Skip site navigation (1)Skip section navigation (2)

FreeBSD Manual Pages


home | help
RSYSLOGD(8)		  Linux	System Administration		   RSYSLOGD(8)

       rsyslogd	- reliable and extended	syslogd

       rsyslogd	 [  -d ] [ -D ]	[ -f config file ] [ -i	pid file ] [ -n	] [ -N
       level ] [ -o fullconf ] [ -C ] [	-v ]

       Rsyslogd	is a system utility providing  support	for  message  logging.
       Support	of  both internet and unix domain sockets enables this utility
       to support both local and remote	logging.

       Note that this version of rsyslog ships with extensive documentation in
       HTML  format.   This is provided	in the ./doc subdirectory and probably
       in a separate package if	you installed rsyslog via a packaging  system.
       To  use rsyslog's advanced features, you	need to	look at	the HTML docu-
       mentation, because the man pages	only covers basic  aspects  of	opera-
       tion.  For details and configuration examples, see the rsyslog.conf (5)
       man page	and the	online documentation at

       Rsyslogd(8) is derived from the sysklogd	package	which in turn  is  de-
       rived from the stock BSD	sources.

       Rsyslogd	provides a kind	of logging that	many modern programs use.  Ev-
       ery logged message contains at least a time and a hostname field,  nor-
       mally  a	 program  name	field, too, but	that depends on	how trusty the
       logging program is. The rsyslog package	supports  free	definition  of
       output  formats	via templates. It also supports	precise	timestamps and
       writing directly	to databases. If the database option  is  used,	 tools
       like phpLogCon can be used to view the log data.

       While the rsyslogd sources have been heavily modified a couple of notes
       are in order.  First of all there has been a systematic attempt to  en-
       sure  that  rsyslogd  follows  its  default,  standard BSD behavior. Of
       course, some configuration file changes are necessary in	order to  sup-
       port  the  template  system.  However, rsyslogd should be able to use a
       standard	syslog.conf and	act like the  original	syslogd.  However,  an
       original	 syslogd  will not work	correctly with a rsyslog-enhanced con-
       figuration file.	At best, it will generate funny	 looking  file	names.
       The  second  important concept to note is that this version of rsyslogd
       interacts transparently with the	version	of syslog found	in  the	 stan-
       dard  libraries.	  If  a	binary linked to the standard shared libraries
       fails to	function correctly we would like an example of	the  anomalous

       The  main configuration file /usr/local/etc/rsyslog.conf	or an alterna-
       tive file, given	with the -f option, is read  at	 startup.   Any	 lines
       that  begin with	the hash mark (``#'') and empty	lines are ignored.  If
       an error	occurs during parsing the error	 element  is  ignored.	It  is
       tried to	parse the rest of the line.

       -D     Runs  the	 Bison config parser in	debug mode. This may help when
	      hard to find syntax errors are reported. Please  note  that  the
	      output  generated	is deeply technical and	orignally targeted to-
	      wards developers.

       -d     Turns on debug mode. See the DEBUGGING section for more informa-

       -f config file
	      Specify  an  alternative	configuration file instead of /usr/lo-
	      cal/etc/rsyslog.conf, which is the default.

       -i pid file
	      Specify an alternative pid file  instead	of  the	 default  one.
	      This  option  must  be  used  if	multiple instances of rsyslogd
	      should run on a single machine. To disable writing a  pid	 file,
	      use the reserved name "NONE" (all	upper case!), so "-iNONE".

       -n     Avoid  auto-backgrounding.   This	 is  needed  especially	if the
	      rsyslogd is started and controlled by init(8).

       -N  level
	      Do a config check. Do NOT	run in regular mode, just  check  con-
	      figuration  file	correctness.  This option is meant to verify a
	      config file. To do so, run rsyslogd interactively	in foreground,
	      specifying  -f  <config-file>  and -N level.  The	level argument
	      modifies behaviour. Currently, 0 is the same as  not  specifying
	      the  -N  option at all (so this makes limited sense) and 1 actu-
	      ally activates the code. Later, higher  levels  will  mean  more
	      verbosity	(this is a forward-compatibility option).

       -o  fullconf
	      Generates	 a consolidated	config file fullconf that contains all
	      of rsyslog's configuration in a single file. Include  files  are
	      exploded	into  that  file in exactly the	way rsyslog sees them.
	      This option is useful for	troubleshooting, especially  if	 prob-
	      lems  with  the  order of	action processing is suspected.	It may
	      also be used to check for	"unexepectedly"	included  config  con-

       -C     This prevents rsyslogd from changing to the root directory. This
	      is almost	never a	good idea in production	use. This  option  was
	      introduced in support of the internal testbed.

       -v     Print version and	exit.

       Rsyslogd	 reacts	 to a set of signals.  You may easily send a signal to
       rsyslogd	using the following:

	      kill -SIGNAL $(cat /var/run/

       Note that -SIGNAL must be replaced with the actual signal you are  try-
       ing to send, e.g. with HUP. So it then becomes:

	      kill -HUP	$(cat /var/run/

       HUP    This lets	rsyslogd perform close all open	files.

       TERM ,  INT ,  QUIT
	      Rsyslogd will die.

       USR1   Switch  debugging	on/off.	 This option can only be used if rsys-
	      logd is started with the -d debug	option.

       CHLD   Wait for childs if some were born, because of wall'ing messages.

       There is	the potential for the rsyslogd daemon to be used as a  conduit
       for a denial of service attack.	A rogue	program(mer) could very	easily
       flood the rsyslogd daemon with syslog messages  resulting  in  the  log
       files  consuming	all the	remaining space	on the filesystem.  Activating
       logging over the	inet domain sockets will of course expose a system  to
       risks outside of	programs or individuals	on the local machine.

       There are a number of methods of	protecting a machine:

       1.     Implement	 kernel	 firewalling  to limit which hosts or networks
	      have access to the 514/UDP socket.

       2.     Logging can be directed to an isolated  or  non-root  filesystem
	      which, if	filled,	will not impair	the machine.

       3.     The ext2 filesystem can be used which can	be configured to limit
	      a	certain	percentage of a	filesystem  to	usage  by  root	 only.
	      NOTE  that  this	will  require rsyslogd to be run as a non-root
	      process.	ALSO NOTE that this will prevent usage of remote  log-
	      ging  on	the default port since rsyslogd	will be	unable to bind
	      to the 514/UDP socket.

       4.     Disabling	inet domain sockets will limit risk to the  local  ma-

   Message replay and spoofing
       If  remote  logging  is enabled,	messages can easily be spoofed and re-
       played.	As the messages	are transmitted	 in  clear-text,  an  attacker
       might  use  the	information  obtained  from  the packets for malicious
       things. Also, an	attacker might replay recorded	messages  or  spoof  a
       sender's	 IP  address, which could lead to a wrong perception of	system
       activity. These can be prevented	by using  GSS-API  authentication  and
       encryption.  Be	sure to	think about syslog network security before en-
       abling it.

       When debugging is turned	on using the -d	option,	rsyslogd produces  de-
       bugging information according to	the RSYSLOG_DEBUG environment variable
       and the signals received. When run in foreground,  the  information  is
       written to stdout. An additional	output file can	be specified using the
       RSYSLOG_DEBUGLOG	environment variable.

	      Configuration file for rsyslogd.	See rsyslog.conf(5) for	 exact
	      The  Unix	 domain	socket to from where local syslog messages are
	      The file containing the process id of rsyslogd.
	      Default directory	for rsyslogd modules. The prefix is  specified
	      during compilation (e.g. /usr/local).
	      Controls	runtime	 debug	support.  It contains an option	string
	      with the following options possible (all are case	insensitive):

	      Debug  Turns on debugging	and prevents  forking.	This  is  pro-
		     cessed  earlier  in the startup than command line options
		     (i.e. -d) and as such enables earlier  debugging  output.
		     Mutually exclusive	with DebugOnDemand.
		     Enables  debugging	but turns off debug output. The	output
		     can be toggled by	sending	 SIGUSR1.  Mutually  exclusive
		     with Debug.
		     Print out the logical flow	of functions (entering and ex-
		     iting them)
		     Specifies which files to trace LogFuncFlow.  If  not  set
		     (the  default),  a	 LogFuncFlow trace is provided for all
		     files. Set	to limit it to the  files  specified.FileTrace
		     may  be specified multiple	times, one file	each (e.g. ex-
		     port  RSYSLOG_DEBUG="LogFuncFlow	FileTrace=vm.c	 File-
		     Print the content of the debug function database whenever
		     debug information is printed (e.g.	abort case)!
		     Print all debug information immediately  before  rsyslogd
		     exits (currently not implemented!)
		     Print  mutex  action  as  it  happens. Useful for finding
		     deadlocks and such.
		     Do	not prefix log lines with a timestamp (default	is  to
		     do	that).
		     Do	not emit debug messages	to stdout. If RSYSLOG_DEBUGLOG
		     is	not set, this means no messages	will be	 displayed  at
	      Help   Display  a	very short list	of commands - hopefully	a life
		     saver if you can't	access the documentation...

	      If set, writes (almost) all debug	message	to the	specified  log
	      file in addition to stdout.
	      Provides the default directory in	which loadable modules reside.

       Please  review  the  file BUGS for up-to-date information on known bugs
       and annoyances.

Further	Information
       Please visit for  additional  information,
       tutorials and a support forum.

       rsyslog.conf(5),	   logger(1),	syslog(2),   syslog(3),	  services(5),

       rsyslogd	is derived from	sysklogd sources, which	in turn	was taken from
       the  BSD	 sources.  Special  thanks to Greg Wettstein (greg@wind.enjel-	and Martin Schulze ( for the fine	sysklogd pack-

       Rainer Gerhards
       Adiscon GmbH
       Grossrinderfeld,	Germany

Version	8.1905.0		  28 May 2014			   RSYSLOGD(8)


Want to link to this manual page? Use this URL:

home | help