rsyslogd

reliable and extended syslogd
Rocket Fast

rsyslogd [-c version] [-4] [-6] [-A] [-d] [-f config_file]
         [-i pid_file] [-l hostlist] [-n] [-N level]
         [-q] [-Q] [-s domainlist] [-u level] [-v] [-w] [-x]

This document, severely adapted by Dennis German, assumes an understanding of the various syslog utilities.
See the author's documentation at rsyslog.com/doc

Includes definition of output formats via templates, precise timestamps and writing to databases

Helpful for debugging conf:
rsyslogd -N 1 |more # incredibly verbose

rsyslogd -N 1 -d 2>~/0 | egrep "cnf:|ssigned|filter|ACTION|PRIFILT" |\
   egrep -v 'cnf:global:script|END'|more # stderr not helpful

sudo service rsyslog restart ; cd /var/log; tail -n30 -f 04_warn.log # restart and CHECK for errors

-N level Config check only (level 1). Output looks like:
rsyslogd: version 8.24.0, config validation run (level 1), master config /etc/rsyslog.conf
rsyslogd: End of config validation run. Bye.
-d Debug mode. Doesn't background, writes to stdout. Very verbose! See the sample under "Debug output" below.
-f config_file Default /etc/rsyslog.conf

Homebrew (macOS): /opt/homebrew/etc/rsyslog.conf

-n No backgrounding. Needed if started and controlled by init.
-4 listen to IPv4 addresses only.
-6 listen to IPv6 addresses only.
If neither -4 nor -6 is given, listens to all configured addresses
-i pid_file used if multiple instances are run
-l host [:host …] hostnames that are to be logged with simple hostname and not the FQDN.
-q add hostname if DNS fails during ACL processing (when hostnames are resolved to IP addresses).
If DNS initially fails, the hostname is added as wildcard text, which is slower.
-Q do not resolve hostnames to IPs during ACL processing.
-s domain[:domain] domainnames to be stripped.
-u level 1 prevents parsing hostnames and tags inside messages.
         2 prevents changing to the root directory. Almost never a good idea.
         3 both.
-v print version and compile-time features. On a Raspberry Pi, as of 3/18/18:
rsyslogd 8.24.0, compiled with:
    PLATFORM:               arm-unknown-linux-gnueabihf
    PLATFORM (lsb_release -d):      
    FEATURE_REGEXP:             Yes
    GSSAPI Kerberos 5 support:      Yes
    FEATURE_DEBUG (debug build, slow code): No
    32bit Atomic operations supported:  Yes
    64bit Atomic operations supported:  Yes
    memory allocator:           system default
    Runtime Instrumentation (slow code):    No
    uuid support:               Yes
    Number of Bits in RainerScript integers: 6

See http://www.rsyslog.com  
-w Suppress the warnings issued when messages are received from machines not in any AllowedSender list.
-x Disable DNS for remote messages.
-A Send UDP messages to all targets. May improve reliability, but causes message duplication.
   When sending UDP messages there are potentially multiple paths to the target destination.
   Default: only send to the first target it can successfully send to.
-c version Compatibility mode. Must be the first option.
   -c0 compatible with sysklogd (default).
   -c3 use the older v3 native interface.
   Warning messages are issued if -c3 is not given, and the compatibility-mode config file directives that have been generated are logged; they can be copied from the log file and pasted into the config.

SIGNALS

To restart if controlled by systemd: sudo systemctl restart rsyslog

To send a signal to rsyslogd directly, e.g. to enable debugging, use: sudo kill -USR1 $(cat /var/run/rsyslogd.pid)

HUP   Avoid! Use /etc/init.d/rsyslog restart instead.
      HUP processing is a STOP then a START:
      files are closed and reopened, TCP and other connections are torn down, and
      if queues are not running in disk-assisted mode or are not set to persist data on shutdown, data is lost.
      On start, the changed configuration files are read.
      An extremely expensive operation that should only be done when actually necessary.
TERM, INT   Well, it TERMinates!
USR1  Toggle debugging if started with -d.
CHLD  Wait for child processes, if any were created because of wall messages.

Files

/etc/rsyslog.conf Configuration. See filters at rsyslog.com

Selector extensions (over the classic syslog.conf): the priority none; comma-separated facilities with the same priority; multiple selectors separated by ;; the = priority prefix (only this priority, do not include higher priorities); the ! priority prefix (ignore this and higher priorities).

/dev/log Unix domain socket from which local syslog messages are read.
/var/run/rsyslogd.pid contains the process id.
prefix/lib/rsyslog Default directory for modules. prefix is specified during compilation (e.g. /usr/local).

ENVIRONMENT

$RSYSLOG_MODDIR   directory for modules.
$RSYSLOG_DEBUG    Controls runtime debugging. Contains an option string made up of:
    LogFuncFlow     output the logical flow of functions (entering and exiting).
    FileTrace       files to trace with LogFuncFlow. Defaults to all files.
                    May be specified multiple times, one file each, e.g.
                    export RSYSLOG_DEBUG="LogFuncFlow FileTrace=vm.c FileTrace=expr.c"
    PrintFuncDB     print the content of the debug function database whenever debug information is output (e.g. abort case)!
    PrintAllDebugInfoOnExit (not implemented!)
    PrintMutexAction  print mutex actions as they happen. Useful for finding deadlocks and such.
    NoLogTimeStamp  do not prefix log lines with a timestamp (the default does).
    NoStdOut        do not emit debug messages to stdout.
                    If $RSYSLOG_DEBUGLOG is not set, this means no debug messages are displayed at all.
$RSYSLOG_DEBUGLOG writes debug messages to the named log file in addition to stdout.

Help Display a very short list of commands

Supports local and remote message logging.


rsyslogd.conf

rules

selection action
selection ::= selector[;selector …]
selector  ::= facility[,facility …].[!][=]priority

Messages of the specified priority and higher are logged according to the given action,
unless the priority is preceded by =, meaning only this priority.

Preceding the priority with ! ignores this and higher priorities.

Destination file or host
  • [-][?][.]filename[;template]

    - suppresses sync on each message, reducing I/O load (should be on most files other than emerg and alert).

    ? specifies a dynamic filename based on the message (see rsyslog.com).

    filename should be a complete path unless preceded by a ., which references files relative to the current directory.
    Files will be created if necessary.

  • @host[;template]
    @ precedes a host (syslog server) to which messages are forwarded via UDP (an unreliable protocol), or
    @@ to use TCP with 1 retry after 30 seconds.
    An example of the newer action specification:
    action(name="warn_fwd" type="omfwd" target="syslog@dynamic.dns.org"
                        protocol="tcp"
                        action.resumeRetryCount="100"
                        queue.type="linkedList" )


template: a definition of the format of the log message, defined previously in this config, or one of the reserved names like RSYSLOG_TraditionalFileFormat, RSYSLOG_FileFormat, …

/opt/homebrew/etc/rsyslog.conf

# Minimal config file for RECeiving logs over UDP port 10514
$ModLoad imudp
$UDPServerRun 10514
*.* /usr/local/var/log/rsyslog-remote.log

facility: cron, ftp, lpr, kern, mail, news, syslog, uucp, daemon, user, local0 … local7,
          auth, authpriv (for security information of a sensitive nature),
          * (i.e. all)
priority: emerg(0), alert(1), crit(2), err(3), warning(4), notice(5), info(6), debug(7),
          none,
          * (i.e. all)
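An added example (written for this page, not rsyslog's own code) that evaluates the selector syntax above, including ;-joined selectors, the = and ! prefixes, none and *, against a facility/priority pair. It assumes sysklogd's priority-mask semantics, where later selectors add to or remove from what earlier ones selected, which is how the catch-all rules in the config later on this page read.

```python
# Added example: evaluate classic rsyslog.conf selectors of the form
# facility[,facility].[!][=]priority joined by ';' against one message.
# Later selectors add to or remove from what earlier ones selected, as in
# sysklogd (assumed to match rsyslog's legacy selector handling).
FACILITIES = (["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
               "uucp", "cron", "authpriv", "ftp"] + [f"local{i}" for i in range(8)])
PRIORITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
ALIASES = {"warn": "warning", "error": "err", "panic": "emerg"}   # sysklogd spellings

def prio_num(name):
    """Numeric priority, emerg=0 .. debug=7 (lower number = more severe)."""
    return PRIORITIES.index(ALIASES.get(name, name))

def parse_selection(selection):
    """Map each facility to the set of priority numbers the selection routes."""
    allowed = {fac: set() for fac in FACILITIES}
    for sel in selection.split(";"):
        sel = sel.strip()
        if not sel:                      # tolerate a trailing ';' as in 'cron,daemon.none;'
            continue
        fac_part, prio_part = sel.rsplit(".", 1)
        facs = FACILITIES if fac_part == "*" else fac_part.split(",")
        ignore = prio_part.startswith("!")        # '!' : ignore this priority and higher
        prio_part = prio_part.lstrip("!")
        only = prio_part.startswith("=")          # '=' : only this priority
        prio_part = prio_part.lstrip("=")
        if prio_part == "none":                   # nothing at all from these facilities
            levels = set()
        elif prio_part == "*":
            levels = set(range(8))
        elif only:
            levels = {prio_num(prio_part)}
        else:                                     # this priority and every more severe one
            levels = set(range(prio_num(prio_part) + 1))
        for fac in facs:
            if prio_part == "none":
                allowed[fac] = set()
            elif ignore:
                allowed[fac] -= levels
            else:
                allowed[fac] |= levels
    return allowed

def matches(selection, facility, priority):
    """True if a message with this facility and priority is passed to the rule's action."""
    return prio_num(priority) in parse_selection(selection)[facility]

if __name__ == "__main__":
    # The catch-all rule from the config on this page: everything except auth/authpriv.
    print(matches("*.*;auth,authpriv.none", "daemon", "debug"))   # True
    print(matches("*.*;auth,authpriv.none", "auth", "emerg"))     # False
```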

Templates

Define the format of the log records.

list:: constant(value="vvv") property(name="pr") …

string:: string="specification …"

template(name="tpl3" type="string" string="%TIMESTAMP:::date-rfc3339% %HOSTNAME% %syslogtag%%msg:::sp-if-no-1st-sp%%msg:::drop-last-lf%\n" )

properties

property replacer

%property%                          the whole property
%property:i:j:options%              optional range; i and j are origin 1, j can be $ to specify the end.
%property:R:regex--end:options%     regular expression, e.g. "%msg:R:.*Sev:. \(.*\) \[.*--end%"  [BRE|ERE]
%property:F[,delimiter[+]][,i]:n[,j]:options%   field: delimiter in decimal, default TAB.
        Examples: space:32 or comma:44 or semicolon:59
        + multiple occurrences of the delimiter are treated as one. Useful when parsing space filled fields.
        n    field number; origin 1.
        i,j  the ith through the jth position.

Example: comma separated values, the 4th field:
 %msg:F,44:4%

Options

json             encode the value so that it can be used inside a JSON field, e.g. a LineFeed is replaced by \n.
                 Cannot be used with jsonf or csv.
jsonf[:outname]  express the value as a JSON field "fieldname"="value", where fieldname is given in the outname property (or the property name if none was assigned) and value is the end result of the property replacer operation. value supports all property replacer options, like substrings, case conversion, etc. Values are properly JSON-escaped, field names are not.
                 Cannot be used together with either json or csv. See Rainer's article.
csv              Comma Separated Values as specified in RFC 4180, in quotes. Example:
                 $template csvline,"%syslogtag:::csv%,%msg:::csv%"    you provide the commas between the fields
uppercase
lowercase
fixed-width      pads the source with spaces up to the value of j.
drop-last-lf     the trailing LF is dropped. Useful for PIX.
date-            date format options:
  -utc
  -mysql
  -rfc3164
  -rfc3164-buggyday  use a zero-filled 2-digit day. Avoid when forwarding to remote hosts.
  -rfc3339           ccyy-mm-ddTHH:MM:SS
  -unixtimestamp     seconds since the epoch
  -year              ccyy
  -month             mm
  -day               dd
  -hour              HH (00..23)
  -minute            MM
  -second            SS
  -subseconds        mmmmmm  milliseconds (0 for a low precision timestamp)
  -tzoffshour        zH  time-zone offset hours
  -tzoffsmin         zM
  -tzoffsdirection   + | -
  -ordinal           returns the ordinal for the given day, e.g. it is 2 for January 2nd
  -week              returns the week number
  -wday              w  weekday 0=Sunday, 1=Monday .. 6=Saturday
  -wdayname          abbreviated English name of the weekday (e.g. Mon, Sat)
escape-cc        Replace control characters (ASCII values less than x'20', and x'7F') with an escape sequence.
                 The sequence is #charval where charval is the 3-digit decimal value of the control character.
                 For example, TAB would be replaced by #009.
                 Requires $EscapeControlCharactersOnReceive off.
space-cc         Replace control characters by spaces. Requires $EscapeControlCharactersOnReceive off.
drop-cc          Drop control characters. Requires $EscapeControlCharactersOnReceive off.
compressspace    compresses multiple spaces to one, after substring extraction.
sp-if-no-1st-sp  A space if and only if the first character of the field is NOT a space.
                 RFC 3164 specifies no delimiter between the tag and the message text, but most implementations delimit them by a space, and some log parsers cannot determine what is the tag and what the message. The default template therefore contains a conditional space, which exists only if the message does not start with one.
secpath-drop     Drops slashes (e.g. a/b becomes ab). Useful for secure pathname generation (with dynafiles).
secpath-replace  Replace slash by underscore (e.g. a/b becomes a_b). Useful for secure pathname generation (with dynafiles).
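An added example, written for this page rather than taken from rsyslog, that models the property replacer syntax above (substring ranges, $, field mode with a decimal delimiter and +) and a subset of the options just listed, enough to expand the tpl3 template from the Templates section against a constructed message. It assumes that several options are joined by commas; the option names and their semantics are the ones described on this page.

```python
import re
from datetime import datetime, timezone

# Placeholder forms from this page: %prop%, %prop:i:j%, %prop:F,delim:n% and %prop:::options%
PLACEHOLDER = re.compile(r"%([A-Za-z0-9_-]+)(?::([^:%]*):([^:%]*)(?::([^%]*))?)?%")

def extract(value, frm, to):
    """Substring (origin 1, '$' = end) or field extraction (F[,delimiter[+]]:n)."""
    if not frm:
        return value                                   # plain %prop%
    if frm.startswith("F"):
        spec = frm[1:].lstrip(",") or "9"              # delimiter in decimal, default TAB (9)
        fields = value.split(chr(int(spec.rstrip("+"))))
        if spec.endswith("+"):                         # '+' merges runs of the delimiter
            fields = [f for f in fields if f]
        n = int(to)
        return fields[n - 1] if 0 < n <= len(fields) else ""
    end = len(value) if to == "$" else int(to)
    return value[int(frm) - 1:end]

def apply_options(value, options):
    """Apply the options implemented here, in order (comma separation is an assumption)."""
    for opt in filter(None, options.split(",")):
        if opt == "uppercase":
            value = value.upper()
        elif opt == "drop-last-lf":
            value = value[:-1] if value.endswith("\n") else value
        elif opt == "sp-if-no-1st-sp":                 # emits a space, never the value itself
            value = "" if value.startswith(" ") else " "
        elif opt == "escape-cc":                       # control chars -> #ddd, e.g. TAB -> #009
            value = "".join(f"#{ord(c):03d}" if ord(c) < 0x20 or ord(c) == 0x7F else c for c in value)
        elif opt == "compressspace":
            value = re.sub(r" {2,}", " ", value)
        elif opt in ("secpath-drop", "secpath-replace"):
            value = value.replace("/", "" if opt == "secpath-drop" else "_")
        elif opt == "date-rfc3339":                    # value is a datetime here
            value = value.isoformat()
        else:
            raise ValueError(f"option {opt!r} is not implemented in this example")
    return str(value)

def render(template, props):
    """Expand every %...% placeholder of a string-type template against message properties."""
    def expand(m):
        name, frm, to, opts = (g or "" for g in m.groups())
        return apply_options(extract(props[name], frm, to), opts)
    return PLACEHOLDER.sub(expand, template)

# Constructed sample message (not real log data) carrying the properties tpl3 uses.
SAMPLE = {"TIMESTAMP": datetime(2019, 5, 15, 12, 43, 59, tzinfo=timezone.utc),
          "HOSTNAME": "raspberrypi", "syslogtag": "sshd[1234]:",
          "msg": "a,b,c,Accepted publickey\tfor pi\n"}   # no leading space, trailing LF
TPL3 = "%TIMESTAMP:::date-rfc3339% %HOSTNAME% %syslogtag%%msg:::sp-if-no-1st-sp%%msg:::drop-last-lf%\n"
```

render(TPL3, SAMPLE) yields one tpl3-formatted line; render("%msg:F,44:4%", SAMPLE) yields the 4th comma separated field of the message.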

Properties

priority Numeric:PRI| syslogfacility | syslogpriority
Text: pri-text.
Example:
$template TraditionalFormatWithPRI,"%pri-text%: %timegenerated% %HOSTNAME% %syslogtag%%msg:::drop-last-lf%\n"

Message string Matching

Includes very flexible message matching. One use is to stop processing when a message containing a particular string is encountered:
:msg, contains, "SHOW+RETENTION+POLICIES" stop

Configuration Directives

$PrivDropToUser Name
$PrivDropToGroup Name

Drop privileges by impersonating another user and/or group after startup.
rsyslogd needs to start as root if a listener binds to a network port below 1024;
for example, the UDP listener needs port 514.
Use $PrivDropToGroup and $PrivDropToUser to specify a group and/or user to drop to after initialization.
omfile config directives: $omfileForceChown, $DirGroup, $DirOwner, $FileCreateMode, $FileGroup, $FileOwner, $DynaFileCacheSize
$RepeatedMsgReduction default is off (not recommended)
$RepeatedMsgContainsOriginalMsg
$ActionResumeInterval
$ActionExecOnlyWhenPreviousIsSuspended


Started on the Raspberry Pi via /etc/init.d/rsyslog

See also

./doc subdirectory From: rsyslog.com

Regarding memory usage:
On the Raspberry Pi, top reports VIRT: 27,968; RES: 1536; SHR: 1096

Debug output

 rsyslogd 5.8.11 startup, compatibility mode 0, module path '', cwd:/var/log
 caller requested object 'net', not found (iRet -3003)
 Requested to load module 'lmnet'
 loading module '/usr/lib/rsyslog/lmnet.so'
 module of type 2 being loaded.
 entry point 'isCompatibleWithFeature' not present in module
 source file conf.c requested reference for module 'lmnet', reference count now 1
 rsyslog runtime initialized, version 5.8.11, current users 1
 source file syslogd.c requested reference for module 'lmnet', reference count now 2

 GenerateLocalHostName uses 'raspberrypi'

 omfile: using transactional output interface.

 module of type 1 being loaded.
 module of type 1 being loaded.
 entry point 'beginTransaction' not present in module
 entry point 'endTransaction' not present in module
 source file omfwd.c requested reference for module 'lmnet', reference count now 3

 module of type 1 being loaded.
 entry point 'doHUP' not present in module
 entry point 'beginTransaction' not present in module
 entry point 'endTransaction' not present in module

: module of type 1 being loaded.
: entry point 'doHUP' not present in module
: entry point 'beginTransaction' not present in module
: entry point 'endTransaction' not present in module

: module of type 1 being loaded.
: entry point 'doHUP' not present in module
: entry point 'beginTransaction' not present in module
: entry point 'endTransaction' not present in module

: module of type 1 being loaded.
: entry point 'doHUP' not present in module
: entry point 'beginTransaction' not present in module
: entry point 'endTransaction' not present in module
: rfc5424 parser init called
: GetParserName addr 0x19ff4
: module of type 3 being loaded.
: Parser 'rsyslog.rfc5424' added to list of available parsers.
: rfc3164 parser init called
: module of type 3 being loaded.
: Parser 'rsyslog.rfc3164' added to list of available parsers.
: Parser 'rsyslog.rfc5424' added to default parser set.
: Parser 'rsyslog.rfc3164' added to default parser set.
: rsyslog standard file format strgen init called, compiled with version 5.8.11
: module of type 4 being loaded.
: entry point 'isCompatibleWithFeature' not present in module
: Strgen 'RSYSLOG_FileFormat' added to list of available strgens.
: traditional file format strgen init called, compiled with version 5.8.11
: module of type 4 being loaded.
: entry point 'isCompatibleWithFeature' not present in module
: Strgen 'RSYSLOG_TraditionalFileFormat' added to list of available strgens.
: rsyslog standard (network) forward format strgen init called, compiled with version 5.8.11
: module of type 4 being loaded.
: entry point 'isCompatibleWithFeature' not present in module
: Strgen 'RSYSLOG_ForwardFormat' added to list of available strgens.
: rsyslog traditional (network) forward format strgen init called, compiled with version 5.8.11
: module of type 4 being loaded.
: entry point 'isCompatibleWithFeature' not present in module
: Strgen 'RSYSLOG_TraditionalForwardFormat' added to list of available strgens.
: Called LogError, msg: WARNING: rsyslogd is running in compatibility mode. Automatically generated config directives may interfer with your rsyslog.conf settings. We suggest upgrading your config and adding -c5 as the first rsyslogd option.
: Checking pidfile.
: Writing pidfile /var/run/rsyslogd.pid.
Can't open or create /var/run/rsyslogd.pid.
Can't write pid.

10/29/22 From dapi2:
 rsyslogd -N 1 -d 2>~/0 |cut -d':' -f 4-   |grep imudp
    name: 'load', value 'imudp'
 load:  'imudp'
 Requested to load module 'imudp'
 loading module '/usr/lib/arm-linux-gnueabihf/rsyslog/imudp.so'
 source file imudp.c requested reference for module 'lmnet', reference count now 4
 imudp: version 8.1901.0 initializing
 module imudp of type 0 being loaded (keepType=0).
 module config name is 'imudp'
 module imudp supports rsyslog v6 config interface
 module (global) param blk for imudp:
    name: 'type', value 'imudp'
 type:  'imudp'
 newInpInst (imudp)
 input param blk in imudp:
 beginCnfLoad(0xb6ac1008) for module 'imudp'
 calling endCnfLoad() for module 'imudp'
 module imudp tells us config can be activated

#  /etc/rsyslog.conf    Configuration file for rsyslog.
# 1/27/13 DGG
$ModLoad imklog   # provides kernel logging support
#$ModLoad immark  # provides --MARK-- message capability  default: 1200 seconds (i.e. 20minutes) to 

# provides UDP syslog reception    DGG enabled
$ModLoad imudp
$UDPServerRun 514

# provides TCP syslog reception   DGG enabled
$ModLoad imtcp
$InputTCPServerRun 514

#### RULES :
# First some standard log files.  Log by facility.
auth,authpriv.*         /var/log/auth.log
*.*;auth,authpriv.none         -/var/log/syslog
#cron.*             /var/log/cron.log
daemon.*               -/var/log/daemon.log
kern.*                 -/var/log/kern.log
mail.*;news.*;lpr.*        -/var/log/unused.log
user.*                 -/var/log/user.log
dhclient.info           -/var/dhcpclient.log

# Some "catch-all" log files.
*.=debug;auth,authpriv.none     -/var/log/07_debug.log
*.=crit             -/var/log/02_crit.log
*.err               -/var/log/03_err.log
*.warn              -/var/log/04_warn.log
*.notice            -/var/log/05_notice.log
*.info              -/var/log/06_info.log
*.info              -/var/log/06_info.log2
*.emerg                         -/var/log/01_crit.log
cron,daemon.none;       -/var/log/messages

# Emergencies are sent to everybody logged in.
*.emerg             :omusrmsg:*

# place spool and state files
$WorkDirectory /var/spool/rsyslog

# Include all config files in /etc/rsyslog.d/ DGG: There aren't any
$IncludeConfig /etc/rsyslog.d/*.conf

#### GLOBAL DIRECTIVES :  Set the default permissions for all log files.
$FileOwner root
$FileGroup adm
$FileCreateMode 0640
$DirCreateMode 0755
$Umask 0022

# The named pipe /dev/xconsole is for the `xconsole' utility.
# To use it, invoke `xconsole' with the `-file' option:
#
#    $ xconsole -file /dev/xconsole [...]
#
# NOTE: adjust the list below, or you'll go crazy if you have a reasonably   busy site..
daemon.*;*.=debug;*.=info;*.=notice;*.=warn |/dev/xconsole 

Drop-in replacement for syslog. Uses the traditional syslog.conf and acts like the original syslogd.
Used on the Raspberry Pi and the Onion Omega.

Tools like phpLogCon can be used to view the log data.

errors

From rsyslog:
local7.warning liblogging-stdlog: action 'action 7' suspended, next retry is Wed May 15 12:43:59 2019 [v8.24.0 try http://www.rs
To find out which action 'action 7' is, use:
rsyslogd -N 1  | grep 'ACTION 7'
or try rsyslogd -N 1 |more

DHCP option 7 specifies the syslog server.