Understanding the /etc/rsyslog.conf file for configuring System Logging

by admin

Locally generated messages, from processes writing to the /dev/log socket and from the kernel ring buffer, are passed to rsyslogd. For every message it receives, rsyslog consults its configuration file, /etc/rsyslog.conf, to decide how to handle it: it walks the rule statements in file order, and every rule whose selector matches the message is applied, so one message can end up in several destinations. If no rule matches, the message is discarded. Rule statements specify two things:
1. what messages to match (selectors), and
2. what to do with matched messages (actions).

Selectors

Messages to match are specified by a selector, which names facilities and priorities, while the action to apply to matched messages is given in the action field that follows it. For example, the following rule tells rsyslog to apply the action /var/log/kernlog (write to that file) to every message with facility kern and priority debug or higher, which, as explained next, is every kernel message:

# cat /etc/rsyslog.conf
kern.debug             /var/log/kernlog

Priority statements in selectors are hierarchical. Rsyslog will match all messages of the specified priority and higher. The selector kern.debug matches all messages produced by the kernel with priority debug or higher; since debug is the lowest possible priority, the selector kern.debug matches all messages with a kern facility. In addition, an asterisk can be used as a wildcard to represent all priorities, so kern.* would also match all messages produced by the kernel.

Unlike the priority field, the facility field is not hierarchical. It is still possible to match messages from several facilities with one rule: facilities sharing a priority can be listed with commas (uucp,news.crit), whole selectors can be listed on one line separated by semicolons, and an asterisk matches every facility, providing another way to apply one action to a variety of messages. Within a semicolon-separated list the parts are applied left to right, so a later part can carve out exceptions: the special priority none removes a facility from the match (*.info;mail.none logs everything at info or higher except mail), =priority matches exactly that priority, and !priority excludes that priority and higher. The default configuration below relies on none to keep authpriv and cron messages out of /var/log/messages.

Syslog Facilities and Priorities

The facility is used to specify what type of program is generating the message. The Syslog daemon can then be configured to handle messages from different sources differently. This table lists the standard defined facilities with brief descriptions of what they are used for:

Facility         Description
auth             security/authorization messages
authpriv         security/authorization messages of a sensitive nature, meant for a log with restricted permissions (/var/log/secure in the default configuration)
cron             crond and atd daemon messages
daemon           other system daemons
kern             kernel messages
local0 - local7  reserved for local use
lpr              line printer subsystem
mail             mail subsystem
news             USENET news subsystem
syslog           messages generated internally by the system log daemon
user             generic user-level messages (the default facility of the logger command)
uucp             UUCP subsystem

The priority, or level, of a message is intended to determine the importance of a message. This table lists the standard priority levels with brief descriptions of their meanings:

Priority   Description
emerg      system is unusable
alert      action must be taken immediately
crit       critical conditions
err        error conditions
warning    warning conditions
notice     normal, but significant, condition
info       informational messages
debug      debugging messages

Actions

Many actions are possible, though only one can be included in a rule:

  • File names can be listed in the action field, specifying the file to which the selected message should be written. These are usually regular text files, but device files such as a terminal or a printer also work. A leading minus (-/var/log/maillog in the default file below) tells the daemon not to sync the file after every write; in rsyslog this only matters when $ActionFileEnableSync is turned on, which it is not by default, so the minus is accepted mainly for compatibility with older syslogd configurations.
  • User names can also be specified. If the named user is logged into the system when Rsyslog processes the message, the message will be printed to all of that user’s terminals.
  • An asterisk for the action tells Rsyslog to write the message to all logged-in users (it goes to all active terminals).
  • Messages can be sent to remote hosts. The action @host forwards the message over UDP and @@host over TCP to the machine host (an optional :port may follow the name), where it is processed again by that host's syslog daemon against its own rules. Neither form encrypts or authenticates anything by itself, and UDP additionally drops messages silently under load and accepts spoofed sources, so outside a trusted management network forward over TCP with TLS enabled (rsyslog's gtls network stream driver) and a disk-assisted queue; the commented-out forwarding block at the end of the default file below shows the TCP-plus-queue part.
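The following drop-in files are an added example, not part of the original page or of the CentOS default configuration. They contrast the weak @host form with a hardened TCP-over-TLS forwarding rule on the sender and the matching TLS listener on the collector, using rsyslog's legacy directive syntax so they fit a v5 rsyslog.conf. The hostnames, port 6514, the /etc/pki/rsyslog paths and the queue name are assumptions; both machines need the rsyslog-gnutls package for the gtls driver, and the files are picked up through the $IncludeConfig /etc/rsyslog.d/*.conf line in the default file.

```conf
# ---- /etc/rsyslog.d/forward.conf on every sender (example; paths and names assumed) ----

# Weak: plain UDP. Datagrams are unencrypted, unauthenticated, easily spoofed,
# and anything lost on the wire is gone silently. Kept here only for contrast.
#*.* @logserver.example.com:514

# Hardened: TCP with TLS (gtls driver), mutual x509 authentication, and a
# disk-assisted queue so messages survive an outage of the collector.
$DefaultNetstreamDriver gtls
$DefaultNetstreamDriverCAFile   /etc/pki/rsyslog/ca.pem
$DefaultNetstreamDriverCertFile /etc/pki/rsyslog/client-cert.pem
$DefaultNetstreamDriverKeyFile  /etc/pki/rsyslog/client-key.pem

# Queue directives apply to the next action only; duplicate them per forwarding rule.
$WorkDirectory /var/lib/rsyslog
$ActionQueueType LinkedList
$ActionQueueFileName fwdTLS
$ActionQueueMaxDiskSpace 1g
$ActionQueueSaveOnShutdown on
$ActionResumeRetryCount -1

$ActionSendStreamDriverMode 1                  # 1 = TLS only, never fall back to plaintext
$ActionSendStreamDriverAuthMode x509/name      # verify the collector's certificate and name
$ActionSendStreamDriverPermittedPeer logserver.example.com
*.* @@logserver.example.com:6514

# ---- /etc/rsyslog.d/tls-receive.conf on the collector (example; paths and names assumed) ----
$DefaultNetstreamDriver gtls
$DefaultNetstreamDriverCAFile   /etc/pki/rsyslog/ca.pem
$DefaultNetstreamDriverCertFile /etc/pki/rsyslog/server-cert.pem
$DefaultNetstreamDriverKeyFile  /etc/pki/rsyslog/server-key.pem
$ModLoad imtcp
$InputTCPServerStreamDriverMode 1              # accept TLS connections only
$InputTCPServerStreamDriverAuthMode x509/name  # clients must present a cert issued by ca.pem
$InputTCPServerStreamDriverPermittedPeer *.example.com
$InputTCPServerRun 6514
```

Validate each file with rsyslogd -N1 before restarting the daemon, then send a test line from a sender with logger and confirm it arrives on the collector. Because the collector's own rules run again on what it receives, give it a separate rule that writes forwarded messages to per-host files rather than letting *.info mix them into its local /var/log/messages.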

Default /etc/rsyslog.conf file

Below is the default /etc/rsyslog.conf configuration file in CentOS 6.

# cat /etc/rsyslog.conf 
# rsyslog v5 configuration file

# For more information see /usr/share/doc/rsyslog-*/rsyslog_conf.html
# If you experience problems, see http://www.rsyslog.com/doc/troubleshoot.html

#### MODULES ####

$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imklog   # provides kernel logging support (previously done by rklogd)
#$ModLoad immark  # provides --MARK-- message capability

# Provides UDP syslog reception
#$ModLoad imudp
#$UDPServerRun 514

# Provides TCP syslog reception
#$ModLoad imtcp
#$InputTCPServerRun 514


#### GLOBAL DIRECTIVES ####

# Use default timestamp format
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

# File syncing capability is disabled by default. This feature is usually not required,
# not useful and an extreme performance hit
#$ActionFileEnableSync on

# Include all config files in /etc/rsyslog.d/
$IncludeConfig /etc/rsyslog.d/*.conf


#### RULES ####

# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.*                                                 /dev/console

# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none                /var/log/messages

# The authpriv file has restricted access.
authpriv.*                                              /var/log/secure

# Log all the mail messages in one place.
mail.*                                                  -/var/log/maillog


# Log cron stuff
cron.*                                                  /var/log/cron

# Everybody gets emergency messages
*.emerg                                                 *

# Save news errors of level crit and higher in a special file.
uucp,news.crit                                          /var/log/spooler

# Save boot messages also to boot.log
local7.*                                                /var/log/boot.log


# ### begin forwarding rule ###
# The statement between the begin ... end define a SINGLE forwarding
# rule. They belong together, do NOT split them. If you create multiple
# forwarding rules, duplicate the whole block!
# Remote Logging (we use TCP for reliable delivery)
#
# An on-disk queue is created for this action. If the remote host is
# down, messages are spooled to disk and sent when it is up again.
#$WorkDirectory /var/lib/rsyslog # where to place spool files
#$ActionQueueFileName fwdRule1 # unique name prefix for spool files
#$ActionQueueMaxDiskSpace 1g   # 1gb space limit (use as much as possible)
#$ActionQueueSaveOnShutdown on # save messages to disk on shutdown
#$ActionQueueType LinkedList   # run asynchronously
#$ActionResumeRetryCount -1    # infinite retries if host is down
# remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional
#*.* @@remote-host:514
# ### end of the forwarding rule ###
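To make the selector rules from the Selectors section concrete, here is an added worked example (not code from the page or from rsyslog itself): a small Python matcher for the legacy facility.priority selector syntax, run against a constructed copy of the RULES section of the default file above. It implements the sysklogd semantics that rsyslog inherited, including the none, =priority and !priority forms, and goes one step beyond the text by encoding and decoding the numeric PRI value (facility * 8 + priority) that appears as <N> at the front of a syslog message on the wire. The ftp facility and the panic/error/warn/security aliases are included because rsyslog accepts them; the DEFAULT_RULES text is copied from this page, not read from a live system.

```python
"""Legacy rsyslog/sysklogd selector matching, as an added worked example.

Selector grammar handled:  facility[,facility...].priority[;...]
  priority forms: name (that priority and more severe), *, none, =name, !name, !=name
Semantics follow sysklogd's cfline(): positive parts OR bits into a facility's
priority mask, '!' parts clear bits, and 'none' clears the whole mask.
"""

FACILITIES = {"kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
              "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11}
FACILITIES.update({f"local{i}": 16 + i for i in range(8)})
PRIORITIES = {"emerg": 0, "alert": 1, "crit": 2, "err": 3, "warning": 4,
              "notice": 5, "info": 6, "debug": 7}
# traditional aliases still accepted by rsyslog's legacy syntax
ALIASES = {"panic": "emerg", "error": "err", "warn": "warning", "security": "auth"}


def _canon(name):
    return ALIASES.get(name, name)


def _prio_bits(spec):
    """Return (clear, levels): the priority numbers a spec names, and whether it removes them."""
    if spec == "*":
        return False, set(PRIORITIES.values())
    if spec == "none":
        return True, set(PRIORITIES.values())
    clear = spec.startswith("!")
    spec = spec.lstrip("!")
    exact = spec.startswith("=")
    name = _canon(spec.lstrip("="))
    if name not in PRIORITIES:
        raise ValueError(f"unknown priority {spec!r}")
    level = PRIORITIES[name]
    # "p" means p and everything more severe, i.e. every numeric level <= p
    levels = {level} if exact else {p for p in PRIORITIES.values() if p <= level}
    return clear, levels


def selector_mask(selector):
    """Build {facility_number: set(priority_numbers)} for one selector field."""
    mask = {f: set() for f in FACILITIES.values()}
    for part in selector.split(";"):
        facs, _, prio = part.rpartition(".")
        if not facs:
            raise ValueError(f"malformed selector part {part!r}")
        clear, levels = _prio_bits(prio)
        targets = FACILITIES.values() if facs == "*" else [FACILITIES[_canon(f)] for f in facs.split(",")]
        for fac in targets:
            if clear:
                mask[fac] -= levels
            else:
                mask[fac] |= levels
    return mask


def selector_matches(selector, facility, priority):
    return PRIORITIES[_canon(priority)] in selector_mask(selector)[FACILITIES[_canon(facility)]]


def parse_rules(conf_text):
    """Extract (selector, action) pairs from legacy rule lines; skip comments and $directives."""
    rules = []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#$":
            continue
        selector, action = line.split(None, 1)  # whitespace separates selector from action
        rules.append((selector, action.strip()))
    return rules


def route(rules, facility, priority):
    """Return the actions, in file order, that would receive this message."""
    return [action for selector, action in rules if selector_matches(selector, facility, priority)]


def encode_pri(facility, priority):
    """PRI value carried as <N> at the start of a syslog message on the wire."""
    return FACILITIES[_canon(facility)] * 8 + PRIORITIES[_canon(priority)]


def decode_pri(pri):
    fac_num, prio_num = divmod(pri, 8)
    fac = next((n for n, v in FACILITIES.items() if v == fac_num), None)
    prio = next((n for n, v in PRIORITIES.items() if v == prio_num), None)
    if fac is None or prio is None:
        raise ValueError(f"PRI {pri} uses an unmapped facility code")
    return fac, prio


# Constructed copy of the RULES section of the CentOS 6 default file shown above.
DEFAULT_RULES = parse_rules("""
*.info;mail.none;authpriv.none;cron.none    /var/log/messages
authpriv.*                                  /var/log/secure
mail.*                                      -/var/log/maillog
cron.*                                      /var/log/cron
*.emerg                                     *
uucp,news.crit                              /var/log/spooler
local7.*                                    /var/log/boot.log
""")

if __name__ == "__main__":
    for fac, prio in [("authpriv", "info"), ("kern", "debug"), ("kern", "emerg"), ("news", "crit")]:
        print(f"{fac}.{prio:<6} -> {route(DEFAULT_RULES, fac, prio)}")
```

Two results worth noticing: a kern.debug message matches nothing in the default rules and is discarded, because *.info stops at info, and an authpriv message reaches only /var/log/secure, which is exactly the separation the "Don't log private authentication messages!" comment is asking for. Verify the same thing on a real host with logger -p authpriv.info test and a look at both files.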
