# A commented quick reference and sample configuration
# WARNING: This is not a manual, the full manual of rsyslog configuration is in
# rsyslog.conf (5) manpage
#
# "$" starts lines that contain new directives. The full list of directives
# can be found in /usr/share/doc/rsyslog-1.19.6/doc/rsyslog_conf.html or online
# at http://www.rsyslog.com/doc if you do not have (or find) a local copy.
#
# Set syslogd options
# Some global directives
# ----------------------
# $AllowedSender - specifies which remote systems are allowed to send syslog messages to rsyslogd (matching is by source address or hostname only and is not authentication; UDP source addresses in particular can be forged, so treat this as a filter, not an access control)
# --------------
$AllowedSender UDP, 127.0.0.1, 192.0.2.0/24, [::1]/128, *.example.net, somehost.example.com
# $UMASK - specifies the rsyslogd processes' umask (the sample value 0000 below masks no permission bits, so newly created log files get exactly the mode requested at creation; use a stricter value such as 0022 or 0077 if logs must not be world-readable)
# ------
$umask 0000
# $FileGroup - Set the group for dynaFiles newly created
# ----------
$FileGroup loggroup
# $FileOwner - Set the file owner for dynaFiles newly created.
# ----------
$FileOwner loguser
# $IncludeConfig - include other files into the main configuration file
# --------------
$IncludeConfig /etc/some-included-file.conf # one file
$IncludeConfig /etc/rsyslog.d/ # whole directory (must contain the final slash)
# $ModLoad - Dynamically loads a plug-in and activates it
# --------
$ModLoad MySQL # load MySQL functionality
$ModLoad /rsyslog/modules/somemodule.so # load a module via absolute path
# Templates
# ---------
# Templates allow you to specify any format a user might want.
# They MUST be defined BEFORE they are used.
# A template consists of a template directive, a name, the actual template text
# and optional options. A sample is:
#
$template MyTemplateName,"\7Text %property% some more text\n",
# where:
# * $template - tells rsyslog that this line contains a template.
# * MyTemplateName - template name. All other config lines refer to this name.
# * "\7Text %property% some more text\n" - template text
# The backslash is an escape character, i.e. \7 rings the bell, \n is a new line.
# To escape:
# % = \%
# \ = \\
# Template options are case-insensitive. Currently defined are:
# sql - format the string suitable for a SQL statement. This will replace single
# quotes ("'") by two single quotes ("''") to prevent SQL injection
# (NO_BACKSLASH_ESCAPES turned off)
# stdsql - format the string suitable for a SQL statement that is to
# be sent to a standards-compliant sql server.
# (NO_BACKSLASH_ESCAPES turned on)
# Properties inside templates
# ---------------------------
# Properties can be modified by the property replacer. They are accessed
# inside the template by putting them between percent signs. The full syntax is as follows:
# %propname:fromChar:toChar:options%
# FromChar and toChar are used to build substrings.
# If you need to obtain the first 2 characters of the
# message text, you can use this syntax:
# "%msg:1:2%".
# If you do not wish to specify from and to, but you want to
# specify options, you still need to include the colons.
# For example, to convert the full message text to lower case only, use
# "%msg:::lowercase%".
# The full list of property options can be found in rsyslog.conf(5) manpage
# Samples of template definitions
# -------------------------------
# A template that resembles traditional syslogd file output:
$template TraditionalFormat,"%timegenerated% %HOSTNAME% %syslogtag%%msg:::drop-last-lf%\n"
# A more verbose template:
$template precise,"%syslogpriority%,%syslogfacility%,%timegenerated::fulltime%,%HOSTNAME%,%syslogtag%,%msg%\n"
# A template that resembles RFC 3164 on-the-wire format:
# (yes, there is NO space between syslogtag and msg! that's important!)
$template RFC3164fmt,"<%PRI%>%TIMESTAMP% %HOSTNAME% %syslogtag%%msg%"
# a template resembling traditional wallmessage format:
$template wallmsg,"\r\n\7Message from syslogd@%HOSTNAME% at %timegenerated% ...\r\n %syslogtag%%msg%\n\r"
# The template below emulates winsyslog format, but we need to check the time
# stamps used. It is also a good sample of the property replacer in action.
$template WinSyslogFmt,"%HOSTNAME%,%timegenerated:1:10:date-rfc3339%,%timegenerated:12:19:date-rfc3339%,%timegenerated:1:10:date-rfc3339%,%timegenerated:12:19:date-rfc3339%,%syslogfacility%,%syslogpriority%,%syslogtag%%msg%\n"
# A template used for database writing (notice it *is* an actual
# sql-statement):
$template dbFormat,"insert into SystemEvents (Message, Facility,FromHost, Priority, DeviceReportedTime, ReceivedAt, InfoUnitID, SysLogTag) values ('%msg%', %syslogfacility%, '%HOSTNAME%',%syslogpriority%, '%timereported:::date-mysql%', '%timegenerated:::date-mysql%', %iut%, '%syslogtag%')",sql
# Samples of rules
# ----------------
# Regular file
# ------------
*.* /var/log/traditionalfile.log;TraditionalFormat # log to a file in the traditional format
# Forwarding to remote machine
# ----------------------------
*.* @172.19.2.16 # udp (standard for syslog)
*.* @@172.19.2.17 # tcp
# Database action
# ---------------
# (you must have rsyslog-mysql package installed)
# !!! Don't forget to set permission of rsyslog.conf to 600 - the lines below embed the database password in clear text !!!
*.* >hostname,dbname,userid,password # (default Monitorware schema, can be created by /usr/share/doc/rsyslog-mysql-1.19.6/createDB.sql)
# And this one uses the template defined above:
*.* >hostname,dbname,userid,password;dbFormat
# Program to execute
# ------------------
*.* ^alsaunmute # set default volume to soundcard
# Filter using regex
# ------------------
# if the user logs the word rulez or rulezz or rulezzz or..., then we will shut down his pc
# (note, that + have to be double backslashed...)
:msg, regex, "rulez\\+" ^poweroff
# A more complex example
# ----------------------
$template bla_logged,"%timegenerated% the BLA was logged"
:msg, contains, "bla" ^logger;bla_logged
# Pipes
# -----
# first we need to create the pipe by running (as root): # mkfifo /a_big_pipe
*.* |/a_big_pipe
# Discarding
# ----------
*.* ~ # discards everything