rsyslogd
This document, severely adapted by Dennis German, assumes an understanding of various syslog
utilities.
See the author's documentation rsyslog.com/doc
Includes definition of output formats via templates, precise timestamps and writing to databases
Helpful for debugging conf:
rsyslogd -N 1 |more
# incredibly verbose
rsyslogd -N 1 -d 2>~/0 | egrep "cnf:|ssigned|filter|ACTION|PRIFILT" |\
egrep -v 'cnf:global:script|END'|more # stderr not helpful
sudo service rsyslog restart ; cd /var/log; tail -n30 -f 04_warn.log # restart and CHECK for errors
-N 1 |
sudo systemctl restart rsyslog
To send a signal to rsyslogd directly to enable debugging use: sudo kill -USR1 $(cat /var/run/rsyslogd.pid)
HUP: Avoid! Use /etc/init.d/rsyslog restart instead. | STOP then START: files are closed and reopened, TCP and other connections are torn down; if queues are not running in disk-assisted mode or are not set to persist data on shutdown, data is lost.
Start, read changed configuration files.
/etc/init.d/rsyslog restart |
/etc/rsyslog.conf |
$RSYSLOG_MODDIR |
Help
Support for message local and remote logging.
rsyslogd.conf
selection | action |
---|---|
selection ::= selector [;selector …] facility[,facility …].[!][=]priority
priority and higher, unless priority is preceded by =, meaning only this priority.
Preceding Destination file or host
action.resumeInterval seconds
Default 30, increases! When an action is suspended it is resumed later.
action.resumeRetryCount
default:0.
action.reportSuspension on|off
template
a definition of the format of the log message, defined previously in this config or one of the
reserved names like:
RSYSLOG_TraditionalFileFormat, RSYSLOG_FileFormat, …
/opt/homebrew/etc/rsyslog.conf
# Minimal config file for RECeiving logs over UDP port 10514
$ModLoad imudp
$UDPServerRun 10514
*.* /usr/local/var/log/rsyslog-remote.log
facility:
|
$template name,"specification …"
.
template(name=name,type=[list| subtree| string| plugin] parameters) [{ list-descriptions} ]
list:: constant(value="vvv") property(name="pr") …
string:: string="specification …"
template(name="tpl3" type="string" string="%TIMESTAMP:::date-rfc3339% %HOSTNAME% %syslogtag%%msg:::sp-if-no-1st-sp%%msg:::drop-last-lf%\n" )
%pr%
optional range | %property:[i]:[j]:options%
| i, j are origin 1. j can be $ to specify the end.
regular expression | %property:R:regx--end:options%
| "%msg:R:.*Sev:. \(.*\) \[.*--end%" [ BRE | ERE ]
field | %property:F[,delimiter[+]][,i]:n[,j]:options%
| delimiter in decimal, default TAB. Examples: space: 32 or comma: 44 or semicolon: 59.
| +: multiple occurrences of delimiter. Useful when parsing space-filled fields.
| n: the field number; origin 1.
| The i th through the j th position.
| Example: comma separated values, the 4th field:
json |
priority | Numeric:PRI | syslogfacility | syslogpriority Text: pri-text .
Example:
|
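An added Python model (not code from the page or from rsyslog) of the range and field forms described above: positions are origin 1, `$` means end of value, the delimiter is a decimal character code and `+` collapses repeated delimiters. The function name and the sample values are constructed for illustration; a missing field returns None here, whereas rsyslog substitutes a marker string.

```python
import re

def replace(value, spec):
    """Model of the page's %property:from:to% rules applied to one property value.

    spec is the text between the property name and the options, for example
    "1:10", "3:$" or "F,44:4". Returns None when the requested field is missing.
    """
    frm, _, to = spec.partition(":")
    if not frm.startswith("F"):                  # plain range i:j
        start = int(frm or 1)
        end = len(value) if to == "$" else int(to)
        return value[start - 1:end]
    opts = frm.split(",")                        # F[,delimiter[+]][,i]
    delim, merge, start = "\t", False, 1         # default delimiter is TAB
    if len(opts) > 1:
        merge = opts[1].endswith("+")
        delim = chr(int(opts[1].rstrip("+")))    # delimiter given as decimal code
    if len(opts) > 2:
        start = int(opts[2])
    n, _, end = to.partition(",")                # n[,j]
    pattern = re.escape(delim) + ("+" if merge else "")
    fields = re.split(pattern, value)
    if int(n) > len(fields):
        return None
    field = fields[int(n) - 1]
    stop = int(end) if end else len(field)
    return field[start - 1:stop]

# Constructed sample property values (not from the page).
CSV_MSG = "2019-05-15,raspberrypi,sshd,Failed password,10.0.0.7"
PADDED_MSG = "eth0    UP      1500"

if __name__ == "__main__":
    print(replace(CSV_MSG, "F,44:4"))       # comma separated values, the 4th field
    print(replace(PADDED_MSG, "F,32+:3"))   # space-filled fields, runs of spaces merged
    print(replace(PADDED_MSG, "F,32:3"))    # without +, padding yields empty fields
```

Without `+`, every padding space starts a new (empty) field, which is why space-filled input needs the `+` form.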
stop
Stops processing when a message containing a particular string is encountered:
:msg, contains, "SHOW+RETENTION+POLICIES" stop
$PrivDropToUser Name
$PrivDropToGroup Name
Use $PrivDropToGroup and $PrivDropToUser to specify a group and/or user to drop to after initialization.
$RepeatedMsgContainsOriginalMsg
$ActionResumeInterval
$ActionExecOnlyWhenPreviousIsSuspended
/etc/init.d/rsyslog
./doc
subdirectory
From: rsyslog.com
Regarding Memory usage:
On raspberrypi top reports VIRT:27,968 ; RES:1536; SHR: 1096
rsyslogd 5.8.11 startup, compatibility mode 0, module path '', cwd:/var/log
caller requested object 'net', not found (iRet -3003)
Requested to load module 'lmnet'
loading module '/usr/lib/rsyslog/lmnet.so'
module of type 2 being loaded.
entry point 'isCompatibleWithFeature' not present in module
source file conf.c requested reference for module 'lmnet', reference count now 1
rsyslog runtime initialized, version 5.8.11, current users 1
source file syslogd.c requested reference for module 'lmnet', reference count now 2
GenerateLocalHostName uses 'raspberrypi'
omfile: using transactional output interface.
module of type 1 being loaded.
module of type 1 being loaded.
entry point 'beginTransaction' not present in module
entry point 'endTransaction' not present in module
source file omfwd.c requested reference for module 'lmnet', reference count now 3
module of type 1 being loaded.
entry point 'doHUP' not present in module
entry point 'beginTransaction' not present in module
entry point 'endTransaction' not present in module
: module of type 1 being loaded.
: entry point 'doHUP' not present in module
: entry point 'beginTransaction' not present in module
: entry point 'endTransaction' not present in module
: module of type 1 being loaded.
: entry point 'doHUP' not present in module
: entry point 'beginTransaction' not present in module
: entry point 'endTransaction' not present in module
: module of type 1 being loaded.
: entry point 'doHUP' not present in module
: entry point 'beginTransaction' not present in module
: entry point 'endTransaction' not present in module
: rfc5424 parser init called
: GetParserName addr 0x19ff4
: module of type 3 being loaded.
: Parser 'rsyslog.rfc5424' added to list of available parsers.
: rfc3164 parser init called
: module of type 3 being loaded.
: Parser 'rsyslog.rfc3164' added to list of available parsers.
: Parser 'rsyslog.rfc5424' added to default parser set.
: Parser 'rsyslog.rfc3164' added to default parser set.
: rsyslog standard file format strgen init called, compiled with version 5.8.11
: module of type 4 being loaded.
: entry point 'isCompatibleWithFeature' not present in module
: Strgen 'RSYSLOG_FileFormat' added to list of available strgens.
: traditional file format strgen init called, compiled with version 5.8.11
: module of type 4 being loaded.
: entry point 'isCompatibleWithFeature' not present in module
: Strgen 'RSYSLOG_TraditionalFileFormat' added to list of available strgens.
: rsyslog standard (network) forward format strgen init called, compiled with version 5.8.11
: module of type 4 being loaded.
: entry point 'isCompatibleWithFeature' not present in module
: Strgen 'RSYSLOG_ForwardFormat' added to list of available strgens.
: rsyslog traditional (network) forward format strgen init called, compiled with version 5.8.11
: module of type 4 being loaded.
: entry point 'isCompatibleWithFeature' not present in module
: Strgen 'RSYSLOG_TraditionalForwardFormat' added to list of available strgens.
: Called LogError, msg: WARNING: rsyslogd is running in compatibility mode. Automatically generated config directives may interfer with your rsyslog.conf settings. We suggest upgrading your config and adding -c5 as the first rsyslogd option.
: Checking pidfile.
: Writing pidfile /var/run/rsyslogd.pid.
Can't open or create /var/run/rsyslogd.pid.
Can't write pid.
rsyslogd -N 1 -d 2>~/0 |cut -d':' -f 4- |grep imudp
name: 'load', value 'imudp'
load: 'imudp'
Requested to load module 'imudp'
loading module '/usr/lib/arm-linux-gnueabihf/rsyslog/imudp.so'
source file imudp.c requested reference for module 'lmnet', reference count now 4
imudp: version 8.1901.0 initializing
module imudp of type 0 being loaded (keepType=0).
module config name is 'imudp'
module imudp supports rsyslog v6 config interface
module (global) param blk for imudp:
name: 'type', value 'imudp'
type: 'imudp'
newInpInst (imudp)
input param blk in imudp:
beginCnfLoad(0xb6ac1008) for module 'imudp'
calling endCnfLoad() for module 'imudp'
module imudp tells us config can be activated
# /etc/rsyslog.conf Configuration file for rsyslog.
# 1/27/13 DGG
$ModLoad imklog # provides kernel logging support
#$ModLoad immark # provides --MARK-- message capability default: 1200 seconds (i.e. 20minutes) to
# provides UDP syslog reception DGG enabled
$ModLoad imudp
$UDPServerRun 514
# provides TCP syslog reception DGG enabled
$ModLoad imtcp
$InputTCPServerRun 514
#### RULES :
# First some standard log files. Log by facility.
auth,authpriv.* /var/log/auth.log
*.*;auth,authpriv.none -/var/log/syslog
#cron.* /var/log/cron.log
daemon.* -/var/log/daemon.log
kern.* -/var/log/kern.log
mail.*;news.*;lpr.* -/var/log/unused.log
user.* -/var/log/user.log
dhclient.info -/var/dhcpclient.log
# Some "catch-all" log files.
*.=debug;auth,authpriv.none -/var/log/07_debug.log
*.=crit -/var/log/02_crit.log
*.err -/var/log/03_err.log
*.warn -/var/log/04_warn.log
*.notice -/var/log/05_notice.log
*.info -/var/log/06_info.log
*.info -/var/log/06_info.log2
*.emerg -/var/log/01_crit.log
cron,daemon.none; -/var/log/messages
# Emergencies are sent to everybody logged in.
*.emerg :omusrmsg:*
# place spool and state files
$WorkDirectory /var/spool/rsyslog
# Include all config files in /etc/rsyslog.d/ DGG: There aren't any
$IncludeConfig /etc/rsyslog.d/*.conf
#### GLOBAL DIRECTIVES :
# Set the default permissions for all log files.
$FileOwner root
$FileGroup adm
$FileCreateMode 0640
$DirCreateMode 0755
$Umask 0022
# The named pipe /dev/xconsole is for the `xconsole' utility.
# To use it, invoke `xconsole' with the `-file' option:
#
# $ xconsole -file /dev/xconsole [...]
#
# NOTE: adjust the list below, or you'll go crazy if you have a reasonably busy site..
daemon.*;*.=debug;*.=info;*.=notice;*.=warn |/dev/xconsole
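The following Python sketch is an added example, not part of the original page or of rsyslog's code. It models how traditional selectors (facility.priority with `=`, `!` and `none`) choose destination files, using a subset of the rules from the configuration above; the function names are hypothetical and the leading `-` on file names is dropped.

```python
# Severity names in numeric order: 0 = emerg (most severe) ... 7 = debug.
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
ALIASES = {"warn": "warning", "error": "err", "panic": "emerg"}

# A subset of the selection -> file rules from the /etc/rsyslog.conf above.
RULES = [
    ("auth,authpriv.*", "/var/log/auth.log"),
    ("*.*;auth,authpriv.none", "/var/log/syslog"),
    ("*.=debug;auth,authpriv.none", "/var/log/07_debug.log"),
    ("*.=crit", "/var/log/02_crit.log"),
    ("*.err", "/var/log/03_err.log"),
    ("*.warn", "/var/log/04_warn.log"),
    ("*.emerg", "/var/log/01_crit.log"),
]

def severity_mask(selection, facility):
    """Bitmask of the severities that `selection` accepts for `facility`."""
    mask = 0
    for selector in filter(None, (s.strip() for s in selection.split(";"))):
        facilities, _, prio = selector.rpartition(".")
        if not {"*", facility} & set(facilities.split(",")):
            continue                       # selector does not name this facility
        negate = prio.startswith("!")
        prio = prio.lstrip("!")
        exact = prio.startswith("=")
        prio = prio.lstrip("=")
        if prio == "none":                 # facility.none: exclude the facility
            mask = 0
            continue
        if prio == "*":
            bits = 0xFF
        else:
            n = SEVERITIES.index(ALIASES.get(prio, prio))
            bits = 1 << n if exact else (1 << (n + 1)) - 1  # n only, or n and higher
        mask = mask & ~bits if negate else mask | bits
    return mask

def route(facility, severity):
    """Files that would receive a message with this facility and severity."""
    n = SEVERITIES.index(ALIASES.get(severity, severity))
    return [path for sel, path in RULES if severity_mask(sel, facility) >> n & 1]

if __name__ == "__main__":
    for fac, sev in [("daemon", "err"), ("authpriv", "crit"), ("auth", "debug")]:
        print(f"{fac}.{sev}:", route(fac, sev))
```

In this model `auth,authpriv.none` keeps authentication messages out of syslog and 07_debug.log only; an authpriv.crit message is still copied to the severity catch-all files, which matters when deciding who may read those files.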
Drop-in replacement for syslog. Uses traditional syslog.conf and acts like the original syslogd.
Used on raspberryPi and onion Omega .
Tools like phpLogCon can be used to view the log data.
local7.warning liblogging-stdlog: action 'action 7' suspended, next retry is Wed May 15 12:43:59 2019 [v8.24.0 try http://www.rs
To find out what
rsyslogd -N 1 | grep 'ACTION 7'
Try
rsyslogd -N 1 |more
DHCP option 7 specifies the syslog server.