Rsyslog-example.conf

Source: Internet
Author: User
Tags rsyslog
# A commented quick reference and sample configuration
# WARNING: This is not a manual, the full manual of rsyslog configuration is in
# rsyslog.conf (5) manpage
#
# "$" starts lines that contain new directives. The full list of directives
# can be found in /usr/share/doc/rsyslog-1.19.6/doc/rsyslog_conf.html or online
# at http://www.rsyslog.com/doc if you do not have (or find) a local copy.
#
# Set syslogd options

#               Some global directives
#               ----------------------

# $AllowedSender - specifies which remote systems are allowed to send syslog messages to rsyslogd
# --------------
$AllowedSender UDP, 127.0.0.1, 192.0.2.0/24, [::1]/128, *.example.net, somehost.example.com

# $umask - specifies the rsyslogd processes' umask
# ------
$umask 0000

# $FileGroup - set the group for dynaFiles newly created
# ----------
$FileGroup loggroup

# $FileOwner - set the file owner for dynaFiles newly created.
# ----------
$FileOwner loguser

# $IncludeConfig - include other files into the main configuration file
# --------------
$IncludeConfig /etc/some-included-file.conf    # one file
$IncludeConfig /etc/rsyslog.d/                 # whole directory (must contain the final slash)

# $ModLoad - dynamically loads a plug-in and activates it
# --------
$ModLoad MySQL                                 # load MySQL functionality
$ModLoad /rsyslog/modules/somemodule.so        # load a module via absolute path


#               Templates
#               ---------

# Templates allow you to specify any format a user might want.
# They MUST be defined BEFORE they are used.

# A template consists of a template directive, a name, the actual template text
# and optional options. A sample is:
#
# $template MyTemplateName,"\7Text %property% some more text\n",
#
# where:
#  * $template - tells rsyslog that this line contains a template.
#  * MyTemplateName - template name. All other config lines refer to this name.
#  * "\7Text %property% some more text\n" - template text

# The backslash is an escape character, i.e. \7 rings the bell, \n is a new line.

# To escape:
# % = \%
# \ = \\

# Template options are case-insensitive. Currently defined are:
# sql    - format the string suitable for a SQL statement. This will replace single
#          quotes ("'") by two single quotes ("''") to prevent SQL injection
#          (NO_BACKSLASH_ESCAPES turned off)
# stdsql - format the string suitable for a SQL statement that is to
#          be sent to a standards-compliant SQL server.
#          (NO_BACKSLASH_ESCAPES turned on)

#               Properties inside templates
#               ---------------------------

# Properties can be modified by the property replacer. They are accessed
# inside the template by putting them between percent signs. The full syntax is as follows:

#     %propname:fromChar:toChar:options%

# fromChar and toChar are used to build substrings.
# If you need to obtain the first 2 characters of the
# message text, you can use this syntax: "%msg:1:2%".
# If you do not wish to specify from and to, but you want to
# specify options, you still need to include the colons.

# For example, to convert the full message text to lower case only, use
# "%msg:::lowercase%".

# The full list of property options can be found in rsyslog.conf (5) manpage


#               Samples of template definitions
#               -------------------------------

# A template that resembles traditional syslogd file output:
$template TraditionalFormat,"%timegenerated% %HOSTNAME% %syslogtag%%msg:::drop-last-lf%\n"

# A more verbose template:
$template precise,"%syslogpriority%,%syslogfacility%,%timegenerated::fulltime%,%HOSTNAME%,%syslogtag%,%msg%\n"

# A template that resembles RFC 3164 on-the-wire format:
# (yes, there is NO space between syslogtag and msg! That's important!)
$template RFC3164fmt,"<%PRI%>%TIMESTAMP% %HOSTNAME% %syslogtag%%msg%"

# A template resembling traditional wallmessage format:
$template wallmsg,"\r\n\7Message from syslogd@%HOSTNAME% at %timegenerated% ...\r\n %syslogtag%%msg%\n\r"

# The template below emulates winsyslog format, but we need to check the time
# stamps used. It is also a good sample of the property replacer in action.
$template WinSyslogFmt,"%HOSTNAME%,%timegenerated:1:10:date-rfc3339%,%timegenerated:12:19:date-rfc3339%,%timegenerated:1:10:date-rfc3339%,%timegenerated:12:19:date-rfc3339%,%syslogfacility%,%syslogpriority%,%syslogtag%%msg%\n"

# A template used for database writing (notice it *is* an actual
# SQL statement):
$template dbFormat,"insert into SystemEvents (Message, Facility, FromHost, Priority, DeviceReportedTime, ReceivedAt, InfoUnitID, SysLogTag) values ('%msg%', %syslogfacility%, '%HOSTNAME%', %syslogpriority%, '%timereported:::date-mysql%', '%timegenerated:::date-mysql%', %iut%, '%syslogtag%')",sql


#               Samples of rules
#               ----------------

# Regular file
# ------------
*.*     /var/log/traditionalfile.log;TraditionalFormat      # log to a file in the traditional format

# Forwarding to remote machine
# ----------------------------
*.*     @172.19.2.16            # UDP (standard for syslog)
*.*     @@172.19.2.17           # TCP

# Database action
# ---------------
# (you must have rsyslog-mysql package installed)
# !!! Don't forget to set permission of rsyslog.conf to 600 !!!
*.*     >hostname,dbname,userid,password        # (default Monitorware schema, can be created by /usr/share/doc/rsyslog-mysql-1.19.6/createDB.sql)

# And this one uses the template defined above:
*.*     >hostname,dbname,userid,password;dbFormat

# Program to execute
# ------------------
*.*     ^alsaunmute             # set default volume to soundcard

# Filter using regex
# ------------------
# If the user logs the word rulez or rulezz or rulezzz or ..., then we will shut down his PC
# (note that + has to be double backslashed ...):
:msg, regex, "rulez\\+" ^poweroff

# A more complex example
# ----------------------
$template bla_logged,"%timegenerated% the BLA was logged"
:msg, contains, "bla" ^logger;bla_logged

# Pipes
# -----
# First we need to create the pipe with: mkfifo /a_big_pipe
*.*     |/a_big_pipe

# Discarding
# ----------
*.*     ~       # discards everything
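A small lint pass over this legacy syntax, added here as an example (it is not part of the sample file or of rsyslog): it flags database actions whose template lacks the `sql`/`stdsql` option, program actions fired by a filter on message content, and a configuration that holds a database password while being readable beyond its owner. The function names, the finding labels and the constructed sample configuration are assumptions made for illustration.

```python
import re

# Constructed sample in the legacy syntax shown above (not taken from a real host).
SAMPLE = r'''
$template dbFormat,"insert into SystemEvents (Message) values ('%msg%')",sql
$template rawFormat,"insert into SystemEvents (Message) values ('%msg%')"
*.* >hostname,dbname,userid,password;dbFormat
*.* >hostname,dbname,userid,password;rawFormat
:msg, regex, "rulez\\+" ^poweroff
*.* /var/log/traditionalfile.log
'''

QUOTED = r'"(?:[^"\\]|\\.)*"'
TEMPLATE = re.compile(r'^\$template\s+(\w+)\s*,\s*' + QUOTED + r'\s*(?:,\s*(\w+))?', re.I)

def split_rule(line):
    """Split a rule into (filter, action); handles ':prop, op, "value"' filters."""
    pattern = r'(:[^"]*' + QUOTED + r')\s+(.*)' if line.startswith(":") else r'(\S+)\s+(.*)'
    m = re.match(pattern, line)
    return (m.group(1), re.split(r'\s+#', m.group(2))[0].strip()) if m else None

def lint(conf_text, file_mode):
    """Return [(line_no, finding)]; the finding labels are this example's own."""
    sql_templates, findings, has_db_action = set(), [], False
    for n, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        tpl = TEMPLATE.match(line)
        if tpl and (tpl.group(2) or "").lower() in ("sql", "stdsql"):
            sql_templates.add(tpl.group(1))      # templates are defined before use
        if not line or line[0] in "#$":
            continue                             # comment, directive or blank line
        rule = split_rule(line)
        if rule is None:
            continue
        flt, action = rule
        if action.startswith(">"):               # database action carries a password
            has_db_action = True
            name = action.partition(";")[2]
            if name and name not in sql_templates:
                findings.append((n, "db-template-without-sql-option"))
        elif action.startswith("^") and flt.lower().startswith(":msg"):
            findings.append((n, "program-run-on-message-content"))
    if has_db_action and file_mode & 0o077:      # the file should be mode 600
        findings.append((0, "db-password-readable-beyond-owner"))
    return findings

if __name__ == "__main__":
    for finding in lint(SAMPLE, 0o644):
        print(finding)
```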
