Debian rsyslog.conf Linux man page

NAME
    rsyslog.conf - rsyslogd(8) configuration file

DESCRIPTION
    The rsyslog.conf file is the main configuration file for rsyslogd(8),
    which logs system messages on *nix systems. This file specifies rules
    for logging. For special features see the rsyslogd(8) manpage.
    Rsyslog.conf is backward-compatible with sysklogd's syslog.conf file.
    So if you migrate from sysklogd you can rename it and it should work.

BASIC STRUCTURE
    Lines starting with a hash mark ('#') and empty lines are ignored.

    Rsyslog.conf should contain the following sections (sorted by
    recommended order in the file):

    Global directives
        Global directives set some global properties of the whole rsyslog
        daemon, for example the size of the main message queue
        ($MainMessageQueueSize), loading external modules ($ModLoad) and
        so on. All global directives need to be specified on a line by
        their own and must start with a dollar sign. The complete list of
        global directives can be found in the html documentation in the
        doc directory or online on the web pages.

    Templates
        Templates allow you to specify the format of the logged message.
        They are also used for dynamic file name generation. They have to
        be defined before they are used in rules. For more info about
        templates see the TEMPLATES section of this manpage.

    Output channels
        Output channels provide an umbrella for any type of output that
        the user might want. They have to be defined before they are used
        in rules. For more info about output channels see the OUTPUT
        CHANNELS section of this manpage.

    Rules (selector + action)
        Every rule line consists of two fields, a selector field and an
        action field. These two fields are separated by one or more
        spaces or tabs. The selector field specifies a pattern of
        facilities and priorities belonging to the specified action.

ACTIONS
    The action field of a rule describes what to do with the message. In
    general, message content is written to a kind of "logfile". But also
    other actions might be done, like writing to a database table or
    forwarding to another host.

    Regular file
        Typically messages are logged to real files. The file has to be
        specified with full pathname, beginning with a slash ('/').

        Example:

            *.* /var/log/traditionalfile.log;TraditionalFormat
            # log to a file in the traditional format

    Named pipes
        This version of rsyslogd(8) has support for logging output to
        named pipes (fifos). A fifo or named pipe can be used as a
        destination for log messages by prepending a pipe symbol ('|') to
        the name of the file. This is handy for debugging. Note that the
        fifo must be created with the mkfifo(1) command before rsyslogd(8)
        is started.

    Terminal and console
        If the file you specified is a tty, special tty-handling is done,
        same with /dev/console.

    Remote machine
        To forward messages to another host, prepend the hostname with the
        at sign ("@"). A single at sign means that messages will be
        forwarded via the UDP protocol (the standard for syslog). If you
        prepend two at signs ("@@"), the messages will be transmitted via
        TCP.

        Please note that this version of rsyslogd by default does NOT
        forward messages it has received from the network to another
        host. Specify the "-h" option to enable this.

        Example:

            *.* @192.168.0.1

        In the example above, messages are forwarded via UDP to the
        machine 192.168.0.1; the destination port defaults to 514.

    List of users
        Usually critical messages are also directed to ''root'' on that
        machine. You can specify a list of users that shall get the
        message by simply writing the login. You may specify more than one
        user by separating them with commas (','). If they're logged in
        they get the message. Don't think a mail would be sent, that might
        be too late.

    Everyone logged on
        Emergency messages often go to all users currently online to
        notify them that something strange is happening with the system.
        To specify this wall(1)-feature use an asterisk ('*').

    Database table
        This allows logging of the message to a database table. Currently,
        only MySQL databases are supported. By default, a
        MonitorWare-compatible schema is required for this to work. You
        can create that schema with the createDB.SQL file that came with
        the rsyslog package. You can also use any other schema of your
        liking - you just need to define a proper template and assign this
        template to the action.

        The database writer is called by specifying a greater-than sign
        ('>') in front of the database connect information. Immediately
        after that sign the database host name must be given, a comma, the
        database name, another comma, the database user, a comma and then
        the user's password. If a specific template is to be used, a
        semicolon followed by the template name can follow the connect
        information.

        Example:

            >dbhost,dbname,dbuser,dbpassword;dbtemplate

        Important: to use the database functionality, the MySQL output
        module must be loaded in the config file BEFORE the first database
        table action is used. This is done by placing the $ModLoad MySQL
        directive some place above the first use of the database write (we
        recommend doing so at the beginning of the config file). You have
        to install the rsyslog-mysql package to get this module.

    Discard
        If the discard action is carried out, the received message is
        immediately discarded. Discard can be highly effective if you want
        to filter out some annoying messages that otherwise would fill
        your log files. To do that, place the discard actions early in
        your config file. This often plays well with property-based
        filters, giving you great freedom in specifying what you do not
        want.

        Discard is just the single tilde character with no further
        parameters.

        Example:

            *.* ~    # discards everything.

    Output channel
        Binds an output channel definition (see there for details) to this
        action. Output channel actions must start with a $-sign, e.g. if
        you would like to bind your output channel definition "mychannel"
        to the action, use "$mychannel". Output channels support template
        definitions like all other actions.

    Shell execute
        This executes a program in a subshell. The program is passed the
        template-generated message as the only command line parameter.
        Rsyslog waits until the program terminates and only then continues
        to run.

        Example:

            ^program-to-execute;template

        The program-to-execute can be any valid executable. It receives
        the template string as a single parameter (argv[1]).

FILTER CONDITIONS
    Rsyslog offers two different types of "filter conditions":

    * "traditional" severity and facility based selectors
    * property-based filters

    Blocks
        Rsyslogd supports BSD-style blocks inside rsyslog.conf. Each block
        of lines is separated from the previous block by a program or
        hostname specification. A block will only log messages
        corresponding to the most recent program and hostname
        specifications given. Thus, if a block which selects "ppp" as the
        program is directly followed by a block that selects messages from
        the hostname "dialhost", then the second block will only log
        messages from the ppp program on dialhost.

    Selectors
        Selectors are the traditional way of filtering syslog messages.
        They have been kept in rsyslog with their original syntax, because
        it is well-known, highly effective and also needed for
        compatibility with stock syslogd configuration files. If you just
        need to filter based on priority and facility, you should do this
        with selector lines. They are not second-class citizens in rsyslog
        and offer the best performance for this job.

    Property-Based Filters
        Property-based filters are unique to rsyslogd. They allow
        filtering on any property, like HOSTNAME, syslogtag and msg.

        A property-based filter must start with a colon in column 0. This
        tells rsyslogd that it is the new filter type. The colon must be
        followed by the property name, a comma, the name of the compare
        operation to carry out, another comma and then the value to
        compare against. This value must be quoted. There can be spaces
        and tabs between the commas. Property names and compare operations
        are case-sensitive, so "msg" works, while "MSG" is an invalid
        property name. In brief, the syntax is as follows:

            :property, [!]compare-operation, "value"

        The following compare-operations are currently supported:

        contains
            Checks if the string provided in value is contained in the
            property.

        isequal
            Compares the "value" string provided and the property
            contents. These two values must be exactly equal to match.

        startswith
            Checks if the value is found exactly at the beginning of the
            property value.

        regex
            Compares the property against the provided regular
            expression.

TEMPLATES
    Every output in rsyslog uses templates - this holds true for files,
    user messages and so on. Templates compatible with the stock syslogd
    formats are hardcoded into rsyslogd. If no template is specified, we
    use one of these hardcoded templates. Search for "template_" in
    syslogd.c and you will find the hardcoded ones.

    A template consists of a template directive, a name, the actual
    template text and optional options. A sample is:

        $template MyTemplateName,"\7Text %property% some more text\n",<options>

    The "$template" is the template directive. It tells rsyslog that this
    line contains a template. The backslash is an escape character. For
    example, \7 rings the bell (this is an ASCII value), \n is a new line.
    The set of escapes in rsyslog is a bit restricted currently.

    All text in the template is used literally, except for things within
    percent signs. These are properties and allow you access to the
    contents of the syslog message. Properties are accessed via the
    property replacer, and it can for example pick a substring or do
    date-specific formatting. More on this is in the PROPERTY REPLACER
    section of this manpage.

    To escape:

        % = \%
        \ = \\
        --> '\' is used to escape (as in C)

        $template TraditionalFormat,"%timegenerated% %HOSTNAME% %syslogtag%%msg%\n"

    Properties can be accessed by the property replacer (see there for
    details).

    Please note that as of 1.15.0, templates can also be used to generate
    selector lines with dynamic file names. For example, if you would like
    to split syslog messages from different hosts to different files (one
    per host), you can define the following template:

        $template DynFile,"/var/log/system-%HOSTNAME%.log"

    This template can then be used when defining an output selector line.
    It will result in something like "/var/log/system-localhost.log".

    Template options
        The <options> part is optional. It carries options influencing the
        template as a whole. See details below. Be sure NOT to mistake
        template options with property options - the latter ones are
        processed by the property replacer and apply to a SINGLE property
        only (and not the whole template).

        Template options are case-insensitive. Currently defined are:

        sql     format the string suitable for a SQL statement in MySQL
                format. This will replace single quotes ("'") and the
                backslash character by their backslash-escaped
                counterparts ("\'" and "\\") inside each field. Please
                note that in the MySQL configuration, the
                NO_BACKSLASH_ESCAPES mode must be turned off for this
                format to work (this is the default).

        stdsql  format the string suitable for a SQL statement that is to
                be sent to a standards-compliant sql server. This will
                replace single quotes ("'") by two single quotes ("''")
                inside each field. You must use stdsql together with MySQL
                if in the MySQL configuration NO_BACKSLASH_ESCAPES is
                turned on.

        Either the sql or stdsql option MUST be specified when a template
        is used for writing to a database, otherwise injection might
        occur. Please note that due to the unfortunate fact that several
        vendors have violated the sql standard and introduced their own
        escape methods, it is impossible to have a single option doing all
        the work. So you yourself must make sure you are using the right
        format. If you choose the wrong one, you are still vulnerable to
        sql injection.

        Please note that the database writer *checks* that the sql option
        is present in the template. If it is not present, the write
        database action is disabled. This is to guard you against
        accidentally forgetting it and then becoming vulnerable to SQL
        injection. The sql option can also be useful with files -
        especially if you want to import them into a database on another
        machine for performance reasons. However, do NOT use it if you do
        not have a real need for it - among others, it takes some toll on
        the processing time. Not much, but on a really busy system you
        might notice it ;)

        The default template for the write to database action has the sql
        option set. As we currently support only MySQL and the sql option
        matches the default MySQL configuration, this is a good choice.
        However, if you have turned on NO_BACKSLASH_ESCAPES in your MySQL
        config, you need to supply a template with the stdsql option.
        Otherwise you will become vulnerable to SQL injection.

    Template examples
        Please note that the samples are split across multiple lines. A
        template MUST NOT actually be split across multiple lines.

        A template that resembles traditional syslogd file output:

            $template TraditionalFormat,"%timegenerated% %HOSTNAME%
            %syslogtag%%msg:::drop-last-lf%\n"

        A template that tells you a little more about the message:

            $template precise,"%syslogpriority%,%syslogfacility%,
            %timegenerated%,%HOSTNAME%,%syslogtag%,%msg%\n"

        A template for RFC 3164 format:

            $template RFC3164fmt,"<%PRI%>%TIMESTAMP% %HOSTNAME%
            %syslogtag%%msg%"

        A template for the format traditionally used for user messages:

            $template usermsg," XXXX%syslogtag%%msg%\n\r"

        And a template with the traditional wall-message format:

            $template wallmsg,"\r\n\7Message from syslogd@%HOSTNAME% at
            %timegenerated%"

        A template that can be used for writing to a database (please note
        the SQL template option):

            $template MySQLInsert,"insert iut, message, receivedat values
            ('%iut%', '%msg:::UPPERCASE%', '%timegenerated:::date-mysql%')
            into systemevents\r\n", SQL

        NOTE 1: This template is embedded into the core application under
        the name StdDBFmt, so you don't need to define it.

        NOTE 2: You have to have the MySQL module installed to use this
        template.

OUTPUT CHANNELS
    Output channels are a new concept first introduced in rsyslog 0.9.0.
    As of this writing, it is most likely that they will be replaced by
    something different in the future. So if you use them, be prepared to
    change your configuration file syntax when you upgrade to a later
    release.

    Output channels are defined via an $outchannel directive. Its syntax
    is as follows:

        $outchannel name,file-name,max-size,action-on-max-size

    name is the name of the output channel (not the file), file-name is
    the file name to be written to, max-size the maximum allowed size and
    action-on-max-size a command to be issued when the max size is
    reached. This command always has exactly one parameter. The binary is
    that part of action-on-max-size before the first space, its parameter
    is everything behind that space.

    Keep in mind that $outchannel just defines a channel with "name". It
    does not activate it. To do so, you must use a selector line (see
    below). That selector line includes the channel name plus a $ sign in
    front of it. A sample might be:

        *.* $mychannel

PROPERTY REPLACER
    The property replacer is a core component in rsyslogd's output system.
    A syslog message has a number of well-defined properties (see below).
    Each of these properties can be accessed and manipulated by the
    property replacer. With it, it is easy to use only part of a property
    value or manipulate the value, e.g. by converting all characters to
    lower case.

    Accessing Properties
        Syslog message properties are used inside templates. They are
        accessed by putting them between percent signs. Properties can be
        modified by the property replacer. The full syntax is as follows:

            %propname:fromChar:toChar:options%

        propname is the name of the property to access. It is
        case-sensitive.

    Available Properties
        msg     the MSG part of the message (aka "the message" ;))

        rawmsg  the message exactly as it was received from the socket.
                Should be useful for debugging.

        HOSTNAME
                hostname from the message

        FROMHOST
                hostname of the system the message was received from (in a
                relay chain, this is the system immediately in front of us
                and not necessarily the original sender)

        syslogtag
                TAG from the message

        programname
                the "static" part of the tag, as defined by BSD syslogd.
                For example, when TAG is "named[12345]", programname is
                "named".

        PRI     PRI part of the message - undecoded (single value)

        PRI-text
                the PRI part of the message in a textual form (e.g.
                "syslog.info")

        IUT     the monitorware InfoUnitType - used when talking to a
                MonitorWare backend (also for phpLogCon)

        syslogfacility
                the facility from the message - in numerical form

        syslogfacility-text
                the facility from the message - in text form

        syslogseverity
                severity from the message - in numerical form

        syslogseverity-text
                severity from the message - in text form

        timegenerated
                timestamp when the message was RECEIVED. Always in high
                resolution

        timereported
                timestamp from the message. Resolution depends on what was
                provided in the message (in most cases, only seconds)

        TIMESTAMP
                alias for timereported

        PROTOCOL-VERSION
                The contents of the PROTOCOL-VERSION field from IETF draft
                draft-ietf-syslog-protocol

        STRUCTURED-DATA
                The contents of the STRUCTURED-DATA field from IETF draft
                draft-ietf-syslog-protocol

        APP-NAME
                The contents of the APP-NAME field from IETF draft
                draft-ietf-syslog-protocol

        PROCID  The contents of the PROCID field from IETF draft
                draft-ietf-syslog-protocol

        MSGID   The contents of the MSGID field from IETF draft
                draft-ietf-syslog-protocol

        $NOW    The current date stamp in the format YYYY-MM-DD

        $YEAR   The current year (4-digit)

        $MONTH  The current month (2-digit)

        $DAY    The current day of the month (2-digit)

        $HOUR   The current hour in military (24 hour) time (2-digit)

        $MINUTE The current minute (2-digit)

        Properties starting with a $-sign are so-called system properties.
        These do NOT stem from the message but are rather
        internally-generated.

    Character Positions
        FromChar and toChar are used to build substrings. They specify the
        offset within the string that should be copied. Offset counting
        starts at 1, so if you need to obtain the first 2 characters of
        the message text, you can use this syntax: "%msg:1:2%". If you do
        not wish to specify from and to, but you want to specify options,
        you still need to include the colons. For example, if you would
        like to convert the full message text to lower case, use
        "%msg:::lowercase%". If you would like to extract from a position
        until the end of the string, you can place a dollar sign ("$") in
        toChar (e.g. %msg:10:$%, which will extract from position 10 to
        the end of the string).

        There is also support for regular expressions. To use them, you
        need to place an "R" into FromChar. This tells rsyslog that a
        regular expression instead of position-based extraction is
        desired. The actual regular expression must then be provided in
        toChar. The regular expression must be followed by the string
        "--end". It denotes the end of the regular expression and will not
        become part of it. If you are using regular expressions, the
        property replacer will return the part of the property text that
        matches the regular expression. An example for a property replacer
        sequence with a regular expression is:

            "%msg:R:.*Sev:. \(.*\) \[.*--end%"

        Also, extraction can be done based on so-called "fields". To do
        so, place an "F" into FromChar. A field in its current definition
        is anything that is delimited by a delimiter character. The
        delimiter by default is TAB (US-ASCII value 9). However, it can be
        changed to any other US-ASCII character by specifying a comma and
        the decimal US-ASCII value of the delimiter immediately after the
        "F". For example, to use comma (",") as a delimiter, use this
        field specifier: "F,44". If your syslog data is delimited, this is
        a quicker way to extract than via regular expressions (actually, a
        *much* quicker way). Field counting starts at 1. Field zero is
        accepted, but will always lead to a "field not found" error. The
        same happens if a field number higher than the number of fields in
        the property is requested. The field number must be placed in the
        "ToChar" parameter. An example where the 3rd field (delimited by
        TAB) from the msg property is extracted is as follows:
        "%msg:F:3%". The same example with semicolon as delimiter is
        "%msg:F,59:3%".

        Please note that the special characters "F" and "R" are
        case-sensitive. Only upper case works, lower case will return an
        error. There are no white spaces permitted inside the sequence
        (that will lead to error messages and will NOT provide the
        intended result).

    Property Options
        Property options are case-insensitive. Currently, the following
        options are defined:

        uppercase
                convert property text to uppercase only

        lowercase
                convert property text to lowercase only

        drop-last-lf
                The last LF in the message (if any) is dropped. Especially
                useful for PIX.

        date-mysql
                format as mysql date

        date-rfc3164
                format as RFC 3164 date

        date-rfc3339
                format as RFC 3339 date

        escape-cc
                replace control characters (ASCII value 127 and values
                less than 32) with an escape sequence. The sequence is
                "#<charval>" where charval is the 3-digit decimal value of
                the control character. For example, a tabulator would be
                replaced by "#009".

        space-cc
                replace control characters by spaces

        drop-cc
                drop control characters - the resulting string will
                neither contain control characters, escape sequences nor
                any other replacement character like space.

FILES
    /etc/rsyslog.conf
        Configuration file for rsyslogd

SEE ALSO
    rsyslogd(8), logger(1), syslog(3)

    The complete documentation can be found in the doc folder of the
    rsyslog distribution or online at

------------------------------

You can use Webmin to view rsyslogd files. You will have to configure the
System Logs module to use rsyslog rather than the defaults, which search
for the non-existent 'syslog'.
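The property-based filter syntax described under FILTER CONDITIONS, as an added example that is not part of the man page and not rsyslog's own code: a small Python evaluator for ":property, [!]compare-operation, "value"" lines, run over a few constructed sample messages. It assumes Python's re module for the regex operation (rsyslogd uses the C library's POSIX regex) and represents a message as a dict keyed by the property names listed under PROPERTY REPLACER; the case-sensitivity rule from the man page ("msg" works, "MSG" is an invalid property name) shows up as a KeyError.

```python
import re

# Constructed sample messages (not from the man page); keys are rsyslog property names.
SAMPLE_MESSAGES = [
    {"HOSTNAME": "dialhost", "syslogtag": "named[12345]:", "msg": " zone example.test loaded"},
    {"HOSTNAME": "web01", "syslogtag": "sshd[2222]:", "msg": " Failed password for invalid user admin"},
    {"HOSTNAME": "web01", "syslogtag": "cron[77]:", "msg": " (root) CMD (run-parts /etc/cron.hourly)"},
]

# Colon in column 0, then property, optional "!", compare-operation and a quoted
# value; spaces and tabs are allowed around the commas, as the man page says.
FILTER_RE = re.compile(
    r'^:[ \t]*([A-Za-z$][A-Za-z-]*)[ \t]*,[ \t]*(!?)[ \t]*([a-z]+)[ \t]*,[ \t]*"([^"]*)"[ \t]*$'
)
COMPARE_OPS = ("contains", "isequal", "startswith", "regex")


def parse_filter(line):
    """Split a property-based filter line into (property, negated, operation, value).
    Property names and compare operations are case-sensitive."""
    m = FILTER_RE.match(line)
    if not m:
        raise ValueError(f"not a property-based filter line: {line!r}")
    prop, bang, op, value = m.groups()
    if op not in COMPARE_OPS:
        raise ValueError(f"unknown compare-operation: {op}")
    return prop, bang == "!", op, value


def matches(filter_line, message):
    """Evaluate one filter line against one message (a dict of properties)."""
    prop, negated, op, value = parse_filter(filter_line)
    if prop not in message:
        raise KeyError(f"invalid property name: {prop}")  # e.g. "MSG" instead of "msg"
    text = message[prop]
    if op == "contains":
        hit = value in text
    elif op == "isequal":
        hit = text == value
    elif op == "startswith":
        hit = text.startswith(value)
    else:  # regex; assumption: Python re stands in for the POSIX regex rsyslogd uses
        hit = re.search(value, text) is not None
    return hit != negated


def select(filter_line, messages):
    """Return the messages a rule with this filter would hand to its action."""
    return [m for m in messages if matches(filter_line, m)]


if __name__ == "__main__":
    for line in (':msg, contains, "Failed password"', ':HOSTNAME, !isequal, "web01"'):
        print(line, "->", [m["syslogtag"] for m in select(line, SAMPLE_MESSAGES)])
```

A filter line of this shape is what precedes the action (for instance the discard tilde) on a rule line, so the evaluator above is the decision a rule makes before its action ever runs.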
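The property replacer (fromChar/toChar positions, the "R" regex form with its "--end" marker, "F" field extraction and the property options) together with the sql/stdsql template options from the TEMPLATES section, as one added example that is not part of the man page and not rsyslog's own code: a Python reference implementation of template expansion over a constructed sample message. Assumptions: Python's re stands in for POSIX regex; several property options may be listed separated by commas; date-mysql produces MySQL's compact YYYYMMDDHHMMSS form; date-rfc3164 and date-rfc3339 are left out. The point to watch is that sql/stdsql escaping is applied to each field and never to the literal template text, and that a database template without one of those options is refused, which is the check the man page says the database writer performs.

```python
import re
from datetime import datetime

# Constructed sample message (not from the man page); timegenerated is kept as a
# datetime so that the date-mysql option has something to format.
SAMPLE = {
    "HOSTNAME": "web01",
    "msg": " user o'brien\tlogged in\tfrom 10.0.0.5\n",
    "iut": "1",
    "timegenerated": datetime(2024, 1, 2, 3, 4, 5),
}
CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")  # ASCII 127 and everything below 32
LITERAL_RE = re.compile(r"(?:\\.|[^%\\])*", re.S)  # literal text up to the next %

# Property options from the man page (assumption: several may be listed, comma-separated).
PROPERTY_OPTIONS = {
    "uppercase": str.upper,
    "lowercase": str.lower,
    "drop-last-lf": lambda v: v[:-1] if v.endswith("\n") else v,
    "escape-cc": lambda v: CONTROL_CHARS.sub(lambda m: "#%03d" % ord(m.group(0)), v),
    "drop-cc": lambda v: CONTROL_CHARS.sub("", v),
    "date-mysql": lambda v: v.strftime("%Y%m%d%H%M%S"),  # assumption: MySQL compact form
}

def _unescape(ch):
    # \% and \\ give the literal character, \n a newline, \<digit> that ASCII value (\7 = bell), \r a CR
    return chr(int(ch)) if ch.isdigit() else {"n": "\n", "r": "\r"}.get(ch, ch)

def _read(text, i, stops):
    # Return (text[i:j], j) where text[j] is the first character found in stops.
    j = i
    while j < len(text) and text[j] not in stops:
        j += 1
    if j == len(text):
        raise ValueError("unterminated property reference in template")
    return text[i:j], j

def parse_template(text):
    # Tokenise into literal strings and (propname, fromChar, toChar, options) tuples.
    tokens, i = [], 0
    while i < len(text):
        lit = LITERAL_RE.match(text, i).group(0)
        if lit:
            tokens.append(re.sub(r"\\(.)", lambda m: _unescape(m.group(1)), lit, flags=re.S))
            i += len(lit)
            continue
        name, i = _read(text, i + 1, ":%")  # text[i] is the opening %
        frm = to = opts = ""
        if text[i] == ":":
            frm, i = _read(text, i + 1, ":")
            if frm.startswith("R"):  # the regex runs up to the literal "--end" marker
                end = text.index("--end", i + 1)
                to, i = text[i + 1:end], end + len("--end")
            else:
                to, i = _read(text, i + 1, ":%")
            if i < len(text) and text[i] == ":":
                opts, i = _read(text, i + 1, "%")
        if i >= len(text) or text[i] != "%":
            raise ValueError("property reference not closed by %")
        tokens.append((name, frm, to, opts.lower()))
        i += 1
    return tokens

def extract(value, frm, to):
    # fromChar/toChar: 1-based substring ("$" = up to the end), "R" = the part that
    # matches the regex in toChar, "F[,delim]" = field number, TAB being the default.
    if frm.startswith("R"):
        m = re.search(to, value)  # assumption: Python re stands in for POSIX regex
        return m.group(0) if m else ""
    if frm.startswith("F"):
        fields = value.split(chr(int(frm[2:])) if frm.startswith("F,") else "\t")
        if not 1 <= int(to) <= len(fields):  # field zero or too high: "field not found"
            raise ValueError("field not found")
        return fields[int(to) - 1]
    return value[(int(frm) if frm else 1) - 1:len(value) if to in ("", "$") else int(to)]

def escape_field(value, template_opt):
    # sql: MySQL with NO_BACKSLASH_ESCAPES off (backslash-escape quote and backslash);
    # stdsql: standards-compliant server (double the quote); anything else disables the write.
    if template_opt == "sql":
        return value.replace("\\", "\\\\").replace("'", "\\'")
    if template_opt == "stdsql":
        return value.replace("'", "''")
    raise ValueError("write database action disabled: template lacks sql/stdsql")

def render(text, message, template_opt=None):
    # With a template option every field, never the literal text, is escaped.
    out = []
    for tok in parse_template(text):
        if isinstance(tok, tuple):
            name, frm, to, opts = tok
            raw = message[name]  # unknown name -> KeyError, an invalid property name
            value = raw if isinstance(raw, datetime) else extract(raw, frm, to)
            for opt in filter(None, opts.split(",")):
                value = PROPERTY_OPTIONS[opt](value)
            tok = escape_field(str(value), template_opt) if template_opt else str(value)
        out.append(tok)
    return "".join(out)
```

Rendering the page's MySQLInsert template over the sample message gives O\'BRIEN with the sql option and O''BRIEN with stdsql; choosing the form that does not match the server's NO_BACKSLASH_ESCAPES setting is exactly the case the man page warns still leaves the statement open to injection.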
