1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
|
# This is a sample configuation file for rsyslogd. See the
# doc/manual.html for details. If you can not find the
# manual set, please visit
#
# http://www.rsyslog.com/doc/
#
# to obtain it online.
#
# WARNING: We do NOT keep the comments in this file always
# up to date. Be sure to consult the doc set that
# came with your package, especially the file on
# rsyslog.conf - it probably has some better information
# than is provided here in comments. The main purpose
# of sample.conf is to show you some actual directives,
# not to be the authorative doc source.
#
# Please note that rsyslogd by default
# reads /etc/rsyslogd.conf (and NOT /etc/syslogd.conf!).
#
# A commented sample configuration. More a man page than a real
# sample ;)
#
# We try to keep things as consistent with existing syslog implementation
# as possible. We use "$" to start lines that contain new directives.
# We limit who can send us messages:
$AllowedSender UDP, 192.0.2.0/24, 10.0.0.1 # all machines in 192.0.2 as well as 10.0.0.1
$AllowedSender TCP, 10.0.0.1 # for TCP, we allow only 10.0.0.1
# remove the AllowedSender directives if you do not want to limit
# who can send rsyslogd messages (not recommended)
# Templates are a key feature of rsyslog. They allow to specify any
# format a user might want. Every output in rsyslog uses templates - this
# holds true for files, user messages and so on. The database writer
# expects its template to be a proper SQL statement - so this is highly
# customizable too. You might ask how does all of this work when no templates
# at all are specified. Good question ;) The answer is simple, though. Templates
# compatible with the stock syslogd formats are hardcoded into rsyslog. So if
# no template is specified, we use one of these hardcoded templates. Search for
# "template_" in syslogd.c and you will find the hardcoded ones.
#
# A template consists of a template directive, a name, the actual template text
# and optional options. A sample is:
#
# $template MyTemplateName,"\7Text %property% some more text\n",<options>
#
# The "$template" is the template directive. It tells rsyslog that this
# line contains a template.
#
# "MyTemplateName" is the template name. All other config lines refer to
# this name.
#
# The text within quotes is the actual template text. The backslash is
# a escape character, much as in C. It does all these "cool" things. For
# example, \7 rings the bell (this is an ASCII value), \n is a new line.
# C programmers and perl coders have the advantage of knowing this, but the
# set in rsyslog is a bit restricted currently. All text in the template
# is used literally, except for things within percent signs. These are
# properties and allow you access to the contents of the syslog message.
# Properties are accessed via the property replacer (nice name, huh) and
# it can do cool things, too. For example, it can pick a substring or
# do date-specific formatting. More on this is below, on some lines of the
# property replacer.
#
# The <options> part is optional. It carries options that influence the
# template as whole. Details are below. Be sure NOT to mistake template
# options with property options - the later ones are processed by the
# property replacer and apply to a SINGLE property, only (and not the
# whole template).
#
# Template options are case-insensitive. Currently defined are:
# sql - format the string suitable for a SQL statement. This will replace single
# quotes ("'") by two single quotes ("''") inside each field. This option MUST
# be specified when a template is used for writing to a database, otherwise SQL
# injection might occur.
#
# Please note that the database writer *checks* that the sql option is
# present in the template. If it is not present, the write database action
# is disabled. This is to guard you against accidential forgetting it and
# then becoming vulnerable for SQL injection.
# The sql option can also be useful with files - especially if you want
# to run them on another machine for performance reasons. However, do NOT
# use it if you do not have a real need for it - among others, it takes
# some toll on the processing time. Not much, but on a really busy system
# you might notice it ;)
#
# To escape:
# % = \%
# \ = \\
# --> '\' is used to escape (as in C)
#$template TraditionalFormat,%timegenerated% %HOSTNAME% %syslogtag%%msg%\n"
#
# Properties can be accessed by the property replacer. They are accessed
# inside the template by putting them between percent signs. Properties
# can be modifed by the property replacer. The full syntax is as follows:
#
# %propname:fromChar:toChar:options%
#
# propname is the name of the property to access. This IS case-sensitive!
# Currently supported are:
# msg the MSG part of the message (aka "the message" ;))
# rawmsg the message excactly as it was received from the
# socket. Should be useful for debugging.
# UxTradMsg will disappear soon - do NOT use!
# HOSTNAME hostname from the message
# source alias for HOSTNAME
# syslogtag TAG from the message
# PRI PRI part of the message - undecoded (single value)
# IUT the monitorware InfoUnitType - used when talking to a
# MonitorWare backend (also for phpLogCon)
# syslogfacility the facility from the message - in numerical form
# syslogpriority the priority (actully severity!) from the
# message - in numerical form
# timegenerated timestamp when the message was RECEIVED. Always in high
# resolution
# timereported timestamp from the message. Resolution depends on what
# was provided in the message (in most cases, only seconds)
# TIMESTAMP alias for timereported
#
# Other properties might be available at the time you read this. Be sure
# to consult the property replacer documentation in the doc set for all
# properties.
#
# FromChar and toChar are used to build substrings. They specify the
# offset within the string that should be copied. Offset counting
# starts at 1, so if you need to obtain the first 2 characters of the
# message text, you can use this syntax: "%msg:1:2%".
# If you do not whish to specify from and to, but you want to
# specify options, you still need to include the colons. For example,
# if you would like to convert the full message text to lower case
# only, use "%msg:::lowercase%".
#
# property options are case-insensitive, currently defined are:
# uppercase convert property to lowercase only
# lowercase convert property text to uppercase only
# drop-last-lf The last LF in the message (if any), is dropped.
# Especially useful for PIX.
# date-mysql format as mysql date
# date-rfc3164 format as RFC 3164 date
# date-rfc3339 format as RFC 3339 date
# escape-cc NOT yet implemented
# Below find some samples of what a template can do. Have a good
# time finding out what they do [or just tun them] ;)
# A template that resambles traditional syslogd file output:
$template TraditionalFormat,"%timegenerated% %HOSTNAME% %syslogtag%%msg:::drop-last-lf%\n"
# a template useful for debugging format issues
$template DEBUG,"Debug line with all properties:\nFROMHOST: '%FROMHOST%', HOSTNAME: '%HOSTNAME%', PRI: %PRI%,\nsyslogtag '%syslogtag%', programname: '%programname%', APP-NAME: '%APP-NAME%', PROCID: '%PROCID%', MSGID: '%MSGID%',\nTIMESTAMP: '%TIMESTAMP%', STRUCTURED-DATA: '%STRUCTURED-DATA%',\nmsg: '%msg%'\nescaped msg: '%msg:::drop-cc%'\nrawmsg: '%rawmsg%'\n\n"
#
# A template that resembles RFC 3164 on-the-wire format:
# (yes, there is NO space betwen syslogtag and msg! that's important!)
$template RFC3164fmt,"<%PRI%>%TIMESTAMP% %HOSTNAME% %syslogtag%%msg%"
# a template resembling traditional wallmessage format:
$template wallmsg,"\r\n\7Message from syslogd@%HOSTNAME% at %timegenerated% ...\r\n %syslogtag%%msg%\n\r"
# The template below emulates winsyslog format, but we need to check the time
# stamps used. for now, it is good enough ;) This format works best with
# other members of the MonitorWare product family. It is also a good sample
# where you can see the property replacer in action.
$template WinSyslogFmt,"%HOSTNAME%,%timegenerated:1:10:date-rfc3339%,%timegenerated:12:19:date-rfc3339%,%timegenerated:1:10:date-rfc3339%,%timegenerated:12:19:date-rfc3339%,%syslogfacility%,%syslogpriority%,%syslogtag%%msg%\n"
# A template used for database writing (notice it *is* an actual
# sql-statement):
$template dbFormat,"insert into SystemEvents (Message, Facility,FromHost, Priority, DeviceReportedTime, ReceivedAt, InfoUnitID, SysLogTag) values ('%msg%', %syslogfacility%, '%HOSTNAME%',%syslogpriority%, '%timereported:::date-mysql%', '%timegenerated:::date-mysql%', %iut%, '%syslogtag%')",sql
# Selector lines are somewhat different from stock syslogd. With
# rsyslog, you can add a semicolon ";" after the target and then
# the template name. That will assign this template to the respective
# action. If no template name is given, a hardcoded template is used.
# If a template name is given, but the template was not defined, the
# selector line is DEACTIVATED.
#
# #############
# # IMPORTANT #
# #############
# Templates MUST be defined BEFORE they are used! It is OK to
# intermix template definitions and selector lines within the
# config file, but each template MUST be defined before it is
# used the first time!
#
# We have some very rough samples here - This sample file focusses
# on the new syntax, so we do NOT describe all possible selections.
# Use the syslog.conf if you are interested to see how to select
# based on facility and severits (aka priority).
*.* /var/log/winsyslog-like.log;WinSyslogFmt
# A selector using the traditional format defined above:
*.* /var/log/traditionalfile.log;TraditionalFormat
# And another one using the hardcoded traditional format:
*.* /var/log/anothertraditionalfile.log
# Templates are also fully supportd for forwarding:
*.* @172.19.2.16;RFC3164fmt
# And this finally is a database action
# The semicolon at the end is not necessary,
# but some previous versions of rsyslogd had a bug that
# made them abort if it were missing. As Dennis Olvany
# pointed out, it would be extremely nice to have this
# semicolon in the sample conf - so we did in a previous
# version and it still sticks around ;)
*.* >hostname,dbname,userid,password;
# It uses the default schema (MonitorWare format). The parameters
# should be self-explanatory.
# And this one uses the template defined above:
*.* >hostname,dbname,userid,password;dbFormat
#
# Rsyslog supports TCP-based syslog. To enable receiving TCP messages,
# use the -t <port> command line option (where port is the port it
# shall listen to. To forward messages to the remote host, you must
# specify a forwarding action and include the host and port. TCP
# and UDP-based forwarding has basically the same syntax, except that
# TCP delivery is triggered by specifying a second at-sign (@) in the
# message.
# This is UDP forwarding to port 514:
*.* @172.19.2.16
# This is UDP forwarding to port 1514:
*.* @172.19.2.16:1514
# This is TCP forwarding to port 1514:
*.* @@172.19.2.16:1514
# The second @-sign is all you need (except, of course, a tcp-capable
# syslogd like rsyslogd ;)).
# Of course, you can also specify a template with TCP:
*.* @@172.19.2.16:1514;RFC3164Fmt
# There are also some options you can select. These come between
# paranthesis. Available are:
# z<number> - turn on compression, number is compression mode 0 - none, 9 max
# o - (tcp only) use octet counting for framing EXPERIMENTAL
#
# Forward via TCP with maximum compression and octet couting framing:
*.* @@(z9,o)172.19.2.16:1514;RFC3164Fmt
# Forward via UDP with maximum compression to port 1514
*.* @(z9)172.19.2.16:1514
# We also support property-based filters, which allow for nice
# things. Let's for example assume that you receive a lot of
# nonsense messages with "ID-4711" in the message text. You know
# that you will never need these messages. So you simply discard them
:msg, contains, "ID-4711" ~
# or you would like to store messages from a specific host to
# a different file:
:FROMHOST, isequal,"myhost.example.com" /var/log/myhost.log
# everyting that does not contain "error" should also be
# discarded
:msg, !contains, "error" ~
# and the rest go to a seperate file
*.* /var/log/error
# (keep in mind that the two directives shown immediately
# above must be kept in that order to actually work)
# you can also execute a script. Let's assume, for example, you need
# to execute "turn-diesel-generator-on" when "power failed" is contained
# in a message... ;)
:msg, contains, "power failed" ^turn-diesel-generator-on
# (The script is passed the syslog message as first and only parameter.
# Other parameters can currently not be specified.)
# Note that boolean operations (other than not [!]) are not
# currently supported. As such, you can not filter out different
# facilities from different machines - hopefully later ;)
#
# A final world. rsyslog is considered a part of Adiscon's MonitorWare product line.
# As such, you can find current information as well as information on the
# other product line members on http://www.monitorware.com. Please be warned, there
# are a number of closed-source commercial Windows applications among these products ;)
#
# You might want to check the GPL'ed phpLogCon (http://www.phplogcon.org)
# as a web-based front-end to a syslog message database.
#
# I hope this work is useful.
# 2005-09-27 Rainer Gerhards <rgerhards@adiscon.com>
#
|