1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
|
rsyslog for Debian
==================
Configuration file(s)
---------------------
The default configuration file for rsyslog is /etc/rsyslog.conf.
Its format is based on the standard syslog.conf format. As rsyslog
has a lot more advanced features than sysklogd, it extends this format
with special configuration directives which all start with the '$'
prefix. See the rsyslogd(8) and rsyslog.conf(5) man pages for further
information or install the rsyslog-doc package which provides much
more detailed documentation.
The Debian default configuration for rsyslog uses:
$IncludeConfig /etc/rsyslog.d/*.conf
That means, all configuration files in /etc/rsyslog.d/ with a .conf file
extension are read by rsyslog. This way the rsyslog configuration can be
extended easily (either by package maintainers or local administrators).
Command line arguments, modules and compatibility levels
--------------------------------------------------------
With version 3, rsyslog became much more modular. A lot of
functionality has been moved into loadable modules, e.g. udp reception,
which must be loaded explicitly.
To keep compatibility with sysklogd, rsyslog introduced the concept of
compatibility modes, which can be selected with the -c command line
argument. E.g. with -c0, rsyslog becomes command line compatible with
sysklogd and loads a default set of modules automatically.
The default in Debian is -c3, i.e. command line arguments like -r or
-m 0 have no effect and instead have to be configured via special
configuration directives in rsyslog.conf.
The options that are passed to rsyslog can be changed easily by
modifying the RSYSLOGD_OPTIONS variable in /etc/default/rsyslog.
If you have an existing, customized syslog.conf, it is recommended that
you migrate your custom logging rules to rsyslog.conf or into a separate
configuration file in /etc/rsyslog.d (in most cases it should be as
simple as copy&paste).
To read more about this topic please see
/usr/share/doc/rsyslog-doc/html/v3compatibility.html or
http://www.rsyslog.com/doc-v3compatibility.html.
Log rotation
------------
Rsyslog uses the logrotate(8) utilitiy to rotate the standard Debian
log files. The configuration file can be found at
/etc/logrotate.d/rsyslog.
The rotation cycle starts with .1, as this is the logrotate default.
In contrast to sysklogd, which starts with .0.
When upgrading from sysklogd, the postinst script will automatically
rotate the existing standard Debian log files, if it is safe to do so
(i.e. only if .0 is newer than .1).
Forwarding messages to sysklogd
-------------------------------
If you are forwarding messages from a rsyslog client to a sysklogd
server, it can lead to doubled hostnames in the syslog message on the
server side. The reason is a limitation in sysklogd which does not parse
the hostname in the syslog header (as defined by RFC 3164). See Debian
bug #514051 for more details.
A simple workaround in rsyslog is, to define a custom template, which
does not include the hostname:
$template sysklogd,"<%PRI%>%TIMESTAMP% %syslogtag%%msg%"
*.* @remote-host;sysklogd
This creates a template called "sysklogd" and assigns it to the forward
rule when logging to "remote-host".
-- Michael Biebl <biebl@debian.org> Sat, 07 Feb 2009 18:54:37 +0100
|
