*BASH User Commands Ubuntu 10.04.4 LTS Server coreutils
RSYSLOGD(8)               Linux System Administration              RSYSLOGD(8)

       rsyslogd - reliable and extended syslogd

       rsyslogd [ -4 ] [ -6 ] [ -A ] [ -d ] [ -f config file ]
       [ -i pid file ] [ -l hostlist ] [ -n ] [ -N level ]
       [ -q ] [ -Q ] [ -s domainlist ] [ -u userlevel ] [ -v ] [ -w ] [ -x ]

       Rsyslogd  is  a  system  utility providing support for message logging.
       Support of both internet and unix domain sockets enables  this  utility
       to support both local and remote logging.

       Note that this version of rsyslog ships with extensive documentation in
       html format.  This is provided in the ./doc subdirectory  and  probably
       in  a separate package if you installed rsyslog via a packaging system.
       To use rsyslog's advanced features, you need to look at the html  docu-
       mentation, because the man pages only cover basic aspects of operation.
       For details and configuration examples, see the  rsyslog.conf  (5)  man
       page and the online documentation at http://www.rsyslog.com/doc

       Rsyslogd(8)  is  derived  from  the  sysklogd  package which in turn is
       derived from the stock BSD sources.

       Rsyslogd provides a kind of logging  that  many  modern  programs  use.
       Every  logged  message  contains  at least a time and a hostname field,
       normally a program name field, too, but that depends on how trusty  the
       logging  program  is.  The  rsyslog package supports free definition of
       output formats via templates. It also supports precise  timestamps  and
       writing  directly  to  databases. If the database option is used, tools
       like phpLogCon can be used to view the log data.

       While the rsyslogd sources have been heavily modified a couple of notes
       are  in  order.   First  of  all there has been a systematic attempt to
       ensure that rsyslogd follows its default,  standard  BSD  behavior.  Of
       course,  some configuration file changes are necessary in order to sup-
       port the template system. However, rsyslogd should be  able  to  use  a
       standard  syslog.conf  and  act  like the original syslogd. However, an
       original syslogd will not work correctly with a  rsyslog-enhanced  con-
       figuration  file.  At  best, it will generate funny looking file names.
       The second important concept to note is that this version  of  rsyslogd
       interacts  transparently  with the version of syslog found in the stan-
       dard libraries.  If a binary linked to the  standard  shared  libraries
       fails  to  function correctly we would like an example of the anomalous

       The main configuration file /etc/rsyslog.conf or an  alternative  file,
       given  with  the  -f  option, is read at startup.  Any lines that begin
       with the hash mark (``#'') and empty lines are ignored.   If  an  error
       occurs  during  parsing  the  error  element is ignored. It is tried to
       parse the rest of the line.

       Note that in version 3 of rsyslog a number of command line options have
       been deprecated and replaced with config file directives. The -c option
       controls the backward compatibility mode in use.

       -A     When sending UDP messages, there are potentially multiple  paths
              to  the  target  destination. By default, rsyslogd only sends to
              the first target it can successfully send to. If  -A  is  given,
              messages  are sent to all targets. This may improve reliability,
              but may also cause message duplication. This  option  should  be
              enabled only if it is fully understood.

       -4     Causes rsyslogd to listen to IPv4 addresses only.  If neither -4
              nor -6 is given, rsyslogd listens to all configured addresses of
              the system.

       -6     Causes rsyslogd to listen to IPv6 addresses only.  If neither -4
              nor -6 is given, rsyslogd listens to all configured addresses of
              the system.

       -c version
              Selects  the desired backward compatibility mode. It must always
              be the first option on the command line, as it  influences  pro-
              cessing  of  the  other  options.  To  use the rsyslog v3 native
              interface, specify -c3. To use compatibility mode  ,  either  do
              not  use -c at all or use -c<version> where version is the rsys-
              log version that it shall be compatible with.  Using  -c0  tells
              rsyslog  to be command-line compatible to sysklogd, which is the
              default if -c is not given.  Please note  that  rsyslogd  issues
              warning  messages  if  the -c3 command line option is not given.
              This is to alert you that  your  are  running  in  compatibility
              mode.  Compatibility mode interferes with your rsyslog.conf com-
              mands and may cause some undesired side-effects. It is meant  to
              be used with a plain old rsyslog.conf - if you use new features,
              things become messy. So the best advice is to work through  this
              document,  convert  your  options  and  config file and then use
              rsyslog in native mode. In order to aid  you  in  this  process,
              rsyslog  logs  every compatibility-mode config file directive it
              has generated. So you can simply copy them from your logfile and
              paste them to the config.

       -d     Turns  on  debug mode.  Using this the daemon will not proceed a
              fork(2) to set itself in the background, but  opposite  to  that
              stay  in  the foreground and write much debug information on the
              current tty.  See the DEBUGGING section for more information.

       -f config file
              Specify an alternative configuration file instead of  /etc/rsys-
              log.conf, which is the default.

       -i pid file
              Specify  an  alternative  pid  file  instead of the default one.
              This option must be  used  if  multiple  instances  of  rsyslogd
              should run on a single machine.

       -l hostlist
              Specify  a  hostname  that should be logged only with its simple
              hostname and not the fqdn.   Multiple  hosts  may  be  specified
              using the colon (``:'') separator.

       -n     Avoid  auto-backgrounding.   This  is  needed  especially if the
              rsyslogd is started and controlled by init(8).

       -N  level
              Do a coNfig check. Do NOT run in regular mode, just  check  con-
              figuration  file  correctness.  This option is meant to verify a
              config file. To do so, run rsyslogd interactively in foreground,
              specifying  -f  <config-file>  and -N level.  The level argument
              modifies behaviour. Currently, 0 is the same as  not  specifying
              the  -N  option at all (so this makes limited sense) and 1 actu-
              ally activates the code. Later, higher  levels  will  mean  more
              verbosity (this is a forward-compatibility option).  rsyslogd is
              started and controlled by init(8).

       -q add hostname if DNS fails during ACL processing
              During ACL processing, hostnames are resolved  to  IP  addresses
              for  performance  reasons. If DNS fails during that process, the
              hostname is added as wildcard text, which results in proper, but
              somewhat slower operation once DNS is up again.

       -Q do not resolve hostnames during ACL processing
              Do not resolve hostnames to IP addresses during ACL processing.

       -s domainlist
              Specify a domainname that should be stripped off before logging.
              Multiple domains may be specified using the colon (``:'')  sepa-
              rator.   Please  be advised that no sub-domains may be specified
              but only entire domains.  For example if -s north.de  is  speci-
              fied  and the host logging resolves to satu.infodrom.north.de no
              domain would be cut, you will have to specify two domains  like:
              -s north.de:infodrom.north.de.

       -u userlevel
              This  is  a  "catch all" option for some very seldomly-used user
              settings.  The "userlevel" variable selects multiple things. Add
              the specific values to get the combined effect of them.  A value
              of 1 prevents rsyslogd from parsing hostnames  and  tags  inside
              messages.   A  value of 2 prevents rsyslogd from changing to the
              root directory. This is almost never a good idea  in  production
              use. This option was introduced in support of the internal test-
              bed.  To combine these two features, use a userlevel of 3 (1+2).
              Whenever  you  use an -u option, make sure you really understand
              what you do and why you do it.

       -v     Print version and exit.

       -w     Suppress warnings issued when messages are  received  from  non-
              authorized machines (those, that are in no AllowedSender list).

       -x     Disable DNS for remote messages.

       Rsyslogd  reacts  to a set of signals.  You may easily send a signal to
       rsyslogd using the following:

              kill -SIGNAL $(cat /var/run/rsyslogd.pid)

       Note that -SIGNAL must be replaced with the actual signal you are  try-
       ing to send, e.g. with HUP. So it then becomes:

              kill -HUP $(cat /var/run/rsyslogd.pid)

       HUP    This  lets rsyslogd perform a re-initialization.  All open files
              are  closed,  the  configuration  file  (default  is  /etc/rsys-
              log.conf)  will be reread and the rsyslog(3) facility is started
              again.  Note that this means a full rsyslogd  restart  is  done.
              This  has, among others, the consequence that TCP and other con-
              nections are torn down. Also, if any queues are not  running  in
              disk  assisted  mode or are not set to persist data on shutdown,
              queue data is lost. HUPing rsyslogd is  an  extremely  expensive
              operation and should only be done when actually necessary. Actu-
              ally, it is a rsyslgod stop immediately followed by  a  restart.
              Future  versions  will probably include a special handling which
              only closes files, but will not cause any of the other effects.

       TERM ,  INT ,  QUIT
              Rsyslogd will die.

       USR1   Switch debugging on/off.  This option can only be used if  rsys-
              logd is started with the -d debug option.

       CHLD   Wait for childs if some were born, because of wall'ing messages.

       There  is the potential for the rsyslogd daemon to be used as a conduit
       for a denial of service attack.  A rogue program(mer) could very easily
       flood  the  rsyslogd  daemon  with syslog messages resulting in the log
       files consuming all the remaining space on the filesystem.   Activating
       logging  over the inet domain sockets will of course expose a system to
       risks outside of programs or individuals on the local machine.

       There are a number of methods of protecting a machine:

       1.     Implement kernel firewalling to limit which  hosts  or  networks
              have access to the 514/UDP socket.

       2.     Logging  can  be  directed to an isolated or non-root filesystem
              which, if filled, will not impair the machine.

       3.     The ext2 filesystem can be used which can be configured to limit
              a  certain  percentage  of  a  filesystem to usage by root only.
              NOTE that this will require rsyslogd to be  run  as  a  non-root
              process.   ALSO NOTE that this will prevent usage of remote log-
              ging on the default port since rsyslogd will be unable  to  bind
              to the 514/UDP socket.

       4.     Disabling  inet  domain  sockets  will  limit  risk to the local

   Message replay and spoofing
       If remote logging is  enabled,  messages  can  easily  be  spoofed  and
       replayed.   As  the messages are transmitted in clear-text, an attacker
       might use the information  obtained  from  the  packets  for  malicious
       things.  Also,  an  attacker  might replay recorded messages or spoof a
       sender's IP address, which could lead to a wrong perception  of  system
       activity.  These  can  be prevented by using GSS-API authentication and
       encryption. Be sure to  think  about  syslog  network  security  before
       enabling it.

       When  debugging is turned on using -d option then rsyslogd will be very
       verbose by writing much of what it does on stdout.

              Configuration file for rsyslogd.  See rsyslog.conf(5) for  exact
              The  Unix  domain socket to from where local syslog messages are
              The file containing the process id of rsyslogd.
              Default directory for rsyslogd modules. The prefix is  specified
              during compilation (e.g. /usr/local).
              Controls runtime debug support.It contains an option string with
              the following options possible (all are case insensitive):

                     Print out the logical flow  of  functions  (entering  and
                     exiting them)
                     Specifies  which  files  to trace LogFuncFlow. If not set
                     (the default), a LogFuncFlow trace is  provided  for  all
                     files.  Set  to limit it to the files specified.FileTrace
                     may be specified multiple  times,  one  file  each  (e.g.
                     export  RSYSLOG_DEBUG="LogFuncFlow  FileTrace=vm.c  File-
                     Print the content of the debug function database whenever
                     debug information is printed (e.g. abort case)!
                     Print  all  debug information immediately before rsyslogd
                     exits (currently not implemented!)
                     Print mutex action as  it  happens.  Useful  for  finding
                     deadlocks and such.
                     Do  not  prefix log lines with a timestamp (default is to
                     do that).
                     Do not emit debug messages to stdout. If RSYSLOG_DEBUGLOG
                     is  not  set, this means no messages will be displayed at
              Help   Display a very short list of commands - hopefully a  life
                     saver if you can't access the documentation...

              If  set,  writes (almost) all debug message to the specified log
              file in addition to stdout.
              Provides the default directory in which loadable modules reside.

       Please review the file BUGS for up-to-date information  on  known  bugs
       and annoyances.

Further Information
       Please  visit  http://www.rsyslog.com/doc  for  additional information,
       tutorials and a support forum.

       rsyslog.conf(5),   logger(1),   syslog(2),   syslog(3),    services(5),

       rsyslogd is derived from sysklogd sources, which in turn was taken from
       the BSD sources. Special thanks  to  Greg  Wettstein  (greg@wind.enjel-
       lic.com) and Martin Schulze (joey@linux.de) for the fine sysklogd pack-

       Rainer Gerhards
       Adiscon GmbH
       Grossrinderfeld, Germany

Version 3.21.1                   29 July 2008                      RSYSLOGD(8)