# A commented quick reference and sample configuration
# WARNING: This is not a manual, the full manual of rsyslog configuration is in
# rsyslog.conf (5) manpage
#
# "$" starts lines that contain new directives. The full list of directives
# can be found in /usr/share/doc/rsyslog-1.19.6/doc/rsyslog_conf.html or online
# at http://www.rsyslog.com/doc if you do not have (or find) a local copy.
#
# Set syslogd options
# Some global directives
# ----------------------
# $AllowedSender - specifies which remote systems are allowed to send syslog messages to rsyslogd
# --------------
$AllowedSender UDP, 127.0.0.1, 192.0.2.0/24, [::1]/128, *.example.net, somehost.example.com
# $UMASK - specifies the rsyslogd processes' umask
# ------
$umask 0000
# $FileGroup - Set the group for dynaFiles newly created
# ----------
$FileGroup loggroup
# $FileOwner - Set the file owner for dynaFiles newly created.
# ----------
$FileOwner loguser
# $IncludeConfig - include other files into the main configuration file
# --------------
$IncludeConfig /etc/some-included-file.conf # one file
$IncludeConfig /etc/rsyslog.d/ # whole directory (must contain the final slash)
# $ModLoad - Dynamically loads a plug-in and activates it
# --------
$ModLoad MySQL # load MySQL functionality
$ModLoad /rsyslog/modules/somemodule.so # load a module via absolute path
# Templates
# ---------
# Templates allow to specify any format a user might want.
# They MUST be defined BEFORE they are used.
# A template consists of a template directive, a name, the actual template text
# and optional options. A sample is:
#
$template MyTemplateName,"\7Text %property% some more text\n",
# where:
# * $template - tells rsyslog that this line contains a template.
# * MyTemplateName - template name. All other config lines refer to this name.
# * "\7Text %property% some more text\n" - templage text
# The backslash is an escape character, i.e. \7 rings the bell, \n is a new line.
# To escape:
# % = \%
# \ = \\
# Template options are case-insensitive. Currently defined are:
# sql format the string suitable for a SQL statement. This will replace single
# quotes ("'") by two single quotes ("''") to prevent the SQL injection
# (NO_BACKSLASH_ESCAPES turned off)
# stdsql - format the string suitable for a SQL statement that is to
# be sent to a standards-compliant sql server.
# (NO_BACKSLASH_ESCAPES turned on)
# Properties inside templates
# ---------------------------
# Properties can be modified by the property replacer. They are accessed
# inside the template by putting them between percent signs. The full syntax is as follows:
# %propname:fromChar:toChar:options%
# FromChar and toChar are used to build substrings.
# If you need to obtain the first 2 characters of the
# message text, you can use this syntax:
"%msg:1:2%".
# If you do not whish to specify from and to, but you want to
# specify options, you still need to include the colons.
# For example, to convert the full message text to lower case only, use
# "%msg:::lowercase%".
# The full list of property options can be found in rsyslog.conf(5) manpage
# Samples of template definitions
# -------------------------------
# A template that resambles traditional syslogd file output:
$template TraditionalFormat,"%timegenerated% %HOSTNAME% %syslogtag%%msg:::drop-last-lf%\n"
# A more verbose template:
$template precise,"%syslogpriority%,%syslogfacility%,%timegenerated::fulltime%,%HOSTNAME%,%syslogtag%,%msg%\n"
# A template that resembles RFC 3164 on-the-wire format:
# (yes, there is NO space betwen syslogtag and msg! that's important!)
$template RFC3164fmt,"<%PRI%>%TIMESTAMP% %HOSTNAME% %syslogtag%%msg%"
# a template resembling traditional wallmessage format:
$template wallmsg,"\r\n\7Message from syslogd@%HOSTNAME% at %timegenerated% ...\r\n %syslogtag%%msg%\n\r"
# The template below emulates winsyslog format, but we need to check the time
# stamps used. It is also a good sampleof the property replacer in action.
$template WinSyslogFmt,"%HOSTNAME%,%timegenerated:1:10:date-rfc3339%,%timegenerated:12:19:date-rfc3339%,%timegenerated:1:10:date-rfc3339%,%timegenerated:12:19:date-rfc3339%,%syslogfacility%,%syslogpriority%,%syslogtag%%msg%\n"
# A template used for database writing (notice it *is* an actual
# sql-statement):
$template dbFormat,"insert into SystemEvents (Message, Facility,FromHost, Priority, DeviceReportedTime, ReceivedAt, InfoUnitID, SysLogTag) values ('%msg%', %syslogfacility%, '%HOSTNAME%',%syslogpriority%, '%timereported:::date-mysql%', '%timegenerated:::date-mysql%', %iut%, '%syslogtag%')",sql
# Samples of rules
# ----------------
# Regular file
# ------------
*.* /var/log/traditionalfile.log;TraditionalFormat # log to a file in the traditional format
# Forwarding to remote machine
# ----------------------------
*.* @172.19.2.16 # udp (standard for syslog)
*.* @@172.19.2.17 # tcp
# Database action
# ---------------
# (you must have rsyslog-mysql package installed)
# !!! Don't forget to set permission of rsyslog.conf to 600 !!!
*.* >hostname,dbname,userid,password # (default Monitorware schema, can be created by /usr/share/doc/rsyslog-mysql-1.19.6/createDB.sql)
# And this one uses the template defined above:
*.* >hostname,dbname,userid,password;dbFormat
# Program to execute
# ------------------
*.* ^alsaunmute # set default volume to soundcard
# Filter using regex
# ------------------
# if the user logges word rulez or rulezz or rulezzz or..., then we will shut down his pc
# (note, that + have to be double backslashed...)
:msg, regex, "rulez\\+" ^poweroff
# A more complex example
# ----------------------
$template bla_logged,"%timegenerated% the BLA was logged"
:msg, contains, "bla" ^logger;bla_logged
# Pipes
# -----
# first we need to create pipe by # mkfifo /a_big_pipe
*.* |/a_big_pipe
# Discarding
# ----------
*.* ~ # discards everything