[packages/rsyslog.git] / rsyslog.conf

#rsyslog v5 config file

# if you experience problems, check
# http://www.rsyslog.com/troubleshoot for assistance

#### MODULES ####

$ModLoad imuxsock.so	# provides support for local system logging (e.g. via logger command)
$ModLoad imklog.so	# provides kernel logging support (previously done by rklogd)
#$ModLoad immark.so	# provides --MARK-- message capability

# Provides UDP syslog reception
#$ModLoad imudp.so
#$UDPServerRun 514

# Provides TCP syslog reception
#$ModLoad imtcp.so  
#$InputTCPServerRun 514


# ### GLOBAL DIRECTIVES ####

#
# Use traditional timestamp format.
# To enable high precision timestamps, comment out the following line.
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

# File syncing capability is disabled by default. This feature is usually not required, 
# not useful and an extreme performance hit.
# Without that dash doesn't work.
#$ActionFileEnableSync on

#
# Set the default permissions for all log files.
#
$FileOwner root
$FileGroup logs
$FileCreateMode 0640
$DirCreateMode 0750


# ### RULES ####

# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.*							/dev/console

# The authpriv file has restricted access.
authpriv.*						/var/log/secure

# Log all the mail messages in one place.
mail.*							-/var/log/maillog

# Log cron stuff
cron.*							/var/log/cron

# Everybody gets emergency messages
*.emerg							*

# Save news errors of level crit and higher in a special file.
uucp,news.crit						/var/log/spooler

# Save boot messages also to boot.log
local7.*						/var/log/boot.log

#
# Some "catch-all" log files.
#
*.=debug;\
	auth,authpriv.none;\
	news.none;mail.none				-/var/log/debug
*.=info;*.=notice;*.=warn;\
	auth,authpriv.none;\
	cron,daemon.none;\
	mail,news.none					-/var/log/messages

# ### Additional - from wiki ###
# A basic template mostly from the docs, but I wanted to know what system forwarded the                                                                               
# messages so I added some text. Also I added the ":::space" to handle the windows                                                                                    
# events (based on the other suggestions in the wiki)                                                                                                                 
#                                                                                                                                                                     
# $template SyslFormat,"%timegenerated% [WJCG]-%HOSTNAME% %syslogtag%%msg:::space$

# this is for Windows events from SNARE                                                                                                                               
#                                                                                                                                                                     
# $EscapeControlCharactersOnReceive off

# ### misc
#
# reduce any duplicates                                                                                                                                               
#                                                                                                                                                                     
# $RepeatedMsgReduction on
# $OptimizeForUniprocessor on


# ### Begin forwarding rule ###
# The statement between the begin ... end define a SINGLE forwarding
# rule. They belong together, do NOT split them. If you create multiple
# forwarding rules, duplicate the whole block!
# Remote Logging (we use TCP for reliable delivery)
#
# An on-disk queue is created for this action. If the remote host is
# down, messages are spooled to disk and sent when it is up again.
#$WorkDirectory /var/spppl/rsyslog # where to place spool files
#$ActionQueueFileName fwdRule1 # unique name prefix for spool files
#$ActionQueueMaxDiskSpace 1g   # 1gb space limit (use as much as possible)
#$ActionQueueSaveOnShutdown on # save messages to disk on shutdown
#$ActionQueueType LinkedList   # run asynchronously
#$ActionResumeRetryCount -1    # infinite retries if host is down
# remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional
#*.* @@remote-host:514


# ### For central logs server use an example: host/year/month/day/facility ###
#
#$template DailyPerHostLogs,"/var/log/remote/%HOSTNAME%/%$YEAR%/%$MONTH%/%$DAY%/%syslogfacility-text%"                                                                #*.* -?DailyPerHostLogs
Commit	Line	Data
266a992d	1	#rsyslog v5 config file
ec96f36f AZ	2
	3	# if you experience problems, check
	4	# http://www.rsyslog.com/troubleshoot for assistance
	5
	6	#### MODULES ####
	7
	8	$ModLoad imuxsock.so # provides support for local system logging (e.g. via logger command)
	9	$ModLoad imklog.so # provides kernel logging support (previously done by rklogd)
	10	#$ModLoad immark.so # provides --MARK-- message capability
	11
	12	# Provides UDP syslog reception
	13	#$ModLoad imudp.so
	14	#$UDPServerRun 514
	15
	16	# Provides TCP syslog reception
d2b53787	17	#$ModLoad imtcp.so
ec96f36f AZ	18	#$InputTCPServerRun 514
ec96f36f AZ	19
d2b53787	20
ec96f36f AZ	21	# ### GLOBAL DIRECTIVES ####
	22
	23	#
	24	# Use traditional timestamp format.
	25	# To enable high precision timestamps, comment out the following line.
	26	$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
	27
	28	# File syncing capability is disabled by default. This feature is usually not required,
	29	# not useful and an extreme performance hit.
	30	# Without that dash doesn't work.
	31	#$ActionFileEnableSync on
	32
	33	#
	34	# Set the default permissions for all log files.
	35	#
	36	$FileOwner root
	37	$FileGroup logs
	38	$FileCreateMode 0640
	39	$DirCreateMode 0750
	40
	41
	42	# ### RULES ####
d2b53787 SP	43
	44	# Log all kernel messages to the console.
	45	# Logging much else clutters up the screen.
ec96f36f	46	#kern.* /dev/console
d2b53787 SP	47
d2b53787 SP	48	# The authpriv file has restricted access.
ec96f36f	49	authpriv.* /var/log/secure
d2b53787 SP	50
d2b53787 SP	51	# Log all the mail messages in one place.
ec96f36f	52	mail.* -/var/log/maillog
d2b53787 SP	53
d2b53787 SP	54	# Log cron stuff
ec96f36f	55	cron.* /var/log/cron
d2b53787 SP	56
d2b53787 SP	57	# Everybody gets emergency messages
ec96f36f	58	.emerg
d2b53787 SP	59
d2b53787 SP	60	# Save news errors of level crit and higher in a special file.
ec96f36f	61	uucp,news.crit /var/log/spooler
d2b53787 SP	62
d2b53787 SP	63	# Save boot messages also to boot.log
ec96f36f AZ	64	local7.* /var/log/boot.log
	65
	66	#
	67	# Some "catch-all" log files.
	68	#
	69	*.=debug;\
	70	auth,authpriv.none;\
	71	news.none;mail.none -/var/log/debug
	72	.=info;.=notice;*.=warn;\
	73	auth,authpriv.none;\
	74	cron,daemon.none;\
	75	mail,news.none -/var/log/messages
	76
	77	# ### Additional - from wiki ###
	78	# A basic template mostly from the docs, but I wanted to know what system forwarded the
	79	# messages so I added some text. Also I added the ":::space" to handle the windows
	80	# events (based on the other suggestions in the wiki)
	81	#
	82	# $template SyslFormat,"%timegenerated% [WJCG]-%HOSTNAME% %syslogtag%%msg:::space$
	83
	84	# this is for Windows events from SNARE
	85	#
	86	# $EscapeControlCharactersOnReceive off
	87
	88	# ### misc
	89	#
	90	# reduce any duplicates
	91	#
	92	# $RepeatedMsgReduction on
	93	# $OptimizeForUniprocessor on
	94
	95
	96
	97	# ### Begin forwarding rule ###
	98	# The statement between the begin ... end define a SINGLE forwarding
	99	# rule. They belong together, do NOT split them. If you create multiple
	100	# forwarding rules, duplicate the whole block!
	101	# Remote Logging (we use TCP for reliable delivery)
	102	#
	103	# An on-disk queue is created for this action. If the remote host is
	104	# down, messages are spooled to disk and sent when it is up again.
	105	#$WorkDirectory /var/spppl/rsyslog # where to place spool files
	106	#$ActionQueueFileName fwdRule1 # unique name prefix for spool files
	107	#$ActionQueueMaxDiskSpace 1g # 1gb space limit (use as much as possible)
	108	#$ActionQueueSaveOnShutdown on # save messages to disk on shutdown
	109	#$ActionQueueType LinkedList # run asynchronously
	110	#$ActionResumeRetryCount -1 # infinite retries if host is down
	111	# remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional
	112	#. @@remote-host:514
	113
	114
	115
	116	# ### For central logs server use an example: host/year/month/day/facility ###
	117	#
	118	#$template DailyPerHostLogs,"/var/log/remote/%HOSTNAME%/%$YEAR%/%$MONTH%/%$DAY%/%syslogfacility-text%" #. -?DailyPerHostLogs
	119