mirror of
https://github.com/rsyslog/rsyslog.git
synced 2025-12-13 04:50:41 +01:00
6569133c75
* typo fix: ambigious -> ambiguous * typo fix: aquire -> acquire * typo fix: assgined -> assigned * typo fix: cancelation -> cancellation * typo fix: childs -> children * typo fix: configuraton -> configuration * typo fix: delemiter -> delimiter * typo fix: forwardig -> forwarding * typo fix: initializiation -> initialization * typo fix: intializing -> initializing * typo fix: lengh -> length * typo fix: mesage -> message * typo fix: occured -> occurred * typo fix: occurence -> occurrence * typo fix: paramter -> parameter * typo fix: remaing -> remaining * typo fix: resetted -> reset * typo fix: suppored -> supported * typo fix: Sytem -> System * typo fix: uncommited -> uncommitted * typo fix: depricated -> deprecated * typo fix: stoping -> stopping * type fix: allow to -> allow one to
285 lines
13 KiB
Plaintext
285 lines
13 KiB
Plaintext
# This is a sample configuation file for rsyslogd. See the
|
|
# doc/manual.html for details. If you can not find the
|
|
# manual set, please visit
|
|
#
|
|
# https://www.rsyslog.com/doc/
|
|
#
|
|
# to obtain it online.
|
|
#
|
|
# WARNING: We do NOT keep the comments in this file always
|
|
# up to date. Be sure to consult the doc set that
|
|
# came with your package, especially the file on
|
|
# rsyslog.conf - it probably has some better information
|
|
# than is provided here in comments. The main purpose
|
|
# of sample.conf is to show you some actual directives,
|
|
# not to be the authorative doc source.
|
|
#
|
|
# Please note that rsyslogd by default
|
|
# reads /etc/rsyslogd.conf (and NOT /etc/syslogd.conf!).
|
|
#
|
|
# A commented sample configuration. More a man page than a real
|
|
# sample ;)
|
|
#
|
|
# We try to keep things as consistent with existing syslog implementation
|
|
# as possible. We use "$" to start lines that contain new directives.
|
|
|
|
# We limit who can send us messages:
|
|
$AllowedSender UDP, 192.0.2.0/24, 10.0.0.1 # all machines in 192.0.2 as well as 10.0.0.1
|
|
$AllowedSender TCP, 10.0.0.1 # for TCP, we allow only 10.0.0.1
|
|
# remove the AllowedSender directives if you do not want to limit
|
|
# who can send rsyslogd messages (not recommended)
|
|
|
|
# Templates are a key feature of rsyslog. They allow one to specify any
|
|
# format a user might want. Every output in rsyslog uses templates - this
|
|
# holds true for files, user messages and so on. The database writer
|
|
# expects its template to be a proper SQL statement - so this is highly
|
|
# customizable too. You might ask how does all of this work when no templates
|
|
# at all are specified. Good question ;) The answer is simple, though. Templates
|
|
# compatible with the stock syslogd formats are hardcoded into rsyslog. So if
|
|
# no template is specified, we use one of these hardcoded templates. Search for
|
|
# "template_" in syslogd.c and you will find the hardcoded ones.
|
|
#
|
|
# A template consists of a template directive, a name, the actual template text
|
|
# and optional options. A sample is:
|
|
#
|
|
# $template MyTemplateName,"\7Text %property% some more text\n",<options>
|
|
#
|
|
# The "$template" is the template directive. It tells rsyslog that this
|
|
# line contains a template.
|
|
#
|
|
# "MyTemplateName" is the template name. All other config lines refer to
|
|
# this name.
|
|
#
|
|
# The text within quotes is the actual template text. The backslash is
|
|
# a escape character, much as in C. It does all these "cool" things. For
|
|
# example, \7 rings the bell (this is an ASCII value), \n is a new line.
|
|
# C programmers and perl coders have the advantage of knowing this, but the
|
|
# set in rsyslog is a bit restricted currently. All text in the template
|
|
# is used literally, except for things within percent signs. These are
|
|
# properties and allow you access to the contents of the syslog message.
|
|
# Properties are accessed via the property replacer (nice name, huh) and
|
|
# it can do cool things, too. For example, it can pick a substring or
|
|
# do date-specific formatting. More on this is below, on some lines of the
|
|
# property replacer.
|
|
#
|
|
# The <options> part is optional. It carries options that influence the
|
|
# template as whole. Details are below. Be sure NOT to mistake template
|
|
# options with property options - the later ones are processed by the
|
|
# property replacer and apply to a SINGLE property, only (and not the
|
|
# whole template).
|
|
#
|
|
# Template options are case-insensitive. Currently defined are:
|
|
# sql - format the string suitable for a SQL statement. This will replace single
|
|
# quotes ("'") by two single quotes ("''") inside each field. This option MUST
|
|
# be specified when a template is used for writing to a database, otherwise SQL
|
|
# injection might occur.
|
|
#
|
|
# Please note that the database writer *checks* that the sql option is
|
|
# present in the template. If it is not present, the write database action
|
|
# is disabled. This is to guard you against accidential forgetting it and
|
|
# then becoming vulnerable for SQL injection.
|
|
# The sql option can also be useful with files - especially if you want
|
|
# to run them on another machine for performance reasons. However, do NOT
|
|
# use it if you do not have a real need for it - among others, it takes
|
|
# some toll on the processing time. Not much, but on a really busy system
|
|
# you might notice it ;)
|
|
#
|
|
# To escape:
|
|
# % = \%
|
|
# \ = \\
|
|
# --> '\' is used to escape (as in C)
|
|
#$template TraditionalFormat,%timegenerated% %HOSTNAME% %syslogtag%%msg%\n"
|
|
#
|
|
# Properties can be accessed by the property replacer. They are accessed
|
|
# inside the template by putting them between percent signs. Properties
|
|
# can be modifed by the property replacer. The full syntax is as follows:
|
|
#
|
|
# %propname:fromChar:toChar:options%
|
|
#
|
|
# propname is the name of the property to access. This IS case-sensitive!
|
|
# Currently supported are:
|
|
# msg the MSG part of the message (aka "the message" ;))
|
|
# rawmsg the message excactly as it was received from the
|
|
# socket. Should be useful for debugging.
|
|
# UxTradMsg will disappear soon - do NOT use!
|
|
# HOSTNAME hostname from the message
|
|
# source alias for HOSTNAME
|
|
# syslogtag TAG from the message
|
|
# PRI PRI part of the message - undecoded (single value)
|
|
# IUT the monitorware InfoUnitType - used when talking to a
|
|
# MonitorWare backend (also for phpLogCon)
|
|
# syslogfacility the facility from the message - in numerical form
|
|
# syslogpriority the priority (actully severity!) from the
|
|
# message - in numerical form
|
|
# timegenerated timestamp when the message was RECEIVED. Always in high
|
|
# resolution
|
|
# timereported timestamp from the message. Resolution depends on what
|
|
# was provided in the message (in most cases, only seconds)
|
|
# TIMESTAMP alias for timereported
|
|
#
|
|
# Other properties might be available at the time you read this. Be sure
|
|
# to consult the property replacer documentation in the doc set for all
|
|
# properties.
|
|
#
|
|
# FromChar and toChar are used to build substrings. They specify the
|
|
# offset within the string that should be copied. Offset counting
|
|
# starts at 1, so if you need to obtain the first 2 characters of the
|
|
# message text, you can use this syntax: "%msg:1:2%".
|
|
# If you do not whish to specify from and to, but you want to
|
|
# specify options, you still need to include the colons. For example,
|
|
# if you would like to convert the full message text to lower case
|
|
# only, use "%msg:::lowercase%".
|
|
#
|
|
# property options are case-insensitive, currently defined are:
|
|
# uppercase convert property to lowercase only
|
|
# lowercase convert property text to uppercase only
|
|
# drop-last-lf The last LF in the message (if any), is dropped.
|
|
# Especially useful for PIX.
|
|
# date-mysql format as mysql date
|
|
# date-rfc3164 format as RFC 3164 date
|
|
# date-rfc3339 format as RFC 3339 date
|
|
# escape-cc NOT yet implemented
|
|
|
|
# Below find some samples of what a template can do. Have a good
|
|
# time finding out what they do [or just tun them] ;)
|
|
|
|
# A template that resambles traditional syslogd file output:
|
|
$template TraditionalFormat,"%timegenerated% %HOSTNAME% %syslogtag%%msg:::drop-last-lf%\n"
|
|
|
|
# a template useful for debugging format issues
|
|
$template DEBUG,"Debug line with all properties:\nFROMHOST: '%FROMHOST%', HOSTNAME: '%HOSTNAME%', PRI: %PRI%,\nsyslogtag '%syslogtag%', programname: '%programname%', APP-NAME: '%APP-NAME%', PROCID: '%PROCID%', MSGID: '%MSGID%',\nTIMESTAMP: '%TIMESTAMP%', STRUCTURED-DATA: '%STRUCTURED-DATA%',\nmsg: '%msg%'\nescaped msg: '%msg:::drop-cc%'\nrawmsg: '%rawmsg%'\n\n"
|
|
#
|
|
# A template that resembles RFC 3164 on-the-wire format:
|
|
# (yes, there is NO space betwen syslogtag and msg! that's important!)
|
|
$template RFC3164fmt,"<%PRI%>%TIMESTAMP% %HOSTNAME% %syslogtag%%msg%"
|
|
|
|
# a template resembling traditional wallmessage format:
|
|
$template wallmsg,"\r\n\7Message from syslogd@%HOSTNAME% at %timegenerated% ...\r\n %syslogtag%%msg%\n\r"
|
|
|
|
# The template below emulates winsyslog format, but we need to check the time
|
|
# stamps used. for now, it is good enough ;) This format works best with
|
|
# other members of the MonitorWare product family. It is also a good sample
|
|
# where you can see the property replacer in action.
|
|
$template WinSyslogFmt,"%HOSTNAME%,%timegenerated:1:10:date-rfc3339%,%timegenerated:12:19:date-rfc3339%,%timegenerated:1:10:date-rfc3339%,%timegenerated:12:19:date-rfc3339%,%syslogfacility%,%syslogpriority%,%syslogtag%%msg%\n"
|
|
|
|
# A template used for database writing (notice it *is* an actual
|
|
# sql-statement):
|
|
$template dbFormat,"insert into SystemEvents (Message, Facility,FromHost, Priority, DeviceReportedTime, ReceivedAt, InfoUnitID, SysLogTag) values ('%msg%', %syslogfacility%, '%HOSTNAME%',%syslogpriority%, '%timereported:::date-mysql%', '%timegenerated:::date-mysql%', %iut%, '%syslogtag%')",sql
|
|
|
|
# Selector lines are somewhat different from stock syslogd. With
|
|
# rsyslog, you can add a semicolon ";" after the target and then
|
|
# the template name. That will assign this template to the respective
|
|
# action. If no template name is given, a hardcoded template is used.
|
|
# If a template name is given, but the template was not defined, the
|
|
# selector line is DEACTIVATED.
|
|
#
|
|
# #############
|
|
# # IMPORTANT #
|
|
# #############
|
|
# Templates MUST be defined BEFORE they are used! It is OK to
|
|
# intermix template definitions and selector lines within the
|
|
# config file, but each template MUST be defined before it is
|
|
# used the first time!
|
|
#
|
|
|
|
# We have some very rough samples here - This sample file focusses
|
|
# on the new syntax, so we do NOT describe all possible selections.
|
|
# Use the syslog.conf if you are interested to see how to select
|
|
# based on facility and severits (aka priority).
|
|
|
|
*.* /var/log/winsyslog-like.log;WinSyslogFmt
|
|
|
|
# A selector using the traditional format defined above:
|
|
*.* /var/log/traditionalfile.log;TraditionalFormat
|
|
|
|
# And another one using the hardcoded traditional format:
|
|
*.* /var/log/anothertraditionalfile.log
|
|
|
|
# Templates are also fully supportd for forwarding:
|
|
*.* @172.19.2.16;RFC3164fmt
|
|
|
|
# And this finally is a database action
|
|
# The semicolon at the end is not necessary,
|
|
# but some previous versions of rsyslogd had a bug that
|
|
# made them abort if it were missing. As Dennis Olvany
|
|
# pointed out, it would be extremely nice to have this
|
|
# semicolon in the sample conf - so we did in a previous
|
|
# version and it still sticks around ;)
|
|
*.* >hostname,dbname,userid,password;
|
|
# It uses the default schema (MonitorWare format). The parameters
|
|
# should be self-explanatory.
|
|
|
|
# And this one uses the template defined above:
|
|
*.* >hostname,dbname,userid,password;dbFormat
|
|
|
|
|
|
#
|
|
# Rsyslog supports TCP-based syslog. To enable receiving TCP messages,
|
|
# use the -t <port> command line option (where port is the port it
|
|
# shall listen to. To forward messages to the remote host, you must
|
|
# specify a forwarding action and include the host and port. TCP
|
|
# and UDP-based forwarding has basically the same syntax, except that
|
|
# TCP delivery is triggered by specifying a second at-sign (@) in the
|
|
# message.
|
|
# This is UDP forwarding to port 514:
|
|
*.* @172.19.2.16
|
|
# This is UDP forwarding to port 1514:
|
|
*.* @172.19.2.16:1514
|
|
# This is TCP forwarding to port 1514:
|
|
*.* @@172.19.2.16:1514
|
|
# The second @-sign is all you need (except, of course, a tcp-capable
|
|
# syslogd like rsyslogd ;)).
|
|
# Of course, you can also specify a template with TCP:
|
|
*.* @@172.19.2.16:1514;RFC3164Fmt
|
|
# There are also some options you can select. These come between
|
|
# paranthesis. Available are:
|
|
# z<number> - turn on compression, number is compression mode 0 - none, 9 max
|
|
# o - (tcp only) use octet counting for framing EXPERIMENTAL
|
|
#
|
|
# Forward via TCP with maximum compression and octet couting framing:
|
|
*.* @@(z9,o)172.19.2.16:1514;RFC3164Fmt
|
|
# Forward via UDP with maximum compression to port 1514
|
|
*.* @(z9)172.19.2.16:1514
|
|
|
|
# We also support property-based filters, which allow for nice
|
|
# things. Let's for example assume that you receive a lot of
|
|
# nonsense messages with "ID-4711" in the message text. You know
|
|
# that you will never need these messages. So you simply discard them
|
|
:msg, contains, "ID-4711" ~
|
|
|
|
# or you would like to store messages from a specific host to
|
|
# a different file:
|
|
:FROMHOST, isequal,"myhost.example.com" /var/log/myhost.log
|
|
|
|
# everyting that does not contain "error" should also be
|
|
# discarded
|
|
:msg, !contains, "error" ~
|
|
# and the rest go to a seperate file
|
|
*.* /var/log/error
|
|
# (keep in mind that the two directives shown immediately
|
|
# above must be kept in that order to actually work)
|
|
|
|
# you can also execute a script. Let's assume, for example, you need
|
|
# to execute "turn-diesel-generator-on" when "power failed" is contained
|
|
# in a message... ;)
|
|
:msg, contains, "power failed" ^turn-diesel-generator-on
|
|
# (The script is passed the syslog message as first and only parameter.
|
|
# Other parameters can currently not be specified.)
|
|
|
|
# Note that boolean operations (other than not [!]) are not
|
|
# currently supported. As such, you can not filter out different
|
|
# facilities from different machines - hopefully later ;)
|
|
|
|
#
|
|
# A final world. rsyslog is considered a part of Adiscon's MonitorWare product line.
|
|
# As such, you can find current information as well as information on the
|
|
# other product line members on http://www.monitorware.com. Please be warned, there
|
|
# are a number of closed-source commercial Windows applications among these products ;)
|
|
#
|
|
# You might want to check the GPL'ed phpLogCon (http://www.phplogcon.org)
|
|
# as a web-based front-end to a syslog message database.
|
|
#
|
|
# I hope this work is useful.
|
|
# 2005-09-27 Rainer Gerhards <rgerhards@adiscon.com>
|
|
#
|