# A commented quick reference and sample configuration
# WARNING: This is not a manual; the full manual of rsyslog configuration is in
# the rsyslog.conf(5) manpage
#
# "$" starts lines that contain new directives. The full list of directives
# can be found in /usr/share/doc/rsyslog-1.19.6/doc/rsyslog_conf.html or online
# at http://www.rsyslog.com/doc if you do not have (or find) a local copy.
#
# Set syslogd options
# Some global directives
# ----------------------
# $AllowedSender - specifies which remote systems are allowed to send syslog messages to rsyslogd
# --------------
# Accept UDP syslog only from the listed addresses, networks and host names.
# NOTE(review): UDP source addresses can be forged, and host-name patterns
# presumably depend on reverse DNS lookups - treat this list as a coarse
# filter and keep firewall rules in place as well.
$AllowedSender UDP, 127.0.0.1, 192.0.2.0/24, [::1]/128, *.example.net, somehost.example.com
# $UMASK - specifies the rsyslogd processes' umask
# ------
# A umask of 0000 masks no permission bits, so newly created files and
# directories get exactly the mode rsyslogd requests
# (see $FileCreateMode / $DirCreateMode).
# NOTE(review): make sure those create modes are restrictive; with this umask
# nothing else keeps log files from being readable or writable by other users.
$umask 0000
# $FileGroup - Set the group for dynaFiles newly created
# ----------
# "loggroup" is a sample name. Members of this group can access the log files
# whenever the file mode grants group permissions, so use a dedicated group.
$FileGroup loggroup
# $FileOwner - Set the file owner for dynaFiles newly created.
# ----------
# "loguser" is a sample name. The owner can normally change a file's mode and
# contents, so prefer a dedicated account that nothing else runs as.
$FileOwner loguser
# $IncludeConfig - include other files into the main configuration file
# --------------
# The included file becomes part of the configuration, so it can load modules
# and define actions (including program execution) just like this file.
# NOTE(review): keep it owned by root and not writable by anyone else.
$IncludeConfig /etc/some-included-file.conf # one file
# Directory form: the trailing slash is what marks the path as a directory.
# NOTE(review): whoever can create a file in this directory can change the
# logging configuration, so it should be writable by root only.
$IncludeConfig /etc/rsyslog.d/ # whole directory (must contain the final slash)
# $ModLoad - Dynamically loads a plug-in and activates it
# --------
# Module given by name only (no path).
# NOTE(review): presumably resolved against rsyslogd's module directory - confirm
# for the installed version, and keep that directory writable by root only.
$ModLoad MySQL # load MySQL functionality
# Module given by absolute path. A loaded plug-in runs inside the rsyslogd
# process, so the .so file and every directory on its path must not be
# writable by unprivileged users.
$ModLoad /rsyslog/modules/somemodule.so # load a module via absolute path
# Templates
# ---------
# Templates let you specify any output format you might want.
# They MUST be defined BEFORE they are used.
# A template consists of a template directive, a name, the actual template text
# and optional options. A sample is:
#
# Syntax illustration only: "property" stands for a real property name.
# NOTE(review): the trailing comma is presumably where the optional template
# options would follow; nothing is given after it here.
$template MyTemplateName,"\7Text %property% some more text\n",
# where:
# * $template - tells rsyslog that this line contains a template.
# * MyTemplateName - template name. All other config lines refer to this name.
# * "\7Text %property% some more text\n" - template text
# The backslash is an escape character, i.e. \7 rings the bell, \n is a new line.
# To escape:
# % = \%
# \ = \\
# Template options are case-insensitive. Currently defined are:
# sql - format the string suitable for a SQL statement. This will replace single
# quotes ("'") by two single quotes ("''") to prevent SQL injection
# (NO_BACKSLASH_ESCAPES turned off)
# stdsql - format the string suitable for a SQL statement that is to
# be sent to a standards-compliant sql server.
# (NO_BACKSLASH_ESCAPES turned on)
# Properties inside templates
# ---------------------------
# Properties can be modified by the property replacer. They are accessed
# inside the template by putting them between percent signs. The full syntax is as follows:
# %propname:fromChar:toChar:options%
# FromChar and toChar are used to build substrings.
# If you need to obtain the first 2 characters of the
# message text, you can use this syntax:
# "%msg:1:2%".
# If you do not wish to specify from and to, but you want to
# specify options, you still need to include the colons.
# For example, to convert the full message text to lower case only, use
# "%msg:::lowercase%".
# The full list of property options can be found in rsyslog.conf(5) manpage
# Samples of template definitions
# -------------------------------
# A template that resembles traditional syslogd file output:
# Fields: generation time, host name, tag, then the message with the
# drop-last-lf option applied; the template itself ends each record with \n.
$template TraditionalFormat,"%timegenerated% %HOSTNAME% %syslogtag%%msg:::drop-last-lf%\n"
# A more verbose template:
# Comma-separated: priority, facility, full timestamp, host, tag, message.
# NOTE(review): %msg% is free text supplied by the sender and may itself
# contain commas, so do not parse this output as strict CSV.
$template precise,"%syslogpriority%,%syslogfacility%,%timegenerated::fulltime%,%HOSTNAME%,%syslogtag%,%msg%\n"
# A template that resembles RFC 3164 on-the-wire format:
# (yes, there is NO space between syslogtag and msg! that's important!)
# <PRI> header, timestamp, host, then tag and message joined without a space.
# No trailing newline is part of this template.
$template RFC3164fmt,"<%PRI%>%TIMESTAMP% %HOSTNAME% %syslogtag%%msg%"
# a template resembling traditional wallmessage format:
# \7 is the bell character; \r\n pairs frame the banner line.
# NOTE(review): %msg% and %syslogtag% are sender-supplied text; if this
# template is used for output to users' terminals, keep rsyslog's
# control-character escaping enabled so messages cannot carry terminal
# escape sequences.
$template wallmsg,"\r\n\7Message from syslogd@%HOSTNAME% at %timegenerated% ...\r\n %syslogtag%%msg%\n\r"
# The template below emulates winsyslog format, but we need to check the time
# stamps used. It is also a good sample of the property replacer in action.
# Characters 1-10 and 12-19 of the RFC 3339 form of %timegenerated% are
# extracted as separate fields, and that pair is emitted twice.
# NOTE(review): presumably these are the date and time parts - confirm
# against the target format, as the comment above asks.
$template WinSyslogFmt,"%HOSTNAME%,%timegenerated:1:10:date-rfc3339%,%timegenerated:12:19:date-rfc3339%,%timegenerated:1:10:date-rfc3339%,%timegenerated:12:19:date-rfc3339%,%syslogfacility%,%syslogpriority%,%syslogtag%%msg%\n"
# A template used for database writing (notice it *is* an actual
# sql-statement):
# The trailing ",sql" option is what protects this statement: %msg%,
# %HOSTNAME% and %syslogtag% are sender-supplied text placed inside quoted
# SQL values, and the option escapes them before insertion. Never remove it
# from a template that builds a SQL statement.
# NOTE(review): %syslogfacility%, %syslogpriority% and %iut% are inserted
# unquoted - presumably always numeric; confirm.
$template dbFormat,"insert into SystemEvents (Message, Facility,FromHost, Priority, DeviceReportedTime, ReceivedAt, InfoUnitID, SysLogTag) values ('%msg%', %syslogfacility%, '%HOSTNAME%',%syslogpriority%, '%timereported:::date-mysql%', '%timegenerated:::date-mysql%', %iut%, '%syslogtag%')",sql
# Samples of rules
# ----------------
# Regular file
# ------------
# "*.*" selects every facility and priority; ";TraditionalFormat" applies the
# template of that name to each record written to the file.
*.* /var/log/traditionalfile.log;TraditionalFormat # log to a file in the traditional format
# Forwarding to remote machine
# ----------------------------
# A single "@" forwards over UDP.
# NOTE(review): plain UDP syslog is unencrypted and unauthenticated, and lost
# datagrams are not reported - use it only on a trusted network segment.
*.* @172.19.2.16 # udp (standard for syslog)
# "@@" forwards over TCP.
# NOTE(review): plain TCP is still clear text and does not authenticate the
# receiver; use rsyslog's TLS transport where logs cross untrusted networks.
*.* @@172.19.2.17 # tcp
# Database action
# ---------------
# (you must have rsyslog-mysql package installed)
# !!! Don't forget to set the permissions of rsyslog.conf to 600 - the lines below hold the database password in clear text !!!
# hostname, dbname, userid and password are placeholders for the real values.
# NOTE(review): the password is stored here in clear text; use a dedicated
# database account that is limited to inserting into the log table.
*.* >hostname,dbname,userid,password # (default Monitorware schema, can be created by /usr/share/doc/rsyslog-mysql-1.19.6/createDB.sql)
# And this one uses the template defined above:
# Same database action, but the statement is built from the dbFormat template.
# NOTE(review): the template used here must carry the sql (or stdsql) option,
# because message text from the sender is placed inside the SQL statement.
*.* >hostname,dbname,userid,password;dbFormat
# Program to execute
# ------------------
# "^" runs the named program for each message the selector matches; with
# "*.*" that is every message.
# NOTE(review): the program runs with rsyslogd's privileges (presumably root)
# and any sender who can log a message can trigger it - use a narrow selector
# and an absolute path in real configurations.
*.* ^alsaunmute # set default volume to soundcard
# Filter using regex
# ------------------
# if a user logs the word rulez or rulezz or rulezzz or ..., then we will shut down the PC
# (note that the + has to be double-backslashed ...)
# Property filter: runs "poweroff" when the message text matches the regex.
# NOTE(review): demonstration only. Message text is controlled by whoever
# writes the log entry (any local user, or any accepted remote sender), so a
# rule like this hands them the ability to shut the machine down. Do not tie
# privileged actions to message content in production.
:msg, regex, "rulez\\+" ^poweroff
# A more complex example
# ----------------------
# Fixed text plus the generation time; no sender-supplied property is
# included in the output of this template.
$template bla_logged,"%timegenerated% the BLA was logged"
# Runs "logger" with the bla_logged template whenever a message contains "bla".
# NOTE(review): presumably the template text is handed to the program as its
# argument - confirm. The generated text says "BLA" in upper case; if the
# comparison is case-sensitive that keeps the rule from re-triggering on its
# own output - verify before reusing this pattern.
:msg, contains, "bla" ^logger;bla_logged
# Pipes
# -----
# first we need to create the pipe with: # mkfifo /a_big_pipe
# "|" writes every selected message (here: all) to the named pipe.
# NOTE(review): whoever can read the pipe sees all log traffic, so create the
# FIFO with restrictive ownership and mode.
*.* |/a_big_pipe
# Discarding
# ----------
# "~" discards the message.
# NOTE(review): presumably rules are evaluated in order, so any rule placed
# after a "*.*" discard never sees a message - a misplaced discard silently
# drops security-relevant logs. Keep discards narrow and deliberate.
*.* ~ # discards everything