Regularfile¶

Typically messages are logged to real files. The file has to be specified with full pathname,beginning with a slash ('/').

Example:

Note: if you would like to use high-precision timestamps in your log files,just remove the ";RSYSLOG_TraditionalFormat". That will select the defaulttemplate, which, if not changed, uses RFC 3339 timestamps.

Example:

By default, files are not synced after each write. To enable syncingof log files globally, use either the "$ActionFileEnableSync"directive or the "sync" parameter to omfile. Enabling this optiondegrades performance and it is advised not to enable syncing unlessyou know what you are doing.To selectively disable syncing for certain files, you may prefix thefile path with a minus sign ("-").

Namedpipes¶

This version of rsyslogd(8) has support for logging output to named pipes (fifos). A fifo ornamed pipe can be used as a destination for log messages by prepending a pipe symbol ('|')to the name of the file. This is handy for debugging. Note that the fifo must be created withthe mkfifo(1) command before rsyslogd(8) is started.

Terminalandconsole¶

If the file you specified is a tty, special tty-handling is done, same with /dev/console.

Remotemachine¶

There are three ways to forward message: the traditional UDP transport, which is extremelylossy but standard, the plain TCP based transport which loses messages only during certainsituations but is widely available and the RELP transport which does not lose messagesbut is currently available only as part of rsyslogd 3.15.0 and above.

To forward messages to another host via UDP, prepend the hostname with the at sign ("@").To forward it via plain tcp, prepend two at signs ("@@"). To forward via RELP, prepend thestring ":omrelp:" in front of the hostname.

Example:

In the example above, messages are forwarded via UDP to the machine 192.168.0.1, the destinationport defaults to 514. Due to the nature of UDP, you will probably lose some messages in transit.If you expect high traffic volume, you can expect to lose a quite noticeable number of messages(the higher the traffic, the more likely and severe is message loss).

Sockets for forwarded messages can be bound to a specific device using the "device" option forthe omfwd module.

Example:

In the example above, messages are forwarded via UDP to the machine 192.168.0.1 at port 514 overthe device eth0. TCP can be used by setting Protocol to "tcp" in the above example.

For Linux with VRF support, the device option is used to specify the VRF to send messages.

If you would like to prevent message loss, use RELP:

Note that a port number was given as there is no standard port for relp.

Keep in mind that you need to load the correct input and output plugins (see "Modules" above).

Please note that rsyslogd offers a variety of options in regarding to remoteforwarding. For full details, please see the HTML documentation.

Listofusers¶

Usually critical messages are also directed to ``root'' on that machine. Youcan specify a listof users that shall get the message by simply writing ":omusrmsg:" followedby the login name. You may specify more than oneuser by separating them with commas (','). If they're logged in theyget the message (for example: ":omusrmsg:root,user1,user2").

Everyoneloggedon¶

Emergency messages often go to all users currently online to notify them that something strangeis happening with the system. To specify this wall(1)-feature use an ":omusrmsg:*".

Databasetable¶

This allows logging of the message to a database table.By default, a MonitorWare-compatible schema is required for this to work. You cancreate that schema with the createDB.SQL file that came with the rsyslog package. You can alsouse any other schema of your liking - you just need to define a proper template and assign thistemplate to the action.

See the HTML documentation for further details on database logging.

Discard¶

If the discard action is carried out, the received message is immediately discarded. Discardcan be highly effective if you want to filter out some annoying messages that otherwise wouldfill your log files. To do that, place the discard actions early in your log files.This often plays well with property-based filters, giving you great freedom in specifyingwhat you do not want.

Discard is just the single 'stop' command with no further parameters.

Example:

Outputchannel¶

Binds an output channel definition (see there for details) to this action. Output channel actionsmust start with a $-sign, e.g. if you would like to bind your output channel definition "mychannel"to the action, use "$mychannel". Output channels support template definitions like all all otheractions.

Shellexecute¶

This executes a program in a subshell. The program is passed the template-generated message as theonly command line parameter. Rsyslog waits until the program terminates and only then continues to run.

Example:

The program-to-execute can be any valid executable. It receives the template string as a single parameter(argv[1]).

Selectors¶

Selectors are the traditional way of filtering syslog messages.They have been kept in rsyslog with their original syntax, because it is well-known, highlyeffective and also needed for compatibility with stock syslogd configuration files. If you justneed to filter based on priority and facility, you should do this with selector lines. They arenot second-class citizens in rsyslog and offer the best performance for this job.

Property-BasedFilters¶

Property-based filters are unique to rsyslogd. They allow one to filter on any property, like HOSTNAME,syslogtag and msg.

A property-based filter must start with a colon in column 0. This tells rsyslogd that it is the newfilter type. The colon must be followed by the property name, a comma, the name of the compareoperation to carry out, another comma and then the value to compare against. This value must be quoted.There can be spaces and tabs between the commas. Property names and compare operations arecase-sensitive, so "msg" works, while "MSG" is an invalid property name. In brief, the syntax is as follows:

The following compare-operations are currently supported:

Expression-BasedFilters¶

See the HTML documentation for this feature.

Templateoptions¶

The <options> part is optional. It carries options influencing the template as whole.See details below. Be sure NOT to mistake template options with property options - thelater ones are processed by the property replacer and apply to a SINGLE property, only(and not the whole template).

Template options are case-insensitive. Currently defined are:

Either thesqlorstdsqloptionMUSTbe specified when a template is used for writing to a database,otherwise injection might occur. Please note that due to the unfortunate factthat several vendors have violated the sql standard and introduced their ownescape methods, it is impossible to have a single option doing all the work.So you yourself must make sure you are using the right format.If you choose the wrong one, you are still vulnerable to sql injection.

Please note that the database writer *checks* that the sql option is presentin the template. If it is not present, the write database action is disabled.This is to guard you against accidental forgetting it and then becomingvulnerable to SQL injection. The sql option can also be useful with files -especially if you want to import them into a database on another machine forperformance reasons. However, do NOT use it if you do not have a real need forit - among others, it takes some toll on the processing time. Not much, but ona really busy system you might notice it ;)

The default template for the write to database action has the sql option set.

Templateexamples¶

Please note that the samples are split across multiple lines. A template MUSTNOT actually be split across multiple lines.

A template that resembles traditional syslogd file output:

A template that tells you a little more about the message:

A template for RFC 3164 format:

A template for the format traditionally used for user messages:

And a template with the traditional wall-message format:

A template that can be used for writing to a database (please note the SQL template option)

AccessingProperties¶

Syslog message properties are used inside templates. They are accessed by putting them betweenpercent signs. Properties can be modified by the property replacer. The full syntax is as follows:

propname is the name of the property to access.It is case-sensitive.

AvailableProperties¶

msg

the MSG part of the message (aka "the message" ;))

rawmsg

the message exactly as it was received from the socket. Should be useful for debugging.

HOSTNAME

hostname from the message

FROMHOST

hostname of the system the message was received from (in a relay chain, this is the system immediatelyin front of us and not necessarily the original sender)

syslogtag

TAG from the message

programname

the "static" part of the tag, as defined by BSD syslogd. For example, when TAG is "named[12345]",programname is "named".

PRI

PRI part of the message - undecoded (single value)

PRI-text

the PRI part of the message in a textual form (e.g. "syslog.info")

IUT

the monitorware InfoUnitType - used when talking to a MonitorWare backend (also for phpLogCon)

syslogfacility

the facility from the message - in numerical form

syslogfacility-text

the facility from the message - in text form

syslogseverity

severity from the message - in numerical form

syslogseverity-text

severity from the message - in text form

timegenerated

timestamp when the message was RECEIVED. Always in high resolution

timereported

timestamp from the message. Resolution depends on what was provided in the message (in most cases, only seconds)

TIMESTAMP

alias for timereported

PROTOCOL-VERSION

The contents of the PROTOCOL-VERSION field from IETF draft draft-ietf-syslog-protocol

STRUCTURED-DATA

The contents of the STRUCTURED-DATA field from IETF draft draft-ietf-syslog-protocol

APP-NAME

The contents of the APP-NAME field from IETF draft draft-ietf-syslog-protocol

PROCID

The contents of the PROCID field from IETF draft draft-ietf-syslog-protocol

MSGID

The contents of the MSGID field from IETF draft draft-ietf-syslog-protocol

$NOW

The current date stamp in the format YYYY-MM-DD

$YEAR

The current year (4-digit)

$MONTH

The current month (2-digit)

$DAY

The current day of the month (2-digit)

$HOUR

The current hour in military (24 hour) time (2-digit)

$MINUTE

The current minute (2-digit)

Properties starting with a $-sign are so-called system properties. These do NOT stem from themessage but are rather internally-generated.

CharacterPositions¶

FromChar and toChar are used to build substrings. They specify the offset within the string thatshould be copied. Offset counting starts at 1, so if you need to obtain the first 2 characters ofthe message text, you can use this syntax: "%msg:1:2%". If you do not wish to specify from and to,but you want to specify options, you still need to include the colons. For example, if you wouldlike to convert the full message text to lower case, use "%msg:::lowercase%". If you would like toextract from a position until the end of the string, you can place a dollar-sign ("$") in toChar(e.g. %msg:10:$%, which will extract from position 10 to the end of the string).

There is also support forregular expressions.To use them, you need to place a "R" into FromChar.This tells rsyslog that a regular expression instead of position-based extraction is desired. Theactual regular expressionmustthen be provided in toChar. The regular expression must be followedby the string "--end". It denotes the end of the regular expression and will not become part of it.If you are using regular expressions, the property replacer will return the part of the property textthat matches the regular expression. An example for a property replacer sequence with a regularexpression is: "%msg:R:.*Sev:. \(.*\) \[.*--end%"

Also, extraction can be done based on so-called "fields". To do so, place a "F" into FromChar. A fieldin its current definition is anything that is delimited by a delimiter character. The delimiter bydefault is TAB (US-ASCII value 9). However, if can be changed to any other US-ASCII character byspecifying a comma and the decimal US-ASCII value of the delimiter immediately after the "F". For example,to use comma (",") as a delimiter, use this field specifier: "F,44". If your syslog data is delimited,this is a quicker way to extract than via regular expressions (actually, a *much* quicker way). Fieldcounting starts at 1. Field zero is accepted, but will always lead to a "field not found" error. The samehappens if a field number higher than the number of fields in the property is requested. The field numbermust be placed in the "ToChar" parameter. An example where the 3rd field (delimited by TAB) from the msgproperty is extracted is as follows: "%msg:F:3%". The same example with semicolon as delimiter is"%msg:F,59:3%".

Please note that the special characters "F" and "R" are case-sensitive. Only upper case works, lower casewill return an error. There are no white spaces permitted inside the sequence (that will lead to errormessages and will NOT provide the intended result).

PropertyOptions¶

Property options are case-insensitive. Currently, the following options are defined:

uppercase

convert property to lowercase only

lowercase

convert property text to uppercase only

drop-last-lf

The last LF in the message (if any), is dropped. Especially useful for PIX.

date-mysql

format as mysql date

date-rfc3164

format as RFC 3164 date

date-rfc3339

format as RFC 3339 date

escape-cc

replace control characters (ASCII value 127 and values less then 32) with an escape sequence. The sequence is "#<charval>" where charval is the 3-digit decimal value of the control character. For example, a tabulator would be replaced by "#009".

space-cc

replace control characters by spaces

drop-cc

drop control characters - the resulting string will neither contain control characters, escape sequences nor any other replacement character like space.