HOSTNAME%,
+%syslogtag%,%msg%\n"
+
+A template for RFC 3164 format:
+$template RFC3164fmt,"<%PRI%>%TIMESTAMP% %HOSTNAME%
+%syslogtag%%msg%"
+
+A template for the format traditonally used for user messages:
+$template usermsg," XXXX%syslogtag%%msg%\n\r"
+
+And a template with the traditonal wall-message format:
+$template wallmsg,"\r\n\7Message from syslogd@%HOSTNAME% at
+%timegenerated%
+
+A template that can be used for the database write (please note the SQL
+template option)
+$template MySQLInsert,"insert iut, message, receivedat values
+('%iut%', '%msg:::UPPERCASE%', '%timegenerated:::date-mysql%')
+into systemevents\r\n", SQL
+
+The following template emulates WinSyslog
+format (it's an Adiscon
+format, you do not feel bad if you don't know it ;)). It's interesting
+to see how it takes different parts out of the date stamps. What
+happens is that the date stamp is split into the actual date and time
+and the these two are combined with just a comma in between them.
+
+$template WinSyslogFmt,"%HOSTNAME%,%timegenerated:1:10:date-rfc3339%,
+%timegenerated:12:19:date-rfc3339%,%timegenerated:1:10:date-rfc3339%,
+%timegenerated:12:19:date-rfc3339%,%syslogfacility%,%syslogpriority%,
+%syslogtag%%msg%\n"

+

SELECTOR LINES

+

# Store critical stuff in critical
+#
+*.=crit;kern.none /var/adm/critical
+
+This will store all messages with the priority crit in the file
+/var/adm/critical, except for any kernel message.
+
+
+# Kernel messages are first, stored in the kernel
+# file, critical messages and higher ones also go
+# to another host and to the console. Messages to
+# the host finlandia are forwarded in RFC 3164
+# format (using the template defined above).
+#
+kern.* /var/adm/kernel
+kern.crit @finlandia;RFC3164fmt
+kern.crit /dev/console
+kern.info;kern.!err /var/adm/kernel-info
+
+The first rule direct any message that has the kernel facility to the
+file /var/adm/kernel.
+
+The second statement directs all kernel messages of the priority crit
+and higher to the remote host finlandia. This is useful, because if the
+host crashes and the disks get irreparable errors you might not be able
+to read the stored messages. If they're on a remote host, too, you
+still can try to find out the reason for the crash.
+
+The third rule directs these messages to the actual console, so the
+person who works on the machine will get them, too.
+
+The fourth line tells rsyslogd to save all kernel messages that come
+with priorities from info up to warning in the file
+/var/adm/kernel-info. Everything from err and higher is excluded.
+
+
+# The tcp wrapper loggs with mail.info, we display
+# all the connections on tty12
+#
+mail.=info /dev/tty12
+
+This directs all messages that uses mail.info (in source LOG_MAIL |
+LOG_INFO) to /dev/tty12, the 12th console. For example the tcpwrapper
+tcpd(8) uses this as it's default.
+
+
+# Store all mail concerning stuff in a file
+#
+mail.*;mail.!=info /var/adm/mail
+
+This pattern matches all messages that come with the mail facility,
+except for the info priority. These will be stored in the file
+/var/adm/mail.
+
+
+# Log all mail.info and news.info messages to info
+#
+mail,news.=info /var/adm/info
+
+This will extract all messages that come either with mail.info or with
+news.info and store them in the file /var/adm/info.
+
+
+# Log info and notice messages to messages file
+#
+*.=info;*.=notice;\
+mail.none /var/log/messages
+
+This lets rsyslogd log all messages that come with either the info or
+the notice facility into the file /var/log/messages, except for all
+messages that use the mail facility.
+
+
+# Log info messages to messages file
+#
+*.=info;\
+mail,news.none /var/log/messages
+
+This statement causes rsyslogd to log all messages that come with the
+info priority to the file /var/log/messages. But any message coming
+either with the mail or the news facility will not be stored.
+
+
+# Emergency messages will be displayed using wall
+#
+*.=emerg *
+
+This rule tells rsyslogd to write all emergency messages to all
+currently logged in users. This is the wall action.
+
+
+# Messages of the priority alert will be directed
+# to the operator
+#
+*.alert root,rgerhards
+
+This rule directs all messages with a priority of alert or higher to
+the terminals of the operator, i.e. of the users "root'' and
+"rgerhards'' if they're logged in.
+
+
+*.* @finlandia
+
+This rule would redirect all messages to a remote host called
+finlandia. This is useful especially in a cluster of machines where all
+syslog messages will be stored on only one machine.
+
+In the format shown above, UDP is used for transmitting the message.
+The destination port is set to the default auf 514. Rsyslog is also
+capable of using much more secure and reliable TCP sessions for message
+forwarding. Also, the destination port can be specified. To select TCP,
+simply add one additional @ in front of the host name (that is, @host
+is UPD, @@host is TCP). For example:
+
+
+*.* @@finlandia
+
+To specify the destination port on the remote machine, use a colon
+followed by the port number after the machine name. The following
+forwards to port 1514 on finlandia:
+
+
+*.* @@finlandia:1514
+
+This syntax works both with TCP and UDP based syslog. However, you will
+probably primarily need it for TCP, as there is no well-accepted port
+for this transport (it is non-standard). For UDP, you can usually stick
+with the default auf 514, but might want to modify it for security rea-
+sons. If you would like to do that, it's quite easy:
+
+
+*.* @finlandia:1514
+
+
+
+*.* >dbhost,dbname,dbuser,dbpassword;dbtemplate
+
+This rule writes all message to the database "dbname" hosted on
+"dbhost". The login is done with user "dbuser" and password
+"dbpassword". The actual table that is updated is specified within the
+template (which contains the insert statement). The template is called
+"dbtemplate" in this case.

+

:msg,contains,"error" @errorServer

+

This rule forwards all messages that contain the word "error"
+in the msg part to the server "errorServer". Forwarding is via UDP.
+Please note the colon in fron

+
+

[manual index]
+[rsyslog.conf]
+[rsyslog site]

+

This documentation is part of the
+rsyslog project.
+Copyright © 2008 by Rainer Gerhards and
+Adiscon. Released under the GNU GPL
+version 2 or higher.

+
+
+
-- cgit