# 2004-11-17 rgerhards: work copy of the new syslog.conf
# We try to keep things as consistent with existing syslog implementation
# as possible. We use "$" to start lines that contain new directives.
# Set syslogd options
#$template Name,"Text %var% Text",<options>
# Template options are case-insensitive. Currently defined are:
# sql - format the string suitable for a SQL statement. This will replace single
# quotes ("'") by two single quotes ("''") inside each field. This option MUST
# be specified when a template is used for writing to a database, otherwise SQL
# injection might occur. The "sql" option is only used for database-bound
# templates. It is ignored for all others.
# To escape:
# % = \%
# \ = \\
# --> '\' is used to escape (as in C)
#$template TraditionalFormat,"%timegenerated% %HOSTNAME% %syslogtag%%msg%\n"
# Properties can be accessed by the property replacer. They are accessed
# inside the template by putting them between percent signs. Properties
# can be modified by the property replacer. The full syntax is as follows:
#
# %propname:fromChar:toChar:options%
#
# propname is the name of the property to access. This IS case-sensitive!
# Currently supported are:
# msg the MSG part of the message (aka "the message" ;))
# rawmsg the message exactly as it was received from the
# socket. Should be useful for debugging.
# UxTradMsg will disappear soon - do NOT use!
# HOSTNAME hostname from the message
# source alias for HOSTNAME
# syslogtag TAG from the message
# PRI PRI part of the message - undecoded (single value)
# IUT the monitorware InfoUnitType - used when talking to a
# MonitorWare backend (also for phpLogCon)
# syslogfacility the facility from the message - in numerical form
# syslogpriority the priority (actually severity!) from the
# message - in numerical form
# timegenerated timestamp when the message was RECEIVED. Always in high
# resolution
# timereported timestamp from the message. Resolution depends on what
# was provided in the message (in most cases, only seconds)
# TIMESTAMP alias for timereported
#
# FromChar and toChar are used to build substrings. They specify the
# offset within the string that should be copied. Offset counting
# starts at 1, so if you need to obtain the first 2 characters of the
# message text, you can use this syntax: "%msg:1:2%".
# If you do not wish to specify from and to, but you want to
# specify options, you still need to include the colons. For example,
# if you would like to convert the full message text to lower case
# only, use "%msg:::lowercase%".
#
# property options are case-insensitive, currently defined are:
# uppercase convert property text to uppercase only
# lowercase convert property text to lowercase only
# drop-last-lf The last LF in the message (if any), is dropped.
# Especially useful for PIX.
# date-mysql format as mysql date
# date-rfc3164 format as RFC 3164 date
# date-rfc3339 format as RFC 3339 date
# escape-cc NOT yet implemented
# Plain-text line format: receive time, host, tag and message. drop-last-lf
# strips a trailing LF from the message before the template's own "\n".
$template TraditionalFormat,"%timegenerated% %HOSTNAME% %syslogtag%%msg:::drop-last-lf%\n"
# Comma-separated variant with numeric severity and facility first. Field
# values are not escaped, so a comma inside %syslogtag% or %msg% cannot be
# told apart from a field separator by a downstream parser.
# NOTE(review): the trailing ",1024" is not one of the template options
# documented above (only "sql" is) - confirm what it means.
$template precise,"%syslogpriority%,%syslogfacility%,%timegenerated%,%HOSTNAME%,%syslogtag%,%msg%\n",1024
# Rebuilds a "<PRI>TIMESTAMP HOSTNAME TAGmsg" line; referenced by the
# commented-out forwarding selector further down.
$template RFC3164fmt,"<%PRI%>%TIMESTAMP% %HOSTNAME% %syslogtag%%msg%"
#$template precise,"%syslogpriority%,%syslogfacility%,%timegenerated::fulltime%,%HOSTNAME%,%syslogtag%,%msg%\n",1024
# Test format with a fixed " XXXX" prefix.
# NOTE(review): escape-cc is listed above as not yet implemented, so control
# characters received in %msg% presumably reach the output unchanged -
# confirm before using any template for terminal-bound output.
$template usermsg," XXXX%syslogtag%%msg%\n\r"
#$template wallmsg,"\r\n\7Message from syslogd@%HOSTNAME% at %timegenerated% ...\r\n %syslogtag%%msg%\n\r"
# Database-bound template. The trailing SQL option is what doubles single
# quotes inside each field; without it the quoted '%...%' values below are
# open to SQL injection from message content, so never drop it here.
# NOTE(review): per the description above, the option handles single quotes
# only. MySQL by default also treats backslash as an escape character inside
# string literals - confirm backslashes in fields are handled as well.
# NOTE(review): the keyword order (column list, values, then "into
# systemevents") is not standard INSERT syntax - verify against the database.
$template MySQLInsert,"insert iut, message, receivedat values ('%iut%', '%msg:::UPPERCASE%', '%timegenerated:::date-mysql%') into systemevents\r\n", SQL
# the template below emulates winsyslog format, but we need to check the time
# stamps used. for now, it is good enough ;)
# Characters 1-10 and 12-19 of the RFC 3339 receive time are emitted as two
# separate fields, and that pair is written twice.
$template WinSyslogFmt,"%HOSTNAME%,%timegenerated:1:10:date-rfc3339%,%timegenerated:12:19:date-rfc3339%,%timegenerated:1:10:date-rfc3339%,%timegenerated:12:19:date-rfc3339%,%syslogfacility%,%syslogpriority%,%syslogtag%%msg%\n"
#$template wallmsg,"\r\n\7Message from syslogd@%HOSTNAME% at %timegenerated:::date-rfc3339% ...\r\n %syslogtag%%msg%\n\r"
# Selector lines are now modified
# The "action" (e.g. file logging) can be followed
# by a comma and then the name of a template to use.
# This is an example:
#authpriv.* /var/log/secure,precise
# Every facility and priority goes to the action "rger", with no template.
# NOTE(review): in traditional syslog.conf a bare name means "write to that
# user's terminal" - presumably the same here; confirm. If so, unfiltered
# message content from any sender is written to that terminal.
*.* rger
# Commented out: all messages with the MySQLInsert template.
#*.* *;MySQLInsert
# Every message, including auth-related facilities, is written to a file in
# a developer home directory using WinSyslogFmt. Keep that file readable only
# by accounts that are allowed to see auth logs.
# NOTE(review): the commentary above describes "action,template", while this
# line uses ";" as the separator - confirm which form the parser accepts.
*.* /home/rger/proj/rsyslog/logfile;WinSyslogFmt
# NOTE(review): the template defined above is spelled "usermsg"; confirm
# whether template names are case-sensitive before enabling this line.
#*.* /home/rger/proj/rsyslog/logfile;UserMsg
#*.* /home/rger/proj/rsyslog/tradfile;TraditionalFormat
# Commented out: forwarding to a remote host, with and without a template.
# NOTE(review): "@host" is presumably plain UDP as in traditional syslogd,
# i.e. unencrypted and unauthenticated - confirm before enabling.
#*.* @172.19.2.16;RFC3164fmt
#*.* @172.19.2.16
# Commented out: database action. The fields look like host, database, user
# and an empty fourth value - presumably the password; confirm. If enabled,
# use a dedicated insert-only account with a password rather than root, and
# attach a template that carries the sql option.
#*.* >localhost,AdisconDB,root,