Linux Man Page Viewer
The following form allows you to view linux man pages.
The rsyslog.conf file is the main configuration file for the rsys-
logd(8) which logs system messages on *nix systems. This file speci-
fies rules for logging. For special features see the rsyslogd(8) man-
page. Rsyslog.conf is backward-compatible with sysklogd's syslog.conf
file. So if you migrate from sysklogd you can rename it and it should
Note that this version of rsyslog ships with extensive documentation in
html format. This is provided in the ./doc subdirectory and probably
in a separate package if you installed rsyslog via a packaging system.
To use rsyslog's advanced features, you need to look at the html docu-
mentation, because the man pages only cover basic aspects of operation.
Rsyslog has a modular design. Consequently, there is a growing number
of modules. See the html documentation for their full description.
omsnmp SNMP trap output module
Output module for GSS-enabled syslog
Output module for MySQL
omrelp Output module for the reliable RELP protocol (prevents message
loss). For details, see below at imrelp and the html documenta-
tion. It can be used like this:
*.* :omrelp:192.168.0.1:2514 # actual sample
Output module for PostgreSQL
Generic database output module (Firebird/Interbase, MS SQL,
Sybase, SQLite, Ingres, Oracle, mSQL)
imfile Input module for text files
imudp Input plugin for UDP syslog. Replaces the deprecated -r option.
Can be used like this:
or the server shuts down. RELP prevents message loss in
those cases. It can be used like this:
Input plugin for plain TCP and GSS-enable syslog
immark Support for mark messages
imklog Kernel logging. To include kernel log messages, you need
Please note that the klogd daemon is no longer necessary
and consequently no longer provided by the rsyslog pack-
Unix sockets, including the system log socket. You need
in order to receive log messages from local system pro-
cesses. This config directive should only left out if you
know exactly what you are doing.
Lines starting with a hash mark ('#') and empty lines are
ignored. Rsyslog.conf should contain following sections (sorted
by recommended order in file):
Global directives set some global properties of whole
rsyslog daemon, for example size of main message queue
($MainMessageQueueSize), loading external modules ($Mod-
Load) and so on. All global directives need to be speci-
fied on a line by their own and must start with a dollar-
sign. The complete list of global directives can be found
in html documentation in doc directory or online on web
Templates allow you to specify format of the logged mes-
Every rule line consists of two fields, a selector field
and an action field. These two fields are separated by
one or more spaces or tabs. The selector field specifies
a pattern of facilities and priorities belonging to the
The selector field itself again consists of two parts, a facil-
ity and a priority, separated by a period ('.'). Both parts are
case insensitive and can also be specified as decimal numbers,
but don't do that, you have been warned. Both facilities and
priorities are described in syslog(3). The names mentioned below
correspond to the similar LOG_-values in /usr/include/syslog.h.
The facility is one of the following keywords: auth, authpriv,
cron, daemon, kern, lpr, mail, mark, news, security (same as
auth), syslog, user, uucp and local0 through local7. The keyword
security should not be used anymore and mark is only for inter-
nal use and therefore should not be used in applications. Any-
way, you may want to specify and redirect these messages here.
The facility specifies the subsystem that produced the message,
i.e. all mail programs log with the mail facility (LOG_MAIL) if
they log using syslog.
The priority is one of the following keywords, in ascending
order: debug, info, notice, warning, warn (same as warning),
err, error (same as err), crit, alert, emerg, panic (same as
emerg). The keywords error, warn and panic are deprecated and
should not be used anymore. The priority defines the severity of
The behavior of the original BSD syslogd is that all messages of
the specified priority and higher are logged according to the
given action. Rsyslogd behaves the same, but has some exten-
In addition to the above mentioned names the rsyslogd(8) under-
stands the following extensions: An asterisk ('*') stands for
all facilities or all priorities, depending on where it is used
(before or after the period). The keyword none stands for no
priority of the given facility.
You can specify multiple facilities with the same priority pat-
tern in one statement using the comma (',') operator. You may
specify as much facilities as you want. Remember that only the
facility part from such a statement is taken, a priority part
would be skipped.
Multiple selectors may be specified for a single action using
the semicolon (';') separator. Remember that each selector in
the selector field is capable to overwrite the preceding ones.
The action field of a rule describes what to do with the mes-
sage. In general, message content is written to a kind of "log-
file". But also other actions might be done, like writing to a
database table or forwarding to another host.
Typically messages are logged to real files. The file has to be
specified with full pathname, beginning with a slash ('/').
Format # log to a file in the traditional format
Note: if you would like to use high-precision timestamps in your
log files, just remove the ";RSYSLOG_TraditionalFormat". That
will select the default template, which, if not changed, uses
RFC 3339 timestamps.
*.* /var/log/file.log # log to a file with RFC3339
This version of rsyslogd(8) has support for logging output to
named pipes (fifos). A fifo or named pipe can be used as a des-
tination for log messages by prepending a pipe symbol ('|') to
the name of the file. This is handy for debugging. Note that the
fifo must be created with the mkfifo(1) command before rsys-
logd(8) is started.
Terminal and console
If the file you specified is a tty, special tty-handling is
done, same with /dev/console.
There are three ways to forward message: the traditional UDP
transport, which is extremely lossy but standard, the plain TCP
based transport which loses messages only during certain situa-
tions but is widely available and the RELP transport which does
not lose messages but is currently available only as part of
rsyslogd 3.15.0 and above.
To forward messages to another host via UDP, prepend the host-
name with the at sign ("@"). To forward it via plain tcp,
prepend two at signs ("@@"). To forward via RELP, prepend the
string ":omrelp:" in front of the hostname.
Keep in mind that you need to load the correct input and output
plugins (see "Modules" above).
Please note that rsyslogd offers a variety of options in regard-
ing to remote forwarding. For full details, please see the html
List of users
Usually critical messages are also directed to ''root'' on that
machine. You can specify a list of users that shall get the mes-
sage by simply writing ":omusrmsg:" followed by the login name.
You may specify more than one user by separating them with com-
mas (','). If they're logged in they get the message (for exam-
Everyone logged on
Emergency messages often go to all users currently online to
notify them that something strange is happening with the system.
To specify this wall(1)-feature use an ":omusrmsg:*".
This allows logging of the message to a database table. By
default, a MonitorWare-compatible schema is required for this to
work. You can create that schema with the createDB.SQL file that
came with the rsyslog package. You can also use any other schema
of your liking - you just need to define a proper template and
assign this template to the action.
See the html documentation for further details on database log-
If the discard action is carried out, the received message is
immediately discarded. Discard can be highly effective if you
want to filter out some annoying messages that otherwise would
fill your log files. To do that, place the discard actions early
in your log files. This often plays well with property-based
filters, giving you great freedom in specifying what you do not
Discard is just the single tilde character with no further
*.* ~ # discards everything.
The program-to-execute can be any valid executable. It receives
the template string as a single parameter (argv).
Rsyslog offers three different types "filter conditions":
* "traditional" severity and facility based selectors
* property-based filters
* expression-based filters
Rsyslogd supports BSD-style blocks inside rsyslog.conf. Each
block of lines is separated from the previous block by a program
or hostname specification. A block will only log messages corre-
sponding to the most recent program and hostname specifications
given. Thus, a block which selects "ppp" as the program,
directly followed by a block that selects messages from the
hostname "dialhost", then the second block will only log mes-
sages from the ppp program on dialhost.
Selectors are the traditional way of filtering syslog messages.
They have been kept in rsyslog with their original syntax,
because it is well-known, highly effective and also needed for
compatibility with stock syslogd configuration files. If you
just need to filter based on priority and facility, you should
do this with selector lines. They are not second-class citizens
in rsyslog and offer the best performance for this job.
Property-based filters are unique to rsyslogd. They allow to
filter on any property, like HOSTNAME, syslogtag and msg.
A property-based filter must start with a colon in column 0.
This tells rsyslogd that it is the new filter type. The colon
must be followed by the property name, a comma, the name of the
compare operation to carry out, another comma and then the value
to compare against. This value must be quoted. There can be
spaces and tabs between the commas. Property names and compare
operations are case-sensitive, so "msg" works, while "MSG" is an
invalid property name. In brief, the syntax is as follows:
:property, [!]compare-operation, "value"
The following compare-operations are currently supported:
Compares the property against the provided regular
See the html documentation for this feature.
Every output in rsyslog uses templates - this holds true for
files, user messages and so on. Templates compatible with the
stock syslogd formats are hardcoded into rsyslogd. If no tem-
plate is specified, we use one of these hardcoded templates.
Search for "template_" in syslogd.c and you will find the hard-
A template consists of a template directive, a name, the actual
template text and optional options. A sample is:
$template MyTemplateName,"\7Text %property% some more
The "$template" is the template directive. It tells rsyslog that
this line contains a template. The backslash is an escape char-
acter. For example, \7 rings the bell (this is an ASCII value),
\n is a new line. The set in rsyslog is a bit restricted cur-
All text in the template is used literally, except for things
within percent signs. These are properties and allow you access
to the contents of the syslog message. Properties are accessed
via the property replacer and it can for example pick a sub-
string or do date-specific formatting. More on this is the PROP-
ERTY REPLACER section of this manpage.
% = \%
\ = \\ --> '\' is used to escape (as in C)
$template TraditionalFormat,"%timegenerated% %HOSTNAME% %syslog-
Properties can be accessed by the property replacer (see there
Please note that templates can also by used to generate selector
lines with dynamic file names. For example, if you would like
to split syslog messages from different hosts to different files
(one per host), you can define the following template:
sql format the string suitable for a SQL statement in
MySQL format. This will replace single quotes
("'") and the backslash character by their back-
slash-escaped counterpart ("?" and "\") inside
each field. Please note that in MySQL configura-
tion, the NO_BACKSLASH_ESCAPES mode must be turned
off for this format to work (this is the default).
stdsql format the string suitable for a SQL statement
that is to be sent to a standards-compliant sql
server. This will replace single quotes ("'") by
two single quotes ("''") inside each field. You
must use stdsql together with MySQL if in MySQL
configuration the NO_BACKSLASH_ESCAPES is turned
Either the sql or stdsql option MUST be specified when a tem-
plate is used for writing to a database, otherwise injection
might occur. Please note that due to the unfortunate fact that
several vendors have violated the sql standard and introduced
their own escape methods, it is impossible to have a single
option doing all the work. So you yourself must make sure you
are using the right format. If you choose the wrong one, you
are still vulnerable to sql injection.
Please note that the database writer *checks* that the sql
option is present in the template. If it is not present, the
write database action is disabled. This is to guard you against
accidental forgetting it and then becoming vulnerable to SQL
injection. The sql option can also be useful with files - espe-
cially if you want to import them into a database on another
machine for performance reasons. However, do NOT use it if you
do not have a real need for it - among others, it takes some
toll on the processing time. Not much, but on a really busy sys-
tem you might notice it ;)
The default template for the write to database action has the
sql option set.
Please note that the samples are split across multiple lines. A
template MUST NOT actually be split across multiple lines.
A template that resembles traditional syslogd file output:
$template TraditionalFormat,"%timegenerated% %HOSTNAME%
And a template with the traditional wall-message format:
$template wallmsg,"\r\n\7Message from syslogd@%HOSTNAME%
A template that can be used for writing to a database (please
note the SQL template option)
$template MySQLInsert,"insert iut, message, receivedat
values ('%iut%', '%msg:::UPPERCASE%', '%timegener-
ated:::date-mysql%') into systemevents\r\n", SQL
NOTE 1: This template is embedded into core application
under name StdDBFmt , so you don't need to define it.
NOTE 2: You have to have MySQL module installed to use
Output Channels are a new concept first introduced in rsyslog
0.9.0. As of this writing, it is most likely that they will be
replaced by something different in the future. So if you use
them, be prepared to change you configuration file syntax when
you upgrade to a later release.
Output channels are defined via an $outchannel directive. It's
syntax is as follows:
name is the name of the output channel (not the file), file-name
is the file name to be written to, max-size the maximum allowed
size and action-on-max-size a command to be issued when the max
size is reached. This command always has exactly one parameter.
The binary is that part of action-on-max-size before the first
space, its parameter is everything behind that space.
Keep in mind that $outchannel just defines a channel with
"name". It does not activate it. To do so, you must use a
selector line (see below). That selector line includes the chan-
nel name plus ":omfile:$" in front of it. A sample might be:
The property replacer is a core component in rsyslogd's output
system. A syslog message has a number of well-defined properties
(see below). Each of this properties can be accessed and manipu-
lated by the property replacer. With it, it is easy to use only
msg the MSG part of the message (aka "the message" ;))
rawmsg the message exactly as it was received from the socket.
Should be useful for debugging.
hostname from the message
hostname of the system the message was received from (in
a relay chain, this is the system immediately in front of
us and not necessarily the original sender)
TAG from the message
the "static" part of the tag, as defined by BSD syslogd.
For example, when TAG is "named", programname is
PRI PRI part of the message - undecoded (single value)
the PRI part of the message in a textual form (e.g. "sys-
IUT the monitorware InfoUnitType - used when talking to a
MonitorWare backend (also for phpLogCon)
the facility from the message - in numerical form
the facility from the message - in text form
severity from the message - in numerical form
severity from the message - in text form
timestamp when the message was RECEIVED. Always in high
timestamp from the message. Resolution depends on what
was provided in the message (in most cases, only seconds)
PROCID The contents of the PROCID field from IETF draft draft-
MSGID The contents of the MSGID field from IETF draft draft-
$NOW The current date stamp in the format YYYY-MM-DD
$YEAR The current year (4-digit)
$MONTH The current month (2-digit)
$DAY The current day of the month (2-digit)
$HOUR The current hour in military (24 hour) time (2-digit)
The current minute (2-digit)
Properties starting with a $-sign are so-called system proper-
ties. These do NOT stem from the message but are rather inter-
FromChar and toChar are used to build substrings. They specify
the offset within the string that should be copied. Offset
counting starts at 1, so if you need to obtain the first 2 char-
acters of the message text, you can use this syntax:
"%msg:1:2%". If you do not wish to specify from and to, but you
want to specify options, you still need to include the colons.
For example, if you would like to convert the full message text
to lower case, use "%msg:::lowercase%". If you would like to
extract from a position until the end of the string, you can
place a dollar-sign ("$") in toChar (e.g. %msg:10:$%, which will
extract from position 10 to the end of the string).
There is also support for regular expressions. To use them, you
need to place a "R" into FromChar. This tells rsyslog that a
regular expression instead of position-based extraction is
desired. The actual regular expression must then be provided in
toChar. The regular expression must be followed by the string
"--end". It denotes the end of the regular expression and will
not become part of it. If you are using regular expressions,
the property replacer will return the part of the property text
that matches the regular expression. An example for a property
replacer sequence with a regular expression is: "%msg:R:.*Sev:.
3rd field (delimited by TAB) from the msg property is extracted
is as follows: "%msg:F:3%". The same example with semicolon as
delimiter is "%msg:F,59:3%".
Please note that the special characters "F" and "R" are case-
sensitive. Only upper case works, lower case will return an
error. There are no white spaces permitted inside the sequence
(that will lead to error messages and will NOT provide the
Property options are case-insensitive. Currently, the following
options are defined:
convert property to lowercase only
convert property text to uppercase only
The last LF in the message (if any), is dropped. Espe-
cially useful for PIX.
format as mysql date
format as RFC 3164 date
format as RFC 3339 date
replace control characters (ASCII value 127 and values
less then 32) with an escape sequence. The sequence is
"#<charval>" where charval is the 3-digit decimal value
of the control character. For example, a tabulator would
be replaced by "#009".
replace control characters by spaces
drop control characters - the resulting string will nei-
ther contain control characters, escape sequences nor any
other replacement character like space.
Rsyslogd supports queued operations to handle offline outputs
Configuration file for rsyslogd
rsyslogd(8), logger(1), syslog(3)
The complete documentation can be found in the doc folder of the
rsyslog distribution or online at
Please note that the man page reflects only a subset of the con-
figuration options. Be sure to read the html documentation for
all features and details. This is especially vital if you plan
to set up a more-then-extremely-simple system.
rsyslogd is taken from sysklogd sources, which have been heavily
modified by Rainer Gerhards (firstname.lastname@example.org) and others.
Version 3.18.0 11 July 2008 RSYSLOG.CONF(5)