#  /etc/rsyslog.conf    Configuration file for rsyslog v3.
#
#                       For more information see
#                       /usr/share/doc/rsyslog-doc/html/rsyslog_conf.html

#################
#### MODULES ####
#################

$ModLoad imuxsock # provides support for local system logging
$ModLoad immark # provides --MARK-- message capability
$MarkMessagePeriod 900 # mark messages appear every 15 Minutes

# NOTE(review): this listener is plain TCP syslog, so messages are neither
# authenticated nor encrypted, and no sender restriction is visible in this
# file (check /etc/rsyslog.d/ and the host firewall). Every property of a
# received message is sender-controlled input. Consider limiting who may
# connect, for example (placeholder value, replace before use):
#$AllowedSender TCP, 127.0.0.1, <TRUSTED-CLIENT-NETWORK/PREFIX>
# and, where the installed rsyslog supports it, a TLS netstream driver.
$ModLoad imtcp
$InputTCPServerRun 514 # Accept TCP connections on the default syslog port

###########################
#### GLOBAL DIRECTIVES ####
###########################

#
# Use traditional timestamp format.
# To enable high precision timestamps, comment out the following line.
#
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

#
# Set the default permissions for all log files.
# Files are created root:adm 0640, so only root and members of adm can read
# them. Directories are created 0755, so any local account can list them;
# NOTE(review): that includes the per-host and per-application names used
# for the remote logs. Confirm this is acceptable or tighten $DirCreateMode.
#
$FileOwner root
$FileGroup adm
$FileCreateMode 0640
$DirCreateMode 0755

# Store any queues here. This directory is not created automatically, so it
# must already exist!
$WorkDirectory /var/spool/rsyslog

# Use a (disk-assisted) main queue
# NOTE(review): no disk limit for the queue is set in this file, so a burst
# from remote senders can grow the spool until the filesystem is full.
# Consider $MainMsgQueueMaxDiskSpace and a dedicated filesystem for the spool.
# Use a linked list for queueing
$MainMsgQueueType LinkedList
# Name to use for the queue file
$MainMsgQueueFileName main
# save in-memory data if rsyslog shuts down
$MainMsgQueueSaveOnShutdown on

#
# Include all config files in /etc/rsyslog.d/
# These files are read at this point, before the remote and local rules
# below, and run with rsyslogd's privileges; keep the directory writable by
# root only.
#
$IncludeConfig /etc/rsyslog.d/*.conf

########################
#### Remote logging ####
########################

# Log lines received from other servers (as well as our own logs) centrally.
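# Dynamic file name templates: one directory per sending host, with separate
# files per facility, per severity and per application name.
#
# %fromhost% and %app-name% are not trusted values: app-name is taken from
# the received message, and fromhost depends on name resolution of the peer.
# They are expanded into filesystem paths here, so slashes in them must not
# be allowed to select a different directory. The secpath-replace option
# turns any "/" in the value into "_"; paths for ordinary host and
# application names are unchanged. Test on the deployed rsyslog version
# before rollout.
# The facility and severity names are derived from the PRI value, not from
# free text, so they are used as they are.
$template HostFacilityLog,"/data/log/rsyslog/hosts/%fromhost:::secpath-replace%/facilities/%syslogfacility-text%.log"
$template HostSeverityLog,"/data/log/rsyslog/hosts/%fromhost:::secpath-replace%/severities/%syslogseverity-text%.log"
$template HostAppLog,"/data/log/rsyslog/hosts/%fromhost:::secpath-replace%/apps/%app-name:::secpath-replace%.log"

# Use a verbose logging format
$template LogFormat, "%TIMESTAMP:::date-rfc3339% %HOSTNAME% %syslogtag% %syslogfacility-text%.%syslogseverity-text%%msg:::sp-if-no-1st-sp%%msg:::drop-last-lf%\n"

# Log by facility, severity and appname
# Every message is written three times (once per template). The number of
# files under apps/ grows with the number of distinct application names that
# senders use, so watch disk and inode usage on /data/log.
*.*     ?HostFacilityLog;LogFormat
*.*     ?HostSeverityLog;LogFormat
*.*     ?HostAppLog;LogFormat

# Log all entries in a single file, which is meant to be parsed by logcheck
# (hence the traditional format).
# The leading "-" turns off syncing after each write.
*.*     -/data/log/rsyslog/all.log;RSYSLOG_TraditionalFileFormat

# Debugging format. Based on RSYSLOG_DebugFormat, available in later versions
# of rsyslogd, with some variations.
$template DebugFormat,"Debug line with all properties:\nFROMHOST: '%FROMHOST%', HOSTNAME: '%HOSTNAME%', PRI: %PRI%,\nsyslogtag '%syslogtag%', programname: '%programname%', APP-NAME: '%APP-NAME%', PROCID: '%PROCID%', MSGID: '%MSGID%',\nTIMESTAMP: '%TIMESTAMP%', STRUCTURED-DATA: '%STRUCTURED-DATA%', syslogtag: '%syslogtag%'\nmsg: '%msg%'\nescaped msg: '%msg:::drop-cc%'\nrawmsg: '%rawmsg%'\n\n"

# Uncomment this to have detailed logging for debugging
# (this records the raw message of every sender; keep it off in normal
# operation)
#*.*    -/data/log/rsyslog/debug.log;DebugFormat

#######################
#### Local logging ####
#######################

# Discard all log entries not locally generated. Newer versions of rsyslogd
# have the $fromhost-ip property which can be checked against 127.0.0.1, which
# is probably slightly more reliable, but this will work for now.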
# Drop every message whose fromhost is not the literal name 'log'; only
# messages that pass this filter reach the rules below.
# NOTE(review): this trusts a host name, not an address. For messages that
# arrive over the network, fromhost presumably comes from name resolution of
# the peer, so the filter is only as reliable as that lookup. Prefer a check
# on $fromhost-ip against 127.0.0.1 once the installed version provides it.
if $fromhost != 'log' then ~

# Log each facility into its own log
# (a leading "-" on a file name turns off syncing after each write; auth.log
# is written without it)
auth,authpriv.*         /var/log/rsyslog/auth.log
# NOTE(review): cron.* is written to user.log, the same file as user.*,
# which does not match the heading above. Confirm whether a separate cron
# log was intended.
cron.*                  -/var/log/rsyslog/user.log
daemon.*                -/var/log/rsyslog/daemon.log
kern.*                  -/var/log/rsyslog/kern.log
lpr.*                   -/var/log/rsyslog/lpr.log
mail.*                  -/var/log/rsyslog/mail.log
user.*                  -/var/log/rsyslog/user.log
local0,local1,local2,\
local3,local4,local5,\
local6,local7.*         -/var/log/rsyslog/local.log
# Omitted facilities: syslog, news, uucp, ftp

# All logs end up in syslog as well as the corresponding facility log above
# (except for auth, mail which only end up in the facility log for privacy
# reasons and debug which only ends up in the debug log below to prevent
# flooding).
*.*;\
*.!=debug;\
auth,authpriv.none;\
mail.none               -/var/log/rsyslog/syslog

# Debug entries end up in debug.log as well as the corresponding facility log
# above (except for auth and mail, which only end up in the facility logs for
# privacy reasons).
*.=debug;\
auth,authpriv.none;\
news.none;mail.none     -/var/log/rsyslog/debug.log

#
# Emergencies are sent to everybody logged in.
# This rule comes after the discard filter at the top of this section, so
# only messages that passed that filter are sent to user terminals.
#
*.emerg                 *