http://ftp.ics.uci.edu/pub/centos0/ics-custom-build/BUILD/rsyslog-3.19.7/doc/rsyslog_conf.html
https://answers.splunk.com/answers/79844/example-rsyslog-conf-for-multiple-data-sources-with-uf.html
http://serverfault.com/questions/400293/syslog-ip-ranges-to-specific-files-using-rsyslog
Examples
Below are examples of templates and selector lines. They are meant to be self-explanatory; if not, see www.monitorware.com/rsyslog/ for advice.
TEMPLATES
Please note that the samples are split across multiple lines. A template MUST NOT actually be split across multiple lines.
A template that resembles traditional syslogd file output:
$template TraditionalFormat,"%timegenerated% %HOSTNAME%
%syslogtag%%msg:::drop-last-lf%\n"
A template that tells you a little more about the message:
$template precise,"%syslogpriority%,%syslogfacility%,%timegenerated%,%HOSTNAME%,
%syslogtag%,%msg%\n"
A template for RFC 3164 format:
$template RFC3164fmt,"<%PRI%>%TIMESTAMP% %HOSTNAME% %syslogtag%%msg%"
A template for the format traditionally used for user messages:
$template usermsg," XXXX%syslogtag%%msg%\n\r"
And a template with the traditional wall-message format:
$template wallmsg,"\r\n\7Message from syslogd@%HOSTNAME% at %timegenerated%
...\r\n %syslogtag%%msg%\n\r"
A template that can be used for the database write (note the SQL template option at the end: it escapes quotes inside each property value, so a quote in a message cannot terminate the string literal and inject SQL). The statement below only illustrates the syntax; a working INSERT is the dbFormat template in the sample configuration further down.
$template MySQLInsert,"insert iut, message, receivedat values
('%iut%', '%msg:::UPPERCASE%', '%timegenerated:::date-mysql%')
into systemevents\r\n", SQL
The following template emulates WinSyslog format (it's an Adiscon format; do not feel bad if you don't know it ;)). It's interesting to see how it takes different parts out of the date stamps. What happens is that the date stamp is split into the actual date and time, and these two are combined with just a comma in between them.
$template WinSyslogFmt,"%HOSTNAME%,%timegenerated:1:10:date-rfc3339%,
%timegenerated:12:19:date-rfc3339%,%timegenerated:1:10:date-rfc3339%,
%timegenerated:12:19:date-rfc3339%,%syslogfacility%,%syslogpriority%,
%syslogtag%%msg%\n"
SELECTOR LINES
# Store critical stuff in critical
#
*.=crit;kern.none /var/adm/critical
This will store all messages with the priority crit in the file /var/adm/critical, except for any kernel message.
# Kernel messages are first, stored in the kernel
# file, critical messages and higher ones also go
# to another host and to the console. Messages to
# the host finlandia are forwarded in RFC 3164
# format (using the template defined above).
#
kern.* /var/adm/kernel
kern.crit @finlandia;RFC3164fmt
kern.crit /dev/console
kern.info;kern.!err /var/adm/kernel-info
The first rule directs any message that has the kernel facility to the file /var/adm/kernel.
The second statement directs all kernel messages of the priority crit and higher to the remote host finlandia. This is useful, because if the host crashes and the disks get irreparable errors you might not be able to read the stored messages. If they're on a remote host, too, you still can try to find out the reason for the crash.
The third rule directs these messages to the actual console, so the person who works on the machine will get them, too.
The fourth line tells rsyslogd to save all kernel messages that come with priorities from info up to warning in the file /var/adm/kernel-info. Everything from err and higher is excluded.
# The tcp wrapper logs with mail.info, we display
# all the connections on tty12
#
mail.=info /dev/tty12
This directs all messages that use mail.info (in source LOG_MAIL | LOG_INFO) to /dev/tty12, the 12th console. For example the tcpwrapper tcpd(8) uses this as its default.
# Store all mail concerning stuff in a file
#
mail.*;mail.!=info /var/adm/mail
This pattern matches all messages that come with the mail facility, except for the info priority. These will be stored in the file /var/adm/mail.
# Log all mail.info and news.info messages to info
#
mail,news.=info /var/adm/info
This will extract all messages that come either with mail.info or with news.info and store them in the file /var/adm/info.
# Log info and notice messages to messages file
#
*.=info;*.=notice;\
mail.none /var/log/messages
This lets rsyslogd log all messages that come with either the info or the notice priority into the file /var/log/messages, except for all messages that use the mail facility.
# Log info messages to messages file
#
*.=info;\
mail,news.none /var/log/messages
This statement causes rsyslogd to log all messages that come with the info priority to the file /var/log/messages. But any message coming either with the mail or the news facility will not be stored.
# Emergency messages will be displayed using wall
#
*.=emerg *
This rule tells rsyslogd to write all emergency messages to all currently logged in users. This is the wall action.
# Messages of the priority alert will be directed
# to the operator
#
*.alert root,rgerhards
This rule directs all messages with a priority of alert or higher to the terminals of the operator, i.e. of the users "root" and "rgerhards" if they're logged in.
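To make the selector semantics of the rules above concrete, here is an added example (not rsyslog code) that evaluates sysklogd-style selectors the way the explanations above describe them (pri means pri and everything more severe, =pri exactly pri, !pri drops pri and more severe, none drops a facility, items apply left to right) and routes a message through a small configuration constructed from this page's own rules. It models only facility.priority selectors, not property-based filters.

```python
"""Evaluate sysklogd-style selectors the way rsyslog's traditional filter does.

Added example, not rsyslog code. It models only facility.priority selectors
(the ';'-joined items explained on this page), not property-based filters
such as ':msg, contains, ...'. Codes are the syslog(3) facility/priority values.
"""

FACILITIES = {
    "kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "security": 4,
    "syslog": 5, "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10,
    "ftp": 11, **{"local%d" % i: 16 + i for i in range(8)},
}
PRIORITIES = {
    "emerg": 0, "panic": 0, "alert": 1, "crit": 2, "err": 3, "error": 3,
    "warning": 4, "warn": 4, "notice": 5, "info": 6, "debug": 7,
}
ALL_PRI = 0xFF  # one bit per priority, bit 0 = emerg ... bit 7 = debug


def parse_selector(selector):
    """Return {facility_code: priority_bitmask} for one selector.

    Items are applied left to right, so a later item overrides an earlier one
    for the facilities it names (that is how '*.=info;mail.none' works):
      pri  -> pri and everything more severe    =pri  -> exactly pri
      !pri -> drop pri and more severe          !=pri -> drop exactly pri
      none -> drop the facility entirely        *     -> every priority
    """
    mask = dict.fromkeys(set(FACILITIES.values()), 0)
    for item in selector.split(";"):
        item = item.strip()
        if not item:
            continue
        fac_part, sep, pri_part = item.rpartition(".")
        if not sep:
            raise ValueError("selector item without '.': %r" % item)
        facs = list(mask) if fac_part == "*" else [FACILITIES[f.strip()] for f in fac_part.split(",")]
        ignore = pri_part.startswith("!")
        if ignore:
            pri_part = pri_part[1:]
        single = pri_part.startswith("=")
        if single:
            pri_part = pri_part[1:]
        for fac in facs:
            if pri_part == "none":
                mask[fac] = ALL_PRI if ignore else 0
            elif pri_part == "*":
                mask[fac] = 0 if ignore else ALL_PRI
            else:
                pri = PRIORITIES[pri_part]
                bits = (1 << pri) if single else ((1 << (pri + 1)) - 1)
                mask[fac] = (mask[fac] & ~bits) if ignore else (mask[fac] | bits)
    return mask


def selects(selector, facility, priority):
    """True if a message with this facility and priority matches the selector."""
    mask = parse_selector(selector)
    return bool(mask[FACILITIES[facility]] & (1 << PRIORITIES[priority]))


def parse_rules(conf_text):
    """Return [(selector, action)] from rsyslog.conf-style text.

    Handles full-line '#' comments and the trailing-backslash continuation
    used in the examples; a rule is 'selector<whitespace>action'.
    """
    rules, pending = [], ""
    for raw in conf_text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line.endswith("\\"):
            pending += line[:-1].strip()
            continue
        line = pending + line.lstrip()
        pending = ""
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError("rule without action: %r" % line)
        rules.append((parts[0], parts[1].strip()))
    if pending:
        raise ValueError("dangling line continuation")
    return rules


def route(rules, facility, priority):
    """Actions that would fire for one message, in configuration order."""
    return [action for selector, action in rules if selects(selector, facility, priority)]


# Constructed from the selector examples on this page (finlandia, rgerhards are the page's names).
SAMPLE_CONF = """\
# Store critical stuff in critical
*.=crit;kern.none   /var/adm/critical
kern.*              /var/adm/kernel
kern.crit           @finlandia;RFC3164fmt
kern.crit           /dev/console
kern.info;kern.!err /var/adm/kernel-info
mail.=info          /dev/tty12
mail.*;mail.!=info  /var/adm/mail
mail,news.=info     /var/adm/info
*.=info;*.=notice;\\
        mail.none   /var/log/messages
*.=emerg            *
*.alert             root,rgerhards
"""

if __name__ == "__main__":
    rules = parse_rules(SAMPLE_CONF)
    for facility, priority in [("kern", "crit"), ("mail", "info"), ("user", "notice"), ("user", "alert")]:
        print("%s.%s -> %s" % (facility, priority, route(rules, facility, priority)))
```

Running it shows, for instance, that a kern.crit message hits the kernel file, the forward to finlandia and the console but not /var/adm/critical (kern.none removed it) and not /var/adm/kernel-info (kern.!err removed err and more severe), which is exactly what the prose above says each line does. When reviewing a real configuration, feed it to parse_rules and route a few (facility, priority) pairs through it to confirm that auth/authpriv events really reach the remote host before relying on it.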
*.* @finlandia
This rule would redirect all messages to a remote host called finlandia. This is useful especially in a cluster of machines where all syslog messages will be stored on only one machine.
In the format shown above, UDP is used for transmitting the message. The destination port is set to the default of 514. Rsyslog is also capable of forwarding over TCP sessions, which are more reliable than UDP: a datagram that the network or the receiver drops is simply lost, while a TCP sender notices a dead peer. Note that plain TCP is not more secure by itself; messages still travel unencrypted and unauthenticated, so on an untrusted network it has to be combined with rsyslog's TLS support. Also, the destination port can be specified. To select TCP, simply add one additional @ in front of the host name (that is, @host is UDP, @@host is TCP). For example:
*.* @@finlandia
To specify the destination port on the remote machine, use a colon followed by the port number after the machine name. The following forwards to port 1514 on finlandia:
*.* @@finlandia:1514
This syntax works both with TCP and UDP based syslog. However, you will probably primarily need it for TCP, as there is no well-accepted port for this transport (it is non-standard). For UDP, you can usually stick with the default of 514. You might want to move it for security reasons, but keep in mind that a non-default port only cuts down unsolicited traffic; it is not access control, which is what $AllowedSender (see the sample configuration below) and a host firewall are for. Changing the port is easy:
*.* @finlandia:1514
*.* >dbhost,dbname,dbuser,dbpassword;dbtemplate
This rule writes all messages to the database "dbname" hosted on "dbhost". The login is done with user "dbuser" and password "dbpassword". The actual table that is updated is specified within the template (which contains the insert statement). The template is called "dbtemplate" in this case. Because the password sits in clear text in this line, rsyslog.conf must not be readable by other users (the sample configuration below sets it to mode 600), and the database account needs no more than INSERT on the log table.
:msg,contains,"error" @errorServer
This rule forwards all messages that contain the word "error" in the msg part to the server "errorServer". Forwarding is via UDP. Please note the colon in fron
This documentation is part of the rsyslog project.
Copyright © 2008 by Rainer Gerhards and Adiscon. Released under the GNU GPL version 2 or higher.
# A commented quick reference and sample configuration
# WARNING: This is not a manual, the full manual of rsyslog configuration is in
# rsyslog.conf (5) manpage
#
# "$" starts lines that contain new directives. The full list of directives
# can be found in /usr/share/doc/rsyslog-1.19.6/doc/rsyslog_conf.html

# Set syslogd options
# Some global directives
# ----------------------

# $AllowedSender - specifies which remote systems are allowed to send syslog messages to rsyslogd
# --------------
$AllowedSender UDP, 127.0.0.1, 192.0.2.0/24, [::1]/128, *.example.net, somehost.example.com

# $UMASK - specifies the rsyslogd processes' umask
# ------
# (0000 removes nothing from the modes rsyslogd creates files with; check it against
# the file and directory modes you actually want for log files)
$umask 0000

# $FileGroup - Set the group for dynaFiles newly created
# ----------
$FileGroup loggroup

# $FileOwner - Set the file owner for dynaFiles newly created.
# ----------
$FileOwner loguser

# $IncludeConfig - include other files into the main configuration file
# --------------
$IncludeConfig /etc/some-included-file.conf   # one file
$IncludeConfig /etc/rsyslog.d/                # whole directory (must contain the final slash)

# $ModLoad - Dynamically loads a plug-in and activates it
# --------
$ModLoad MySQL                                # load MySQL functionality
$ModLoad /rsyslog/modules/somemodule.so       # load a module via absolute path

# Templates
# ---------
# Templates allow to specify any format a user might want.
# They MUST be defined BEFORE they are used.
# A template consists of a template directive, a name, the actual template text
# and optional options. A sample is:
# $template MyTemplateName,"\7Text %property% some more text\n",
# where:
# * $template - tells rsyslog that this line contains a template.
# * MyTemplateName - template name. All other config lines refer to this name.
# * "\7Text %property% some more text\n" - template text
#   The backslash is an escape character, i.e. \7 rings the bell, \n is a new line.
#   To escape:
#   % = \%
#   \ = \\
# Template options are case-insensitive. Currently defined are:
# sql    - format the string suitable for a SQL statement in MySQL format. Inside
#          each field, single quotes ("'") and backslashes ("\") are replaced by
#          their backslash-escaped forms ("\'" and "\\"), so a quote in a message
#          cannot end the string literal and inject SQL. Requires the MySQL
#          NO_BACKSLASH_ESCAPES mode to be turned off (the default).
# stdsql - format the string suitable for a SQL statement that is to be sent to a
#          standards-compliant sql server: single quotes are doubled ("''").
#          Use this with MySQL if NO_BACKSLASH_ESCAPES is turned on.
# Without one of these options, message content goes into the statement verbatim.

# Properties inside templates
# ---------------------------
# Properties can be modified by the property replacer. They are accessed
# inside the template by putting them between percent signs. The full syntax is as follows:
# %propname:fromChar:toChar:options%
# FromChar and toChar are used to build substrings.
# If you need to obtain the first 2 characters of the
# message text, you can use this syntax: "%msg:1:2%".
# If you do not wish to specify from and to, but you want to
# specify options, you still need to include the colons.
# For example, to convert the full message text to lower case only, use
# "%msg:::lowercase%".
# The full list of property options can be found in rsyslog.conf(5) manpage

# Samples of template definitions
# -------------------------------
# A template that resembles traditional syslogd file output:
$template TraditionalFormat,"%timegenerated% %HOSTNAME% %syslogtag%%msg:::drop-last-lf%\n"

# A more verbose template:
$template precise,"%syslogpriority%,%syslogfacility%,%timegenerated::fulltime%,%HOSTNAME%,%syslogtag%,%msg%\n"

# A template that resembles RFC 3164 on-the-wire format:
# (yes, there is NO space between syslogtag and msg! that's important!)
$template RFC3164fmt,"<%PRI%>%TIMESTAMP% %HOSTNAME% %syslogtag%%msg%"

# a template resembling traditional wallmessage format:
$template wallmsg,"\r\n\7Message from syslogd@%HOSTNAME% at %timegenerated% ...\r\n %syslogtag%%msg%\n\r"

# The template below emulates winsyslog format, but we need to check the time
# stamps used. It is also a good sample of the property replacer in action.
$template WinSyslogFmt,"%HOSTNAME%,%timegenerated:1:10:date-rfc3339%,%timegenerated:12:19:date-rfc3339%,%timegenerated:1:10:date-rfc3339%,%timegenerated:12:19:date-rfc3339%,%syslogfacility%,%syslogpriority%,%syslogtag%%msg%\n"

# A template used for database writing (notice it *is* an actual
# sql-statement, and that the sql option is set so that quotes in a message are escaped):
$template dbFormat,"insert into SystemEvents (Message, Facility,FromHost, Priority, DeviceReportedTime, ReceivedAt, InfoUnitID, SysLogTag) values ('%msg%', %syslogfacility%, '%HOSTNAME%',%syslogpriority%, '%timereported:::date-mysql%', '%timegenerated:::date-mysql%', %iut%, '%syslogtag%')",sql

# Samples of rules
# ----------------

# Regular file
# ------------
*.* /var/log/traditionalfile.log;TraditionalFormat   # log to a file in the traditional format

# Forwarding to remote machine
# ----------------------------
*.* @172.19.2.16    # udp (standard for syslog)
*.* @@172.19.2.17   # tcp

# Database action
# ---------------
# (you must have rsyslog-mysql package installed)
# !!! Don't forget to set permission of rsyslog.conf to 600 !!!
# (the line below contains the database password in clear text)
*.* >hostname,dbname,userid,password
# (default Monitorware schema, can be created by /usr/share/doc/rsyslog-mysql-1.19.6/createDB.sql)
# And this one uses the template defined above:
*.* >hostname,dbname,userid,password;dbFormat

# Program to execute
# ------------------
*.* ^alsaunmute     # set default volume to soundcard

# Filter using regex
# ------------------
# if the user logs the word rulez or rulezz or rulezzz or..., then we will shut down his pc
# (note, that + has to be double backslashed...)
# WARNING: the ^program action runs with rsyslogd's privileges on content chosen by
# whoever can log a message, including remote senders accepted by $AllowedSender;
# with this rule, anyone who gets the word "rulez" into a log message powers the box off.
:msg, regex, "rulez\\+" ^poweroff

# A more complex example
# ----------------------
$template bla_logged,"%timegenerated% the BLA was logged"
:msg, contains, "bla" ^logger;bla_logged

# Pipes
# -----
# first we need to create pipe by
# mkfifo /a_big_pipe
*.* |/a_big_pipe

# Discarding
# ----------
*.* ~               # discards everything
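The template syntax from the TEMPLATES section of the examples and the property-replacer notes in the sample configuration (backslash escapes, %propname:fromChar:toChar:options%, the date-*, case and drop-last-lf options) together with the sql/stdsql template options, as one added example in Python that is not rsyslog code. The message, timestamp, hostile message body and the shortened template texts are constructed for the demo; the escaping rules are the ones the template-option description above states.

```python
"""Render rsyslog legacy $template text with the property-replacer subset shown
on this page: backslash escapes, %prop:from:to:options%, date-*, case and
drop-last-lf options, and the sql/stdsql template options. Added example, not
rsyslog code; message, timestamp and template texts are constructed here."""
from datetime import datetime, timedelta, timezone

TS = datetime(2008, 3, 26, 14, 7, 34, 123456, tzinfo=timezone(timedelta(hours=1)))
SAMPLE_MSG = {  # constructed message; rsyslog keeps the space after the tag inside msg
    "HOSTNAME": "finlandia", "syslogtag": "sshd[4242]:", "msg": " Accepted password for alice",
    "syslogfacility": 4, "syslogpriority": 6, "PRI": 4 * 8 + 6, "iut": 1,
    "timegenerated": TS, "timereported": TS, "TIMESTAMP": TS,
}
ESCAPES = {"n": "\n", "r": "\r", "t": "\t", "7": "\a", "%": "%", "\\": "\\"}


def format_date(value, fmt):
    if fmt == "date-rfc3339":
        return value.isoformat()                    # 2008-03-26T14:07:34.123456+01:00
    if fmt == "date-mysql":
        return value.strftime("%Y-%m-%d %H:%M:%S")
    if fmt == "date-rfc3164":                       # rsyslog's default date rendering
        return "%s %2d %s" % (value.strftime("%b"), value.day, value.strftime("%H:%M:%S"))
    raise ValueError("unknown date option %r" % fmt)


def sql_escape(text, mode):
    """Per-field escaping selected by the template option (None, 'sql', 'stdsql')."""
    if mode == "sql":       # MySQL style; needs NO_BACKSLASH_ESCAPES off on the server
        return text.replace("\\", "\\\\").replace("'", "\\'")
    if mode == "stdsql":    # standard SQL: double every single quote
        return text.replace("'", "''")
    if mode is None:        # no option: message content goes in verbatim
        return text
    raise ValueError("unknown template option %r" % mode)


def replace_property(spec, props, mode):
    """Expand one %propname:fromChar:toChar:options% reference (1-based, inclusive)."""
    parts = spec.split(":")
    name = parts[0]
    frm = parts[1] if len(parts) > 1 else ""
    to = parts[2] if len(parts) > 2 else ""
    options = [o for o in (parts[3].split(",") if len(parts) > 3 else []) if o]
    if name not in props:
        raise ValueError("unknown property %r" % name)
    value = props[name]
    if isinstance(value, datetime):               # date options format before substringing
        date_opts = [o for o in options if o.startswith("date-")]
        value = format_date(value, date_opts[0] if date_opts else "date-rfc3164")
    text = str(value)
    if frm or to:
        text = text[(int(frm) - 1 if frm else 0):(int(to) if to else len(text))]
    for opt in options:
        if opt.startswith("date-"):
            continue
        if opt == "uppercase":
            text = text.upper()
        elif opt == "lowercase":
            text = text.lower()
        elif opt == "drop-last-lf":
            text = text[:-1] if text.endswith("\n") else text
        else:
            raise ValueError("unknown property option %r" % opt)
    return sql_escape(text, mode)


def render(template_text, props, mode=None):
    """Render the text between the quotes of a $template line for one message."""
    out, i, n = [], 0, len(template_text)
    while i < n:
        c = template_text[i]
        if c == "\\" and i + 1 < n:                 # \n, \7, \%, \\ ...
            out.append(ESCAPES.get(template_text[i + 1], template_text[i + 1]))
            i += 2
        elif c == "%":
            j = template_text.find("%", i + 1)
            if j < 0:
                raise ValueError("unterminated property reference")
            out.append(replace_property(template_text[i + 1:j], props, mode))
            i = j + 1
        else:
            out.append(c)
            i += 1
    return "".join(out)


TEMPLATES = {  # the page's templates; WinSyslogFmt and dbFormat shortened for the demo
    "TraditionalFormat": r"%timegenerated% %HOSTNAME% %syslogtag%%msg:::drop-last-lf%\n",
    "RFC3164fmt": r"<%PRI%>%TIMESTAMP% %HOSTNAME% %syslogtag%%msg%",
    "WinSyslogFmt": r"%HOSTNAME%,%timegenerated:1:10:date-rfc3339%,%timegenerated:12:19:date-rfc3339%,%syslogfacility%,%syslogpriority%,%syslogtag%%msg%\n",
    "dbFormat": r"insert into SystemEvents (Message, FromHost, ReceivedAt) values ('%msg%', '%HOSTNAME%', '%timegenerated:::date-mysql%')",
}
# A constructed message body that closes the quoted Message column if it is not escaped.
HOSTILE_MSG = dict(SAMPLE_MSG, msg=" x'); DROP TABLE SystemEvents; --")

if __name__ == "__main__":
    for name in ("TraditionalFormat", "RFC3164fmt", "WinSyslogFmt"):
        print(name, repr(render(TEMPLATES[name], SAMPLE_MSG)))
    for mode in (None, "sql", "stdsql"):
        print("dbFormat", mode, render(TEMPLATES["dbFormat"], HOSTILE_MSG, mode))
```

The last loop is the point of the exercise: with no template option, the message ends the quoted column and the rest of the body is sent to the server as SQL, which is what the sql and stdsql options prevent by escaping every field. Remember that whoever can get a line into the log (a local user with logger, or any remote sender rsyslogd accepts) controls that content, so a database template without one of these options, combined with a database account that can do more than INSERT, hands them the log database.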