Provided by: rsyslog_5.8.6-1ubuntu8_amd64 bug

NAME

       rsyslogd - reliable and extended syslogd

SYNOPSIS

       rsyslogd [ -4 ] [ -6 ] [ -A ] [ -d ] [ -f config file ]
       [ -i pid file ] [ -l hostlist ] [ -n ] [ -N level ]
       [ -q ] [ -Q ] [ -s domainlist ] [ -u userlevel ] [ -v ] [ -w ] [ -x ]

DESCRIPTION

       Rsyslogd  is  a  system  utility  providing  support for message logging.  Support of both
       internet and unix domain sockets enables this utility to support  both  local  and  remote
       logging.

       Note that this version of rsyslog ships with extensive documentation in html format.  This
       is provided in the ./doc subdirectory and probably in a separate package if you  installed
       rsyslog  via  a packaging system.  To use rsyslog's advanced features, you need to look at
       the html documentation, because the man pages only cover basic aspects of operation.   For
       details  and  configuration  examples,  see  the  rsyslog.conf (5) man page and the online
       documentation at http://www.rsyslog.com/doc

       Rsyslogd(8) is derived from the sysklogd package which in turn is derived from  the  stock
       BSD sources.

       Rsyslogd  provides  a kind of logging that many modern programs use.  Every logged message
       contains at least a time and a hostname field, normally a program  name  field,  too,  but
       that  depends  on  how  trusty  the  logging program is. The rsyslog package supports free
       definition of output formats via  templates.  It  also  supports  precise  timestamps  and
       writing directly to databases. If the database option is used, tools like phpLogCon can be
       used to view the log data.

       While the rsyslogd sources have been heavily modified a couple  of  notes  are  in  order.
       First  of  all  there  has  been  a systematic attempt to ensure that rsyslogd follows its
       default, standard BSD behavior. Of course, some configuration file changes  are  necessary
       in  order  to  support  the  template  system.  However,  rsyslogd should be able to use a
       standard syslog.conf and act like the original syslogd. However, an original syslogd  will
       not  work  correctly with a rsyslog-enhanced configuration file. At best, it will generate
       funny looking file names.  The second important concept to note is that  this  version  of
       rsyslogd  interacts  transparently  with  the  version  of  syslog  found  in the standard
       libraries.  If a binary  linked  to  the  standard  shared  libraries  fails  to  function
       correctly we would like an example of the anomalous behavior.

       The  main  configuration  file /etc/rsyslog.conf or an alternative file, given with the -f
       option, is read at startup.  Any lines that begin with the hash  mark  (``#'')  and  empty
       lines  are ignored.  If an error occurs during parsing the error element is ignored. It is
       tried to parse the rest of the line.

OPTIONS

       Note that in version 3 of rsyslog a number of command line options  have  been  deprecated
       and   replaced   with  config  file  directives.  The  -c  option  controls  the  backward
       compatibility mode in use.

       -A     When sending UDP messages, there are  potentially  multiple  paths  to  the  target
              destination.   By  default,  rsyslogd  only  sends  to  the  first  target  it  can
              successfully send to. If -A is given, messages are sent to all  targets.  This  may
              improve  reliability, but may also cause message duplication. This option should be
              enabled only if it is fully understood.

       -4     Causes rsyslogd to listen to IPv4 addresses only.  If neither -4 nor -6  is  given,
              rsyslogd listens to all configured addresses of the system.

       -6     Causes  rsyslogd  to listen to IPv6 addresses only.  If neither -4 nor -6 is given,
              rsyslogd listens to all configured addresses of the system.

       -c version
              Selects the desired backward compatibility mode. It must always be the first option
              on  the  command line, as it influences processing of the other options. To use the
              rsyslog v3 native interface, specify -c3. To use compatibility mode , either do not
              use -c at all or use -c<version> where version is the rsyslog version that it shall
              be compatible with. Using -c0  tells  rsyslog  to  be  command-line  compatible  to
              sysklogd,  which  is  the  default  if  -c is not given.  Please note that rsyslogd
              issues warning messages if the -c3 command line option is not given.   This  is  to
              alert  you  that  your  are  running  in  compatibility  mode.  Compatibility  mode
              interferes with your rsyslog.conf commands  and  may  cause  some  undesired  side-
              effects.  It  is  meant  to  be used with a plain old rsyslog.conf - if you use new
              features, things become messy. So the best advice is to work through this document,
              convert  your options and config file and then use rsyslog in native mode. In order
              to aid you in this process,  rsyslog  logs  every  compatibility-mode  config  file
              directive it has generated. So you can simply copy them from your logfile and paste
              them to the config.

       -d     Turns on debug mode.  Using this the daemon will  not  proceed  a  fork(2)  to  set
              itself  in  the  background,  but opposite to that stay in the foreground and write
              much debug information on the current tty.  See  the  DEBUGGING  section  for  more
              information.

       -f config file
              Specify  an  alternative  configuration file instead of /etc/rsyslog.conf, which is
              the default.

       -i pid file
              Specify an alternative pid file instead of the default one.  This  option  must  be
              used if multiple instances of rsyslogd should run on a single machine.

       -l hostlist
              Specify  a hostname that should be logged only with its simple hostname and not the
              fqdn.  Multiple hosts may be specified using the colon (``:'') separator.

       -n     Avoid auto-backgrounding.  This is needed especially if the rsyslogd is started and
              controlled by init(8).

       -N  level
              Do  a  coNfig  check.  Do  NOT  run  in regular mode, just check configuration file
              correctness.  This option is meant to verify a config file. To do so, run  rsyslogd
              interactively  in  foreground, specifying -f <config-file> and -N level.  The level
              argument modifies behaviour. Currently, 0 is the same  as  not  specifying  the  -N
              option  at  all  (so  this  makes limited sense) and 1 actually activates the code.
              Later, higher levels will mean more  verbosity  (this  is  a  forward-compatibility
              option).  rsyslogd is started and controlled by init(8).

       -q add hostname if DNS fails during ACL processing
              During  ACL  processing,  hostnames  are  resolved  to IP addresses for performance
              reasons. If DNS fails during that process, the hostname is added as wildcard  text,
              which results in proper, but somewhat slower operation once DNS is up again.

       -Q do not resolve hostnames during ACL processing
              Do not resolve hostnames to IP addresses during ACL processing.

       -s domainlist
              Specify  a domainname that should be stripped off before logging.  Multiple domains
              may be specified using the colon (``:'') separator.  Please be advised that no sub-
              domains  may  be  specified but only entire domains.  For example if -s north.de is
              specified and the host logging resolves to satu.infodrom.north.de no  domain  would
              be cut, you will have to specify two domains like: -s north.de:infodrom.north.de.

       -u userlevel
              This  is  a  "catch  all"  option  for  some very seldomly-used user settings.  The
              "userlevel" variable selects multiple things. Add the specific values  to  get  the
              combined effect of them.  A value of 1 prevents rsyslogd from parsing hostnames and
              tags inside messages.  A value of 2 prevents rsyslogd from  changing  to  the  root
              directory.  This  is  almost  never  a good idea in production use. This option was
              introduced in support of the internal testbed.  To combine these two features,  use
              a  userlevel  of  3  (1+2).  Whenever  you  use  an -u option, make sure you really
              understand what you do and why you do it.

       -v     Print version and exit.

       -w     Suppress warnings issued when messages are received  from  non-authorized  machines
              (those, that are in no AllowedSender list).

       -x     Disable DNS for remote messages.

SIGNALS

       Rsyslogd  reacts  to a set of signals.  You may easily send a signal to rsyslogd using the
       following:

              kill -SIGNAL $(cat /var/run/rsyslogd.pid)

       Note that -SIGNAL must be replaced with the actual signal you are  trying  to  send,  e.g.
       with HUP. So it then becomes:

              kill -HUP $(cat /var/run/rsyslogd.pid)

       HUP    This  lets  rsyslogd perform close all open files.  Also, in v3 a full restart will
              be done in order to read changed configuration files.  Note that this means a  full
              rsyslogd  restart  is  done.  This  has, among others, the consequence that TCP and
              other connections are torn down. Also, if  any  queues  are  not  running  in  disk
              assisted  mode  or  are  not  set  to persist data on shutdown, queue data is lost.
              HUPing rsyslogd is an extremely expensive operation and should only  be  done  when
              actually  necessary.  Actually,  it  is  a  rsyslgod stop immediately followed by a
              restart. Future versions will remove this restart functionality of HUP (it will  go
              away  in  v5).  So  it  is  advised  to use HUP only for closing files, and a "real
              restart" (e.g. /etc/rc.d/rsyslogd restart) to activate configuration changes.

       TERM ,  INT ,  QUIT
              Rsyslogd will die.

       USR1   Switch debugging on/off.  This option can only be used if rsyslogd is started  with
              the -d debug option.

       CHLD   Wait for childs if some were born, because of wall'ing messages.

SECURITY THREATS

       There  is  the  potential  for the rsyslogd daemon to be used as a conduit for a denial of
       service attack.  A rogue program(mer) could very easily flood  the  rsyslogd  daemon  with
       syslog  messages  resulting  in  the  log  files  consuming all the remaining space on the
       filesystem.  Activating logging over the inet domain  sockets  will  of  course  expose  a
       system to risks outside of programs or individuals on the local machine.

       There are a number of methods of protecting a machine:

       1.     Implement  kernel  firewalling  to limit which hosts or networks have access to the
              514/UDP socket.

       2.     Logging can be directed to an isolated or non-root  filesystem  which,  if  filled,
              will not impair the machine.

       3.     The  ext2  filesystem  can  be  used  which  can  be  configured to limit a certain
              percentage of a filesystem to usage by root only.   NOTE  that  this  will  require
              rsyslogd  to  be run as a non-root process.  ALSO NOTE that this will prevent usage
              of remote logging on the default port since rsyslogd will be unable to bind to  the
              514/UDP socket.

       4.     Disabling inet domain sockets will limit risk to the local machine.

   Message replay and spoofing
       If  remote  logging  is  enabled,  messages  can  easily  be spoofed and replayed.  As the
       messages are transmitted in clear-text, an attacker might  use  the  information  obtained
       from the packets for malicious things. Also, an attacker might replay recorded messages or
       spoof a sender's IP address, which could lead to a wrong perception  of  system  activity.
       These  can  be  prevented by using GSS-API authentication and encryption. Be sure to think
       about syslog network security before enabling it.

DEBUGGING

       When debugging is turned on using -d option then rsyslogd will be very verbose by  writing
       much of what it does on stdout.

FILES

       /etc/rsyslog.conf
              Configuration file for rsyslogd.  See rsyslog.conf(5) for exact information.
       /dev/log
              The Unix domain socket to from where local syslog messages are read.
       /var/run/rsyslogd.pid
              The file containing the process id of rsyslogd.
       prefix/lib/rsyslog
              Default  directory for rsyslogd modules. The prefix is specified during compilation
              (e.g. /usr/local).

ENVIRONMENT

       RSYSLOG_DEBUG
              Controls runtime debug support.It contains an  option  string  with  the  following
              options possible (all are case insensitive):

              LogFuncFlow
                     Print out the logical flow of functions (entering and exiting them)
              FileTrace
                     Specifies  which  files  to  trace  LogFuncFlow. If not set (the default), a
                     LogFuncFlow trace is provided for all files. Set to limit it  to  the  files
                     specified.FileTrace  may  be  specified  multiple times, one file each (e.g.
                     export RSYSLOG_DEBUG="LogFuncFlow FileTrace=vm.c FileTrace=expr.c"
              PrintFuncDB
                     Print the content of the debug function database whenever debug  information
                     is printed (e.g. abort case)!
              PrintAllDebugInfoOnExit
                     Print all debug information immediately before rsyslogd exits (currently not
                     implemented!)
              PrintMutexAction
                     Print mutex action as it happens. Useful for finding deadlocks and such.
              NoLogTimeStamp
                     Do not prefix log lines with a timestamp (default is to do that).
              NoStdOut
                     Do not emit debug messages to stdout. If RSYSLOG_DEBUGLOG is not  set,  this
                     means no messages will be displayed at all.
              Help   Display  a very short list of commands - hopefully a life saver if you can't
                     access the documentation...

       RSYSLOG_DEBUGLOG
              If set, writes (almost) all debug message to the specified log file in addition  to
              stdout.
       RSYSLOG_MODDIR
              Provides the default directory in which loadable modules reside.

BUGS

       Please review the file BUGS for up-to-date information on known bugs and annoyances.

Further Information

       Please  visit  http://www.rsyslog.com/doc  for  additional  information,  tutorials  and a
       support forum.

SEE ALSO

       rsyslog.conf(5), logger(1), syslog(2), syslog(3), services(5), savelog(8)

COLLABORATORS

       rsyslogd is derived from sysklogd sources, which in turn was taken from the  BSD  sources.
       Special   thanks   to   Greg   Wettstein   (greg@wind.enjellic.com)   and  Martin  Schulze
       (joey@linux.de) for the fine sysklogd package.

       Rainer Gerhards
       Adiscon GmbH
       Grossrinderfeld, Germany
       rgerhards@adiscon.com