# A commented quick reference and sample configuration
# WARNING: This is not a manual, the full manual of rsyslog configuration is in
# rsyslog.conf (5) manpage
#
# "$" starts lines that contain new directives. The full list of directives
# can be found in /usr/share/doc/rsyslog-1.19.6/doc/rsyslog_conf.html or online
# at http://www.rsyslog.com/doc if you do not have (or find) a local copy.
#
# Set syslogd options

# Some global directives
# ----------------------

# $AllowedSender - specifies which remote systems are allowed to send syslog messages to rsyslogd
# --------------
# NOTE(review): this list is a source-address filter, not authentication. UDP
# carries no handshake, so a source address can be forged by anyone who can
# reach the socket; name-based entries additionally depend on DNS answers.
# Treat it as a coarse first filter and keep the listening interface scoped
# (firewall / bind address) as well.
$AllowedSender UDP, 127.0.0.1, 192.0.2.0/24, [::1]/128, *.example.net, somehost.example.com

# $UMASK - specifies the rsyslogd processes' umask
# ------
# NOTE(review): 0000 masks nothing, so files rsyslogd creates get the full
# mode they are requested with; depending on that mode, every local user may
# be able to read (or write) newly created logs. A restrictive value such as
# 0077 or 0027 is the usual choice when logs contain anything sensitive.
$umask 0000

# $FileGroup - Set the group for dynaFiles newly created
# ----------
$FileGroup loggroup

# $FileOwner - Set the file owner for dynaFiles newly created.
# ----------
$FileOwner loguser

# $IncludeConfig - include other files into the main configuration file
# --------------
# NOTE(review): every file dropped into the included directory becomes part of
# the configuration (including program-execution rules), so the directory and
# its files must be writable only by the account that administers rsyslog.
$IncludeConfig /etc/some-included-file.conf # one file
$IncludeConfig /etc/rsyslog.d/ # whole directory (must contain the final slash)

# $ModLoad - Dynamically loads a plug-in and activates it
# --------
# NOTE(review): a loaded module runs inside the rsyslogd process with its
# privileges; a module given by absolute path should live in a location that
# only root can write to.
$ModLoad MySQL # load MySQL functionality
$ModLoad /rsyslog/modules/somemodule.so # load a module via absolute path

# Templates
# ---------
# Templates allow specifying any format a user might want.
# They MUST be defined BEFORE they are used.
# A template consists of a template directive, a name, the actual template text
# and optional options. A sample is:
# $template MyTemplateName,"\7Text %property% some more text\n",
# where:
# * $template - tells rsyslog that this line contains a template.
# * MyTemplateName - template name. All other config lines refer to this name.
# * "\7Text %property% some more text\n" - template text
# The backslash is an escape character, i.e. \7 rings the bell, \n is a new line.
# To escape:
# % = \%
# \ = \\
# Template options are case-insensitive. Currently defined are:
# sql - format the string suitable for a SQL statement. This will replace single
# quotes ("'") by two single quotes ("''") to prevent SQL injection
# (NO_BACKSLASH_ESCAPES turned off)
# stdsql - format the string suitable for a SQL statement that is to
# be sent to a standards-compliant sql server.
# (NO_BACKSLASH_ESCAPES turned on)
# NOTE(review): the sql/stdsql options only escape the quoting characters
# described above. They protect properties that are placed inside single
# quotes in the statement; a property interpolated into an unquoted position
# gets no protection from them. Pick the option that matches the server's
# actual escaping mode.

# Properties inside templates
# ---------------------------
# Properties can be modified by the property replacer. They are accessed
# inside the template by putting them between percent signs. The full syntax is as follows:
# %propname:fromChar:toChar:options%
# FromChar and toChar are used to build substrings.
# If you need to obtain the first 2 characters of the
# message text, you can use this syntax: "%msg:1:2%".
# If you do not wish to specify from and to, but you want to
# specify options, you still need to include the colons.
# For example, to convert the full message text to lower case only, use
# "%msg:::lowercase%".
# The full list of property options can be found in rsyslog.conf(5) manpage

# Samples of template definitions
# -------------------------------
# A template that resembles traditional syslogd file output:
$template TraditionalFormat,"%timegenerated% %HOSTNAME% %syslogtag%%msg:::drop-last-lf%\n"
# A more verbose template:
$template precise,"%syslogpriority%,%syslogfacility%,%timegenerated::fulltime%,%HOSTNAME%,%syslogtag%,%msg%\n"
# A template that resembles RFC 3164 on-the-wire format:
# (yes, there is NO space between syslogtag and msg! that's important!)
$template RFC3164fmt,"<%PRI%>%TIMESTAMP% %HOSTNAME% %syslogtag%%msg%"
# a template resembling traditional wallmessage format:
$template wallmsg,"\r\n\7Message from syslogd@%HOSTNAME% at %timegenerated% ...\r\n %syslogtag%%msg%\n\r"
# The template below emulates winsyslog format, but we need to check the time
# stamps used. It is also a good sample of the property replacer in action.
$template WinSyslogFmt,"%HOSTNAME%,%timegenerated:1:10:date-rfc3339%,%timegenerated:12:19:date-rfc3339%,%timegenerated:1:10:date-rfc3339%,%timegenerated:12:19:date-rfc3339%,%syslogfacility%,%syslogpriority%,%syslogtag%%msg%\n"
# A template used for database writing (notice it *is* an actual
# sql-statement):
# NOTE(review): the text properties (%msg%, %HOSTNAME%, %syslogtag%) are all
# inside single quotes, which is what the trailing ",sql" option escapes for.
$template dbFormat,"insert into SystemEvents (Message, Facility,FromHost, Priority, DeviceReportedTime, ReceivedAt, InfoUnitID, SysLogTag) values ('%msg%', %syslogfacility%, '%HOSTNAME%',%syslogpriority%, '%timereported:::date-mysql%', '%timegenerated:::date-mysql%', %iut%, '%syslogtag%')",sql

# Samples of rules
# ----------------

# Regular file
# ------------
*.* /var/log/traditionalfile.log;TraditionalFormat # log to a file in the traditional format

# Forwarding to remote machine
# ----------------------------
# NOTE(review): both forms send the messages in cleartext over the network;
# anyone on the path can read or alter them. UDP additionally gives no
# delivery guarantee, so messages can be lost silently. Keep forwarding on a
# trusted network segment or wrap the TCP transport in an encrypted channel.
*.* @172.19.2.16 # udp (standard for syslog)
*.* @@172.19.2.17 # tcp

# Database action
# ---------------
# (you must have rsyslog-mysql package installed)
# !!! Don't forget to set permission of rsyslog.conf to 600 !!!
# (the database password is stored here in cleartext, which is why the file
# must not be readable by other users)
*.* >hostname,dbname,userid,password
# (default Monitorware schema, can be created by /usr/share/doc/rsyslog-mysql-1.19.6/createDB.sql)
# And this one uses the template defined above:
*.* >hostname,dbname,userid,password;dbFormat

# Program to execute
# ------------------
# NOTE(review): the program runs with rsyslogd's privileges. With a "*.*"
# selector it is started for every message, including ones submitted by
# unprivileged local processes or accepted remote senders.
*.* ^alsaunmute # set default volume to soundcard

# Filter using regex
# ------------------
# if the user logs the word rulez or rulezz or rulezzz or..., then we will shut down his pc
# (note, that + have to be double backslashed...)
# NOTE(review): this is a demonstration of the filter syntax, not a
# recommended rule. The message text is untrusted input: any process that can
# submit a matching syslog message (e.g. via logger(1), or a remote sender
# that passed $AllowedSender) triggers the program. Program-execution actions
# should be bound to narrow selectors and to programs that are safe to run on
# attacker-chosen messages.
:msg, regex, "rulez\\+" ^poweroff

# A more complex example
# ----------------------
$template bla_logged,"%timegenerated% the BLA was logged"
:msg, contains, "bla" ^logger;bla_logged

# Pipes
# -----
# first we need to create pipe by
# mkfifo /a_big_pipe
# (create the fifo with an owner and mode that only the intended reader can
# open; rsyslogd only writes to it)
*.* |/a_big_pipe

# Discarding
# ----------
# NOTE(review): rules are processed in order, so this discards every message
# that reaches it. It only works as intended because it is the last rule;
# placing it earlier would silently drop messages before the actions above.
*.* ~ # discards everything