Provided by: rsyslog_5.8.6-1ubuntu8_i386


       rsyslogd - reliable and extended syslogd


       rsyslogd [ -4 ] [ -6 ] [ -A ] [ -d ] [ -f config file ]
       [ -i pid file ] [ -l hostlist ] [ -n ] [ -N level ]
       [ -q ] [ -Q ] [ -s domainlist ] [ -u userlevel ] [ -v ] [ -w ] [ -x ]


       Rsyslogd  is  a  system  utility providing support for message logging.
       Support of both internet and unix domain sockets enables  this  utility
       to support both local and remote logging.

       Note that this version of rsyslog ships with extensive documentation in
       html format.  This is provided in the ./doc subdirectory  and  probably
       in  a separate package if you installed rsyslog via a packaging system.
       To use rsyslog's advanced features,  you  need  to  look  at  the  html
       documentation,  because  the  man  pages  only  cover  basic aspects of
       operation.   For  details   and   configuration   examples,   see   the
       rsyslog.conf   (5)   man   page   and   the   online  documentation  at

       Rsyslogd(8) is derived from the  sysklogd  package  which  in  turn  is
       derived from the stock BSD sources.

       Rsyslogd  provides  a  kind  of  logging that many modern programs use.
       Every logged message contains at least a time  and  a  hostname  field,
       normally a program name field, too, but that depends on how trustworthy the
       logging program is. The rsyslog package  supports  free  definition  of
       output  formats  via templates. It also supports precise timestamps and
       writing directly to databases. If the database option  is  used,  tools
       like phpLogCon can be used to view the log data.

       While the rsyslogd sources have been heavily modified, a couple of notes
       are in order.  First of all, there has been a systematic attempt to
       ensure  that  rsyslogd  follows  its default, standard BSD behavior. Of
       course, some configuration file  changes  are  necessary  in  order  to
       support  the template system. However, rsyslogd should be able to use a
       standard syslog.conf and act like the  original  syslogd.  However,  an
       original  syslogd  will  not  work  correctly  with  a rsyslog-enhanced
       configuration file. At best, it will generate funny looking file names.
       The  second  important concept to note is that this version of rsyslogd
       interacts transparently  with  the  version  of  syslog  found  in  the
       standard  libraries.   If  a  binary  linked  to  the  standard  shared
       libraries fails to function correctly we would like an example  of  the
       anomalous behavior.

       The  main  configuration file /etc/rsyslog.conf or an alternative file,
       given with the -f option, is read at startup.   Any  lines  that  begin
       with  the  hash  mark (``#'') and empty lines are ignored.  If an error
       occurs during parsing, the element in error is ignored and rsyslogd
       tries to parse the rest of the line.


       Note that in version 3 of rsyslog a number of command line options have
       been deprecated and replaced with config file directives. The -c option
       controls the backward compatibility mode in use.

       -A     When  sending UDP messages, there are potentially multiple paths
              to the target destination. By default, rsyslogd  only  sends  to
              the  first  target  it can successfully send to. If -A is given,
              messages are sent to all targets. This may improve  reliability,
              but  may  also  cause message duplication. This option should be
              enabled only if it is fully understood.

       -4     Causes rsyslogd to listen to IPv4 addresses only.  If neither -4
              nor -6 is given, rsyslogd listens to all configured addresses of
              the system.

       -6     Causes rsyslogd to listen to IPv6 addresses only.  If neither -4
              nor -6 is given, rsyslogd listens to all configured addresses of
              the system.

       -c version
              Selects the desired backward compatibility mode. It must  always
              be  the  first  option  on  the  command  line, as it influences
              processing of the other options. To use the  rsyslog  v3  native
              interface, specify -c3. To use compatibility mode, either do
              not use -c at all or use -c<version> where version is the
              rsyslog version that it shall be compatible with. Using -c0
              tells rsyslog to be command-line compatible with sysklogd, which
              is the default if -c is not given. Please note that rsyslogd
              issues warning messages if the -c3 command line option is not
              given. This is to alert you that you are running in
              compatibility mode. Compatibility mode interferes with your
              rsyslog.conf commands and may cause some undesired side-effects.
              It is meant to be used with a plain old rsyslog.conf  -  if  you
              use  new features, things become messy. So the best advice is to
              work through this document, convert your options and config file
              and then use rsyslog in native mode. In order to aid you in this
              process,  rsyslog  logs  every  compatibility-mode  config  file
              directive  it  has  generated.  So you can simply copy them from
              your logfile and paste them to the config.

       -d     Turns on debug mode. With this option the daemon does not
              fork(2) to put itself in the background; instead it stays in
              the foreground and writes much debug information to the
              current tty.  See the DEBUGGING section for more information.

       -f config file
              Specify   an   alternative   configuration   file   instead   of
              /etc/rsyslog.conf, which is the default.

       -i pid file
              Specify an alternative pid file  instead  of  the  default  one.
              This  option  must  be  used  if  multiple instances of rsyslogd
              should run on a single machine.

       -l hostlist
              Specify a hostname that should be logged only  with  its  simple
              hostname  and  not  the  fqdn.   Multiple hosts may be specified
              using the colon (``:'') separator.

       -n     Avoid auto-backgrounding. This is needed especially if
              rsyslogd is started and controlled by init(8).

       -N  level
              Do  a  coNfig  check.  Do  NOT  run  in regular mode, just check
              configuration file correctness.  This option is meant to  verify
              a   config  file.  To  do  so,  run  rsyslogd  interactively  in
              foreground, specifying -f <config-file> and -N level.  The level
              argument  modifies  behaviour.  Currently,  0 is the same as not
              specifying the -N option at all (so this  makes  limited  sense)
              and  1  actually  activates  the code. Later, higher levels will
              mean more verbosity (this is  a  forward-compatibility  option).

       -q add hostname if DNS fails during ACL processing
              During  ACL  processing,  hostnames are resolved to IP addresses
              for performance reasons. If DNS fails during that  process,  the
              hostname is added as wildcard text, which results in proper, but
              somewhat slower operation once DNS is up again.

       -Q do not resolve hostnames during ACL processing
              Do not resolve hostnames to IP addresses during ACL processing.

       -s domainlist
              Specify a domainname that should be stripped off before logging.
              Multiple  domains  may  be  specified  using  the  colon (``:'')
              separator.   Please  be  advised  that  no  sub-domains  may  be
              specified  but  only entire domains.  For example if -s
              is   specified   and    the    host    logging    resolves    to
      no domain would be cut, you will have to
              specify two domains like: -s

       -u userlevel
              This is a "catch all" option for some very seldom-used user
              settings.  The "userlevel" variable selects multiple things. Add
              the specific values to get the combined effect of them.  A value
              of  1  prevents  rsyslogd from parsing hostnames and tags inside
              messages.  A value of 2 prevents rsyslogd from changing  to  the
              root  directory.  This is almost never a good idea in production
              use. This option was  introduced  in  support  of  the  internal
              testbed.   To  combine  these two features, use a userlevel of 3
              (1+2). Whenever you use an  -u  option,  make  sure  you  really
              understand what you do and why you do it.

       -v     Print version and exit.

       -w     Suppress  warnings  issued  when messages are received from non-
              authorized machines (those that are in no AllowedSender list).

       -x     Disable DNS for remote messages.
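
       The -N config check described above can gate a configuration change,
       so that a file with errors never replaces the one the daemon reads.
       This is an added example, not part of the original man page or the
       rsyslog project; the function name install_checked_conf is
       hypothetical, and it assumes rsyslogd exits non-zero when the check
       finds an error.

```shell
#!/bin/sh
# Added example (not from the rsyslog project): install a new rsyslog.conf
# only after rsyslogd's own config check accepts it.
# Assumption: rsyslogd exits non-zero when the -N check finds an error.

# install_checked_conf CANDIDATE [LIVE]
#   returns 0 = installed, 1 = rejected by the check, 2 = usage/IO problem
install_checked_conf() {
    candidate=$1
    live=${2:-/etc/rsyslog.conf}

    [ -r "$candidate" ] || { echo "cannot read: $candidate" >&2; return 2; }

    # -f selects the candidate file; -N1 checks it without running in
    # regular mode, so the running daemon is not touched by the check.
    if ! report=$(rsyslogd -f "$candidate" -N1 2>&1); then
        printf 'config check failed, %s left unchanged:\n%s\n' \
            "$live" "$report" >&2
        return 1
    fi

    # Copy next to the live file, then rename. The rename is atomic on one
    # filesystem, so a starting rsyslogd never reads a half-written file.
    tmp="$live.new.$$"
    cp "$candidate" "$tmp" || { rm -f "$tmp"; return 2; }
    mv "$tmp" "$live" || { rm -f "$tmp"; return 2; }
}
```

       The function only replaces the file; activating it still needs a
       restart of the daemon.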


       Rsyslogd reacts to a set of signals.  You may easily send a  signal  to
       rsyslogd using the following:

              kill -SIGNAL $(cat /var/run/

       Note  that  -SIGNAL  must  be  replaced  with the actual signal you are
       trying to send, e.g. with HUP. So it then becomes:

              kill -HUP $(cat /var/run/

       HUP    This causes rsyslogd to close all open files.  Also, in v3  a
              full restart will be done in order to read changed configuration
              files.  Note that this means a full rsyslogd  restart  is  done.
              This  has,  among  others,  the  consequence  that TCP and other
              connections are torn down. Also, if any queues are  not  running
              in  disk  assisted  mode  or  are  not  set  to  persist data on
              shutdown, queue data is lost. HUPing rsyslogd  is  an  extremely
              expensive  operation  and  should  only  be  done  when actually
              necessary. Actually, it is an rsyslogd stop immediately followed
              by   a   restart.  Future  versions  will  remove  this  restart
              functionality of HUP (it will go away in v5). So it  is  advised
              to  use  HUP  only for closing files, and a "real restart" (e.g.
              /etc/rc.d/rsyslogd restart) to activate configuration changes.

       TERM ,  INT ,  QUIT
              Rsyslogd will die.

       USR1   Switch debugging on/off.   This  option  can  only  be  used  if
              rsyslogd is started with the -d debug option.

       CHLD   Wait for children if any were spawned for wall'ing messages.


       There  is the potential for the rsyslogd daemon to be used as a conduit
       for a denial of service attack.  A rogue program(mer) could very easily
       flood  the  rsyslogd  daemon  with syslog messages resulting in the log
       files consuming all the remaining space on the filesystem.   Activating
       logging  over the inet domain sockets will of course expose a system to
       risks outside of programs or individuals on the local machine.

       There are a number of methods of protecting a machine:

       1.     Implement kernel firewalling to limit which  hosts  or  networks
              have access to the 514/UDP socket.

       2.     Logging  can  be  directed to an isolated or non-root filesystem
              which, if filled, will not impair the machine.

       3.     The ext2 filesystem can be used which can be configured to limit
              a  certain  percentage  of  a  filesystem to usage by root only.
              NOTE that this will require rsyslogd to be  run  as  a  non-root
              process.   ALSO  NOTE  that  this  will  prevent usage of remote
              logging on the default port since rsyslogd  will  be  unable  to
              bind to the 514/UDP socket.

       4.     Disabling  inet  domain  sockets  will  limit  risk to the local

   Message replay and spoofing
       If remote logging is  enabled,  messages  can  easily  be  spoofed  and
       replayed.   As  the messages are transmitted in clear-text, an attacker
       might use the information  obtained  from  the  packets  for  malicious
       things.  Also,  an  attacker  might replay recorded messages or spoof a
       sender's IP address, which could lead to a wrong perception  of  system
       activity.  These  can  be prevented by using GSS-API authentication and
       encryption. Be sure to  think  about  syslog  network  security  before
       enabling it.
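
       The flooding risk described above can be watched for in the log file
       itself. The following is an added example, not part of the original
       man page: it counts messages per host and minute in a traditional
       syslog file and reports the buckets above a limit. The function names
       and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: find the host/minute buckets that exceed LIMIT messages.
# Input is the traditional file format "Mon DD HH:MM:SS host prog: text".
# With remote logging enabled the host field can be spoofed (see above),
# so a hit names the claimed sender, not a proven one.

# flood_sources LIMIT   (reads log lines on stdin)
#   prints "host count Mon DD HH:MM" for every bucket with count > LIMIT
flood_sources() {
    awk -v limit="${1:-100}" '
        # keep only lines whose third field is a HH:MM:SS timestamp
        NF >= 5 && $3 ~ /^[0-9][0-9]:[0-9][0-9]:[0-9][0-9]$/ {
            minute = $1 " " $2 " " substr($3, 1, 5)
            count[$4 SUBSEP minute]++
        }
        END {
            for (k in count) if (count[k] > limit + 0) {
                split(k, part, SUBSEP)
                print part[1], count[k], part[2]
            }
        }' | sort
}

# Constructed sample: 40 messages from "hostb" inside one minute, plus two
# ordinary messages from "hosta".
sample_log() {
    i=0
    while [ "$i" -lt 40 ]; do
        printf 'Jan 12 10:15:%02d hostb noisy[311]: constructed line %d\n' \
            "$i" "$i"
        i=$((i + 1))
    done
    printf 'Jan 12 10:15:07 hosta sshd[812]: constructed line\n'
    printf 'Jan 12 10:16:01 hosta cron[97]: constructed line\n'
}
```

       Running sample_log | flood_sources 20 reports only the hostb bucket;
       on a real system the input would be the file the messages are
       written to.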


       When debugging is turned on using the -d option, rsyslogd will be
       very verbose, writing much of what it does to stdout.


              Configuration file for rsyslogd.  See rsyslog.conf(5) for  exact
              The  Unix  domain socket to from where local syslog messages are
              The file containing the process id of rsyslogd.
              Default directory for rsyslogd modules. The prefix is  specified
              during compilation (e.g. /usr/local).


              Controls runtime debug support. It contains an option string with
              the following options possible (all are case insensitive):

                     Print out the logical flow  of  functions  (entering  and
                     exiting them)
                     Specifies  which  files  to trace LogFuncFlow. If not set
                     (the default), a LogFuncFlow trace is  provided  for  all
                     files. Set to limit it to the files specified. FileTrace
                     may be specified multiple  times,  one  file  each  (e.g.
                     export      RSYSLOG_DEBUG="LogFuncFlow     FileTrace=vm.c
                     Print the content of the debug function database whenever
                     debug information is printed (e.g. abort case)!
                     Print  all  debug information immediately before rsyslogd
                     exits (currently not implemented!)
                     Print mutex action as  it  happens.  Useful  for  finding
                     deadlocks and such.
                     Do  not  prefix log lines with a timestamp (default is to
                     do that).
                     Do not emit debug messages to stdout. If RSYSLOG_DEBUGLOG
                     is  not  set, this means no messages will be displayed at
              Help   Display a very short list of commands - hopefully a  life
                     saver if you can't access the documentation...

              If set, writes (almost) all debug messages to the specified log
              file in addition to stdout.
              Provides the default directory in which loadable modules reside.


       Please review the file BUGS for up-to-date information  on  known  bugs
       and annoyances.

Further Information

       Please  visit  for  additional information,
       tutorials and a support forum.


       rsyslog.conf(5),   logger(1),   syslog(2),   syslog(3),    services(5),


       rsyslogd is derived from sysklogd sources, which in turn was taken from
       the BSD sources. Special thanks to Greg Wettstein and Martin Schulze
       for the fine sysklogd package.

       Rainer Gerhards
       Adiscon GmbH
       Grossrinderfeld, Germany