# A commented quick reference and sample configuration
# WARNING: This is not a manual, the full manual of rsyslog configuration is in
# rsyslog.conf (5) manpage
#
# "$" starts lines that contain new directives. The full list of directives
# can be found in /usr/share/doc/rsyslog-1.19.6/doc/rsyslog_conf.html or online
# at http://www.rsyslog.com/doc if you do not have (or find) a local copy.
#
# Set syslogd options
# Some global directives
# ----------------------
# $AllowedSender - specifies which remote systems are allowed to send syslog messages to rsyslogd
# --------------
$AllowedSender UDP, 127.0.0.1, 192.0.2.0/24, [::1]/128, *.example.net, somehost.example.com
# $UMASK - specifies the rsyslogd process's umask (0000 places no restriction on the permission bits of newly created files)
# ------
$umask 0000
# $FileGroup - Set the group for dynaFiles newly created
# ----------
$FileGroup loggroup
# $FileOwner - Set the file owner for dynaFiles newly created.
# ----------
$FileOwner loguser
# $IncludeConfig - include other files into the main configuration file
# --------------
$IncludeConfig /etc/some-included-file.conf # one file
$IncludeConfig /etc/rsyslog.d/ # whole directory (must contain the final slash)
# $ModLoad - Dynamically loads a plug-in and activates it
# --------
$ModLoad ommysql # load MySQL functionality
$ModLoad /rsyslog/modules/somemodule.so # load a module via absolute path
# Templates
# ---------
# Templates allow you to specify any format a user might want.
# They MUST be defined BEFORE they are used.
# A template consists of a template directive, a name, the actual template text
# and optional options. A sample is:
#
$template MyTemplateName,"\7Text %property% some more text\n",
# where:
# * $template - tells rsyslog that this line contains a template.
# * MyTemplateName - template name. All other config lines refer to this name.
# * "\7Text %property% some more text\n" - template text
# The backslash is an escape character, i.e. \7 rings the bell, \n is a new line.
# To escape:
# % = \%
# \ = \\
# Template options are case-insensitive. Currently defined are:
# sql - format the string suitable for a SQL statement. This will replace single
# quotes ("'") by two single quotes ("''") to prevent SQL injection
# (NO_BACKSLASH_ESCAPES turned off)
# stdsql - format the string suitable for a SQL statement that is to
# be sent to a standards-compliant sql server.
# (NO_BACKSLASH_ESCAPES turned on)
# Properties inside templates
# ---------------------------
# Properties can be modified by the property replacer. They are accessed
# inside the template by putting them between percent signs. The full syntax is as follows:
# %propname:fromChar:toChar:options%
# FromChar and toChar are used to build substrings.
# If you need to obtain the first 2 characters of the
# message text, you can use this syntax:
# "%msg:1:2%".
# If you do not wish to specify from and to, but you want to
# specify options, you still need to include the colons.
# For example, to convert the full message text to lower case only, use
# "%msg:::lowercase%".
# The full list of property options can be found in rsyslog.conf(5) manpage
# Samples of template definitions
# -------------------------------
# A template that resembles traditional syslogd file output:
$template TraditionalFormat,"%timegenerated% %HOSTNAME% %syslogtag%%msg:::drop-last-lf%\n"
# A more verbose template:
$template precise,"%syslogpriority%,%syslogfacility%,%timegenerated::fulltime%,%HOSTNAME%,%syslogtag%,%msg%\n"
# A template that resembles RFC 3164 on-the-wire format:
# (yes, there is NO space between syslogtag and msg! that's important!)
$template RFC3164fmt,"<%PRI%>%TIMESTAMP% %HOSTNAME% %syslogtag%%msg%"
# a template resembling traditional wallmessage format:
$template wallmsg,"\r\n\7Message from syslogd@%HOSTNAME% at %timegenerated% ...\r\n %syslogtag%%msg%\n\r"
# The template below emulates winsyslog format, but we need to check the time
# stamps used. It is also a good sample of the property replacer in action.
$template WinSyslogFmt,"%HOSTNAME%,%timegenerated:1:10:date-rfc3339%,%timegenerated:12:19:date-rfc3339%,%timegenerated:1:10:date-rfc3339%,%timegenerated:12:19:date-rfc3339%,%syslogfacility%,%syslogpriority%,%syslogtag%%msg%\n"
# A template used for database writing (notice it *is* an actual
# sql-statement):
$template dbFormat,"insert into SystemEvents (Message, Facility,FromHost, Priority, DeviceReportedTime, ReceivedAt, InfoUnitID, SysLogTag) values ('%msg%', %syslogfacility%, '%HOSTNAME%',%syslogpriority%, '%timereported:::date-mysql%', '%timegenerated:::date-mysql%', %iut%, '%syslogtag%')",sql
# Samples of rules
# ----------------
# Regular file
# ------------
*.* /var/log/traditionalfile.log;TraditionalFormat # log to a file in the traditional format
# Forwarding to remote machine
# ----------------------------
*.* @172.19.2.16 # udp (standard for syslog)
*.* @@172.19.2.17 # tcp
# Database action
# ---------------
# (you must have rsyslog-mysql package installed)
# !!! Don't forget to set permission of rsyslog.conf to 600 - the database actions below contain the login and password in clear text !!!
*.* >hostname,dbname,userid,password # (default Monitorware schema, can be created by /usr/share/doc/rsyslog-mysql-1.19.6/createDB.sql)
# And this one uses the template defined above:
*.* >hostname,dbname,userid,password;dbFormat
# Program to execute
# ------------------
*.* ^alsaunmute # set default volume to soundcard
# Filter using regex
# ------------------
# if the user logs the word rulez or rulezz or rulezzz or..., then we will shut down his pc
# (note that the + has to be double-backslashed...)
:msg, regex, "rulez\\+" ^poweroff
# A more complex example
# ----------------------
$template bla_logged,"%timegenerated% the BLA was logged"
:msg, contains, "bla" ^logger;bla_logged
# Pipes
# -----
# first we need to create pipe by # mkfifo /a_big_pipe
*.* |/a_big_pipe
# Discarding
# ----------
*.* ~ # discards everything