File: index.rst

package info (click to toggle)
rsyslog-doc 8.2302.0%2Bdfsg-1
  • links: PTS, VCS
  • area: main
  • in suites: bookworm
  • size: 4,464 kB
  • sloc: python: 178; makefile: 8
file content (163 lines) | stat: -rw-r--r-- 8,940 bytes parent folder | download 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
 
Legacy Global Configuration Statements
======================================
Global configuration statements, as their name implies, usually affect
some global features. However, some also affect main queues, which
are "global" to a ruleset.

True Global Directives
----------------------

.. toctree::
   :glob:

   options/rsconf1_abortonuncleanconfig
   options/rsconf1_debugprintcfsyslinehandlerlist
   options/rsconf1_debugprintmodulelist
   options/rsconf1_debugprinttemplatelist
   options/rsconf1_failonchownfailure
   options/rsconf1_generateconfiggraph
   options/rsconf1_includeconfig
   options/rsconf1_mainmsgqueuesize
   options/rsconf1_maxopenfiles
   options/rsconf1_moddir
   options/rsconf1_modload
   options/rsconf1_umask
   options/rsconf1_resetconfigvariables

-  **$MaxMessageSize** <size\_nbr>, default 8k - allows to specify
   maximum supported message size (both for sending and receiving). The
   default should be sufficient for almost all cases. Do not set this
   below 1k, as it would cause interoperability problems with other
   syslog implementations.

   **Important:** In order for this directive to work correctly,
   it **must** be placed right at the top of ``rsyslog.conf``
   (before any input is defined).

   Change the setting to e.g. 32768 if you would like to support large
   message sizes for IHE (32k is the current maximum needed for IHE). I
   was initially tempted to set the default to 32k, but there is a some
   memory footprint with the current implementation in rsyslog.
   If you intend to receive Windows Event Log data (e.g. via
   `EventReporter <http://www.eventreporter.com/>`_), you might want to
   increase this number to an even higher value, as event log messages
   can be very lengthy ("$MaxMessageSize 64k" is not a bad idea). Note:
   testing showed that 4k seems to be the typical maximum for **UDP**
   based syslog. This is an IP stack restriction. Not always ... but
   very often. If you go beyond that value, be sure to test that
   rsyslogd actually does what you think it should do ;) It is highly
   suggested to use a TCP based transport instead of UDP (plain TCP
   syslog, RELP). This resolves the UDP stack size restrictions.
   Note that 2k, is the smallest size that must be
   supported in order to be compliant to the upcoming new syslog RFC
   series.
-  **$LocalHostName** [name] - this directive permits to overwrite the
   system hostname with the one specified in the directive. If the
   directive is given multiple times, all but the last one will be
   ignored. Please note that startup error messages may be issued with
   the real hostname. This is by design and not a bug (but one may argue
   if the design should be changed ;)). Available since 4.7.4+, 5.7.3+,
   6.1.3+.
-  **$LogRSyslogStatusMessages** [**on**/off] - If set to on (the
   default), rsyslog emits message on startup and shutdown as well as
   when it is HUPed. This information might be needed by some log
   analyzers. If set to off, no such status messages are logged, what
   may be useful for other scenarios. [available since 4.7.0 and 5.3.0]
-  **$DefaultRuleset** [name] - changes the default ruleset for unbound
   inputs to the provided *name* (the default default ruleset is named
   "RSYSLOG\_DefaultRuleset"). It is advised to also read our paper on
   :doc:`using multiple rule sets in rsyslog <../../concepts/multi_ruleset>`.
- **$DefaultNetstreamDriver** <drivername>, the default
  :doc:`network stream driver <../../concepts/netstrm_drvr>` to use.
  Defaults to ptcp.
-  **$DefaultNetstreamDriverCAFile** </path/to/cafile.pem>
-  **$DefaultNetstreamDriverCertFile** </path/to/certfile.pem>
-  **$DefaultNetstreamDriverKeyFile** </path/to/keyfile.pem>
-  **$NetstreamDriverCaExtraFiles** </path/to/extracafile.pem> - This
   directive allows to configure multiple additional extra CA files.
   This is intended for SSL certificate chains to work appropriately,
   as the different CA files in the chain need to be specified.
   It must be remarked that this directive only works with the OpenSSL driver.
-  **$RepeatedMsgContainsOriginalMsg** [on/**off**] - "last message
   repeated n times" messages, if generated, have a different format
   that contains the message that is being repeated. Note that only the
   first "n" characters are included, with n to be at least 80
   characters, most probably more (this may change from version to
   version, thus no specific limit is given). The bottom line is that n
   is large enough to get a good idea which message was repeated but it
   is not necessarily large enough for the whole message. (Introduced
   with 4.1.5). Once set, it affects all following actions.
-  **$OptimizeForUniprocessor** - This directive is no longer supported.
   While present in versions prior to 8.32.0, the directive had no effect
   for many years. Attempts to use the directive now results in a warning.
-  **$PreserveFQDN** [on/**off**) - if set to off (legacy default to remain
   compatible to sysklogd), the domain part from a name that is within
   the same domain as the receiving system is stripped. If set to on,
   full names are always used.
-  **$WorkDirectory** <name> (directory for spool and other work files. Do
   **not** use trailing slashes)
-  `$PrivDropToGroup <droppriv.html>`_
-  `$PrivDropToGroupID <droppriv.html>`_
-  `$PrivDropToUser <droppriv.html>`_
-  `$PrivDropToUserID <droppriv.html>`_
-  **$Sleep** <seconds> - puts the rsyslog main thread to sleep for the
   specified number of seconds immediately when the directive is
   encountered. You should have a good reason for using this directive!
-  **$LocalHostIPIF** <interface name> - (available since 5.9.6) - if
   provided, the IP of the specified interface (e.g. "eth0") shall be
   used as fromhost-ip for local-originating messages. If this
   directive is not given OR the interface cannot be found (or has no IP
   address), the default of "127.0.0.1" is used. Note that this
   directive can be given only once. Trying to reset will result in an
   error message and the new value will be ignored. Please note that
   modules must have support for obtaining the local IP address set via
   this directive. While this is the case for rsyslog-provided modules,
   it may not always be the case for contributed plugins.
   **Important:** This directive shall be placed **right at the top of
   rsyslog.conf**. Otherwise, if error messages are triggered before
   this directive is processed, rsyslog will fix the local host IP to
   "127.0.0.1", what than can not be reset.
-  **$ErrorMessagesToStderr** [**on**\ \|off] - direct rsyslogd error
   message to stderr (in addition to other targets)
-  **$SpaceLFOnReceive** [on/**off**] - instructs rsyslogd to replace LF
   with spaces during message reception (sysklogd compatibility aid).
   This is applied at the beginning of the parser stage and cannot
   be overridden (neither at the input nor parser level). Consequently,
   it affects all inputs and parsers.

main queue specific Directives
------------------------------
Note that these directives modify ruleset main message queues.
This includes the default ruleset's main message queue, the one
that is always present. To do this, specify directives outside of
a ruleset definition.

To understand queue parameters, read
:doc:`queues in rsyslog <../../concepts/queues>`.

-  **$MainMsgQueueCheckpointInterval** <number>
-  **$MainMsgQueueDequeueBatchSize** <number> [default 32]
-  **$MainMsgQueueDequeueSlowdown** <number> [number is timeout in
   *micro*\ seconds (1000000us is 1sec!), default 0 (no delay). Simple
   rate-limiting!]
-  **$MainMsgQueueDiscardMark** <number> [default 98% of queue size]
-  **$MainMsgQueueDiscardSeverity** <severity> [either a textual or
   numerical severity! default 4 (warning)]
-  **$MainMsgQueueFileName** <name>
-  **$MainMsgQueueHighWaterMark** <number> [default 90% of queue size]
-  **$MainMsgQueueImmediateShutdown** [on/**off**]
-  **$MainMsgQueueLowWaterMark** <number> [default 70% of queue size]
-  **$MainMsgQueueMaxFileSize** <size\_nbr>, default 1m
-  **$MainMsgQueueTimeoutActionCompletion** <number> [number is timeout in
   ms (1000ms is 1sec!), default 1000, 0 means immediate!]
-  **$MainMsgQueueTimeoutEnqueue** <number> [number is timeout in ms (1000ms
   is 1sec!), default 2000, 0 means discard immediately]
-  **$MainMsgQueueTimeoutShutdown** <number> [number is timeout in ms
   (1000ms is 1sec!), default 0 (indefinite)]
-  **$MainMsgQueueWorkerTimeoutThreadShutdown** <number> [number is timeout
   in ms (1000ms is 1sec!), default 60000 (1 minute)]
-  **$MainMsgQueueType** [**FixedArray**/LinkedList/Direct/Disk]
-  **$MainMsgQueueSaveOnShutdown**  [on/**off**]
-  **$MainMsgQueueWorkerThreads** <number>, num worker threads, default 2,
   recommended 1
-  **$MainMsgQueueWorkerThreadMinumumMessages** <number>, default queue size/number of workers