From 08beb9f3e2988429bf02a63ece3efe996a152459 Mon Sep 17 00:00:00 2001 From: Satoru SATOH Date: Tue, 19 Aug 2008 18:38:35 +0900 Subject: [PATCH] man-i18n: add docbook xml sources for man files --- man/C/rsyslog.conf.5.xml | 1020 +++++++++++++++++++++++++++++++++++++++++++++ man/C/rsyslogd.8.xml | 667 +++++++++++++++++++++++++++++ man/ja/rsyslog.conf.5.xml | 1020 +++++++++++++++++++++++++++++++++++++++++++++ man/ja/rsyslogd.8.xml | 667 +++++++++++++++++++++++++++++ 4 files changed, 3374 insertions(+), 0 deletions(-) create mode 100644 man/C/rsyslog.conf.5.xml create mode 100644 man/C/rsyslogd.8.xml create mode 100644 man/ja/rsyslog.conf.5.xml create mode 100644 man/ja/rsyslogd.8.xml diff --git a/man/C/rsyslog.conf.5.xml b/man/C/rsyslog.conf.5.xml new file mode 100644 index 0000000..78aece6 --- /dev/null +++ b/man/C/rsyslog.conf.5.xml @@ -0,0 +1,1020 @@ + + + + + + + + + + + + + + + + + + + + + + + + 11 July 2008 + + + RSYSLOG.CONF + 5 + 11 July 2008 + Version 3.18.0 + Linux System Administration + + + rsyslog.conf + rsyslogd(8) configuration file + + + + DESCRIPTION + The +rsyslog.conf +file is the main configuration file for the +rsyslogd8 +which logs system messages on *nix systems. This file specifies rules +for logging. For special features see the +rsyslogd8 +manpage. Rsyslog.conf is backward-compatible with sysklogd's syslog.conf file. So if you migrate +from sysklogd you can rename it and it should work. + Note that this version of rsyslog ships with extensive documentation in html format. +This is provided in the ./doc subdirectory and probably +in a separate package if you installed rsyslog via a packaging system. +To use rsyslog's advanced features, you +need +to look at the html documentation, because the man pages only cover +basic aspects of operation. + + + MODULES + Rsyslog has a modular design. Consequently, there is a growing number +of modules. See the html documentation for their full description. + + + + omsnmp + + + SNMP trap output module + + + + + omgssapi + + + Output module for GSS-enabled syslog + + + + + ommysql + + + Output module for MySQL + + + + + omrelp + + + Output module for the reliable RELP protocol (prevents message loss). +For details, see below at imrelp and the html documentation. +It can be used like this: + + + + *.* :omrelp:server:port + *.* :omrelp:192.168.0.1:2514 # actual sample + + + + ompgsql + + + Output module for PostgreSQL + + + + + omlibdbi + + + Generic database output module (Firebird/Interbase, MS SQL, Sybase, +SQLite, Ingres, Oracle, mSQL) + + + + + imfile + + + Input module for text files + + + + + imudp + + + Input plugin for UDP syslog. Replaces the deprecated -r option. Can be +used like this: + + + + $ModLoad imudp + $InputUDPServerRun 514 + + + + imtcp + + + Input plugin for plain TCP syslog. Replaces the deprecated -t +option. Can be used like this: + + + + $ModLoad imtcp + $InputTCPServerRun 514 + + + + imtcp + + + Input plugin for the RELP protocol. RELP can be used instead +of UDP or plain TCP syslog to provide reliable delivery of +syslog messages. Please note that plain TCP syslog does NOT +provide truly reliable delivery, with it messages may be lost +when there is a connection problem or the server shuts down. +RELP prevents message loss in those cases. +It can be used like this: + + + + $ModLoad imrelp + $InputRELPServerRun 2514 + + + + imgssapi + + + Input plugin for plain TCP and GSS-enable syslog + + + + + immark + + + Support for mark messages + + + + + imklog + + + Kernel logging. To include kernel log messages, you need to do + + + + $ModLoad imklog + Please note that the klogd daemon is no longer necessary and consequently +no longer provided by the rsyslog package. + + + + imuxsock + + + Unix sockets, including the system log socket. You need to specify + + + + $ModLoad imudp + in order to receive log messages from local system processes. This +config directive should only left out if you know exactly what you +are doing. + + + BASIC STRUCTURE + Lines starting with a hash mark ('#') and empty lines are ignored. +Rsyslog.conf should contain following sections (sorted by recommended order in file): + + + Global directives + + Global directives set some global properties of whole rsyslog daemon, for example size of main +message queue ($MainMessageQueueSize), loading external modules ($ModLoad) and so on. +All global directives need to be specified on a line by their own and must start with +a dollar-sign. The complete list of global directives can be found in html documentation in doc +directory or online on web pages. + + + + Templates + + Templates allow you to specify format of the logged message. They are also used for dynamic +file name generation. They have to be defined before they are used in rules. For more info +about templates see TEMPLATES section of this manpage. + + + + Output channels + + Output channels provide an umbrella for any type of output that the user might want. +They have to be defined before they are used in rules. For more info about output channels +see OUTPUT CHANNELS section of this manpage. + + + + Rules (selector + action) + + Every rule line consists of two fields, a selector field and an action field. These +two fields are separated by one or more spaces or tabs. The selector field specifies +a pattern of facilities and priorities belonging to the specified action. + + + + + + ACTIONS + The action field of a rule describes what to do with the message. In general, message content +is written to a kind of "logfile". But also other actions might be done, like writing to a +database table or forwarding to another host. + + Regular file + Typically messages are logged to real files. The file has to be specified with full pathname, +beginning with a slash ('/'). + + Example: + + +*.* /var/log/traditionalfile.log;RSYSLOG_TraditionalFormat # log to a file in the traditional format + + + Note: if you would like to use high-precision timestamps in your log files, +just remove the ";RSYSLOG_TraditionalFormat". That will select the default +template, which, if not changed, uses RFC 3339 timestamps. + + Example: + + +*.* /var/log/file.log # log to a file with RFC3339 timestamps + + + + + Named pipes + This version of rsyslogd(8) has support for logging output to named pipes (fifos). A fifo or +named pipe can be used as a destination for log messages by prepending a pipe symbol ('|') +to the name of the file. This is handy for debugging. Note that the fifo must be created with +the mkfifo(1) command before rsyslogd(8) is started. + + + Terminal and console + If the file you specified is a tty, special tty-handling is done, same with /dev/console. + + + Remote machine + There are three ways to forward message: the traditional UDP transport, which is extremely +lossy but standard, the plain TCP based transport which loses messages only during certain +situations but is widely available and the RELP transport which does not lose messages +but is currently available only as part of rsyslogd 3.15.0 and above. + To forward messages to another host via UDP, prepend the hostname with the at sign ("@"). +To forward it via plain tcp, prepend two at signs ("@@"). To forward via RELP, prepend the +string ":omrelp:" in front of the hostname. + + Example: + + +*.* @192.168.0.1 + + + In the example above, messages are forwarded via UDP to the machine 192.168.0.1, the destination +port defaults to 514. Due to the nature of UDP, you will probably lose some messages in transit. +If you expect high traffic volume, you can expect to lose a quite noticeable number of messages +(the higher the traffic, the more likely and severe is message loss). + + If you would like to prevent message loss, use RELP: + + +*.* :omrelp:192.168.0.1:2514 + + + Note that a port number was given as there is no standard port for relp. + Keep in mind that you need to load the correct input and output plugins (see "Modules" above). + Please note that rsyslogd offers a variety of options in regarding to remote +forwarding. For full details, please see the html documentation. + + + List of users + Usually critical messages are also directed to “root” on that machine. You can specify a list +of users that shall get the message by simply writing the login. You may specify more than one +user by separating them with commas (','). If they're logged in they get the message. Don't +think a mail would be sent, that might be too late. + + + Everyone logged on + Emergency messages often go to all users currently online to notify them that something strange +is happening with the system. To specify this wall(1)-feature use an asterisk ('*'). + + + Database table + This allows logging of the message to a database table. +By default, a MonitorWare-compatible schema is required for this to work. You can +create that schema with the createDB.SQL file that came with the rsyslog package. You can also +use any other schema of your liking - you just need to define a proper template and assign this +template to the action. + See the html documentation for further details on database logging. + + + Discard + If the discard action is carried out, the received message is immediately discarded. Discard +can be highly effective if you want to filter out some annoying messages that otherwise would +fill your log files. To do that, place the discard actions early in your log files. +This often plays well with property-based filters, giving you great freedom in specifying +what you do not want. + Discard is just the single tilde character with no further parameters. + + Example: + + +*.* ~ # discards everything. + + + + + Output channel + Binds an output channel definition (see there for details) to this action. Output channel actions +must start with a $-sign, e.g. if you would like to bind your output channel definition "mychannel" +to the action, use "$mychannel". Output channels support template definitions like all all other +actions. + + + Shell execute + This executes a program in a subshell. The program is passed the template-generated message as the +only command line parameter. Rsyslog waits until the program terminates and only then continues to run. + + Example: + + +^program-to-execute;template + + + The program-to-execute can be any valid executable. It receives the template string as a single parameter +(argv[1]). + + + + FILTER CONDITIONS + Rsyslog offers three different types "filter conditions": + * "traditional" severity and facility based selectors + * property-based filters + * expression-based filters + + Blocks + Rsyslogd supports BSD-style blocks inside rsyslog.conf. Each block of lines is separated from +the previous block by a program or hostname specification. A block will only log messages +corresponding to the most recent program and hostname specifications given. Thus, a block which +selects "ppp" as the program, directly followed by a block that selects messages from the +hostname "dialhost", then the second block will only log messages from the ppp program on dialhost. + + + Selectors + Selectors are the traditional way of filtering syslog messages. +They have been kept in rsyslog with their original syntax, because it is well-known, highly +effective and also needed for compatibility with stock syslogd configuration files. If you just +need to filter based on priority and facility, you should do this with selector lines. They are +not second-class citizens in rsyslog and offer the best performance for this job. + + + Property-Based Filters + Property-based filters are unique to rsyslogd. They allow to filter on any property, like HOSTNAME, +syslogtag and msg. + A property-based filter must start with a colon in column 0. This tells rsyslogd that it is the new +filter type. The colon must be followed by the property name, a comma, the name of the compare +operation to carry out, another comma and then the value to compare against. This value must be quoted. +There can be spaces and tabs between the commas. Property names and compare operations are +case-sensitive, so "msg" works, while "MSG" is an invalid property name. In brief, the syntax is as follows: + +:property, [!]compare-operation, "value" + + + The following compare-operations are currently supported: +
+ + contains + +
+ Checks if the string provided in value is contained in the property + +
+ + + isequal + +
+ Compares the "value" string provided and the property contents. These two values must be exactly equal to match. + +
+ + + startswith + +
+ Checks if the value is found exactly at the beginning of the property value + +
+ + + regex + +
+ Compares the property against the provided regular expression. + +
+ +
+ + + + Expression-Based Filters + See the html documentation for this feature. + + + + TEMPLATES + Every output in rsyslog uses templates - this holds true for files, user +messages and so on. Templates compatible with the stock syslogd +formats are hardcoded into rsyslogd. If no template is specified, we use +one of these hardcoded templates. Search for "template_" in syslogd.c and +you will find the hardcoded ones. + A template consists of a template directive, a name, the actual template text +and optional options. A sample is: +
+ $template MyTemplateName,"\\7Text %property% some more text\\n",<options> + +
+ + The "$template" is the template directive. It tells rsyslog that this line +contains a template. The backslash is an escape character. For example, \7 rings the +bell (this is an ASCII value), \n is a new line. The set in rsyslog is a bit restricted +currently. + All text in the template is used literally, except for things within percent +signs. These are properties and allow you access to the contents of the syslog +message. Properties are accessed via the property replacer and it can for example +pick a substring or do date-specific formatting. More on this is the PROPERTY REPLACER +section of this manpage. + To escape: + % = \­ + \ = \\  '\´ is used to escape (as in C) + $template TraditionalFormat,"%timegenerated% %HOSTNAME% %syslogtag%%msg%\n" + Properties can be accessed by the property replacer (see there for details). + Please note that templates can also by used to generate selector lines with dynamic file names. +For example, if you would like to split syslog messages from different hosts +to different files (one per host), you can define the following template: +
+ $template DynFile,"/var/log/system-%HOSTNAME%.log + +
+ + +This template can then be used when defining an output selector line. It will +result in something like "/var/log/system-localhost.log" + + Template options + The <options> part is optional. It carries options influencing the template as whole. +See details below. Be sure NOT to mistake template options with property options - the +later ones are processed by the property replacer and apply to a SINGLE property, only +(and not the whole template). + Template options are case-insensitive. Currently defined are: +
+ + + sql + + format the string suitable for a SQL statement in MySQL format. This will replace single +quotes ("'") and the backslash character by their backslash-escaped counterpart +("´" and "\") inside each field. Please note that in MySQL configuration, the NO_BACKSLASH_ESCAPES +mode must be turned off for this format to work (this is the default). + + + + stdsql + + format the string suitable for a SQL statement that is to be sent to a standards-compliant +sql server. This will replace single quotes ("'") by two single quotes ("''") inside each field. +You must use stdsql together with MySQL if in MySQL configuration the NO_BACKSLASH_ESCAPES +is turned on. + + + +
+ + Either the +sql +or +stdsql +option +MUST +be specified when a template is used for writing to a database, +otherwise injection might occur. Please note that due to the unfortunate fact +that several vendors have violated the sql standard and introduced their own +escape methods, it is impossible to have a single option doing all the work. +So you yourself must make sure you are using the right format. +If you choose the wrong one, you are still vulnerable to sql injection. + Please note that the database writer *checks* that the sql option is present +in the template. If it is not present, the write database action is disabled. +This is to guard you against accidental forgetting it and then becoming +vulnerable to SQL injection. The sql option can also be useful with files - +especially if you want to import them into a database on another machine for +performance reasons. However, do NOT use it if you do not have a real need for +it - among others, it takes some toll on the processing time. Not much, but on +a really busy system you might notice it ;) + The default template for the write to database action has the sql option set. + + + Template examples + Please note that the samples are split across multiple lines. A template MUST +NOT actually be split across multiple lines. + A template that resembles traditional syslogd file output: +
+ $template TraditionalFormat,"%timegenerated% %HOSTNAME% + %syslogtag%%msg:::drop-last-lf%\n" + +
+ + A template that tells you a little more about the message: +
+ $template precise,"%syslogpriority%,%syslogfacility%,%timegenerated%,%HOSTNAME%, + %syslogtag%,%msg%\n" + +
+ + A template for RFC 3164 format: + + +$template RFC3164fmt,"<%PRI%>%TIMESTAMP% %HOSTNAME% %syslogtag%%msg%" + + + + A template for the format traditionally used for user messages: + + +$template usermsg," XXXX%syslogtag%%msg%\n\r" + + + + And a template with the traditional wall-message format: + + +$template wallmsg,"\r\n\7Message from syslogd@%HOSTNAME% at %timegenerated%" + + + + + A template that can be used for writing to a database (please note the SQL template option) + +
+ + $template MySQLInsert,"insert iut, message, receivedat values +('%iut%', '%msg:::UPPERCASE%', '%timegenerated:::date-mysql%') +into systemevents\r\n", SQL + NOTE 1: This template is embedded into core application under name +StdDBFmt +, so you don't need to define it. + NOTE 2: You have to have MySQL module installed to use this template. + + +
+ + + + + OUTPUT CHANNELS + Output Channels are a new concept first introduced in rsyslog 0.9.0. As of this writing, +it is most likely that they will be replaced by something different in the future. +So if you use them, be prepared to change you configuration file syntax when you upgrade +to a later release. + Output channels are defined via an $outchannel directive. It's syntax is as follows: +
+ $outchannel name,file-name,max-size,action-on-max-size + +
+ + name is the name of the output channel (not the file), file-name is the file name to be +written to, max-size the maximum allowed size and action-on-max-size a command to be issued +when the max size is reached. This command always has exactly one parameter. The binary is +that part of action-on-max-size before the first space, its parameter is everything behind +that space. + Keep in mind that $outchannel just defines a channel with "name". It does not activate it. +To do so, you must use a selector line (see below). That selector line includes the channel +name plus an $ sign in front of it. A sample might be: + + +*.* $mychannel + + + + + + PROPERTY REPLACER + The property replacer is a core component in rsyslogd's output system. A syslog message has +a number of well-defined properties (see below). Each of this properties can be accessed and +manipulated by the property replacer. With it, it is easy to use only part of a property value +or manipulate the value, e.g. by converting all characters to lower case. + + Accessing Properties + Syslog message properties are used inside templates. They are accessed by putting them between +percent signs. Properties can be modified by the property replacer. The full syntax is as follows: +
+ %propname:fromChar:toChar:options% + +
+ + propname is the name of the property to access. +It is case-sensitive. + + + Available Properties + + + + msg + + + the MSG part of the message (aka "the message" ;)) + + + + + rawmsg + + + the message exactly as it was received from the socket. Should be useful for debugging. + + + + + HOSTNAME + + + hostname from the message + + + + + FROMHOST + + + hostname of the system the message was received from (in a relay chain, this is the system immediately +in front of us and not necessarily the original sender) + + + + + syslogtag + + + TAG from the message + + + + + programname + + + the "static" part of the tag, as defined by BSD syslogd. For example, when TAG is "named[12345]", +programname is "named". + + + + + PRI + + + PRI part of the message - undecoded (single value) + + + + + PRI-text + + + the PRI part of the message in a textual form (e.g. "syslog.info") + + + + + IUT + + + the monitorware InfoUnitType - used when talking to a MonitorWare backend (also for phpLogCon) + + + + + syslogfacility + + + the facility from the message - in numerical form + + + + + syslogfacility-text + + + the facility from the message - in text form + + + + + syslogseverity + + + severity from the message - in numerical form + + + + + syslogseverity-text + + + severity from the message - in text form + + + + + timegenerated + + + timestamp when the message was RECEIVED. Always in high resolution + + + + + timereported + + + timestamp from the message. Resolution depends on what was provided in the message (in most cases, only seconds) + + + + + TIMESTAMP + + + alias for timereported + + + + + PROTOCOL-VERSION + + + The contents of the PROTOCOL-VERSION field from IETF draft draft-ietf-syslog-protocol + + + + + STRUCTURED-DATA + + + The contents of the STRUCTURED-DATA field from IETF draft draft-ietf-syslog-protocol + + + + + APP-NAME + + + The contents of the APP-NAME field from IETF draft draft-ietf-syslog-protocol + + + + + PROCID + + + The contents of the PROCID field from IETF draft draft-ietf-syslog-protocol + + + + + MSGID + + + The contents of the MSGID field from IETF draft draft-ietf-syslog-protocol + + + + + $NOW + + + The current date stamp in the format YYYY-MM-DD + + + + + $YEAR + + + The current year (4-digit) + + + + + $MONTH + + + The current month (2-digit) + + + + + $DAY + + + The current day of the month (2-digit) + + + + + $HOUR + + + The current hour in military (24 hour) time (2-digit) + + + + + $MINUTE + + + The current minute (2-digit) + + + + Properties starting with a $-sign are so-called system properties. These do NOT stem from the +message but are rather internally-generated. + + + Character Positions + FromChar and toChar are used to build substrings. They specify the offset within the string that +should be copied. Offset counting starts at 1, so if you need to obtain the first 2 characters of +the message text, you can use this syntax: "%msg:1:2%". If you do not wish to specify from and to, +but you want to specify options, you still need to include the colons. For example, if you would +like to convert the full message text to lower case, use "%msg:::lowercase%". If you would like to +extract from a position until the end of the string, you can place a dollar-sign ("$") in toChar +(e.g. %msg:10:$%, which will extract from position 10 to the end of the string). + There is also support for +regular expressions. +To use them, you need to place a "R" into FromChar. +This tells rsyslog that a regular expression instead of position-based extraction is desired. The +actual regular expression +must +then be provided in toChar. The regular expression must be followed +by the string "--end". It denotes the end of the regular expression and will not become part of it. +If you are using regular expressions, the property replacer will return the part of the property text +that matches the regular expression. An example for a property replacer sequence with a regular +expression is: "%msg:R:.*Sev:. \(.*\) \[.*--end%" + Also, extraction can be done based on so-called "fields". To do so, place a "F" into FromChar. A field +in its current definition is anything that is delimited by a delimiter character. The delimiter by +default is TAB (US-ASCII value 9). However, if can be changed to any other US-ASCII character by +specifying a comma and the decimal US-ASCII value of the delimiter immediately after the "F". For example, +to use comma (",") as a delimiter, use this field specifier: "F,44". If your syslog data is delimited, +this is a quicker way to extract than via regular expressions (actually, a *much* quicker way). Field +counting starts at 1. Field zero is accepted, but will always lead to a "field not found" error. The same +happens if a field number higher than the number of fields in the property is requested. The field number +must be placed in the "ToChar" parameter. An example where the 3rd field (delimited by TAB) from the msg +property is extracted is as follows: "%msg:F:3%". The same example with semicolon as delimiter is +"%msg:F,59:3%". + Please note that the special characters "F" and "R" are case-sensitive. Only upper case works, lower case +will return an error. There are no white spaces permitted inside the sequence (that will lead to error +messages and will NOT provide the intended result). + + + Property Options + Property options are case-insensitive. Currently, the following options are defined: + + + uppercase + + convert property to lowercase only + + + + lowercase + + convert property text to uppercase only + + + + drop-last-lf + + The last LF in the message (if any), is dropped. Especially useful for PIX. + + + + date-mysql + + format as mysql date + + + + date-rfc3164 + + format as RFC 3164 date + + + + date-rfc3339 + + format as RFC 3339 date + + + + escape-cc + + replace control characters (ASCII value 127 and values less then 32) with an escape sequence. The sequence is "#<charval>" where charval is the 3-digit decimal value of the control character. For example, a tabulator would be replaced by "#009". + + + + space-cc + + replace control characters by spaces + + + + drop-cc + + drop control characters - the resulting string will neither contain control characters, escape sequences nor any other replacement character like space. + + + + + + + QUEUED OPERATIONS + Rsyslogd supports queued operations to handle offline outputs +(like remote syslogd's or database servers being down). When running in +queued mode, rsyslogd buffers messages to memory and optionally to disk +(on an as-needed basis). Queues survive rsyslogd restarts. + It is highly suggested to use remote forwarding and database writing +in queued mode, only. + To learn more about queued operations, see the html documentation. + + + FILES + + + + + /etc/rsyslog.conf + + + Configuration file for +rsyslogd + + + + + + SEE ALSO + rsyslogd8, +logger1, +syslog3 + The complete documentation can be found in the doc folder of the rsyslog distribution or online at +
+ http://www.rsyslog.com/doc + + +
+ + Please note that the man page reflects only a subset of the configuration options. Be sure to read +the html documentation for all features and details. This is especially vital if you plan to set +up a more-then-extremely-simple system. + + + AUTHORS + rsyslogd +is taken from sysklogd sources, which have been heavily modified +by Rainer Gerhards (rgerhards@adiscon.com) and others. + + diff --git a/man/C/rsyslogd.8.xml b/man/C/rsyslogd.8.xml new file mode 100644 index 0000000..6a6d286 --- /dev/null +++ b/man/C/rsyslogd.8.xml @@ -0,0 +1,667 @@ + + + + + + + + 29 July 2008 + + + RSYSLOGD + 8 + 29 July 2008 + Version 3.21.1 + Linux System Administration + + + rsyslogd + reliable and extended syslogd + + + + + rsyslogd + -4 + -6 + -A + -d + + -f + + config + + + file + + + + + -i + + pid + + + file + + + + -l + + hostlist + + + -n + + -N + + level + + + + -q + -Q + + -s + + domainlist + + + + -u + + userlevel + + + -v + -w + -x + + + + + DESCRIPTION + Rsyslogd +is a system utility providing support for message logging. +Support of both internet and +unix domain sockets enables this utility to support both local +and remote logging. + Note that this version of rsyslog ships with extensive documentation in html format. +This is provided in the ./doc subdirectory and probably +in a separate package if you installed rsyslog via a packaging system. +To use rsyslog's advanced features, you +need +to look at the html documentation, because the man pages only cover +basic aspects of operation. +For details and configuration examples, see the rsyslog.conf (5) +man page and the online documentation at http://www.rsyslog.com/doc + Rsyslogd8 +is derived from the sysklogd package which in turn is derived from the +stock BSD sources. + Rsyslogd +provides a kind of logging that many modern programs use. Every logged +message contains at least a time and a hostname field, normally a +program name field, too, but that depends on how trusty the logging +program is. The rsyslog package supports free definition of output formats +via templates. It also supports precise timestamps and writing directly +to databases. If the database option is used, tools like phpLogCon can +be used to view the log data. + While the +rsyslogd +sources have been heavily modified a couple of notes +are in order. First of all there has been a systematic attempt to +ensure that rsyslogd follows its default, standard BSD behavior. Of course, +some configuration file changes are necessary in order to support the +template system. However, rsyslogd should be able to use a standard +syslog.conf and act like the orginal syslogd. However, an original syslogd +will not work correctly with a rsyslog-enhanced configuration file. At +best, it will generate funny looking file names. +The second important concept to note is that this version of rsyslogd +interacts transparently with the version of syslog found in the +standard libraries. If a binary linked to the standard shared +libraries fails to function correctly we would like an example of the +anomalous behavior. + The main configuration file +/etc/rsyslog.conf +or an alternative file, given with the + +option, is read at startup. Any lines that begin with the hash mark +(“#”) and empty lines are ignored. If an error occurs during parsing +the error element is ignored. It is tried to parse the rest of the line. + + + OPTIONS + Note that in version 3 of rsyslog a number of command line options +have been deprecated and replaced with config file directives. The + + + + + + + + When sending UDP messages, there are potentially multiple pathes to +the target destination. By default, +rsyslogd +only sends to the first target it can successfully send to. If -A +is given, messages are sent to all targets. This may improve +reliability, but may also cause message duplicaton. This option +should enabled only if it is fully understood. + + + + + + + + Causes +rsyslogd +to listen to IPv4 addresses only. +If neither -4 nor -6 is given, +rsyslogd +listens to all configured addresses of the system. + + + + + + + + Causes +rsyslogd +to listen to IPv6 addresses only. +If neither -4 nor -6 is given, +rsyslogd +listens to all configured addresses of the system. + + + + + + version + + + Selects the desired backward compatibility mode. It must always be the +first option on the command line, as it influences processing of the +other options. To use the rsyslog v3 native interface, specify -c3. To +use compatibility mode , either do not use -c at all or use +-c<version> where +version +is the rsyslog version that it shall be +compatible with. Using -c0 tells rsyslog to be command-line compatible +to sysklogd, which is the default if -c is not given. +Please note that rsyslogd issues warning messages if the -c3 +command line option is not given. +This is to alert you that your are running in compatibility +mode. Compatibility mode interfers with you rsyslog.conf commands and +may cause some undesired side-effects. It is meant to be used with a +plain old rsyslog.conf - if you use new features, things become +messy. So the best advice is to work through this document, convert +your options and config file and then use rsyslog in native mode. In +order to aid you in this process, rsyslog logs every +compatibility-mode config file directive it has generated. So you can +simply copy them from your logfile and paste them to the config. + + + + + + + + Turns on debug mode. Using this the daemon will not proceed a +fork2 +to set itself in the background, but opposite to that stay in the +foreground and write much debug information on the current tty. See the +DEBUGGING section for more information. + + + + + + config file + + + Specify an alternative configuration file instead of +/etc/rsyslog.conf, +which is the default. + + + + + + pid file + + + Specify an alternative pid file instead of the default one. +This option must be used if multiple instances of rsyslogd should +run on a single machine. + + + + + + hostlist + + + Specify a hostname that should be logged only with its simple hostname +and not the fqdn. Multiple hosts may be specified using the colon +(“:”) separator. + + + + + + + + Avoid auto-backgrounding. This is needed especially if the +rsyslogd +is started and controlled by +init8. + + + + + + + + Do a coNfig check. Do NOT run in regular mode, just check configuration +file correctness. +This option is meant to verify a config file. To do so, run rsyslogd +interactively in foreground, specifying -f <config-file> and -N level. +The level argument modifies behaviour. Currently, 0 is the same as +not specifying the -N option at all (so this makes limited sense) and +1 actually activates the code. Later, higher levels will mean more +verbosity (this is a forward-compatibility option). +rsyslogd +is started and controlled by +init8. + + + + + + add hostname if DNS fails during ACL processing + + + During ACL processing, hostnames are resolved to IP addreses for +performance reasons. If DNS fails during that process, the hostname +is added as wildcard text, which results in proper, but somewhat +slower operation once DNS is up again. + + + + + + do not resolve hostnames during ACL processing + + + Do not resolve hostnames to IP addresses during ACL processing. + + + + + + domainlist + + + Specify a domainname that should be stripped off before +logging. Multiple domains may be specified using the colon (“:”) +separator. +Please be advised that no sub-domains may be specified but only entire +domains. For example if + +is specified and the host logging resolves to satu.infodrom.north.de +no domain would be cut, you will have to specify two domains like: +. + + + + + + userlevel + + + This is a "catch all" option for some very seldomly-used user settings. +The "userlevel" variable selects multiple things. Add the specific values +to get the combined effect of them. +A value of 1 prevents rsyslogd from parsing hostnames and tags inside +messages. +A value of 2 prevents rsyslogd from changing to the root directory. This +is almost never a good idea in production use. This option was introduced +in support of the internal testbed. +To combine these two features, use a userlevel of 3 (1+2). Whenever you use +an -u option, make sure you really understand what you do and why you do it. + + + + + + + + Print version and exit. + + + + + + + + Supress warnings issued when messages are received from non-authorized +machines (those, that are in no AllowedSender list). + + + + + + + + Disable DNS for remote messages. + + + + + + SIGNALS + Rsyslogd +reacts to a set of signals. You may easily send a signal to +rsyslogd +using the following: + +kill -SIGNAL $(cat /var/run/syslogd.pid) + + + Note that -SIGNAL must be replaced with the actual signal +you are trying to send, e.g. with HUP. So it then becomes: + +kill -HUP $(cat /var/run/syslogd.pid) + + + + + + HUP + + + This lets +rsyslogd +perform a re-initialization. All open files are closed, the +configuration file (default is +/etc/rsyslog.conf) +will be reread and the +rsyslog3 +facility is started again. + + + + + TERM , INT , QUIT + + + Rsyslogd +will die. + + + + + USR1 + + + Switch debugging on/off. This option can only be used if +rsyslogd +is started with the + +debug option. + + + + + CHLD + + + Wait for childs if some were born, because of wall'ing messages. + + + + + + SECURITY THREATS + There is the potential for the rsyslogd daemon to be +used as a conduit for a denial of service attack. +A rogue program(mer) could very easily flood the rsyslogd daemon with +syslog messages resulting in the log files consuming all the remaining +space on the filesystem. Activating logging over the inet domain +sockets will of course expose a system to risks outside of programs or +individuals on the local machine. + There are a number of methods of protecting a machine: + + + 1. + + Implement kernel firewalling to limit which hosts or networks have +access to the 514/UDP socket. + + + + 2. + + Logging can be directed to an isolated or non-root filesystem which, +if filled, will not impair the machine. + + + + 3. + + The ext2 filesystem can be used which can be configured to limit a +certain percentage of a filesystem to usage by root only. NOTE +that this will require rsyslogd to be run as a non-root process. +ALSO NOTE that this will prevent usage of remote logging on the default port since +rsyslogd will be unable to bind to the 514/UDP socket. + + + + 4. + + Disabling inet domain sockets will limit risk to the local machine. + + + + + Message replay and spoofing + If remote logging is enabled, messages can easily be spoofed and replayed. +As the messages are transmitted in clear-text, an attacker might use +the information obtained from the packets for malicious things. Also, an +attacker might replay recorded messages or spoof a sender's IP address, +which could lead to a wrong perception of system activity. These can +be prevented by using GSS-API authentication and encryption. Be sure +to think about syslog network security before enabling it. + + + + DEBUGGING + When debugging is turned on using + +option then +rsyslogd +will be very verbose by writing much of what it does on stdout. + + + FILES + + + + + /etc/rsyslog.conf + + + Configuration file for +rsyslogd. +See +rsyslog.conf5 +for exact information. + + + + + /dev/log + + + The Unix domain socket to from where local syslog messages are read. + + + + + /var/run/rsyslogd.pid + + + The file containing the process id of +rsyslogd. + + + + + prefix/lib/rsyslog + + + Default directory for +rsyslogd +modules. The +prefix +is specified during compilation (e.g. /usr/local). + + + + + + ENVIRONMENT + + + + RSYSLOG_DEBUG + + + Controls runtime debug support.It contains an option string with the +following options possible (all are case insensitive): + + + + + + LogFuncFlow + + Print out the logical flow of functions (entering and exiting them) + + + + FileTrace + + Specifies which files to trace LogFuncFlow. If not set (the +default), a LogFuncFlow trace is provided for all files. Set to +limit it to the files specified.FileTrace may be specified multiple +times, one file each (e.g. export RSYSLOG_DEBUG="LogFuncFlow +FileTrace=vm.c FileTrace=expr.c" + + + + PrintFuncDB + + Print the content of the debug function database whenever debug +information is printed (e.g. abort case)! + + + + PrintAllDebugInfoOnExit + + Print all debug information immediately before rsyslogd exits +(currently not implemented!) + + + + PrintMutexAction + + Print mutex action as it happens. Useful for finding deadlocks and +such. + + + + NoLogTimeStamp + + Do not prefix log lines with a timestamp (default is to do that). + + + + NoStdOut + + Do not emit debug messages to stdout. If RSYSLOG_DEBUGLOG is not +set, this means no messages will be displayed at all. + + + + Help + + Display a very short list of commands - hopefully a life saver if +you can't access the documentation... + + + + + + + RSYSLOG_DEBUGLOG + + + If set, writes (allmost) all debug message to the specified log file +in addition to stdout. + + + + + RSYSLOG_MODDIR + + + Provides the default directory in which loadable modules reside. + + + + + + BUGS + Please review the file BUGS for up-to-date information on known +bugs and annouyances. + + + Further Information + Please visit +http://www.rsyslog.com/doc +for additional information, tutorials and a support forum. + + + SEE ALSO + rsyslog.conf5, +logger1, +syslog2, +syslog3, +services5, +savelog8 + + + COLLABORATORS + rsyslogd +is derived from sysklogd sources, which in turn was taken from +the BSD sources. Special thanks to Greg Wettstein (greg@wind.enjellic.com) +and Martin Schulze (joey@linux.de) for the fine sysklogd package. + + + + Rainer Gerhards + Adiscon GmbH + Grossrinderfeld, Germany + rgerhards@adiscon.com + + + + + + + + + diff --git a/man/ja/rsyslog.conf.5.xml b/man/ja/rsyslog.conf.5.xml new file mode 100644 index 0000000..78aece6 --- /dev/null +++ b/man/ja/rsyslog.conf.5.xml @@ -0,0 +1,1020 @@ + + + + + + + + + + + + + + + + + + + + + + + + 11 July 2008 + + + RSYSLOG.CONF + 5 + 11 July 2008 + Version 3.18.0 + Linux System Administration + + + rsyslog.conf + rsyslogd(8) configuration file + + + + DESCRIPTION + The +rsyslog.conf +file is the main configuration file for the +rsyslogd8 +which logs system messages on *nix systems. This file specifies rules +for logging. For special features see the +rsyslogd8 +manpage. Rsyslog.conf is backward-compatible with sysklogd's syslog.conf file. So if you migrate +from sysklogd you can rename it and it should work. + Note that this version of rsyslog ships with extensive documentation in html format. +This is provided in the ./doc subdirectory and probably +in a separate package if you installed rsyslog via a packaging system. +To use rsyslog's advanced features, you +need +to look at the html documentation, because the man pages only cover +basic aspects of operation. + + + MODULES + Rsyslog has a modular design. Consequently, there is a growing number +of modules. See the html documentation for their full description. + + + + omsnmp + + + SNMP trap output module + + + + + omgssapi + + + Output module for GSS-enabled syslog + + + + + ommysql + + + Output module for MySQL + + + + + omrelp + + + Output module for the reliable RELP protocol (prevents message loss). +For details, see below at imrelp and the html documentation. +It can be used like this: + + + + *.* :omrelp:server:port + *.* :omrelp:192.168.0.1:2514 # actual sample + + + + ompgsql + + + Output module for PostgreSQL + + + + + omlibdbi + + + Generic database output module (Firebird/Interbase, MS SQL, Sybase, +SQLite, Ingres, Oracle, mSQL) + + + + + imfile + + + Input module for text files + + + + + imudp + + + Input plugin for UDP syslog. Replaces the deprecated -r option. Can be +used like this: + + + + $ModLoad imudp + $InputUDPServerRun 514 + + + + imtcp + + + Input plugin for plain TCP syslog. Replaces the deprecated -t +option. Can be used like this: + + + + $ModLoad imtcp + $InputTCPServerRun 514 + + + + imtcp + + + Input plugin for the RELP protocol. RELP can be used instead +of UDP or plain TCP syslog to provide reliable delivery of +syslog messages. Please note that plain TCP syslog does NOT +provide truly reliable delivery, with it messages may be lost +when there is a connection problem or the server shuts down. +RELP prevents message loss in those cases. +It can be used like this: + + + + $ModLoad imrelp + $InputRELPServerRun 2514 + + + + imgssapi + + + Input plugin for plain TCP and GSS-enable syslog + + + + + immark + + + Support for mark messages + + + + + imklog + + + Kernel logging. To include kernel log messages, you need to do + + + + $ModLoad imklog + Please note that the klogd daemon is no longer necessary and consequently +no longer provided by the rsyslog package. + + + + imuxsock + + + Unix sockets, including the system log socket. You need to specify + + + + $ModLoad imudp + in order to receive log messages from local system processes. This +config directive should only left out if you know exactly what you +are doing. + + + BASIC STRUCTURE + Lines starting with a hash mark ('#') and empty lines are ignored. +Rsyslog.conf should contain following sections (sorted by recommended order in file): + + + Global directives + + Global directives set some global properties of whole rsyslog daemon, for example size of main +message queue ($MainMessageQueueSize), loading external modules ($ModLoad) and so on. +All global directives need to be specified on a line by their own and must start with +a dollar-sign. The complete list of global directives can be found in html documentation in doc +directory or online on web pages. + + + + Templates + + Templates allow you to specify format of the logged message. They are also used for dynamic +file name generation. They have to be defined before they are used in rules. For more info +about templates see TEMPLATES section of this manpage. + + + + Output channels + + Output channels provide an umbrella for any type of output that the user might want. +They have to be defined before they are used in rules. For more info about output channels +see OUTPUT CHANNELS section of this manpage. + + + + Rules (selector + action) + + Every rule line consists of two fields, a selector field and an action field. These +two fields are separated by one or more spaces or tabs. The selector field specifies +a pattern of facilities and priorities belonging to the specified action. + + + + + + ACTIONS + The action field of a rule describes what to do with the message. In general, message content +is written to a kind of "logfile". But also other actions might be done, like writing to a +database table or forwarding to another host. + + Regular file + Typically messages are logged to real files. The file has to be specified with full pathname, +beginning with a slash ('/'). + + Example: + + +*.* /var/log/traditionalfile.log;RSYSLOG_TraditionalFormat # log to a file in the traditional format + + + Note: if you would like to use high-precision timestamps in your log files, +just remove the ";RSYSLOG_TraditionalFormat". That will select the default +template, which, if not changed, uses RFC 3339 timestamps. + + Example: + + +*.* /var/log/file.log # log to a file with RFC3339 timestamps + + + + + Named pipes + This version of rsyslogd(8) has support for logging output to named pipes (fifos). A fifo or +named pipe can be used as a destination for log messages by prepending a pipe symbol ('|') +to the name of the file. This is handy for debugging. Note that the fifo must be created with +the mkfifo(1) command before rsyslogd(8) is started. + + + Terminal and console + If the file you specified is a tty, special tty-handling is done, same with /dev/console. + + + Remote machine + There are three ways to forward message: the traditional UDP transport, which is extremely +lossy but standard, the plain TCP based transport which loses messages only during certain +situations but is widely available and the RELP transport which does not lose messages +but is currently available only as part of rsyslogd 3.15.0 and above. + To forward messages to another host via UDP, prepend the hostname with the at sign ("@"). +To forward it via plain tcp, prepend two at signs ("@@"). To forward via RELP, prepend the +string ":omrelp:" in front of the hostname. + + Example: + + +*.* @192.168.0.1 + + + In the example above, messages are forwarded via UDP to the machine 192.168.0.1, the destination +port defaults to 514. Due to the nature of UDP, you will probably lose some messages in transit. +If you expect high traffic volume, you can expect to lose a quite noticeable number of messages +(the higher the traffic, the more likely and severe is message loss). + + If you would like to prevent message loss, use RELP: + + +*.* :omrelp:192.168.0.1:2514 + + + Note that a port number was given as there is no standard port for relp. + Keep in mind that you need to load the correct input and output plugins (see "Modules" above). + Please note that rsyslogd offers a variety of options in regarding to remote +forwarding. For full details, please see the html documentation. + + + List of users + Usually critical messages are also directed to “root” on that machine. You can specify a list +of users that shall get the message by simply writing the login. You may specify more than one +user by separating them with commas (','). If they're logged in they get the message. Don't +think a mail would be sent, that might be too late. + + + Everyone logged on + Emergency messages often go to all users currently online to notify them that something strange +is happening with the system. To specify this wall(1)-feature use an asterisk ('*'). + + + Database table + This allows logging of the message to a database table. +By default, a MonitorWare-compatible schema is required for this to work. You can +create that schema with the createDB.SQL file that came with the rsyslog package. You can also +use any other schema of your liking - you just need to define a proper template and assign this +template to the action. + See the html documentation for further details on database logging. + + + Discard + If the discard action is carried out, the received message is immediately discarded. Discard +can be highly effective if you want to filter out some annoying messages that otherwise would +fill your log files. To do that, place the discard actions early in your log files. +This often plays well with property-based filters, giving you great freedom in specifying +what you do not want. + Discard is just the single tilde character with no further parameters. + + Example: + + +*.* ~ # discards everything. + + + + + Output channel + Binds an output channel definition (see there for details) to this action. Output channel actions +must start with a $-sign, e.g. if you would like to bind your output channel definition "mychannel" +to the action, use "$mychannel". Output channels support template definitions like all all other +actions. + + + Shell execute + This executes a program in a subshell. The program is passed the template-generated message as the +only command line parameter. Rsyslog waits until the program terminates and only then continues to run. + + Example: + + +^program-to-execute;template + + + The program-to-execute can be any valid executable. It receives the template string as a single parameter +(argv[1]). + + + + FILTER CONDITIONS + Rsyslog offers three different types "filter conditions": + * "traditional" severity and facility based selectors + * property-based filters + * expression-based filters + + Blocks + Rsyslogd supports BSD-style blocks inside rsyslog.conf. Each block of lines is separated from +the previous block by a program or hostname specification. A block will only log messages +corresponding to the most recent program and hostname specifications given. Thus, a block which +selects "ppp" as the program, directly followed by a block that selects messages from the +hostname "dialhost", then the second block will only log messages from the ppp program on dialhost. + + + Selectors + Selectors are the traditional way of filtering syslog messages. +They have been kept in rsyslog with their original syntax, because it is well-known, highly +effective and also needed for compatibility with stock syslogd configuration files. If you just +need to filter based on priority and facility, you should do this with selector lines. They are +not second-class citizens in rsyslog and offer the best performance for this job. + + + Property-Based Filters + Property-based filters are unique to rsyslogd. They allow to filter on any property, like HOSTNAME, +syslogtag and msg. + A property-based filter must start with a colon in column 0. This tells rsyslogd that it is the new +filter type. The colon must be followed by the property name, a comma, the name of the compare +operation to carry out, another comma and then the value to compare against. This value must be quoted. +There can be spaces and tabs between the commas. Property names and compare operations are +case-sensitive, so "msg" works, while "MSG" is an invalid property name. In brief, the syntax is as follows: + +:property, [!]compare-operation, "value" + + + The following compare-operations are currently supported: +
+ + contains + +
+ Checks if the string provided in value is contained in the property + +
+ + + isequal + +
+ Compares the "value" string provided and the property contents. These two values must be exactly equal to match. + +
+ + + startswith + +
+ Checks if the value is found exactly at the beginning of the property value + +
+ + + regex + +
+ Compares the property against the provided regular expression. + +
+ +
+ + + + Expression-Based Filters + See the html documentation for this feature. + + + + TEMPLATES + Every output in rsyslog uses templates - this holds true for files, user +messages and so on. Templates compatible with the stock syslogd +formats are hardcoded into rsyslogd. If no template is specified, we use +one of these hardcoded templates. Search for "template_" in syslogd.c and +you will find the hardcoded ones. + A template consists of a template directive, a name, the actual template text +and optional options. A sample is: +
+ $template MyTemplateName,"\\7Text %property% some more text\\n",<options> + +
+ + The "$template" is the template directive. It tells rsyslog that this line +contains a template. The backslash is an escape character. For example, \7 rings the +bell (this is an ASCII value), \n is a new line. The set in rsyslog is a bit restricted +currently. + All text in the template is used literally, except for things within percent +signs. These are properties and allow you access to the contents of the syslog +message. Properties are accessed via the property replacer and it can for example +pick a substring or do date-specific formatting. More on this is the PROPERTY REPLACER +section of this manpage. + To escape: + % = \­ + \ = \\  '\´ is used to escape (as in C) + $template TraditionalFormat,"%timegenerated% %HOSTNAME% %syslogtag%%msg%\n" + Properties can be accessed by the property replacer (see there for details). + Please note that templates can also by used to generate selector lines with dynamic file names. +For example, if you would like to split syslog messages from different hosts +to different files (one per host), you can define the following template: +
+ $template DynFile,"/var/log/system-%HOSTNAME%.log + +
+ + +This template can then be used when defining an output selector line. It will +result in something like "/var/log/system-localhost.log" + + Template options + The <options> part is optional. It carries options influencing the template as whole. +See details below. Be sure NOT to mistake template options with property options - the +later ones are processed by the property replacer and apply to a SINGLE property, only +(and not the whole template). + Template options are case-insensitive. Currently defined are: +
+ + + sql + + format the string suitable for a SQL statement in MySQL format. This will replace single +quotes ("'") and the backslash character by their backslash-escaped counterpart +("´" and "\") inside each field. Please note that in MySQL configuration, the NO_BACKSLASH_ESCAPES +mode must be turned off for this format to work (this is the default). + + + + stdsql + + format the string suitable for a SQL statement that is to be sent to a standards-compliant +sql server. This will replace single quotes ("'") by two single quotes ("''") inside each field. +You must use stdsql together with MySQL if in MySQL configuration the NO_BACKSLASH_ESCAPES +is turned on. + + + +
+ + Either the +sql +or +stdsql +option +MUST +be specified when a template is used for writing to a database, +otherwise injection might occur. Please note that due to the unfortunate fact +that several vendors have violated the sql standard and introduced their own +escape methods, it is impossible to have a single option doing all the work. +So you yourself must make sure you are using the right format. +If you choose the wrong one, you are still vulnerable to sql injection. + Please note that the database writer *checks* that the sql option is present +in the template. If it is not present, the write database action is disabled. +This is to guard you against accidental forgetting it and then becoming +vulnerable to SQL injection. The sql option can also be useful with files - +especially if you want to import them into a database on another machine for +performance reasons. However, do NOT use it if you do not have a real need for +it - among others, it takes some toll on the processing time. Not much, but on +a really busy system you might notice it ;) + The default template for the write to database action has the sql option set. + + + Template examples + Please note that the samples are split across multiple lines. A template MUST +NOT actually be split across multiple lines. + A template that resembles traditional syslogd file output: +
+ $template TraditionalFormat,"%timegenerated% %HOSTNAME% + %syslogtag%%msg:::drop-last-lf%\n" + +
+ + A template that tells you a little more about the message: +
+ $template precise,"%syslogpriority%,%syslogfacility%,%timegenerated%,%HOSTNAME%, + %syslogtag%,%msg%\n" + +
+ + A template for RFC 3164 format: + + +$template RFC3164fmt,"<%PRI%>%TIMESTAMP% %HOSTNAME% %syslogtag%%msg%" + + + + A template for the format traditionally used for user messages: + + +$template usermsg," XXXX%syslogtag%%msg%\n\r" + + + + And a template with the traditional wall-message format: + + +$template wallmsg,"\r\n\7Message from syslogd@%HOSTNAME% at %timegenerated%" + + + + + A template that can be used for writing to a database (please note the SQL template option) + +
+ + $template MySQLInsert,"insert iut, message, receivedat values +('%iut%', '%msg:::UPPERCASE%', '%timegenerated:::date-mysql%') +into systemevents\r\n", SQL + NOTE 1: This template is embedded into core application under name +StdDBFmt +, so you don't need to define it. + NOTE 2: You have to have MySQL module installed to use this template. + + +
+ + + + + OUTPUT CHANNELS + Output Channels are a new concept first introduced in rsyslog 0.9.0. As of this writing, +it is most likely that they will be replaced by something different in the future. +So if you use them, be prepared to change you configuration file syntax when you upgrade +to a later release. + Output channels are defined via an $outchannel directive. It's syntax is as follows: +
+ $outchannel name,file-name,max-size,action-on-max-size + +
+ + name is the name of the output channel (not the file), file-name is the file name to be +written to, max-size the maximum allowed size and action-on-max-size a command to be issued +when the max size is reached. This command always has exactly one parameter. The binary is +that part of action-on-max-size before the first space, its parameter is everything behind +that space. + Keep in mind that $outchannel just defines a channel with "name". It does not activate it. +To do so, you must use a selector line (see below). That selector line includes the channel +name plus an $ sign in front of it. A sample might be: + + +*.* $mychannel + + + + + + PROPERTY REPLACER + The property replacer is a core component in rsyslogd's output system. A syslog message has +a number of well-defined properties (see below). Each of this properties can be accessed and +manipulated by the property replacer. With it, it is easy to use only part of a property value +or manipulate the value, e.g. by converting all characters to lower case. + + Accessing Properties + Syslog message properties are used inside templates. They are accessed by putting them between +percent signs. Properties can be modified by the property replacer. The full syntax is as follows: +
+ %propname:fromChar:toChar:options% + +
+ + propname is the name of the property to access. +It is case-sensitive. + + + Available Properties + + + + msg + + + the MSG part of the message (aka "the message" ;)) + + + + + rawmsg + + + the message exactly as it was received from the socket. Should be useful for debugging. + + + + + HOSTNAME + + + hostname from the message + + + + + FROMHOST + + + hostname of the system the message was received from (in a relay chain, this is the system immediately +in front of us and not necessarily the original sender) + + + + + syslogtag + + + TAG from the message + + + + + programname + + + the "static" part of the tag, as defined by BSD syslogd. For example, when TAG is "named[12345]", +programname is "named". + + + + + PRI + + + PRI part of the message - undecoded (single value) + + + + + PRI-text + + + the PRI part of the message in a textual form (e.g. "syslog.info") + + + + + IUT + + + the monitorware InfoUnitType - used when talking to a MonitorWare backend (also for phpLogCon) + + + + + syslogfacility + + + the facility from the message - in numerical form + + + + + syslogfacility-text + + + the facility from the message - in text form + + + + + syslogseverity + + + severity from the message - in numerical form + + + + + syslogseverity-text + + + severity from the message - in text form + + + + + timegenerated + + + timestamp when the message was RECEIVED. Always in high resolution + + + + + timereported + + + timestamp from the message. Resolution depends on what was provided in the message (in most cases, only seconds) + + + + + TIMESTAMP + + + alias for timereported + + + + + PROTOCOL-VERSION + + + The contents of the PROTOCOL-VERSION field from IETF draft draft-ietf-syslog-protocol + + + + + STRUCTURED-DATA + + + The contents of the STRUCTURED-DATA field from IETF draft draft-ietf-syslog-protocol + + + + + APP-NAME + + + The contents of the APP-NAME field from IETF draft draft-ietf-syslog-protocol + + + + + PROCID + + + The contents of the PROCID field from IETF draft draft-ietf-syslog-protocol + + + + + MSGID + + + The contents of the MSGID field from IETF draft draft-ietf-syslog-protocol + + + + + $NOW + + + The current date stamp in the format YYYY-MM-DD + + + + + $YEAR + + + The current year (4-digit) + + + + + $MONTH + + + The current month (2-digit) + + + + + $DAY + + + The current day of the month (2-digit) + + + + + $HOUR + + + The current hour in military (24 hour) time (2-digit) + + + + + $MINUTE + + + The current minute (2-digit) + + + + Properties starting with a $-sign are so-called system properties. These do NOT stem from the +message but are rather internally-generated. + + + Character Positions + FromChar and toChar are used to build substrings. They specify the offset within the string that +should be copied. Offset counting starts at 1, so if you need to obtain the first 2 characters of +the message text, you can use this syntax: "%msg:1:2%". If you do not wish to specify from and to, +but you want to specify options, you still need to include the colons. For example, if you would +like to convert the full message text to lower case, use "%msg:::lowercase%". If you would like to +extract from a position until the end of the string, you can place a dollar-sign ("$") in toChar +(e.g. %msg:10:$%, which will extract from position 10 to the end of the string). + There is also support for +regular expressions. +To use them, you need to place a "R" into FromChar. +This tells rsyslog that a regular expression instead of position-based extraction is desired. The +actual regular expression +must +then be provided in toChar. The regular expression must be followed +by the string "--end". It denotes the end of the regular expression and will not become part of it. +If you are using regular expressions, the property replacer will return the part of the property text +that matches the regular expression. An example for a property replacer sequence with a regular +expression is: "%msg:R:.*Sev:. \(.*\) \[.*--end%" + Also, extraction can be done based on so-called "fields". To do so, place a "F" into FromChar. A field +in its current definition is anything that is delimited by a delimiter character. The delimiter by +default is TAB (US-ASCII value 9). However, if can be changed to any other US-ASCII character by +specifying a comma and the decimal US-ASCII value of the delimiter immediately after the "F". For example, +to use comma (",") as a delimiter, use this field specifier: "F,44". If your syslog data is delimited, +this is a quicker way to extract than via regular expressions (actually, a *much* quicker way). Field +counting starts at 1. Field zero is accepted, but will always lead to a "field not found" error. The same +happens if a field number higher than the number of fields in the property is requested. The field number +must be placed in the "ToChar" parameter. An example where the 3rd field (delimited by TAB) from the msg +property is extracted is as follows: "%msg:F:3%". The same example with semicolon as delimiter is +"%msg:F,59:3%". + Please note that the special characters "F" and "R" are case-sensitive. Only upper case works, lower case +will return an error. There are no white spaces permitted inside the sequence (that will lead to error +messages and will NOT provide the intended result). + + + Property Options + Property options are case-insensitive. Currently, the following options are defined: + + + uppercase + + convert property to lowercase only + + + + lowercase + + convert property text to uppercase only + + + + drop-last-lf + + The last LF in the message (if any), is dropped. Especially useful for PIX. + + + + date-mysql + + format as mysql date + + + + date-rfc3164 + + format as RFC 3164 date + + + + date-rfc3339 + + format as RFC 3339 date + + + + escape-cc + + replace control characters (ASCII value 127 and values less then 32) with an escape sequence. The sequence is "#<charval>" where charval is the 3-digit decimal value of the control character. For example, a tabulator would be replaced by "#009". + + + + space-cc + + replace control characters by spaces + + + + drop-cc + + drop control characters - the resulting string will neither contain control characters, escape sequences nor any other replacement character like space. + + + + + + + QUEUED OPERATIONS + Rsyslogd supports queued operations to handle offline outputs +(like remote syslogd's or database servers being down). When running in +queued mode, rsyslogd buffers messages to memory and optionally to disk +(on an as-needed basis). Queues survive rsyslogd restarts. + It is highly suggested to use remote forwarding and database writing +in queued mode, only. + To learn more about queued operations, see the html documentation. + + + FILES + + + + + /etc/rsyslog.conf + + + Configuration file for +rsyslogd + + + + + + SEE ALSO + rsyslogd8, +logger1, +syslog3 + The complete documentation can be found in the doc folder of the rsyslog distribution or online at +
+ http://www.rsyslog.com/doc + + +
+ + Please note that the man page reflects only a subset of the configuration options. Be sure to read +the html documentation for all features and details. This is especially vital if you plan to set +up a more-then-extremely-simple system. + + + AUTHORS + rsyslogd +is taken from sysklogd sources, which have been heavily modified +by Rainer Gerhards (rgerhards@adiscon.com) and others. + + diff --git a/man/ja/rsyslogd.8.xml b/man/ja/rsyslogd.8.xml new file mode 100644 index 0000000..6a6d286 --- /dev/null +++ b/man/ja/rsyslogd.8.xml @@ -0,0 +1,667 @@ + + + + + + + + 29 July 2008 + + + RSYSLOGD + 8 + 29 July 2008 + Version 3.21.1 + Linux System Administration + + + rsyslogd + reliable and extended syslogd + + + + + rsyslogd + -4 + -6 + -A + -d + + -f + + config + + + file + + + + + -i + + pid + + + file + + + + -l + + hostlist + + + -n + + -N + + level + + + + -q + -Q + + -s + + domainlist + + + + -u + + userlevel + + + -v + -w + -x + + + + + DESCRIPTION + Rsyslogd +is a system utility providing support for message logging. +Support of both internet and +unix domain sockets enables this utility to support both local +and remote logging. + Note that this version of rsyslog ships with extensive documentation in html format. +This is provided in the ./doc subdirectory and probably +in a separate package if you installed rsyslog via a packaging system. +To use rsyslog's advanced features, you +need +to look at the html documentation, because the man pages only cover +basic aspects of operation. +For details and configuration examples, see the rsyslog.conf (5) +man page and the online documentation at http://www.rsyslog.com/doc + Rsyslogd8 +is derived from the sysklogd package which in turn is derived from the +stock BSD sources. + Rsyslogd +provides a kind of logging that many modern programs use. Every logged +message contains at least a time and a hostname field, normally a +program name field, too, but that depends on how trusty the logging +program is. The rsyslog package supports free definition of output formats +via templates. It also supports precise timestamps and writing directly +to databases. If the database option is used, tools like phpLogCon can +be used to view the log data. + While the +rsyslogd +sources have been heavily modified a couple of notes +are in order. First of all there has been a systematic attempt to +ensure that rsyslogd follows its default, standard BSD behavior. Of course, +some configuration file changes are necessary in order to support the +template system. However, rsyslogd should be able to use a standard +syslog.conf and act like the orginal syslogd. However, an original syslogd +will not work correctly with a rsyslog-enhanced configuration file. At +best, it will generate funny looking file names. +The second important concept to note is that this version of rsyslogd +interacts transparently with the version of syslog found in the +standard libraries. If a binary linked to the standard shared +libraries fails to function correctly we would like an example of the +anomalous behavior. + The main configuration file +/etc/rsyslog.conf +or an alternative file, given with the + +option, is read at startup. Any lines that begin with the hash mark +(“#”) and empty lines are ignored. If an error occurs during parsing +the error element is ignored. It is tried to parse the rest of the line. + + + OPTIONS + Note that in version 3 of rsyslog a number of command line options +have been deprecated and replaced with config file directives. The + + + + + + + + When sending UDP messages, there are potentially multiple pathes to +the target destination. By default, +rsyslogd +only sends to the first target it can successfully send to. If -A +is given, messages are sent to all targets. This may improve +reliability, but may also cause message duplicaton. This option +should enabled only if it is fully understood. + + + + + + + + Causes +rsyslogd +to listen to IPv4 addresses only. +If neither -4 nor -6 is given, +rsyslogd +listens to all configured addresses of the system. + + + + + + + + Causes +rsyslogd +to listen to IPv6 addresses only. +If neither -4 nor -6 is given, +rsyslogd +listens to all configured addresses of the system. + + + + + + version + + + Selects the desired backward compatibility mode. It must always be the +first option on the command line, as it influences processing of the +other options. To use the rsyslog v3 native interface, specify -c3. To +use compatibility mode , either do not use -c at all or use +-c<version> where +version +is the rsyslog version that it shall be +compatible with. Using -c0 tells rsyslog to be command-line compatible +to sysklogd, which is the default if -c is not given. +Please note that rsyslogd issues warning messages if the -c3 +command line option is not given. +This is to alert you that your are running in compatibility +mode. Compatibility mode interfers with you rsyslog.conf commands and +may cause some undesired side-effects. It is meant to be used with a +plain old rsyslog.conf - if you use new features, things become +messy. So the best advice is to work through this document, convert +your options and config file and then use rsyslog in native mode. In +order to aid you in this process, rsyslog logs every +compatibility-mode config file directive it has generated. So you can +simply copy them from your logfile and paste them to the config. + + + + + + + + Turns on debug mode. Using this the daemon will not proceed a +fork2 +to set itself in the background, but opposite to that stay in the +foreground and write much debug information on the current tty. See the +DEBUGGING section for more information. + + + + + + config file + + + Specify an alternative configuration file instead of +/etc/rsyslog.conf, +which is the default. + + + + + + pid file + + + Specify an alternative pid file instead of the default one. +This option must be used if multiple instances of rsyslogd should +run on a single machine. + + + + + + hostlist + + + Specify a hostname that should be logged only with its simple hostname +and not the fqdn. Multiple hosts may be specified using the colon +(“:”) separator. + + + + + + + + Avoid auto-backgrounding. This is needed especially if the +rsyslogd +is started and controlled by +init8. + + + + + + + + Do a coNfig check. Do NOT run in regular mode, just check configuration +file correctness. +This option is meant to verify a config file. To do so, run rsyslogd +interactively in foreground, specifying -f <config-file> and -N level. +The level argument modifies behaviour. Currently, 0 is the same as +not specifying the -N option at all (so this makes limited sense) and +1 actually activates the code. Later, higher levels will mean more +verbosity (this is a forward-compatibility option). +rsyslogd +is started and controlled by +init8. + + + + + + add hostname if DNS fails during ACL processing + + + During ACL processing, hostnames are resolved to IP addreses for +performance reasons. If DNS fails during that process, the hostname +is added as wildcard text, which results in proper, but somewhat +slower operation once DNS is up again. + + + + + + do not resolve hostnames during ACL processing + + + Do not resolve hostnames to IP addresses during ACL processing. + + + + + + domainlist + + + Specify a domainname that should be stripped off before +logging. Multiple domains may be specified using the colon (“:”) +separator. +Please be advised that no sub-domains may be specified but only entire +domains. For example if + +is specified and the host logging resolves to satu.infodrom.north.de +no domain would be cut, you will have to specify two domains like: +. + + + + + + userlevel + + + This is a "catch all" option for some very seldomly-used user settings. +The "userlevel" variable selects multiple things. Add the specific values +to get the combined effect of them. +A value of 1 prevents rsyslogd from parsing hostnames and tags inside +messages. +A value of 2 prevents rsyslogd from changing to the root directory. This +is almost never a good idea in production use. This option was introduced +in support of the internal testbed. +To combine these two features, use a userlevel of 3 (1+2). Whenever you use +an -u option, make sure you really understand what you do and why you do it. + + + + + + + + Print version and exit. + + + + + + + + Supress warnings issued when messages are received from non-authorized +machines (those, that are in no AllowedSender list). + + + + + + + + Disable DNS for remote messages. + + + + + + SIGNALS + Rsyslogd +reacts to a set of signals. You may easily send a signal to +rsyslogd +using the following: + +kill -SIGNAL $(cat /var/run/syslogd.pid) + + + Note that -SIGNAL must be replaced with the actual signal +you are trying to send, e.g. with HUP. So it then becomes: + +kill -HUP $(cat /var/run/syslogd.pid) + + + + + + HUP + + + This lets +rsyslogd +perform a re-initialization. All open files are closed, the +configuration file (default is +/etc/rsyslog.conf) +will be reread and the +rsyslog3 +facility is started again. + + + + + TERM , INT , QUIT + + + Rsyslogd +will die. + + + + + USR1 + + + Switch debugging on/off. This option can only be used if +rsyslogd +is started with the + +debug option. + + + + + CHLD + + + Wait for childs if some were born, because of wall'ing messages. + + + + + + SECURITY THREATS + There is the potential for the rsyslogd daemon to be +used as a conduit for a denial of service attack. +A rogue program(mer) could very easily flood the rsyslogd daemon with +syslog messages resulting in the log files consuming all the remaining +space on the filesystem. Activating logging over the inet domain +sockets will of course expose a system to risks outside of programs or +individuals on the local machine. + There are a number of methods of protecting a machine: + + + 1. + + Implement kernel firewalling to limit which hosts or networks have +access to the 514/UDP socket. + + + + 2. + + Logging can be directed to an isolated or non-root filesystem which, +if filled, will not impair the machine. + + + + 3. + + The ext2 filesystem can be used which can be configured to limit a +certain percentage of a filesystem to usage by root only. NOTE +that this will require rsyslogd to be run as a non-root process. +ALSO NOTE that this will prevent usage of remote logging on the default port since +rsyslogd will be unable to bind to the 514/UDP socket. + + + + 4. + + Disabling inet domain sockets will limit risk to the local machine. + + + + + Message replay and spoofing + If remote logging is enabled, messages can easily be spoofed and replayed. +As the messages are transmitted in clear-text, an attacker might use +the information obtained from the packets for malicious things. Also, an +attacker might replay recorded messages or spoof a sender's IP address, +which could lead to a wrong perception of system activity. These can +be prevented by using GSS-API authentication and encryption. Be sure +to think about syslog network security before enabling it. + + + + DEBUGGING + When debugging is turned on using + +option then +rsyslogd +will be very verbose by writing much of what it does on stdout. + + + FILES + + + + + /etc/rsyslog.conf + + + Configuration file for +rsyslogd. +See +rsyslog.conf5 +for exact information. + + + + + /dev/log + + + The Unix domain socket to from where local syslog messages are read. + + + + + /var/run/rsyslogd.pid + + + The file containing the process id of +rsyslogd. + + + + + prefix/lib/rsyslog + + + Default directory for +rsyslogd +modules. The +prefix +is specified during compilation (e.g. /usr/local). + + + + + + ENVIRONMENT + + + + RSYSLOG_DEBUG + + + Controls runtime debug support.It contains an option string with the +following options possible (all are case insensitive): + + + + + + LogFuncFlow + + Print out the logical flow of functions (entering and exiting them) + + + + FileTrace + + Specifies which files to trace LogFuncFlow. If not set (the +default), a LogFuncFlow trace is provided for all files. Set to +limit it to the files specified.FileTrace may be specified multiple +times, one file each (e.g. export RSYSLOG_DEBUG="LogFuncFlow +FileTrace=vm.c FileTrace=expr.c" + + + + PrintFuncDB + + Print the content of the debug function database whenever debug +information is printed (e.g. abort case)! + + + + PrintAllDebugInfoOnExit + + Print all debug information immediately before rsyslogd exits +(currently not implemented!) + + + + PrintMutexAction + + Print mutex action as it happens. Useful for finding deadlocks and +such. + + + + NoLogTimeStamp + + Do not prefix log lines with a timestamp (default is to do that). + + + + NoStdOut + + Do not emit debug messages to stdout. If RSYSLOG_DEBUGLOG is not +set, this means no messages will be displayed at all. + + + + Help + + Display a very short list of commands - hopefully a life saver if +you can't access the documentation... + + + + + + + RSYSLOG_DEBUGLOG + + + If set, writes (allmost) all debug message to the specified log file +in addition to stdout. + + + + + RSYSLOG_MODDIR + + + Provides the default directory in which loadable modules reside. + + + + + + BUGS + Please review the file BUGS for up-to-date information on known +bugs and annouyances. + + + Further Information + Please visit +http://www.rsyslog.com/doc +for additional information, tutorials and a support forum. + + + SEE ALSO + rsyslog.conf5, +logger1, +syslog2, +syslog3, +services5, +savelog8 + + + COLLABORATORS + rsyslogd +is derived from sysklogd sources, which in turn was taken from +the BSD sources. Special thanks to Greg Wettstein (greg@wind.enjellic.com) +and Martin Schulze (joey@linux.de) for the fine sysklogd package. + + + + Rainer Gerhards + Adiscon GmbH + Grossrinderfeld, Germany + rgerhards@adiscon.com + + + + + + + + + -- 1.5.6.4