Man Linux: Main Page and Category List


       rsyslogd - reliable and extended syslogd


       rsyslogd [ -4 ] [ -6 ] [ -A ] [ -d ] [ -f config file ]
       [ -i pid file ] [ -l hostlist ] [ -n ] [ -N level ]
       [ -q ] [ -Q ] [ -s domainlist ] [ -u userlevel ] [ -v ] [ -w ] [ -x ]


       Rsyslogd  is  a  system  utility providing support for message logging.
       Support of both internet and unix domain sockets enables  this  utility
       to support both local and remote logging.

       Note that this version of rsyslog ships with extensive documentation in
       html format.  This is provided in the ./doc subdirectory  and  probably
       in  a separate package if you installed rsyslog via a packaging system.
       To use rsyslog’s advanced features,  you  need  to  look  at  the  html
       documentation,  because  the  man  pages  only  cover  basic aspects of
       operation.   For  details   and   configuration   examples,   see   the
       rsyslog.conf   (5)   man   page   and   the   online  documentation  at

       Rsyslogd(8) is derived from the  sysklogd  package  which  in  turn  is
       derived from the stock BSD sources.

       Rsyslogd  provides  a  kind  of  logging that many modern programs use.
       Every logged message contains at least a time  and  a  hostname  field,
       normally  a program name field, too, but that depends on how trusty the
       logging program is. The rsyslog package  supports  free  definition  of
       output  formats  via templates. It also supports precise timestamps and
       writing directly to databases. If the database option  is  used,  tools
       like phpLogCon can be used to view the log data.

       While the rsyslogd sources have been heavily modified a couple of notes
       are in order.  First of all there has  been  a  systematic  attempt  to
       ensure  that  rsyslogd  follows  its default, standard BSD behavior. Of
       course, some configuration file  changes  are  necessary  in  order  to
       support  the template system. However, rsyslogd should be able to use a
       standard syslog.conf and act like the  original  syslogd.  However,  an
       original  syslogd  will  not  work  correctly  with  a rsyslog-enhanced
       configuration file. At best, it will generate funny looking file names.
       The  second  important concept to note is that this version of rsyslogd
       interacts transparently  with  the  version  of  syslog  found  in  the
       standard  libraries.   If  a  binary  linked  to  the  standard  shared
       libraries fails to function correctly we would like an example  of  the
       anomalous behavior.

       The  main  configuration file /etc/rsyslog.conf or an alternative file,
       given with the -f option, is read at startup.   Any  lines  that  begin
       with  the  hash  mark (‘‘#’’) and empty lines are ignored.  If an error
       occurs during parsing the error element is  ignored.  It  is  tried  to
       parse the rest of the line.


       Note that in version 3 of rsyslog a number of command line options have
       been deprecated and replaced with config file directives. The -c option
       controls the backward compatibility mode in use.

       -A     When  sending UDP messages, there are potentially multiple paths
              to the target destination. By default, rsyslogd  only  sends  to
              the  first  target  it can successfully send to. If -A is given,
              messages are sent to all targets. This may improve  reliability,
              but  may  also  cause message duplication. This option should be
              enabled only if it is fully understood.

       -4     Causes rsyslogd to listen to IPv4 addresses only.  If neither -4
              nor -6 is given, rsyslogd listens to all configured addresses of
              the system.

       -6     Causes rsyslogd to listen to IPv6 addresses only.  If neither -4
              nor -6 is given, rsyslogd listens to all configured addresses of
              the system.

       -c version
              Selects the desired backward compatibility mode. It must  always
              be  the  first  option  on  the  command  line, as it influences
              processing of the other options. To use the  rsyslog  v3  native
              interface,  specify  -c3.  To use compatibility mode , either do
              not use -c at all  or  use  -c<version>  where  version  is  the
              rsyslog  version  that  it  shall  be compatible with. Using -c0
              tells rsyslog to be command-line compatible to  sysklogd,  which
              is  the  default  if -c is not given.  Please note that rsyslogd
              issues warning messages if the -c3 command line  option  is  not
              given.    This  is  to  alert  you  that  your  are  running  in
              compatibility mode.  Compatibility  mode  interferes  with  your
              rsyslog.conf commands and may cause some undesired side-effects.
              It is meant to be used with a plain old rsyslog.conf  -  if  you
              use  new features, things become messy. So the best advice is to
              work through this document, convert your options and config file
              and then use rsyslog in native mode. In order to aid you in this
              process,  rsyslog  logs  every  compatibility-mode  config  file
              directive  it  has  generated.  So you can simply copy them from
              your logfile and paste them to the config.

       -d     Turns on debug mode.  Using this the daemon will not  proceed  a
              fork(2)  to  set  itself in the background, but opposite to that
              stay in the foreground and write much debug information  on  the
              current tty.  See the DEBUGGING section for more information.

       -f config file
              Specify   an   alternative   configuration   file   instead   of
              /etc/rsyslog.conf, which is the default.

       -i pid file
              Specify an alternative pid file  instead  of  the  default  one.
              This  option  must  be  used  if  multiple instances of rsyslogd
              should run on a single machine.

       -l hostlist
              Specify a hostname that should be logged only  with  its  simple
              hostname  and  not  the  fqdn.   Multiple hosts may be specified
              using the colon (‘‘:’’) separator.

       -n     Avoid auto-backgrounding.  This  is  needed  especially  if  the
              rsyslogd is started and controlled by init(8).

       -N  level
              Do  a  coNfig  check.  Do  NOT  run  in regular mode, just check
              configuration file correctness.  This option is meant to  verify
              a   config  file.  To  do  so,  run  rsyslogd  interactively  in
              foreground, specifying -f <config-file> and -N level.  The level
              argument  modifies  behaviour.  Currently,  0 is the same as not
              specifying the -N option at all (so this  makes  limited  sense)
              and  1  actually  activates  the code. Later, higher levels will
              mean more verbosity (this is  a  forward-compatibility  option).
              rsyslogd is started and controlled by init(8).

       -q add hostname if DNS fails during ACL processing
              During  ACL  processing,  hostnames are resolved to IP addresses
              for performance reasons. If DNS fails during that  process,  the
              hostname is added as wildcard text, which results in proper, but
              somewhat slower operation once DNS is up again.

       -Q do not resolve hostnames during ACL processing
              Do not resolve hostnames to IP addresses during ACL  processing.

       -s domainlist
              Specify a domainname that should be stripped off before logging.
              Multiple domains  may  be  specified  using  the  colon  (‘‘:’’)
              separator.   Please  be  advised  that  no  sub-domains  may  be
              specified but only entire domains.  For example if  -s
              is    specified    and    the    host    logging   resolves   to
     no domain would be cut, you will have  to
              specify two domains like: -s

       -u userlevel
              This  is  a  "catch all" option for some very seldomly-used user
              settings.  The "userlevel" variable selects multiple things. Add
              the specific values to get the combined effect of them.  A value
              of 1 prevents rsyslogd from parsing hostnames  and  tags  inside
              messages.   A  value of 2 prevents rsyslogd from changing to the
              root directory. This is almost never a good idea  in  production
              use.  This  option  was  introduced  in  support of the internal
              testbed.  To combine these two features, use a  userlevel  of  3
              (1+2).  Whenever  you  use  an  -u  option, make sure you really
              understand what you do and why you do it.

       -v     Print version and exit.

       -w     Suppress warnings issued when messages are  received  from  non-
              authorized  machines (those, that are in no AllowedSender list).

       -x     Disable DNS for remote messages.


       Rsyslogd reacts to a set of signals.  You may easily send a  signal  to
       rsyslogd using the following:

              kill -SIGNAL $(cat /var/run/

       Note  that  -SIGNAL  must  be  replaced  with the actual signal you are
       trying to send, e.g. with HUP. So it then becomes:

              kill -HUP $(cat /var/run/

       HUP    This lets rsyslogd perform a re-initialization.  All open  files
              are    closed,    the    configuration    file    (default    is
              /etc/rsyslog.conf) will be reread and the rsyslog(3) facility is
              started  again.  Note that this means a full rsyslogd restart is
              done. This has, among others, the consequence that TCP and other
              connections  are  torn down. Also, if any queues are not running
              in disk assisted  mode  or  are  not  set  to  persist  data  on
              shutdown,  queue  data  is lost. HUPing rsyslogd is an extremely
              expensive operation  and  should  only  be  done  when  actually
              necessary.  Actually, it is a rsyslgod stop immediately followed
              by a restart. Future versions will probably  include  a  special
              handling  which only closes files, but will not cause any of the
              other effects.

       TERM ,  INT ,  QUIT
              Rsyslogd will die.

       USR1   Switch debugging on/off.   This  option  can  only  be  used  if
              rsyslogd is started with the -d debug option.

       CHLD   Wait for childs if some were born, because of wall’ing messages.


       There is the potential for the rsyslogd daemon to be used as a  conduit
       for a denial of service attack.  A rogue program(mer) could very easily
       flood the rsyslogd daemon with syslog messages  resulting  in  the  log
       files  consuming all the remaining space on the filesystem.  Activating
       logging over the inet domain sockets will of course expose a system  to
       risks outside of programs or individuals on the local machine.

       There are a number of methods of protecting a machine:

       1.     Implement  kernel  firewalling  to limit which hosts or networks
              have access to the 514/UDP socket.

       2.     Logging can be directed to an isolated  or  non-root  filesystem
              which, if filled, will not impair the machine.

       3.     The ext2 filesystem can be used which can be configured to limit
              a certain percentage of a filesystem  to  usage  by  root  only.
              NOTE  that  this  will  require rsyslogd to be run as a non-root
              process.  ALSO NOTE that  this  will  prevent  usage  of  remote
              logging  on  the  default  port since rsyslogd will be unable to
              bind to the 514/UDP socket.

       4.     Disabling inet domain sockets  will  limit  risk  to  the  local

   Message replay and spoofing
       If  remote  logging  is  enabled,  messages  can  easily be spoofed and
       replayed.  As the messages are transmitted in clear-text,  an  attacker
       might  use  the  information  obtained  from  the packets for malicious
       things. Also, an attacker might replay recorded  messages  or  spoof  a
       sender’s  IP  address, which could lead to a wrong perception of system
       activity. These can be prevented by using  GSS-API  authentication  and
       encryption.  Be  sure  to  think  about  syslog network security before
       enabling it.


       When debugging is turned on using -d option then rsyslogd will be  very
       verbose by writing much of what it does on stdout.


              Configuration  file for rsyslogd.  See rsyslog.conf(5) for exact
              The Unix domain socket to from where local syslog  messages  are
              The file containing the process id of rsyslogd.
              Default  directory for rsyslogd modules. The prefix is specified
              during compilation (e.g. /usr/local).


              Controls runtime debug support.It contains an option string with
              the following options possible (all are case insensitive):

                     Print  out  the  logical  flow of functions (entering and
                     exiting them)
                     Specifies which files to trace LogFuncFlow.  If  not  set
                     (the  default),  a  LogFuncFlow trace is provided for all
                     files. Set to limit it to the  files  specified.FileTrace
                     may  be  specified  multiple  times,  one file each (e.g.
                     export     RSYSLOG_DEBUG="LogFuncFlow      FileTrace=vm.c
                     Print the content of the debug function database whenever
                     debug information is printed (e.g. abort case)!
                     Print all debug information immediately  before  rsyslogd
                     exits (currently not implemented!)
                     Print  mutex  action  as  it  happens. Useful for finding
                     deadlocks and such.
                     Do not prefix log lines with a timestamp (default  is  to
                     do that).
                     Do not emit debug messages to stdout. If RSYSLOG_DEBUGLOG
                     is not set, this means no messages will be  displayed  at
              Help   Display  a very short list of commands - hopefully a life
                     saver if you can’t access the documentation...

              If set, writes (almost) all debug message to the  specified  log
              file in addition to stdout.
              Provides the default directory in which loadable modules reside.


       Please review the file BUGS for up-to-date information  on  known  bugs
       and annoyances.

Further Information

       Please  visit  for  additional information,
       tutorials and a support forum.


       rsyslog.conf(5),   logger(1),   syslog(2),   syslog(3),    services(5),


       rsyslogd is derived from sysklogd sources, which in turn was taken from
       the    BSD    sources.    Special    thanks    to    Greg     Wettstein
       (  and  Martin  Schulze  ( for the
       fine sysklogd package.

       Rainer Gerhards
       Adiscon GmbH
       Grossrinderfeld, Germany