Unix/Linux Go Back    


Linux 2.6 - man page for rsyslogd (linux section 8)

Linux & Unix Commands - Search Man Pages
Man Page or Keyword Search:   man
Select Man Page Set:       apropos Keyword Search (sections above)


RSYSLOGD(8)			   Linux System Administration			      RSYSLOGD(8)

NAME
       rsyslogd - reliable and extended syslogd

SYNOPSIS
       rsyslogd [ -4 ] [ -6 ] [ -A ] [ -d ] [ -f config file ]
       [ -i pid file ] [ -l hostlist ] [ -n ] [ -N level ]
       [ -q ] [ -Q ] [ -s domainlist ] [ -u userlevel ] [ -v ] [ -w ] [ -x ]

DESCRIPTION
       Rsyslogd  is  a	system	utility  providing  support for message logging.  Support of both
       internet and unix domain sockets enables this utility to support  both  local  and  remote
       logging.

       Note that this version of rsyslog ships with extensive documentation in html format.  This
       is provided in the ./doc subdirectory and probably in a separate package if you	installed
       rsyslog	via  a packaging system.  To use rsyslog's advanced features, you need to look at
       the html documentation, because the man pages only cover basic aspects of operation.   For
       details and configuration examples, see the rsyslog.conf (5) man page and the online docu-
       mentation at http://www.rsyslog.com/doc

       Rsyslogd(8) is derived from the sysklogd package which in turn is derived from  the  stock
       BSD sources.

       Rsyslogd  provides  a kind of logging that many modern programs use.  Every logged message
       contains at least a time and a hostname field, normally a program  name	field,	too,  but
       that depends on how trusty the logging program is. The rsyslog package supports free defi-
       nition of output formats via templates. It also supports precise  timestamps  and  writing
       directly to databases. If the database option is used, tools like phpLogCon can be used to
       view the log data.

       While the rsyslogd sources have been heavily modified a couple  of  notes  are  in  order.
       First  of  all  there  has  been  a systematic attempt to ensure that rsyslogd follows its
       default, standard BSD behavior. Of course, some configuration file changes  are	necessary
       in  order  to support the template system. However, rsyslogd should be able to use a stan-
       dard syslog.conf and act like the original syslogd. However, an original syslogd will  not
       work correctly with a rsyslog-enhanced configuration file. At best, it will generate funny
       looking file names.  The second important concept to note is that this version of rsyslogd
       interacts  transparently with the version of syslog found in the standard libraries.  If a
       binary linked to the standard shared libraries fails to function correctly we  would  like
       an example of the anomalous behavior.

       The  main  configuration  file /etc/rsyslog.conf or an alternative file, given with the -f
       option, is read at startup.  Any lines that begin with the hash	mark  (``#'')  and  empty
       lines  are ignored.  If an error occurs during parsing the error element is ignored. It is
       tried to parse the rest of the line.

OPTIONS
       Note that in version 3 of rsyslog a number of command line options  have  been  deprecated
       and  replaced with config file directives. The -c option controls the backward compatibil-
       ity mode in use.

       -A     When sending UDP messages, there are potentially multiple paths to the target  des-
	      tination.  By  default, rsyslogd only sends to the first target it can successfully
	      send to. If -A is given, messages are sent to all targets. This may improve  relia-
	      bility,  but may also cause message duplication. This option should be enabled only
	      if it is fully understood.

       -4     Causes rsyslogd to listen to IPv4 addresses only.  If neither -4 nor -6  is  given,
	      rsyslogd listens to all configured addresses of the system.

       -6     Causes  rsyslogd	to listen to IPv6 addresses only.  If neither -4 nor -6 is given,
	      rsyslogd listens to all configured addresses of the system.

       -c version
	      Selects the desired backward compatibility mode. It must always be the first option
	      on  the  command line, as it influences processing of the other options. To use the
	      rsyslog v3 native interface, specify -c3. To use compatibility mode , either do not
	      use -c at all or use -c<version> where version is the rsyslog version that it shall
	      be compatible with. Using -c0  tells  rsyslog  to  be  command-line  compatible  to
	      sysklogd,  which	is  the  default  if  -c is not given.	Please note that rsyslogd
	      issues warning messages if the -c3 command line option is not given.   This  is  to
	      alert  you  that	your are running in compatibility mode. Compatibility mode inter-
	      feres with your rsyslog.conf commands and may cause some undesired side-effects. It
	      is meant to be used with a plain old rsyslog.conf - if you use new features, things
	      become messy. So the best advice is to work through  this  document,  convert  your
	      options and config file and then use rsyslog in native mode. In order to aid you in
	      this process, rsyslog logs every compatibility-mode config file  directive  it  has
	      generated. So you can simply copy them from your logfile and paste them to the con-
	      fig.

       -d     Turns on debug mode.  Using this the daemon will	not  proceed  a  fork(2)  to  set
	      itself  in  the  background,  but opposite to that stay in the foreground and write
	      much debug information on the current tty.  See  the  DEBUGGING  section	for  more
	      information.

       -f config file
	      Specify  an  alternative	configuration file instead of /etc/rsyslog.conf, which is
	      the default.

       -i pid file
	      Specify an alternative pid file instead of the default one.  This  option  must  be
	      used if multiple instances of rsyslogd should run on a single machine.

       -l hostlist
	      Specify  a hostname that should be logged only with its simple hostname and not the
	      fqdn.  Multiple hosts may be specified using the colon (``:'') separator.

       -n     Avoid auto-backgrounding.  This is needed especially if the rsyslogd is started and
	      controlled by init(8).

       -N  level
	      Do  a  coNfig check. Do NOT run in regular mode, just check configuration file cor-
	      rectness.  This option is meant to verify a config file. To  do  so,  run  rsyslogd
	      interactively  in  foreground, specifying -f <config-file> and -N level.	The level
	      argument modifies behaviour. Currently, 0 is the same  as  not  specifying  the  -N
	      option  at  all  (so  this  makes limited sense) and 1 actually activates the code.
	      Later, higher levels will mean more  verbosity  (this  is  a  forward-compatibility
	      option).	rsyslogd is started and controlled by init(8).

       -q add hostname if DNS fails during ACL processing
	      During  ACL processing, hostnames are resolved to IP addresses for performance rea-
	      sons. If DNS fails during that process, the hostname is  added  as  wildcard  text,
	      which results in proper, but somewhat slower operation once DNS is up again.

       -Q do not resolve hostnames during ACL processing
	      Do not resolve hostnames to IP addresses during ACL processing.

       -s domainlist
	      Specify  a domainname that should be stripped off before logging.  Multiple domains
	      may be specified using the colon (``:'') separator.  Please be advised that no sub-
	      domains  may  be	specified but only entire domains.  For example if -s north.de is
	      specified and the host logging resolves to satu.infodrom.north.de no  domain  would
	      be cut, you will have to specify two domains like: -s north.de:infodrom.north.de.

       -u userlevel
	      This is a "catch all" option for some very seldomly-used user settings.  The "user-
	      level" variable selects multiple things. Add the specific values to  get	the  com-
	      bined  effect  of  them.	A value of 1 prevents rsyslogd from parsing hostnames and
	      tags inside messages.  A value of 2 prevents rsyslogd from  changing  to	the  root
	      directory.  This	is  almost  never  a good idea in production use. This option was
	      introduced in support of the internal testbed.  To combine these two features,  use
	      a  userlevel of 3 (1+2). Whenever you use an -u option, make sure you really under-
	      stand what you do and why you do it.

       -v     Print version and exit.

       -w     Suppress warnings issued when messages are received  from  non-authorized  machines
	      (those, that are in no AllowedSender list).

       -x     Disable DNS for remote messages.

SIGNALS
       Rsyslogd  reacts  to a set of signals.  You may easily send a signal to rsyslogd using the
       following:

	      kill -SIGNAL $(cat /var/run/rsyslogd.pid)

       Note that -SIGNAL must be replaced with the actual signal you are  trying  to  send,  e.g.
       with HUP. So it then becomes:

	      kill -HUP $(cat /var/run/rsyslogd.pid)

       HUP    This  lets  rsyslogd perform close all open files.  Also, in v3 a full restart will
	      be done in order to read changed configuration files.  Note that this means a  full
	      rsyslogd	restart  is  done.  This  has, among others, the consequence that TCP and
	      other connections are torn down. Also, if  any  queues  are  not	running  in  disk
	      assisted	mode or are not set to persist data on shutdown, queue data is lost. HUP-
	      ing rsyslogd is an extremely expensive operation and should only be done when actu-
	      ally  necessary. Actually, it is a rsyslgod stop immediately followed by a restart.
	      Future versions will remove this restart functionality of HUP (it will go  away  in
	      v5). So it is advised to use HUP only for closing files, and a "real restart" (e.g.
	      /etc/rc.d/rsyslogd restart) to activate configuration changes.

       TERM ,  INT ,  QUIT
	      Rsyslogd will die.

       USR1   Switch debugging on/off.	This option can only be used if rsyslogd is started  with
	      the -d debug option.

       CHLD   Wait for childs if some were born, because of wall'ing messages.

SECURITY THREATS
       There  is  the  potential  for the rsyslogd daemon to be used as a conduit for a denial of
       service attack.	A rogue program(mer) could very easily flood  the  rsyslogd  daemon  with
       syslog  messages  resulting  in	the  log  files  consuming all the remaining space on the
       filesystem.  Activating logging over the inet domain sockets will of course expose a  sys-
       tem to risks outside of programs or individuals on the local machine.

       There are a number of methods of protecting a machine:

       1.     Implement  kernel  firewalling  to limit which hosts or networks have access to the
	      514/UDP socket.

       2.     Logging can be directed to an isolated or non-root  filesystem  which,  if  filled,
	      will not impair the machine.

       3.     The ext2 filesystem can be used which can be configured to limit a certain percent-
	      age of a filesystem to usage by root only.  NOTE that this will require rsyslogd to
	      be  run  as  a  non-root process.  ALSO NOTE that this will prevent usage of remote
	      logging on the default port since rsyslogd will be unable to bind  to  the  514/UDP
	      socket.

       4.     Disabling inet domain sockets will limit risk to the local machine.

   Message replay and spoofing
       If  remote  logging  is enabled, messages can easily be spoofed and replayed.  As the mes-
       sages are transmitted in clear-text, an attacker might use the information  obtained  from
       the  packets  for  malicious  things.  Also, an attacker might replay recorded messages or
       spoof a sender's IP address, which could lead to a wrong perception  of	system	activity.
       These  can  be  prevented by using GSS-API authentication and encryption. Be sure to think
       about syslog network security before enabling it.

DEBUGGING
       When debugging is turned on using -d option then rsyslogd will be very verbose by  writing
       much of what it does on stdout.

FILES
       /etc/rsyslog.conf
	      Configuration file for rsyslogd.	See rsyslog.conf(5) for exact information.
       /dev/log
	      The Unix domain socket to from where local syslog messages are read.
       /var/run/rsyslogd.pid
	      The file containing the process id of rsyslogd.
       prefix/lib/rsyslog
	      Default  directory for rsyslogd modules. The prefix is specified during compilation
	      (e.g. /usr/local).
ENVIRONMENT
       RSYSLOG_DEBUG
	      Controls runtime debug support.It contains an  option  string  with  the	following
	      options possible (all are case insensitive):

	      LogFuncFlow
		     Print out the logical flow of functions (entering and exiting them)
	      FileTrace
		     Specifies which files to trace LogFuncFlow. If not set (the default), a Log-
		     FuncFlow trace is provided for all files. Set to limit it to the files spec-
		     ified.FileTrace  may be specified multiple times, one file each (e.g. export
		     RSYSLOG_DEBUG="LogFuncFlow FileTrace=vm.c FileTrace=expr.c"
	      PrintFuncDB
		     Print the content of the debug function database whenever debug  information
		     is printed (e.g. abort case)!
	      PrintAllDebugInfoOnExit
		     Print all debug information immediately before rsyslogd exits (currently not
		     implemented!)
	      PrintMutexAction
		     Print mutex action as it happens. Useful for finding deadlocks and such.
	      NoLogTimeStamp
		     Do not prefix log lines with a timestamp (default is to do that).
	      NoStdOut
		     Do not emit debug messages to stdout. If RSYSLOG_DEBUGLOG is not  set,  this
		     means no messages will be displayed at all.
	      Help   Display  a very short list of commands - hopefully a life saver if you can't
		     access the documentation...

       RSYSLOG_DEBUGLOG
	      If set, writes (almost) all debug message to the specified log file in addition  to
	      stdout.
       RSYSLOG_MODDIR
	      Provides the default directory in which loadable modules reside.

BUGS
       Please review the file BUGS for up-to-date information on known bugs and annoyances.

Further Information
       Please  visit  http://www.rsyslog.com/doc for additional information, tutorials and a sup-
       port forum.

SEE ALSO
       rsyslog.conf(5), logger(1), syslog(2), syslog(3), services(5), savelog(8)

COLLABORATORS
       rsyslogd is derived from sysklogd sources, which in turn was taken from the  BSD  sources.
       Special	 thanks   to   Greg   Wettstein   (greg@wind.enjellic.com)   and  Martin  Schulze
       (joey@linux.de) for the fine sysklogd package.

       Rainer Gerhards
       Adiscon GmbH
       Grossrinderfeld, Germany
       rgerhards@adiscon.com

Version 3.21.1				   29 July 2008 			      RSYSLOGD(8)
Unix & Linux Commands & Man Pages : ©2000 - 2018 Unix and Linux Forums


All times are GMT -4. The time now is 06:39 PM.