Man Pages

rsyslogd(8) - phpMan rsyslogd(8) - phpMan

Command: man perldoc info search(apropos)  

RSYSLOGD(8)               Linux System Administration              RSYSLOGD(8)

       rsyslogd - reliable and extended syslogd

       rsyslogd [ -4 ] [ -6 ] [ -A ] [ -d ] [ -f config file ]
       [ -i pid file ] [ -l hostlist ] [ -n ] [ -N level ]
       [ -q ] [ -Q ] [ -s domainlist ] [ -u userlevel ] [ -v ] [ -w ] [ -x ]

       Rsyslogd  is  a system utility providing support for message logging.  Support of both internet and unix domain
       sockets enables this utility to support both local and remote logging.

       Note that this version of rsyslog ships with extensive documentation in html format.  This is provided  in  the
       ./doc  subdirectory and probably in a separate package if you installed rsyslog via a packaging system.  To use
       rsyslog's advanced features, you need to look at the html documentation, because the man pages only cover basic
       aspects of operation.  For details and configuration examples, see the rsyslog.conf (5) man page and the online
       documentation at

       Rsyslogd(8) is derived from the sysklogd package which in turn is derived from the stock BSD sources.

       Rsyslogd provides a kind of logging that many modern programs use.  Every logged message contains  at  least  a
       time  and a hostname field, normally a program name field, too, but that depends on how trusty the logging pro-
       gram is. The rsyslog package supports free definition of output formats via templates. It also supports precise
       timestamps  and writing directly to databases. If the database option is used, tools like phpLogCon can be used
       to view the log data.

       While the rsyslogd sources have been heavily modified a couple of notes are in order.  First of all  there  has
       been  a  systematic attempt to ensure that rsyslogd follows its default, standard BSD behavior. Of course, some
       configuration file changes are necessary in order to support the template system. However, rsyslogd  should  be
       able  to  use  a  standard syslog.conf and act like the original syslogd. However, an original syslogd will not
       work correctly with a rsyslog-enhanced configuration file. At best, it will generate funny looking file  names.
       The  second important concept to note is that this version of rsyslogd interacts transparently with the version
       of syslog found in the standard libraries.  If a binary linked to the standard shared libraries fails to  func-
       tion correctly we would like an example of the anomalous behavior.

       The  main  configuration  file  /etc/rsyslog.conf  or an alternative file, given with the -f option, is read at
       startup.  Any lines that begin with the hash mark (''#'') and empty lines are ignored.  If an error occurs dur-
       ing parsing the error element is ignored. It is tried to parse the rest of the line.

       Note  that in version 3 of rsyslog a number of command line options have been deprecated and replaced with con-
       fig file directives. The -c option controls the backward compatibility mode in use.

       -A     When sending UDP messages, there are potentially multiple paths to the target destination.  By  default,
              rsyslogd  only  sends to the first target it can successfully send to. If -A is given, messages are sent
              to all targets. This may improve reliability, but may also cause message duplication. This option should
              be enabled only if it is fully understood.

       -4     Causes  rsyslogd  to  listen to IPv4 addresses only.  If neither -4 nor -6 is given, rsyslogd listens to
              all configured addresses of the system.

       -6     Causes rsyslogd to listen to IPv6 addresses only.  If neither -4 nor -6 is given,  rsyslogd  listens  to
              all configured addresses of the system.

       -c version
              Selects the desired backward compatibility mode. It must always be the first option on the command line,
              as it influences processing of the other options. To use the rsyslog v3 native interface,  specify  -c3.
              To  use compatibility mode , either do not use -c at all or use -c<version> where version is the rsyslog
              version that it shall be compatible with. Using -c0 tells  rsyslog  to  be  command-line  compatible  to
              sysklogd, which is the default if -c is not given.  Please note that rsyslogd issues warning messages if
              the -c3 command line option is not given.  This is to alert you that your are running  in  compatibility
              mode.  Compatibility  mode interferes with your rsyslog.conf commands and may cause some undesired side-
              effects. It is meant to be used with a plain old rsyslog.conf - if you use new features,  things  become
              messy.  So  the  best  advice is to work through this document, convert your options and config file and
              then use rsyslog in native mode. In order to aid you in this process, rsyslog logs every  compatibility-
              mode  config  file  directive  it has generated. So you can simply copy them from your logfile and paste
              them to the config.

       -d     Turns on debug mode. See the DEBUGGING section for more information.

       -f config file
              Specify an alternative configuration file instead of /etc/rsyslog.conf, which is the default.

       -i pid file
              Specify an alternative pid file instead of the default one.   This  option  must  be  used  if  multiple
              instances of rsyslogd should run on a single machine.

       -l hostlist
              Specify a hostname that should be logged only with its simple hostname and not the fqdn.  Multiple hosts
              may be specified using the colon ('':'') separator.

       -n     Avoid auto-backgrounding.  This is needed especially if  the  rsyslogd  is  started  and  controlled  by

       -N  level
              Do  a  coNfig check. Do NOT run in regular mode, just check configuration file correctness.  This option
              is meant to verify a config file. To do so, run rsyslogd  interactively  in  foreground,  specifying  -f
              <config-file>  and  -N  level.   The  level argument modifies behaviour. Currently, 0 is the same as not
              specifying the -N option at all (so this makes limited sense) and 1 actually activates the code.  Later,
              higher  levels  will  mean more verbosity (this is a forward-compatibility option).  rsyslogd is started
              and controlled by init(8).

       -q add hostname if DNS fails during ACL processing
              During ACL processing, hostnames are resolved to IP addresses for performance reasons. If DNS fails dur-
              ing  that  process, the hostname is added as wildcard text, which results in proper, but somewhat slower
              operation once DNS is up again.

       -Q do not resolve hostnames during ACL processing
              Do not resolve hostnames to IP addresses during ACL processing.

       -s domainlist
              Specify a domainname that should be stripped off before logging.   Multiple  domains  may  be  specified
              using  the  colon  ('':'')  separator.   Please be advised that no sub-domains may be specified but only
              entire domains.  For example if -s is specified and the host  logging  resolves  to
      no  domain  would  be  cut,  you will have to specify two domains like: -s

       -u userlevel
              This is a "catch all" option for some  very  seldomly-used  user  settings.   The  "userlevel"  variable
              selects  multiple things. Add the specific values to get the combined effect of them.  A value of 1 pre-
              vents rsyslogd from parsing hostnames and tags inside messages.  A value of  2  prevents  rsyslogd  from
              changing  to  the  root  directory.  This is almost never a good idea in production use. This option was
              introduced in support of the internal testbed.  To combine these two features,  use  a  userlevel  of  3
              (1+2). Whenever you use an -u option, make sure you really understand what you do and why you do it.

       -v     Print version and exit.

       -w     Suppress  warnings issued when messages are received from non-authorized machines (those, that are in no
              AllowedSender list).

       -x     Disable DNS for remote messages.

       Rsyslogd reacts to a set of signals.  You may easily send a signal to rsyslogd using the following:

              kill -SIGNAL $(cat /var/run/

       Note that -SIGNAL must be replaced with the actual signal you are trying to send, e.g. with  HUP.  So  it  then

              kill -HUP $(cat /var/run/

       HUP    This  lets  rsyslogd  perform close all open files.  Also, in v3 a full restart will be done in order to
              read changed configuration files.  Note that this means a full rsyslogd restart is done. This has, among
              others,  the  consequence that TCP and other connections are torn down. Also, if any queues are not run-
              ning in disk assisted mode or are not set to persist data on shutdown, queue data is lost. HUPing  rsys-
              logd  is  an extremely expensive operation and should only be done when actually necessary. Actually, it
              is a rsyslgod stop immediately followed by a restart. Future versions will remove this restart function-
              ality  of  HUP  (it will go away in v5). So it is advised to use HUP only for closing files, and a "real
              restart" (e.g. /etc/rc.d/rsyslogd restart) to activate configuration changes.

       TERM ,  INT ,  QUIT
              Rsyslogd will die.

       USR1   Switch debugging on/off.  This option can only be used if rsyslogd is started with the -d debug  option.

       CHLD   Wait for childs if some were born, because of wall'ing messages.

       There is the potential for the rsyslogd daemon to be used as a conduit for a denial of service attack.  A rogue
       program(mer) could very easily flood the rsyslogd daemon with syslog messages resulting in the log  files  con-
       suming  all  the  remaining  space  on the filesystem.  Activating logging over the inet domain sockets will of
       course expose a system to risks outside of programs or individuals on the local machine.

       There are a number of methods of protecting a machine:

       1.     Implement kernel firewalling to limit which hosts or networks have access to the 514/UDP socket.

       2.     Logging can be directed to an isolated or non-root filesystem which, if  filled,  will  not  impair  the

       3.     The ext2 filesystem can be used which can be configured to limit a certain percentage of a filesystem to
              usage by root only.  NOTE that this will require rsyslogd to be run as a non-root  process.   ALSO  NOTE
              that this will prevent usage of remote logging on the default port since rsyslogd will be unable to bind
              to the 514/UDP socket.

       4.     Disabling inet domain sockets will limit risk to the local machine.

   Message replay and spoofing
       If remote logging is enabled, messages can easily be spoofed and replayed.  As the messages are transmitted  in
       clear-text,  an  attacker  might  use  the information obtained from the packets for malicious things. Also, an
       attacker might replay recorded messages or spoof a sender's IP address, which could lead to a wrong  perception
       of  system  activity.  These  can be prevented by using GSS-API authentication and encryption. Be sure to think
       about syslog network security before enabling it.

       When debugging is turned on using the -d option, rsyslogd produces debugging information according to the RSYS-
       LOG_DEBUG  environment variable and the signals received. When run in foreground, the information is written to
       stdout. An additional output file can be specified using the RSYSLOG_DEBUGLOG environment variable.

              Configuration file for rsyslogd.  See rsyslog.conf(5) for exact information.
              The Unix domain socket to from where local syslog messages are read.
              The file containing the process id of rsyslogd.
              Default directory for rsyslogd modules. The prefix is specified during compilation (e.g. /usr/local).
              Controls runtime debug support. It contains an option string with the following  options  possible  (all
              are case insensitive):

              Debug  Turns  on  debugging  and prevents forking. This is processed earlier in the startup than command
                     line options (i.e. -d) and as such enables earlier  debugging  output.  Mutually  exclusive  with
                     Enables debugging but turns off debug output. The output can be toggled by sending SIGUSR1. Mutu-
                     ally exclusive with Debug.
                     Print out the logical flow of functions (entering and exiting them)
                     Specifies which files to trace LogFuncFlow. If not set (the default), a LogFuncFlow trace is pro-
                     vided  for  all files. Set to limit it to the files specified.FileTrace may be specified multiple
                     times, one file each (e.g. export RSYSLOG_DEBUG="LogFuncFlow FileTrace=vm.c FileTrace=expr.c"
                     Print the content of the debug function database whenever  debug  information  is  printed  (e.g.
                     abort case)!
                     Print all debug information immediately before rsyslogd exits (currently not implemented!)
                     Print mutex action as it happens. Useful for finding deadlocks and such.
                     Do not prefix log lines with a timestamp (default is to do that).
                     Do not emit debug messages to stdout. If RSYSLOG_DEBUGLOG is not set, this means no messages will
                     be displayed at all.
              Help   Display a very short list of commands - hopefully a life saver if you can't access the documenta-

              If set, writes (almost) all debug message to the specified log file in addition to stdout.
              Provides the default directory in which loadable modules reside.

       Please review the file BUGS for up-to-date information on known bugs and annoyances.

Further Information
       Please visit for additional information, tutorials and a support forum.

       rsyslog.conf(5), logger(1), syslog(2), syslog(3), services(5), savelog(8)

       rsyslogd is derived from sysklogd sources, which in turn was taken from the BSD sources. Special thanks to Greg
       Wettstein ( and Martin Schulze ( for the fine sysklogd package.

       Rainer Gerhards
       Adiscon GmbH
       Grossrinderfeld, Germany

Version 3.21.1                   29 July 2008                      RSYSLOGD(8)