# 2004-11-17 rgerhards: work copy of the new syslog.conf
# We try to keep things as consistent with existing syslog implementations
# as possible. We use "$" to start lines that contain new directives.

# Set syslogd options

#$template Name,"Text %var% Text",
# Template options are case-insensitive. Currently defined are:
# sql - format the string suitable for a SQL statement. This will replace single
#       quotes ("'") by two single quotes ("''") inside each field. This option MUST
#       be specified when a template is used for writing to a database, otherwise SQL
#       injection might occur. The "sql" option is only used for database-bound
#       templates. It is ignored for all others.
#       NOTE(review): the escaping described here covers single quotes only, and
#       it only helps when each field sits inside '...' in the statement.
#       Whether backslashes also need escaping depends on the target database's
#       string-literal rules - confirm for the server in use.
# To escape:
# % = \%
# \ = \\
# --> '\' is used to escape (as in C)
#$template TraditionalFormat,"%timegenerated% %HOSTNAME% %syslogtag%%msg%\n"

# Properties can be accessed by the property replacer. They are accessed
# inside the template by putting them between percent signs. Properties
# can be modified by the property replacer. The full syntax is as follows:
#
# %propname:fromChar:toChar:options%
#
# propname is the name of the property to access. This IS case-sensitive!
# Currently supported are:
# msg             the MSG part of the message (aka "the message" ;))
# rawmsg          the message exactly as it was received from the
#                 socket. Should be useful for debugging.
# UxTradMsg       will disappear soon - do NOT use!
# HOSTNAME        hostname from the message
# source          alias for HOSTNAME
# syslogtag       TAG from the message
# PRI             PRI part of the message - undecoded (single value)
# IUT             the monitorware InfoUnitType - used when talking to a
#                 MonitorWare backend (also for phpLogCon)
# syslogfacility  the facility from the message - in numerical form
# syslogpriority  the priority (actually severity!) from the
#                 message - in numerical form
# timegenerated   timestamp when the message was RECEIVED. Always in high
#                 resolution
# timereported    timestamp from the message. Resolution depends on what
#                 was provided in the message (in most cases, only seconds)
# TIMESTAMP       alias for timereported
#
# FromChar and toChar are used to build substrings. They specify the
# offset within the string that should be copied. Offset counting
# starts at 1, so if you need to obtain the first 2 characters of the
# message text, you can use this syntax: "%msg:1:2%".
# If you do not wish to specify from and to, but you want to
# specify options, you still need to include the colons. For example,
# if you would like to convert the full message text to lower case
# only, use "%msg:::lowercase%".
#
# property options are case-insensitive, currently defined are:
# uppercase     convert property text to uppercase only
# lowercase     convert property text to lowercase only
# drop-last-lf  The last LF in the message (if any), is dropped.
#               Especially useful for PIX.
# date-mysql    format as mysql date
# date-rfc3164  format as RFC 3164 date
# date-rfc3339  format as RFC 3339 date
# escape-cc     NOT yet implemented
$template TraditionalFormat,"%timegenerated% %HOSTNAME% %syslogtag%%msg:::drop-last-lf%\n"
$template precise,"%syslogpriority%,%syslogfacility%,%timegenerated%,%HOSTNAME%,%syslogtag%,%msg%\n",1024
$template RFC3164fmt,"<%PRI%>%TIMESTAMP% %HOSTNAME% %syslogtag%%msg%"
#$template precise,"%syslogpriority%,%syslogfacility%,%timegenerated::fulltime%,%HOSTNAME%,%syslogtag%,%msg%\n",1024
$template usermsg," XXXX%syslogtag%%msg%\n\r"
#$template wallmsg,"\r\n\7Message from syslogd@%HOSTNAME% at %timegenerated% ...\r\n %syslogtag%%msg%\n\r"
# Database-bound template: carries the SQL option and wraps every field in
# single quotes, as the "sql" description above requires.
# NOTE(review): the statement is ordered "insert <columns> values (...) into
# <table>" rather than the usual "INSERT INTO <table> (<columns>) VALUES (...)";
# confirm the server accepts it before enabling the MySQLInsert selector below.
$template MySQLInsert,"insert iut, message, receivedat values ('%iut%', '%msg:::UPPERCASE%', '%timegenerated:::date-mysql%') into systemevents\r\n", SQL
# the template below emulates winsyslog format, but we need to check the time
# stamps used. for now, it is good enough ;)
$template WinSyslogFmt,"%HOSTNAME%,%timegenerated:1:10:date-rfc3339%,%timegenerated:12:19:date-rfc3339%,%timegenerated:1:10:date-rfc3339%,%timegenerated:12:19:date-rfc3339%,%syslogfacility%,%syslogpriority%,%syslogtag%%msg%\n"
#$template wallmsg,"\r\n\7Message from syslogd@%HOSTNAME% at %timegenerated:::date-rfc3339% ...\r\n %syslogtag%%msg%\n\r"

# Selector lines are now modified
# The "action" (e.g. file logging) can be followed
# by a comma and then the name of a template to use.
# NOTE(review): the first example uses "," before the template name, while the
# other selector lines in this file use ";" - confirm which separator the
# parser accepts.
# This is an example:
#authpriv.* /var/log/secure,precise
# NOTE(review): presumably sends every message to the terminal of user "rger".
# escape-cc is listed above as not yet implemented, so confirm how control
# characters in the message text are handled for terminal output.
*.* rger
#*.* *;MySQLInsert
*.* /home/rger/proj/rsyslog/logfile;WinSyslogFmt
#*.* /home/rger/proj/rsyslog/logfile;UserMsg
#*.* /home/rger/proj/rsyslog/tradfile;TraditionalFormat
#*.* @172.19.2.16;RFC3164fmt
#*.* @172.19.2.16
# NOTE(review): the database example below names the "root" account; a
# dedicated account limited to inserting into the log table would follow
# least privilege. Database credentials in this file also make its read
# permissions matter.
#*.* >localhost,AdisconDB,root,