From 071c9b511a711725537eff386f82a3af3ca930a8 Mon Sep 17 00:00:00 2001 From: Rainer Gerhards Date: Fri, 4 Sep 2009 14:53:44 +0200 Subject: added $LogRSyslogStatusMessages configuration directive ...permitting to turn off rsyslog start/stop/HUP messages. See Debian ticket http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=463793 --- doc/manual.html | 2 +- doc/rsyslog_conf_global.html | 4 ++++ 2 files changed, 5 insertions(+), 1 deletion(-) (limited to 'doc') diff --git a/doc/manual.html b/doc/manual.html index e1f7480e..52a8380e 100644 --- a/doc/manual.html +++ b/doc/manual.html @@ -19,7 +19,7 @@ rsyslog support available directly from the source!

Please visit the rsyslog sponsor's page to honor the project sponsors or become one yourself! We are very grateful for any help towards the project goals.

-

This documentation is for version 4.5.2 (v4-beta branch) of rsyslog. +

This documentation is for version 4.7.0 (v4-devel branch) of rsyslog. Visit the rsyslog status page to obtain current version information and project status.

If you like rsyslog, you might diff --git a/doc/rsyslog_conf_global.html b/doc/rsyslog_conf_global.html index 2bbb136e..f2642ca4 100644 --- a/doc/rsyslog_conf_global.html +++ b/doc/rsyslog_conf_global.html @@ -146,6 +146,10 @@ Usually that should not be a big issue, as the restart-type HUP can easily be re something along the lines of "/etc/init.d/rsyslog restart".

  • $IncludeConfig
  • MainMsgQueueCheckpointInterval <number>
  • +
  • $LogRSyslogStatusMessages [on/off] - If set to on (the default), +rsyslog emits message on startup and shutdown as well as when it is HUPed. +This information might be needed by some log analyzers. If set to off, no such +status messages are logged, what may be useful for other scenarios.
  • $MainMsgQueueDequeueSlowdown <number> [number is timeout in microseconds (1000000us is 1sec!), default 0 (no delay). Simple rate-limiting!]
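Review bot: In the new $LogRSyslogStatusMessages entry of rsyslog_conf_global.html, "what may be useful for other scenarios" gives the reader no basis for choosing off. The same entry says log analyzers may need these messages, so name the case the Debian ticket is about and state that with off the log no longer records rsyslogd start, stop and HUP events. Wording: "emits message" should be "emits a message" and "what may be" should be "which may be". The manual.html hunk also moves the documented version from 4.5.2 (v4-beta) to 4.7.0 (v4-devel), which the commit subject does not mention.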
  • -- cgit From 5f76568d3707cbbadfa3767558ded52cf5f27f47 Mon Sep 17 00:00:00 2001 From: Rainer Gerhards Date: Fri, 4 Sep 2009 16:58:00 +0200 Subject: added new config option $InputUnixListenSocketCreatePath backport from v5-devel --- doc/imuxsock.html | 28 ++++++++++++++++++++++++++-- 1 file changed, 26 insertions(+), 2 deletions(-) (limited to 'doc') diff --git a/doc/imuxsock.html b/doc/imuxsock.html index 472470a0..15c365a6 100644 --- a/doc/imuxsock.html +++ b/doc/imuxsock.html @@ -46,6 +46,18 @@ Ignore timestamps included in the messages, applies to messages received via the
  • $SystemLogSocketName <name-of-socket> -- former -p option
  • $SystemLogFlowControl [on/off] - specifies if flow control should be applied to the system log socket.
  • +
  • $InputUnixListenSocketCreatePath [on/off] - create directories in the socket path +if they do not already exist. They are created with 0755 permissions with the owner being the process under +which rsyslogd runs. The default is not to create directories. Keep in mind, though, that rsyslogd always +creates the socket itself if it does not exist (just not the directories by default). +
    Note that this statement affects the +next $AddUnixListenSocket directive that follows in sequence in the configuration file. It never works +on the system log socket (where it is deemed unnecessary). Also note that it is automatically +being reset to "off" after the $AddUnixListenSocket directive, so if you would have it active +for two additional listen sockets, you need to specify it in front of each one. This option is primarily considered +useful for defining additional sockets that reside on non-permanent file systems. As rsyslogd probably starts +up before the daemons that create these sockets, it is a vehicle to enable rsyslogd to listen to those +sockets even though their directories do not yet exist. [available since 4.7.0 and 5.3.0]
  • $AddUnixListenSocket <name-of-socket> adds additional unix socket, default none -- former -a option
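Review bot: The $InputUnixListenSocketCreatePath text fixes the created directories at mode 0755, owned by the process under which rsyslogd runs, but does not say whether that mode can be changed or what happens when part of the path already exists with a different owner or mode. The stated use case is a socket directory that a different daemon uses later, so add a sentence on both. "if you would have it active for two additional listen sockets" reads better as "if you want it active".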
  • $InputUnixListenSocketHostName <hostname> permits to override the hostname that shall be used inside messages taken from the next $AddUnixListenSocket socket. Note that @@ -57,20 +69,32 @@ that the local hostname can be overridden in cases where that is desired.

  • This documentation is sparse and incomplete.

    Sample:

    -

    The following sample is the minimum setup required to accept syslog messages from applications running on the local system.
    +

    The following sample is the minimum setup required to accept syslog messages from applications running +on the local system.

    The following sample is a configuration where rsyslogd pulls logs from two jails, and assigns different hostnames to each of the jails:

    - +

    The following sample is a configuration where rsyslogd reads the openssh log +messages via a separate socket, but this socket is created on a temporary file +system. As rsyslogd starts up before the sshd, it needs to create the socket +directories, because it otherwise can not open the socket and thus not listen +to openssh messages. Note that it is vital not to place any other socket between +the $InputUnixListenSocketCreatePath and the $InputUnixListenSocketHostName.

    +

    [rsyslog.conf overview] [manual index] [rsyslog site]
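Review bot: The last sentence of the new openssh sample paragraph names the wrong directive. It says no other socket may be placed between $InputUnixListenSocketCreatePath and $InputUnixListenSocketHostName, while the directive description in the first hunk says the setting applies to the next $AddUnixListenSocket and is reset to "off" after it. Make the paragraph say $AddUnixListenSocket and check that the sample lines define the socket with that directive, otherwise a reader copying the sample gets neither the directory nor the listener. "can not open" should be "cannot open".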

    This documentation is part of the -- cgit From bfac3c68f47b8769b0936fb80eeea8880793fd2d Mon Sep 17 00:00:00 2001 From: Rainer Gerhards Date: Fri, 11 Sep 2009 11:23:47 +0200 Subject: added new config directive $omfileForceChown to fix some broken system configs. See ticket for details: http://bugzilla.adiscon.com/show_bug.cgi?id=150 --- doc/rsconf1_omfileforcechown.html | 64 +++++++++++++++++++++++++++++++++++++++ doc/rsyslog_conf_global.html | 1 + 2 files changed, 65 insertions(+) create mode 100644 doc/rsconf1_omfileforcechown.html (limited to 'doc') diff --git a/doc/rsconf1_omfileforcechown.html b/doc/rsconf1_omfileforcechown.html new file mode 100644 index 00000000..7415a6f6 --- /dev/null +++ b/doc/rsconf1_omfileforcechown.html @@ -0,0 +1,64 @@ + + +rsyslog.conf file + + +back + +

    $omfileForceChown

    +

    Type: global configuration directive

    +

    Parameter Values: boolean (on/off, yes/no)

    +

    Available since: 4.7.0+, 5.3.0+

    +

    Default: off

    +

    Description:

    +

    Forces rsyslogd to change the ownership for output files that already exist. Please note +that this tries to fix a potential problem that exists outside the scope of rsyslog. Actually, +it tries to fix invalid ownership/permission settings set by the original file creator. +

    Rsyslog changes the ownership during initial execution with root privileges. When a privelege +drop is configured, privileges are dropped after the file owner ship is changed. Not that this currently +is a limitation in rsyslog's privilege drop code, which is on the TODO list to be removed. See Caveats +section below for the important implications. +

    Caveats:

    +

    This directive tries to fix a problem that actually is outside the scope of rsyslog. As such, +there are a couple of restrictions and situations in which it will not work. Users are strongly +encouraged to fix their system instead of turning this directive on - it should only be used +as a last resort. +

    At least in the following scenario, this directive will fail expectedly: +

    It does not address +the situation that someone changes the ownership *after* rsyslogd has started. +Let's, for example, consider a log rotation script. +

      +
    • rsyslog is started +
    • ownership is changed +
    • privileges dropped +
    • log rotation (lr) script starts +
    • lr removes files +
    • lr creates new files with root:adm (or whatever else) +
    • lr HUPs rsyslogd +
    • rsyslogd closes files +
    • rsyslogd tries to open files +
    • rsyslogd tries to change ownership --> fail as we are non-root now +
    • file open fails +
    + +Please note that once the privilege drop code is refactored, this directive will +no longer work, because then privileges will be dropped before any action is performed, +and thus we will no longer be able to chown files that do not belong to the +user rsyslogd is configured to run under. + +

    So expect the directive to go away. It will not +be removed in version 4, but may disappear at any time for any version greater than 4. + +

    Sample:

    +

    $FileOwner loguser +
    $omfileForceChown on

    + +

    [rsyslog.conf overview] [manual +index] [rsyslog site]

    +

    This documentation is part of the +rsyslog project.
    +Copyright © 2007 by Rainer Gerhards and +Adiscon. Released under the GNU GPL +version 2 or higher.
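Review bot: The Description in rsconf1_omfileforcechown.html has a typo that changes the meaning: "Not that this currently is a limitation" should be "Note that". Also "privelege" should be "privilege", "owner ship" should be "ownership", and "will fail expectedly" is ambiguous (presumably "is expected to fail"). The page says the chown runs with root privileges before the privilege drop, so state explicitly which files it touches (the index entry says "all files") so an administrator can judge what a mistyped output path would cause to be re-owned. The footer gives Copyright 2007 and GPL version 2 or higher for a file created in this commit, while the other doc pages in this series say version 3.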

    + + diff --git a/doc/rsyslog_conf_global.html b/doc/rsyslog_conf_global.html index 74255c54..5f80f92e 100644 --- a/doc/rsyslog_conf_global.html +++ b/doc/rsyslog_conf_global.html @@ -225,6 +225,7 @@ error recovery thus can handle write errors without data loss. Note that this op severely reduces the effect of zip compression and should be switched to off for that use case. Note that the default -off- is primarily an aid to preserve the traditional syslogd behaviour. +
  • $omfileForceChown - force ownership change for all files
  • $RepeatedMsgContainsOriginalMsg [on/off] - "last message repeated n times" messages, if generated, have a different format that contains the message that is being repeated. Note that only the first "n" characters are included, with n to be at least 80 characters, most -- cgit From e4ca8a3119ece504819605b340a3f5ba36b3eab6 Mon Sep 17 00:00:00 2001 From: Rainer Gerhards Date: Tue, 3 Nov 2009 09:20:02 +0100 Subject: added function getenv() to RainerScript --- doc/expression.html | 21 +++++++++++++-------- doc/rainerscript.html | 18 +++++++++++++++--- 2 files changed, 28 insertions(+), 11 deletions(-) (limited to 'doc') diff --git a/doc/expression.html b/doc/expression.html index 9e37cb7a..c401d9ab 100644 --- a/doc/expression.html +++ b/doc/expression.html @@ -1,17 +1,22 @@ -Expressions + +Expressions in rsyslog -back -

    Expressions

    +back to rsyslog filter conditions +

    Expressions in rsyslog

    Rsyslog supports expressions at a growing number of places. So -far, they are supported for filtering messages.

    Expression support is provided by RainerScript. For now, please see the formal expression definition in RainerScript ABNF. It is the "expr" node.

    C-like comments (/* some comment */) are supported inside the expression, but not yet in the rest of the configuration file.

    [rsyslog.conf overview] +far, they are supported for filtering messages.

    +

    Expression support is provided by RainerScript. Please see the +RainerScript documentation for more details.

    +

    C-like comments (/* some comment */) are supported inside the expression, +but not yet in the rest of the configuration file.

    + +

    [rsyslog.conf overview] [manual index] [rsyslog site]

    This documentation is part of the -rsyslog -project.
    -Copyright © 2008 by Rainer -Gerhards and +rsyslog project.
    +Copyright © 2008, 2009 by Rainer Gerhards and Adiscon. Released under the GNU GPL version 3 or higher.

    diff --git a/doc/rainerscript.html b/doc/rainerscript.html index ef0e41cb..63a79040 100644 --- a/doc/rainerscript.html +++ b/doc/rainerscript.html @@ -51,13 +51,25 @@ of a and b should be tested as "a <> b". The "not" operator should be reserved to cases where it actually is needed to form a complex boolean expression. In those cases, parenthesis are highly recommended. +

    Functions

    +

    RainerScript supports a currently quite limited set of functions: +

      +
    • getenv(str) - like the OS call, returns the value of the environment +variable, if it exists. Returns an empty string if it does not exist. +
    • strlen(str) - returns the length of the provided string +
    • tolower(str) - converts the provided string into lowercase +
    +

    The following example can be used to build a dynamic filter based on some environment +variable: +

    +if $msg contains getenv('TRIGGERVAR') then /path/to/errfile
    +

    [rsyslog.conf overview] [manual index] [rsyslog site]

    This documentation is part of the rsyslog project.
    -Copyright © 2008 by Rainer -Gerhards and +Copyright © 2008, 2009 by Rainer Gerhards and Adiscon. Released under the GNU GPL version 3 or higher.

    - \ No newline at end of file + -- cgit From d06b63272d9d5eb568201026bfd42be2be845b18 Mon Sep 17 00:00:00 2001 From: Luis Fernando Munoz Mejias Date: Thu, 12 Nov 2009 14:37:14 +0100 Subject: doc --- doc/omoracle.html | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) (limited to 'doc') diff --git a/doc/omoracle.html b/doc/omoracle.html index cfcf277f..2bb6aa5d 100644 --- a/doc/omoracle.html +++ b/doc/omoracle.html @@ -13,10 +13,11 @@

    Available since: : 4.3.0

    Status: : contributed module, not maitained by rsyslog core authors

    Description:

    -

    This module provides native support for logging to Oracle databases. It offers -superior performance over the more generic omlibdbi module. -It also includes a number of enhancements, most importantly prepared statements and -batching, what provides a big performance improvements. +

    This module provides native support for logging to Oracle +databases. It offers superior performance over the more +generic omlibdbi module. It also includes +a number of enhancements, most importantly prepared statements and +batching, what provides a big performance improvement.

    Note that this module is maintained by its original author. If you need assistance with it, it is suggested to post questions to the @@ -63,7 +64,7 @@ it is suggested to post questions to the $OmoracleStatement \ insert into foo(hostname,message)values(:host,:message) - Also note that identifiers to placeholders are arbitrarry. You + Also note that identifiers to placeholders are arbitrary. You need to define the properties on the template in the correct order you want them passed to the statement! -- cgit From 26893eb8edfa38fb06c61379919a817dadf01615 Mon Sep 17 00:00:00 2001 From: Rainer Gerhards Date: Fri, 27 Nov 2009 10:39:46 +0100 Subject: added at least minimal doc for $EscapeControlCharacterTab --- doc/rsyslog_conf_global.html | 1 + 1 file changed, 1 insertion(+) (limited to 'doc') diff --git a/doc/rsyslog_conf_global.html b/doc/rsyslog_conf_global.html index 5f80f92e..76dce26d 100644 --- a/doc/rsyslog_conf_global.html +++ b/doc/rsyslog_conf_global.html @@ -130,6 +130,7 @@ our paper on using multiple rule sets in rsyslog$DropTrailingLFOnReception

  • $DynaFileCacheSize
  • $EscapeControlCharactersOnReceive
  • +
  • $EscapeControlCharactersOnReceive [on|off] - escape USASCII HT character
  • $ErrorMessagesToStderr [on|off] - direct rsyslogd error message to stderr (in addition to other targets)
  • $FailOnChownFailure
  • $FileCreateMode
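Review bot: The added list entry is headed $EscapeControlCharactersOnReceive, which duplicates the entry directly above it, while the commit subject says the documentation is for $EscapeControlCharacterTab. Rename the new entry to the directive it describes, and state its default and how it interacts with $EscapeControlCharactersOnReceive, since "escape USASCII HT character" alone does not say whether tabs are escaped when the general option is on.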
  • -- cgit From 74000ea71eb47c19653e0cd7bbffb83d913c3923 Mon Sep 17 00:00:00 2001 From: Rainer Gerhards Date: Tue, 20 Apr 2010 15:49:58 +0200 Subject: doc for imsolaris added --- doc/Makefile.am | 1 + doc/imsolaris.html | 47 +++++++++++++++++++++++++++++++++++++++++++ doc/rsyslog_conf_modules.html | 1 + 3 files changed, 49 insertions(+) create mode 100644 doc/imsolaris.html (limited to 'doc') diff --git a/doc/Makefile.am b/doc/Makefile.am index a1f192ee..9ca0afe6 100644 --- a/doc/Makefile.am +++ b/doc/Makefile.am @@ -39,6 +39,7 @@ html_files = \ imtcp.html \ imgssapi.html \ imrelp.html \ + imsolaris.html \ imuxsock.html \ imklog.html \ professional_support.html \ diff --git a/doc/imsolaris.html b/doc/imsolaris.html new file mode 100644 index 00000000..ce0e7e84 --- /dev/null +++ b/doc/imsolaris.html @@ -0,0 +1,47 @@ + + + +Solaris Input Module (imsolaris) + + + +back + +

    Solaris Input Module

    +

    Module Name:    imsolaris

    +

    Author: Rainer Gerhards +<rgerhards@adiscon.com>

    +

    Description:

    +

    Reads local Solaris log messages including the kernel log.

    +

    This module is specifically tailored for Solaris. Under Solaris, there +is no special kernel input device. Instead, both kernel messages as well as +messages emitted via syslog() are received from a single source. +

    This module obeys the Solaris door() mechanism to detect a running syslogd +instance. As such, only one can be active at one time. If it detects another +active intance at startup, the module disables itself, but rsyslog will +continue to run. +

    Configuration Directives:

    +
      +
    • $IMSolarisLogSocketName <name>
      +This is the name of the log socket (stream) to read. If not given, /dev/log +is read. +
    • +
    +Caveats/Known Bugs: +

    None currently known. For obvious reasons, works on Solaris, only (and compilation +will most probably fail on any other platform). +

    Sample:

    +

    The following sample pulls messages from the default log source +
    +

    + +

    [rsyslog.conf overview] +[manual index] [rsyslog site]

    +

    This documentation is part of the +rsyslog +project.
    +Copyright © 2010 by Rainer Gerhards and +Adiscon. +Released under the GNU GPL version 3 or higher.
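Review bot: The door() paragraph in imsolaris.html says the module disables itself when another syslogd instance is detected while rsyslog continues to run, but not how the administrator finds out. Document whether an error message is emitted in that case, because the text as written describes an rsyslog that runs without reading the local and kernel log source and gives no sign of it. "intance" should be "instance", and "works on Solaris, only" should drop the comma.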

    + diff --git a/doc/rsyslog_conf_modules.html b/doc/rsyslog_conf_modules.html index 675b8bb3..c36b8c6d 100644 --- a/doc/rsyslog_conf_modules.html +++ b/doc/rsyslog_conf_modules.html @@ -32,6 +32,7 @@ to message generators.
  • immark - support for mark messages
  • imklog - kernel logging
  • imuxsock - unix sockets, including the system log socket
  • +
  • imsolaris - input for the Sun Solaris system log source
  • im3195 - accepts syslog messages via RFC 3195
  • -- cgit From 9ba148cca62620d0bc9357b46393f9b5e2d6ede0 Mon Sep 17 00:00:00 2001 From: Rainer Gerhards Date: Thu, 22 Apr 2010 15:32:15 +0200 Subject: preparing for 4.7.1 release --- doc/manual.html | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'doc') diff --git a/doc/manual.html b/doc/manual.html index 3d9a2f2d..a5f12a56 100644 --- a/doc/manual.html +++ b/doc/manual.html @@ -19,7 +19,7 @@ rsyslog support available directly from the source!

    Please visit the rsyslog sponsor's page to honor the project sponsors or become one yourself! We are very grateful for any help towards the project goals.

    -

    This documentation is for version 4.7.0 (v4-devel branch) of rsyslog. +

    This documentation is for version 4.7.1 (v4-devel branch) of rsyslog. Visit the rsyslog status page to obtain current version information and project status.

    If you like rsyslog, you might -- cgit From d19806431653e6575a002ab48206c16d3041e465 Mon Sep 17 00:00:00 2001 From: Rainer Gerhards Date: Mon, 26 Apr 2010 12:08:00 +0200 Subject: added new $Sleep directive to hold processing for a couple of seconds during startup --- doc/rsyslog_conf_global.html | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) (limited to 'doc') diff --git a/doc/rsyslog_conf_global.html b/doc/rsyslog_conf_global.html index 8137bcba..8c1cc9a7 100644 --- a/doc/rsyslog_conf_global.html +++ b/doc/rsyslog_conf_global.html @@ -273,6 +273,9 @@ the value, the less precise the timestamp.

  • $PrivDropToGroupID
  • $PrivDropToUser
  • $PrivDropToUserID
  • +
  • $Sleep <seconds> - puts the rsyslog main thread to sleep for the specified +number of seconds immediately when the directive is encountered. You should have a +good reason for using this directive!
  • $UMASK
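Review bot: The $Sleep entry ends with "You should have a good reason for using this directive!" without saying what a good reason is or what the cost is. The commit subject gives the purpose as holding processing for a couple of seconds during startup; put that in the entry, and say what is held up while the main thread sleeps, for example whether directives that follow it in the configuration file are delayed by the same number of seconds.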
  • Where <size_nbr> is specified above, @@ -291,7 +294,7 @@ point of view, "1,,0.0.,.,0" also has the value 1000.

    [rsyslog site]

    This documentation is part of the rsyslog project.
    -Copyright © 2008, 2009 by Rainer Gerhards and +Copyright © 2008-2010 by Rainer Gerhards and Adiscon. Released under the GNU GPL version 3 or higher.

    -- cgit From 1ab2bb26d20eaffc36999cb2bb1d7c9be3994c56 Mon Sep 17 00:00:00 2001 From: Rainer Gerhards Date: Mon, 3 May 2010 12:52:38 +0200 Subject: preparing for 4.7.2 --- doc/manual.html | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'doc') diff --git a/doc/manual.html b/doc/manual.html index a5f12a56..1d81a5f8 100644 --- a/doc/manual.html +++ b/doc/manual.html @@ -19,7 +19,7 @@ rsyslog support available directly from the source!

    Please visit the rsyslog sponsor's page to honor the project sponsors or become one yourself! We are very grateful for any help towards the project goals.

    -

    This documentation is for version 4.7.1 (v4-devel branch) of rsyslog. +

    This documentation is for version 4.7.2 (v4-devel branch) of rsyslog. Visit the rsyslog status page to obtain current version information and project status.

    If you like rsyslog, you might -- cgit From 80ff634c841d692c1d9f335b88e225d6ce7317f7 Mon Sep 17 00:00:00 2001 From: Rainer Gerhards Date: Fri, 6 Aug 2010 17:25:38 +0200 Subject: added omuxsock, which permits to write message to local Unix sockets this is the counterpart to imuxsock, enabling fast local forwarding --- doc/Makefile.am | 1 + doc/imuxsock.html | 2 +- doc/omuxsock.html | 43 +++++++++++++++++++++++++++++++++++++++++++ doc/rsyslog_conf_modules.html | 1 + 4 files changed, 46 insertions(+), 1 deletion(-) create mode 100644 doc/omuxsock.html (limited to 'doc') diff --git a/doc/Makefile.am b/doc/Makefile.am index 5beebf0e..24a0ea74 100644 --- a/doc/Makefile.am +++ b/doc/Makefile.am @@ -100,6 +100,7 @@ html_files = \ gssapi.html \ licensing.html \ ommail.html \ + omuxsock.html \ omrelp.html \ syslog_parsing.html \ troubleshoot.html \ diff --git a/doc/imuxsock.html b/doc/imuxsock.html index 15c365a6..381374d2 100644 --- a/doc/imuxsock.html +++ b/doc/imuxsock.html @@ -100,7 +100,7 @@ $InputUnixListenSocketHostName /var/run/sshd/dev/log

    This documentation is part of the rsyslog project.
    -Copyright © 2008 by Rainer +Copyright © 2008-2010 by Rainer Gerhards and Adiscon. Released under the GNU GPL version 3 or higher.

    diff --git a/doc/omuxsock.html b/doc/omuxsock.html new file mode 100644 index 00000000..4ffc53eb --- /dev/null +++ b/doc/omuxsock.html @@ -0,0 +1,43 @@ + +Unix sockets output module (omuxsock) - sending syslog messages to local socket +back + + +

    Mail Output Module (omuxsock)

    +

    Module Name:    omuxsock

    +

    Available since:    4.7.3, 5.5.7

    +

    Author: Rainer Gerhards <rgerhards@adiscon.com>

    +

    Description:

    +

    This module supports sending syslog messages to local Unix sockets. +Thus it provided a fast message-passing interface between different rsyslog +instances. The counterpart to omuxsock is imuxsock. +Note that the template used together with omuxsock must be suitable to be +processed by the receiver. +

    Configuration Directives:

    +
      +
    • $OMUxSockSocket
      +Name of the socket to send data to. This has no default and must +be set. +
    • +
    • $OMUxSockDefaultTemplate
      +This can be used to override the default template to be used together +with omuxsock. This is primarily useful if there are many forwarding +actions and each of them should use the same template.
    • +
    +Caveats/Known Bugs: +

    Currently, only datagram sockets are supported. +

    Sample:

    +

    The following sample writes all messages to the "/tmp/socksample" socket. +

    + +[manual index] [rsyslog site]

    +

    This documentation is part of the rsyslog +project.
    +Copyright © 2010 by Rainer Gerhards and +Adiscon. +Released under the GNU GPL version 3 or higher.
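Review bot: The heading of the new omuxsock.html reads "Mail Output Module (omuxsock)", which does not match the title line ("Unix sockets output module"); it should name the Unix sockets output module. The sample text uses "/tmp/socksample": for a socket that carries log traffic between rsyslog instances, a path inside a directory writable only by the rsyslog user is a better documented example than a shared temporary directory. "Thus it provided" should be "provides".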

    + + diff --git a/doc/rsyslog_conf_modules.html b/doc/rsyslog_conf_modules.html index c36b8c6d..a6555c1a 100644 --- a/doc/rsyslog_conf_modules.html +++ b/doc/rsyslog_conf_modules.html @@ -52,6 +52,7 @@ SQLLite, Ingres, Oracle, mSQL)
  • ommail - permits rsyslog to alert folks by mail if something important happens
  • omoracle - output module for Oracle (native OCI interface)
  • +
  • omuxsock - output module Unix domain sockets
  • Library Modules

    -- cgit From 89f7dddf36d57c9261464560e3b2c0fb8ea88fd2 Mon Sep 17 00:00:00 2001 From: Rainer Gerhards Date: Mon, 9 Aug 2010 08:09:15 +0200 Subject: doc nit: wrong title in omuxsock page thanks to David Lang for finding this issue --- doc/omuxsock.html | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'doc') diff --git a/doc/omuxsock.html b/doc/omuxsock.html index 4ffc53eb..5fa569eb 100644 --- a/doc/omuxsock.html +++ b/doc/omuxsock.html @@ -3,7 +3,7 @@ back -

    Mail Output Module (omuxsock)

    +

    Unix sockets Output Module (omuxsock)

    Module Name:    omuxsock

    Available since:    4.7.3, 5.5.7

    Author: Rainer Gerhards <rgerhards@adiscon.com>

    -- cgit From 55256ac96815d6e13fc9df7206d50ef7dcaca4fe Mon Sep 17 00:00:00 2001 From: Rainer Gerhards Date: Tue, 10 Aug 2010 14:51:43 +0200 Subject: added imptcp imptcp is a simplified, Linux-specific and potentielly fast syslog plain tcp input plugin (NOT supporting TLS!) --- doc/Makefile.am | 1 + doc/imptcp.html | 84 +++++++++++++++++++++++++++++++++++++++++++ doc/rsyslog_conf_modules.html | 3 +- 3 files changed, 87 insertions(+), 1 deletion(-) create mode 100644 doc/imptcp.html (limited to 'doc') diff --git a/doc/Makefile.am b/doc/Makefile.am index ca2ee71c..7ba86ad4 100644 --- a/doc/Makefile.am +++ b/doc/Makefile.am @@ -37,6 +37,7 @@ html_files = \ omlibdbi.html \ imfile.html \ imtcp.html \ + imptcp.html \ imgssapi.html \ imrelp.html \ imuxsock.html \ diff --git a/doc/imptcp.html b/doc/imptcp.html new file mode 100644 index 00000000..913563a5 --- /dev/null +++ b/doc/imptcp.html @@ -0,0 +1,84 @@ + + + +Plain TCP Syslog Input Module (imptcp) + +back + +

    Plain TCP Syslog Input Module

    +

    Module Name:    imptcp

    +

    Available since: 4.7.3+, 5.5.8+? +

    Author: Rainer Gerhards +<rgerhards@adiscon.com>

    +

    Description:

    +

    Provides the ability to receive syslog messages via plain TCP syslog. +This is a specialised input plugin tailored for high performance on Linux. It will +probably not run on any other platform. Also, it does no provide TLS services. +Encryption can be provided by using stunnel. +

    This module has no limit on the number of listeners and sessions that can be used. +

    Multiple receivers may be configured by +specifying $InputPTCPServerRun multiple times. +

    +

    Configuration Directives:

    +

    This plugin has config directives similar named as imtcp, but they all have PTCP in +their name instead of just TCP. Note that only a subset of the parameters are supported. +

      +
    • $InputPTCPServerAddtlFrameDelimiter <Delimiter>
      +CURRENTLY DISABLED
      +This directive permits to specify an additional frame delimiter for plain tcp syslog. +The industry-standard specifies using the LF character as frame delimiter. Some vendors, +notable Juniper in their NetScreen products, use an invalid frame delimiter, in Juniper's +case the NUL character. This directive permits to specify the ASCII value of the delimiter +in question. Please note that this does not guarantee that all wrong implementations can +be cured with this directive. It is not even a sure fix with all versions of NetScreen, +as I suggest the NUL character is the effect of a (common) coding error and thus will +probably go away at some time in the future. But for the time being, the value 0 can +probably be used to make rsyslog handle NetScreen's invalid syslog/tcp framing. +For additional information, see this +forum thread. +
      If this doesn't work for you, please do not blame the rsyslog team. Instead file +a bug report with Juniper! +
      Note that a similar, but worse, issue exists with Cisco's IOS implementation. They do +not use any framing at all. This is confirmed from Cisco's side, but there seems to be +very limited interest in fixing this issue. This directive can not fix the Cisco bug. +That would require much more code changes, which I was unable to do so far. Full details +can be found at the Cisco tcp syslog anomaly +page. +
    • $InputPTCPServerNotifyOnConnectionClose [on/off]
      +CURRENTLY DISABLED
      +instructs imptcp to emit a message if the remote peer closes a connection.
      +Important: This directive is global to all listeners and must be given right +after loading imptcp, otherwise it may have no effect.
    • +
    • $InputPTCPServerRun <port>
      +Starts a TCP server on selected port
    • +
    • $InputPTCPServerInputName <name>
      +Sets a name for the inputname property. If no name is set "imptcp" is used by default. Setting a +name is not strictly necessary, but can be useful to apply filtering based on which input +the message was received from. +
    • $InputPTCPServerBindRuleset <name>
      +Binds specified ruleset to next server defined. +
    • $InputPTCPServerListenIP <name>
      +On multi-homed machines, specifies to which local address the next listerner should +be bound. +
    +Caveats/Known Bugs: +
      +
    • module always binds to all interfaces
    • +
    +

    Sample:

    +

    This sets up a TCP server on port 514:
    +

    + +

    [rsyslog.conf overview] +[manual index] [rsyslog site]

    +

    This documentation is part of the +rsyslog +project.
    +Copyright © 2010 by Rainer +Gerhards and +Adiscon. +Released under the GNU GPL version 3 or higher.
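Review bot: imptcp.html contradicts itself on binding: $InputPTCPServerListenIP is documented as selecting the local address for the next listener, while Caveats/Known Bugs says "module always binds to all interfaces". For a listener that the Description says provides no TLS, readers need to know which statement is true; if the directive is not yet honoured, mark it the way the two CURRENTLY DISABLED entries are marked. Also resolve the "5.5.8+?" in Available since, and fix "does no provide", "notable Juniper" and "listerner".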

    + diff --git a/doc/rsyslog_conf_modules.html b/doc/rsyslog_conf_modules.html index 675b8bb3..19f69da6 100644 --- a/doc/rsyslog_conf_modules.html +++ b/doc/rsyslog_conf_modules.html @@ -27,7 +27,8 @@ to message generators.
  • imfile -  input module for text files
  • imrelp - RELP input module
  • imudp - udp syslog message input
  • -
  • imtcp - input plugin for plain tcp syslog
  • +
  • imtcp - input plugin for tcp syslog
  • +
  • imptcp - input plugin for plain tcp syslog (no TLS but faster)
  • imgssapi - input plugin for plain tcp and GSS-enabled syslog
  • immark - support for mark messages
  • imklog - kernel logging
  • -- cgit From e7d4ec890b42ceb0ab9bb4ee5ecc9a9e489c7388 Mon Sep 17 00:00:00 2001 From: Rainer Gerhards Date: Wed, 11 Aug 2010 14:38:21 +0200 Subject: imptcp: added $InputPTCPServerNotifyOnConnectionClose directive plus some minor cleanup --- doc/imptcp.html | 3 --- 1 file changed, 3 deletions(-) (limited to 'doc') diff --git a/doc/imptcp.html b/doc/imptcp.html index 913563a5..c63ddc34 100644 --- a/doc/imptcp.html +++ b/doc/imptcp.html @@ -45,10 +45,7 @@ That would require much more code changes, which I was unable to do so far. Full can be found at the Cisco tcp syslog anomaly page.
  • $InputPTCPServerNotifyOnConnectionClose [on/off]
    -CURRENTLY DISABLED
    instructs imptcp to emit a message if the remote peer closes a connection.
    -Important: This directive is global to all listeners and must be given right -after loading imptcp, otherwise it may have no effect.
  • $InputPTCPServerRun <port>
    Starts a TCP server on selected port
  • $InputPTCPServerInputName <name>
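Review bot: Besides the CURRENTLY DISABLED marker, this hunk deletes the sentence "Important: This directive is global to all listeners and must be given right after loading imptcp, otherwise it may have no effect", which leaves $InputPTCPServerNotifyOnConnectionClose with no statement of scope. If the directive now applies per listener, say which listener it affects and where it must appear relative to $InputPTCPServerRun; if it is still global, keep the sentence.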
    -- cgit From 809ed1768b83bc0c5392f943f4820523494e8285 Mon Sep 17 00:00:00 2001 From: Rainer Gerhards Date: Wed, 11 Aug 2010 15:06:50 +0200 Subject: imptcp: added $InputPTCPServerAddtlFrameDelimiter directive also improved testbench --- doc/imptcp.html | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) (limited to 'doc') diff --git a/doc/imptcp.html b/doc/imptcp.html index c63ddc34..d4228185 100644 --- a/doc/imptcp.html +++ b/doc/imptcp.html @@ -7,7 +7,7 @@

    Plain TCP Syslog Input Module

    Module Name:    imptcp

    -

    Available since: 4.7.3+, 5.5.8+? +

    Available since: 4.7.3+, 5.5.8+

    Author: Rainer Gerhards <rgerhards@adiscon.com>

    Description:

    @@ -24,7 +24,6 @@ specifying $InputPTCPServerRun multiple times. their name instead of just TCP. Note that only a subset of the parameters are supported.
    • $InputPTCPServerAddtlFrameDelimiter <Delimiter>
      -CURRENTLY DISABLED
      This directive permits to specify an additional frame delimiter for plain tcp syslog. The industry-standard specifies using the LF character as frame delimiter. Some vendors, notable Juniper in their NetScreen products, use an invalid frame delimiter, in Juniper's -- cgit From ffd08f2a6caaaddb86ccbec4206bf560d34fcfd7 Mon Sep 17 00:00:00 2001 From: Rainer Gerhards Date: Sun, 24 Oct 2010 14:31:12 +0200 Subject: imfile improvements - added the $InputFilePersistStateInterval config directive to imfile - changed imfile so that the state file is never deleted (makes imfile more robust in regard to fatal failures) --- doc/imfile.html | 10 ++++++++++ 1 file changed, 10 insertions(+) (limited to 'doc') diff --git a/doc/imfile.html b/doc/imfile.html index af0413dd..3687302b 100644 --- a/doc/imfile.html +++ b/doc/imfile.html @@ -86,6 +86,16 @@ level may be needed. Even if you need quick response, 1 seconds should be well enough. Please note that imfile keeps reading files as long as there is any data in them. So a "polling sleep" will only happen when nothing is left to be processed.
    • +
    • $InputFilePollInterval [lines]
      +Available in 4.7.3+
      +Specifies how often the state file shall be written when processing the input +file. The default value is 0, which means a new state file is only written when +the monitored files is being closed (end of rsyslogd execution). Any other +value n means that the state file is written every time n file lines have +been processed. This setting can be used to guard against message duplication due +to fatal errors (like power fail). Note that this setting affects imfile +performance, especially when set to a low value. Frequently writing the state +file is very time consuming.
    Caveats/Known Bugs:

    So far, only 100 files can be monitored. If more are needed, -- cgit From ab6e674b0bae88d3a91a30f4e32fbb857096964f Mon Sep 17 00:00:00 2001 From: Rainer Gerhards Date: Wed, 20 Oct 2010 16:32:33 +0200 Subject: doc/imfile: fixed small but important typo --- doc/imfile.html | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'doc') diff --git a/doc/imfile.html b/doc/imfile.html index 3687302b..89be3292 100644 --- a/doc/imfile.html +++ b/doc/imfile.html @@ -86,7 +86,7 @@ level may be needed. Even if you need quick response, 1 seconds should be well enough. Please note that imfile keeps reading files as long as there is any data in them. So a "polling sleep" will only happen when nothing is left to be processed.

  • -
  • $InputFilePollInterval [lines]
    +
  • $InputFilePersistStateInterval [lines]
    Available in 4.7.3+
    Specifies how often the state file shall be written when processing the input file. The default value is 0, which means a new state file is only written when -- cgit From 9e6ab1494d95da61095867db209674975b1b1a2b Mon Sep 17 00:00:00 2001 From: Rainer Gerhards Date: Thu, 25 Nov 2010 13:56:53 +0100 Subject: preparing for 4.7.3 --- doc/manual.html | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'doc') diff --git a/doc/manual.html b/doc/manual.html index 0e4166d0..a95e8eec 100644 --- a/doc/manual.html +++ b/doc/manual.html @@ -19,7 +19,7 @@ rsyslog support available directly from the source!

    Please visit the rsyslog sponsor's page to honor the project sponsors or become one yourself! We are very grateful for any help towards the project goals.

    -

    This documentation is for version 4.7.2 (v4-devel branch) of rsyslog. +

    This documentation is for version 4.7.3 (v4-devel branch) of rsyslog. Visit the rsyslog status page to obtain current version information and project status.

    If you like rsyslog, you might -- cgit From 699d0d933ab64941d40df17c69b2c377231924cf Mon Sep 17 00:00:00 2001 From: Rainer Gerhards Date: Thu, 16 Dec 2010 15:29:20 +0100 Subject: added $LocalHostName config directive & some bugfixing - added $LocalHostName config directive - bugfix: local hostname was pulled too-early, so that some config directives (namely FQDN settings) did not have any effect --- doc/rsyslog_conf_global.html | 6 ++++++ 1 file changed, 6 insertions(+) (limited to 'doc') diff --git a/doc/rsyslog_conf_global.html b/doc/rsyslog_conf_global.html index 8c1cc9a7..b58ae9c2 100644 --- a/doc/rsyslog_conf_global.html +++ b/doc/rsyslog_conf_global.html @@ -150,6 +150,12 @@ Usually that should not be a big issue, as the restart-type HUP can easily be re something along the lines of "/etc/init.d/rsyslog restart".

  • $IncludeConfig
  • MainMsgQueueCheckpointInterval <number>
  • +
  • $LocalHostName [name] - this directive permits to overwrite the system +hostname with the one specified in the directive. If the directive is given +multiple times, all but the last one will be ignored. Please note that startup +error messages may be issued with the real hostname. This is by design and not +a bug (but one may argue if the design should be changed ;)). Available since +4.7.4+, 5.7.3+, 6.1.3+.
  • $LogRSyslogStatusMessages [on/off] - If set to on (the default), rsyslog emits message on startup and shutdown as well as when it is HUPed. This information might be needed by some log analyzers. If set to off, no such -- cgit From f55eee74a3fca58f747857c9b7ec5040178a6f8b Mon Sep 17 00:00:00 2001 From: Rainer Gerhards Date: Mon, 11 Jul 2011 09:34:26 +0200 Subject: issue a warning message for old-style dynafile action --- doc/v4compatibility.html | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) (limited to 'doc') diff --git a/doc/v4compatibility.html b/doc/v4compatibility.html index 5d877af1..72b0f5a9 100644 --- a/doc/v4compatibility.html +++ b/doc/v4compatibility.html @@ -74,4 +74,23 @@ So it is a good idea to become ready for the new version now and also enjoy some benefits of the "real restart", like the better error-reporting capability.

    Note that code complexity reduction (and thus performance improvement) needs the restart-type HUP code to be removed, so these changes can (and will) only happen in version 5. +

    outchannels

    +Note: as always documented, outchannels are an experimental feature that may be +removed and/or changed in the future. +There is one concrete change done starting with 4.6.7: let's assume an +outchannel "mychannel" was defined. Then, this channel could be used inside an + +*.* $mychannel + +This is still supported and will remain to be supported in v4. However, there is +a new variant which explicitely tells this is to be handled by omfile. This new +syntax is as follows: + +*.* :omfile:$mychannel + +Note that future versions, specifically starting with v6, the older syntax is no +longer supported. So users are strongly advised to switch to the new syntax. As an +aid to the conversion process, rsyslog 4.7.4 and above issue a warning message +if the old-style directive is seen -- but still accept the old syntax without +any problems. -- cgit From f285420d1731555eb9eb6717fc9c875651ab7c91 Mon Sep 17 00:00:00 2001 From: Rainer Gerhards Date: Mon, 11 Jul 2011 09:47:28 +0200 Subject: preparing for 4.7.4 --- doc/manual.html | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'doc') diff --git a/doc/manual.html b/doc/manual.html index a95e8eec..8c95cca4 100644 --- a/doc/manual.html +++ b/doc/manual.html @@ -19,7 +19,7 @@ rsyslog support available directly from the source!

    Please visit the rsyslog sponsor's page to honor the project sponsors or become one yourself! We are very grateful for any help towards the project goals.

    -

    This documentation is for version 4.7.3 (v4-devel branch) of rsyslog. +

    This documentation is for version 4.7.4 (v4-devel branch) of rsyslog. Visit the rsyslog status page to obtain current version information and project status.

    If you like rsyslog, you might -- cgit From 156d3f64e7ce50a570c1f8f95f51406c4853aad8 Mon Sep 17 00:00:00 2001 From: Rainer Gerhards Date: Wed, 31 Aug 2011 12:27:32 +0200 Subject: preparing for 4.7.5 release --- doc/manual.html | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'doc') diff --git a/doc/manual.html b/doc/manual.html index 8c95cca4..ff94b5bd 100644 --- a/doc/manual.html +++ b/doc/manual.html @@ -19,7 +19,7 @@ rsyslog support available directly from the source!

    Please visit the rsyslog sponsor's page to honor the project sponsors or become one yourself! We are very grateful for any help towards the project goals.

    -

    This documentation is for version 4.7.4 (v4-devel branch) of rsyslog. +

    This documentation is for version 4.7.5 (v4-devel branch) of rsyslog. Visit the rsyslog status page to obtain current version information and project status.

    If you like rsyslog, you might -- cgit
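Review bot: in commit 809ed17, the doc/imptcp.html hunk at @@ -24,7 +24,6 @@ removes "CURRENTLY DISABLED" from the $InputPTCPServerAddtlFrameDelimiter entry without saying from which version the directive actually takes effect. The module header only gives "Available since: 4.7.3+, 5.5.8+" for imptcp as a whole, so a reader cannot tell whether setting the directive does anything on a build whose documentation still marked it disabled. Add an "Available since" line to the entry itself. The context line "Some vendors, notable Juniper" should read "notably".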
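Review bot: the entry added to doc/imfile.html in commit ffd08f2 (@@ -86,6 +86,16 @@) is headed "$InputFilePollInterval [lines]", but the commit message names the new directive $InputFilePersistStateInterval and the body describes how often the state file is written, not polling, which the preceding context already covers. An administrator who copies the heading would leave the state-file interval at its stated default of 0, so the guard against message duplication after a fatal error would not be in place. Rename the heading (the follow-up commit ab6e674 on this page does so), and change "the monitored files is being closed" to "the monitored file is closed".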
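Review bot: the new $LocalHostName entry in doc/rsyslog_conf_global.html (commit 699d0d9, @@ -150,6 +150,12 @@) notes that startup error messages may still carry the real hostname, but does not say how the directive interacts with the FQDN settings that the commit message mentions. The hostname field is what downstream collectors use to attribute messages to a sender, so state plainly that one host can emit two different names, and document whether [name] is used verbatim or is still subject to the FQDN directives. "overwrite the system hostname" would read better as "override" if the system hostname itself is left untouched.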
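Review bot: in the outchannels text added to doc/v4compatibility.html (commit f55eee7, @@ -74,4 +74,23 @@), the sentence "Then, this channel could be used inside an" breaks off before the "*.* $mychannel" example, so the reader never learns where the old syntax was used. Complete the sentence, and reconcile the versions: the text says the change starts with 4.6.7, while the warning is issued by 4.7.4 and above. The commit subject speaks of an "old-style dynafile action" but the text only discusses outchannels, so pick one term. Also fix "explicitely", and add the missing "in" to "Note that future versions, specifically starting with v6, the older syntax is no longer supported".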