summaryrefslogtreecommitdiffstats
path: root/test.conf
blob: 14b8c75d97b9cdceb96a9529f19cfb23c3548249 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
# 2004-11-17 rgerhards: work copy of the new syslog.conf
# We try to keep things as consistent with existing syslog implementation
# as possible. We use "$" to start lines that contain new dirctives.
# Set syslogd options

# Templates are a key feature of rsyslog. They allow to specify any
# format a user might want. Every output in rsyslog uses templates - this
# holds true for files, user messages and so on. The database writer
# expects its template to be a proper SQL statement - so this is highly
# customizable too. You might ask how does all of this work when no templates
# at all are specified. Good question ;) The answer is simple, though. Templates
# compatible with the stock syslogd formats are hardcoded into rsyslog. So if
# no template is specified, we use one of these hardcoded templates. Search for
# "template_" in syslogd.c and you will find the hardcoded ones.
#
# A template consists of a template directive, a name, the actual template text
# and optional options. A sample is:
#
# $template MyTemplateName,"\7Text %property% some more text\n",<options>
#
# The "$template" is the template directive. It tells rsyslog that this
# line contains a template.
#
# "MyTemplateName" is the template name. All other config lines refer to
# this name.
#
# The text within quotes is the actual template text. The backslash is 
# a escape character, much as in C. It does all these "cool" things. For
# example, \7 rings the bell (this is an ASCII value), \n is a new line.
# C programmers and perl coders have the advantage of knowing this, but the
# set in rsyslog is a bit restricted currently. All text in the template
# is used literally, except for things within percent signs. These are 
# properties and allow you access to the contents of the syslog message.
# Properties are accessed via the property replacer (nice name, huh) and
# it can do cool things, too. For example, it can pick a substring or
# do date-specific formatting. More on this is below, on some lines of the
# property replacer.
#
# The <options> part is optional. It carries options that influence the
# template as whole. Details are below. Be sure NOT to mistake template
# options with property options - the later ones are processed by the
# property replacer and apply to a SINGLE property, only (and not the
# whole template).
#
# Template options are case-insensitive. Currently defined are:
# sql - format the string suitable for a SQL statement. This will replace single
#       quotes ("'") by two single quotes ("''") inside each field. This option MUST
#       be specified when a template is used for writing to a database, otherwise SQL
#       injection might occur.
#
# 	Please note that the database writer *checks* that the sql option is
#	present in the template. If it is not present, the write database action
#	is disabled. This is to guard you against accidential forgetting it and
#	then becoming vulnerable for SQL injection.
#	The sql option can also be useful with files - especially if you want
#	to run them on another machine for performance reasons. However, do NOT
#	use it if you do not have a real need for it - among others, it takes
#	some toll on the processing time. Not much, but on a really busy system
#	you might notice it ;)
#
# To escape:
# % = \%
# \ = \\
# --> '\' is used to escape (as in C)
#$template TraditionalFormat,%timegenerated% %HOSTNAME% %syslogtag%%msg%\n"
#
# Properties can be accessed by the property replacer. They are accessed
# inside the template by putting them between percent signs. Properties
# can be modifed by the property replacer. The full syntax is as follows:
#
# %propname:fromChar:toChar:options%
#
# propname is the name of the property to access. This IS case-sensitive!
# Currently supported are:
# msg		the MSG part of the message (aka "the message" ;))
# rawmsg	the message excactly as it was received from the
#		socket. Should be useful for debugging.
# UxTradMsg	will disappear soon - do NOT use!
# HOSTNAME	hostname from the message
# source	alias for HOSTNAME
# syslogtag	TAG from the message
# PRI		PRI part of the message - undecoded (single value)
# IUT		the monitorware InfoUnitType - used when talking to a
#		MonitorWare backend (also for phpLogCon)
# syslogfacility	the facility from the message - in numerical form
# syslogpriority	the priority (actully severity!) from the
#			message - in numerical form
# timegenerated	timestamp when the message was RECEIVED. Always in high
#		resolution
# timereported	timestamp from the message. Resolution depends on what
#		was provided in the message (in most cases, only seconds)
# TIMESTAMP	alias for timereported
#
# FromChar and toChar are used to build substrings. They specify the
# offset within the string that should be copied. Offset counting
# starts at 1, so if you need to obtain the first 2 characters of the
# message text, you can use this syntax: "%msg:1:2%".
# If you do not whish to specify from and to, but you want to
# specify options, you still need to include the colons. For example,
# if you would like to convert the full message text to lower case
# only, use "%msg:::lowercase%".
#
# property options are case-insensitive, currently defined are:
# uppercase	convert property to lowercase only
# lowercase	convert property text to uppercase only
# drop-last-lf	The last LF in the message (if any), is dropped. 
#		Especially useful for PIX.
# date-mysql	format as mysql date
# date-rfc3164	format as RFC 3164 date
# date-rfc3339	format as RFC 3339 date
# escape-cc	NOT yet implemented

# Below find some samples of what a template can do. Have a good
# time finding out what they do ;)

# A template that resambles traditional syslogd file output:
$template TraditionalFormat,"%timegenerated% %HOSTNAME% %syslogtag%%msg:::drop-last-lf%\n"

# A template that tells you a little more about the message:
 $template precise,"%syslogpriority%,%syslogfacility%,%timegenerated%,%HOSTNAME%,%syslogtag%,%msg%\n"
$template RFC3164fmt,"<%PRI%>%TIMESTAMP% %HOSTNAME% %syslogtag%%msg%"
#$template precise,"%syslogpriority%,%syslogfacility%,%timegenerated::fulltime%,%HOSTNAME%,%syslogtag%,%msg%\n",1024
$template usermsg," XXXX%syslogtag%%msg%\n\r"
#$template wallmsg,"\r\n\7Message from syslogd@%HOSTNAME% at %timegenerated% ...\r\n %syslogtag%%msg%\n\r"
$template MySQLInsert,"insert iut, message, receivedat values ('%iut%', '%msg:::UPPERCASE%', '%timegenerated:::date-mysql%') into systemevents\r\n", SQL

# the template below emulates winsyslog format, but we need to check the time
# stamps used. for now, it is good enough ;)
$template WinSyslogFmt,"%HOSTNAME%,%timegenerated:1:10:date-rfc3339%,%timegenerated:12:19:date-rfc3339%,%timegenerated:1:10:date-rfc3339%,%timegenerated:12:19:date-rfc3339%,%syslogfacility%,%syslogpriority%,%syslogtag%%msg%\n"
#$template wallmsg,"\r\n\7Message from syslogd@%HOSTNAME% at %timegenerated:::date-rfc3339% ...\r\n %syslogtag%%msg%\n\r"

# Selector lines are now modified
# The "action" (e.g. file logging) can be followed
# by a comma and then the name of a template to use.
# This is an example:
#authpriv.*						/var/log/secure,precise
#*.*		rger
#*.*		*;MySQLInsert
*.*		-/home/rger/proj/rsyslog/logfile;WinSyslogFmt
#*.*		/home/rger/proj/rsyslog/logfile;UserMsg
#*.*		/home/rger/proj/rsyslog/tradfile;TraditionalFormat
#*.*		@172.19.2.16;RFC3164fmt
#*.*		@172.19.2.16
#*.*		>localhost,AdisconDB,root,