:: RootR ::  Hosting Order Map Login   Secure Inter-Network Operations  
 
rsyslogd(8) - phpMan

Command: man perldoc info search(apropos)  


RSYSLOGD(8)                        Linux System Administration                        RSYSLOGD(8)



NAME
       rsyslogd - reliable and extended syslogd

SYNOPSIS
       rsyslogd [ -4 ] [ -6 ] [ -A ] [ -d ] [ -D ] [ -f config file ]
       [ -i pid file ] [ -l hostlist ] [ -n ] [ -N level ]
       [ -q ] [ -Q ] [ -s domainlist ] [ -u userlevel ] [ -v ] [ -w ] [ -x ]

DESCRIPTION
       Rsyslogd  is  a  system  utility  providing  support for message logging.  Support of both
       internet and unix domain sockets enables this utility to support  both  local  and  remote
       logging.

       Note that this version of rsyslog ships with extensive documentation in html format.  This
       is provided in the ./doc subdirectory and probably in a separate package if you  installed
       rsyslog  via  a packaging system.  To use rsyslog's advanced features, you need to look at
       the html documentation, because the man pages only cover basic aspects of operation.   For
       details and configuration examples, see the rsyslog.conf (5) man page and the online docu‐
       mentation at http://www.rsyslog.com/doc

       Rsyslogd(8) is derived from the sysklogd package which in turn is derived from  the  stock
       BSD sources.

       Rsyslogd  provides  a kind of logging that many modern programs use.  Every logged message
       contains at least a time and a hostname field, normally a program  name  field,  too,  but
       that depends on how trusty the logging program is. The rsyslog package supports free defi‐
       nition of output formats via templates. It also supports precise  timestamps  and  writing
       directly to databases. If the database option is used, tools like phpLogCon can be used to
       view the log data.

       While the rsyslogd sources have been heavily modified a couple  of  notes  are  in  order.
       First  of  all  there  has  been  a systematic attempt to ensure that rsyslogd follows its
       default, standard BSD behavior. Of course, some configuration file changes  are  necessary
       in  order  to support the template system. However, rsyslogd should be able to use a stan‐
       dard syslog.conf and act like the original syslogd. However, an original syslogd will  not
       work correctly with a rsyslog-enhanced configuration file. At best, it will generate funny
       looking file names.  The second important concept to note is that this version of rsyslogd
       interacts  transparently with the version of syslog found in the standard libraries.  If a
       binary linked to the standard shared libraries fails to function correctly we  would  like
       an example of the anomalous behavior.

       The  main  configuration  file /etc/rsyslog.conf or an alternative file, given with the -f
       option, is read at startup.  Any lines that begin with the hash  mark  (``#'')  and  empty
       lines  are ignored.  If an error occurs during parsing the error element is ignored. It is
       tried to parse the rest of the line.


OPTIONS
       -A     When sending UDP messages, there are potentially multiple paths to the target  des‐
              tination.  By  default, rsyslogd only sends to the first target it can successfully
              send to. If -A is given, messages are sent to all targets. This may improve  relia‐
              bility,  but may also cause message duplication. This option should be enabled only
              if it is fully understood.

       -4     Causes rsyslogd to listen to IPv4 addresses only.  If neither -4 nor -6  is  given,
              rsyslogd listens to all configured addresses of the system.

       -6     Causes  rsyslogd  to listen to IPv6 addresses only.  If neither -4 nor -6 is given,
              rsyslogd listens to all configured addresses of the system.

       -c version
              This option has been obsoleted and has no function any longer. It is still accepted
              in  order  not  to break existing scripts. However, future versions may not support
              it.

       -D     Runs the Bison config parser in debug mode. This may help when hard to find  syntax
              errors  are reported. Please note that the output generated is deeply technical and
              orignally targeted towards developers.

       -d     Turns on debug mode.  Using this the daemon will  not  proceed  a  fork(2)  to  set
              itself  in  the  background,  but opposite to that stay in the foreground and write
              much debug information on the current tty.  See  the  DEBUGGING  section  for  more
              information.

       -f config file
              Specify  an  alternative  configuration file instead of /etc/rsyslog.conf, which is
              the default.

       -i pid file
              Specify an alternative pid file instead of the default one.  This  option  must  be
              used if multiple instances of rsyslogd should run on a single machine.

       -l hostlist
              Specify  a hostname that should be logged only with its simple hostname and not the
              fqdn.  Multiple hosts may be specified using the colon (``:'') separator.

       -n     Avoid auto-backgrounding.  This is needed especially if the rsyslogd is started and
              controlled by init(8).

       -N  level
              Do  a  coNfig check. Do NOT run in regular mode, just check configuration file cor‐
              rectness.  This option is meant to verify a config file. To  do  so,  run  rsyslogd
              interactively  in  foreground, specifying -f <config-file> and -N level.  The level
              argument modifies behaviour. Currently, 0 is the same  as  not  specifying  the  -N
              option  at  all  (so  this  makes limited sense) and 1 actually activates the code.
              Later, higher levels will mean more  verbosity  (this  is  a  forward-compatibility
              option).  rsyslogd is started and controlled by init(8).

       -q add hostname if DNS fails during ACL processing
              During  ACL processing, hostnames are resolved to IP addresses for performance rea‐
              sons. If DNS fails during that process, the hostname is  added  as  wildcard  text,
              which results in proper, but somewhat slower operation once DNS is up again.

       -Q do not resolve hostnames during ACL processing
              Do not resolve hostnames to IP addresses during ACL processing.

       -s domainlist
              Specify  a domainname that should be stripped off before logging.  Multiple domains
              may be specified using the colon (``:'') separator.  Please be advised that no sub-
              domains  may  be  specified but only entire domains.  For example if -s north.de is
              specified and the host logging resolves to satu.infodrom.north.de no  domain  would
              be cut, you will have to specify two domains like: -s north.de:infodrom.north.de.

       -S ip_addresslocal client source IP
              rsyslogd  uses  ip_address  as  local  client  address  while  connecting to remote
              logserver. Currently used by omrelp only and only with tcp.

       -u userlevel
              This is a "catch all" option for some very seldomly-used user settings.  The "user‐
              level"  variable  selects  multiple things. Add the specific values to get the com‐
              bined effect of them.  A value of 1 prevents rsyslogd from  parsing  hostnames  and
              tags  inside  messages.   A  value of 2 prevents rsyslogd from changing to the root
              directory. This is almost never a good idea in  production  use.  This  option  was
              introduced  in support of the internal testbed.  To combine these two features, use
              a userlevel of 3 (1+2). Whenever you use an -u option, make sure you really  under‐
              stand what you do and why you do it.

       -v     Print version and exit.

       -w     Suppress  warnings  issued  when messages are received from non-authorized machines
              (those, that are in no AllowedSender list).

       -x     Disable DNS for remote messages.

SIGNALS
       Rsyslogd reacts to a set of signals.  You may easily send a signal to rsyslogd  using  the
       following:

              kill -SIGNAL $(cat /var/run/rsyslogd.pid)

       Note  that  -SIGNAL  must  be replaced with the actual signal you are trying to send, e.g.
       with HUP. So it then becomes:

              kill -HUP $(cat /var/run/rsyslogd.pid)

       HUP    This lets rsyslogd perform close all open files.

       TERM ,  INT ,  QUIT
              Rsyslogd will die.

       USR1   Switch debugging on/off.  This option can only be used if rsyslogd is started  with
              the -d debug option.

       CHLD   Wait for childs if some were born, because of wall'ing messages.

SECURITY THREATS
       There  is  the  potential  for the rsyslogd daemon to be used as a conduit for a denial of
       service attack.  A rogue program(mer) could very easily flood  the  rsyslogd  daemon  with
       syslog  messages  resulting  in  the  log  files  consuming all the remaining space on the
       filesystem.  Activating logging over the inet domain sockets will of course expose a  sys‐
       tem to risks outside of programs or individuals on the local machine.

       There are a number of methods of protecting a machine:

       1.     Implement  kernel  firewalling  to limit which hosts or networks have access to the
              514/UDP socket.

       2.     Logging can be directed to an isolated or non-root  filesystem  which,  if  filled,
              will not impair the machine.

       3.     The ext2 filesystem can be used which can be configured to limit a certain percent‐
              age of a filesystem to usage by root only.  NOTE that this will require rsyslogd to
              be  run  as  a  non-root process.  ALSO NOTE that this will prevent usage of remote
              logging on the default port since rsyslogd will be unable to bind  to  the  514/UDP
              socket.

       4.     Disabling inet domain sockets will limit risk to the local machine.

   Message replay and spoofing
       If  remote  logging  is enabled, messages can easily be spoofed and replayed.  As the mes‐
       sages are transmitted in clear-text, an attacker might use the information  obtained  from
       the  packets  for  malicious  things.  Also, an attacker might replay recorded messages or
       spoof a sender's IP address, which could lead to a wrong perception  of  system  activity.
       These  can  be  prevented by using GSS-API authentication and encryption. Be sure to think
       about syslog network security before enabling it.

DEBUGGING
       When debugging is turned on using -d option then rsyslogd will be very verbose by  writing
       much of what it does on stdout.

FILES
       /etc/rsyslog.conf
              Configuration file for rsyslogd.  See rsyslog.conf(5) for exact information.
       /dev/log
              The Unix domain socket to from where local syslog messages are read.
       /var/run/rsyslogd.pid
              The file containing the process id of rsyslogd.
       prefix/lib/rsyslog
              Default  directory for rsyslogd modules. The prefix is specified during compilation
              (e.g. /usr/local).
ENVIRONMENT
       RSYSLOG_DEBUG
              Controls runtime debug support.It contains an  option  string  with  the  following
              options possible (all are case insensitive):

              LogFuncFlow
                     Print out the logical flow of functions (entering and exiting them)
              FileTrace
                     Specifies which files to trace LogFuncFlow. If not set (the default), a Log‐
                     FuncFlow trace is provided for all files. Set to limit it to the files spec‐
                     ified.FileTrace  may be specified multiple times, one file each (e.g. export
                     RSYSLOG_DEBUG="LogFuncFlow FileTrace=vm.c FileTrace=expr.c"
              PrintFuncDB
                     Print the content of the debug function database whenever debug  information
                     is printed (e.g. abort case)!
              PrintAllDebugInfoOnExit
                     Print all debug information immediately before rsyslogd exits (currently not
                     implemented!)
              PrintMutexAction
                     Print mutex action as it happens. Useful for finding deadlocks and such.
              NoLogTimeStamp
                     Do not prefix log lines with a timestamp (default is to do that).
              NoStdOut
                     Do not emit debug messages to stdout. If RSYSLOG_DEBUGLOG is not  set,  this
                     means no messages will be displayed at all.
              Help   Display  a very short list of commands - hopefully a life saver if you can't
                     access the documentation...

       RSYSLOG_DEBUGLOG
              If set, writes (almost) all debug message to the specified log file in addition  to
              stdout.
       RSYSLOG_MODDIR
              Provides the default directory in which loadable modules reside.

BUGS
       Please review the file BUGS for up-to-date information on known bugs and annoyances.

Further Information
       Please  visit  http://www.rsyslog.com/doc for additional information, tutorials and a sup‐
       port forum.

SEE ALSO
       rsyslog.conf(5), logger(1), syslog(2), syslog(3), services(5), savelog(8)

COLLABORATORS
       rsyslogd is derived from sysklogd sources, which in turn was taken from the  BSD  sources.
       Special   thanks   to   Greg   Wettstein   (greg AT wind.com)   and  Martin  Schulze
       (joey AT linux.de) for the fine sysklogd package.

       Rainer Gerhards
       Adiscon GmbH
       Grossrinderfeld, Germany
       rgerhards AT adiscon.com



Version 8.3.3                              27 May 2014                                RSYSLOGD(8)


rootr.net - man pages