All system and kernel messages get passed to rsyslogd. For every log message it receives, Rsyslog consults its configuration file, /etc/rsyslog.conf, to determine how to handle that message: it checks every rule statement, and each rule whose selector matches the message applies its action, so one message can be written to several destinations. If no rule statement matches the message, Rsyslog discards it. Rule statements specify two things:
1. what messages to match (selectors), and
2. what to do with matched messages (actions).
Selectors
Messages to match are specified by a selector which matches facilities and priorities, while actions to apply to matched messages are specified by an action field. For example, the following configuration line tells Rsyslog to apply the action /var/log/kernlog to all messages with a facility of kern and a level of debug:
```
# cat /etc/rsyslog.conf
kern.debug      /var/log/kernlog
```
Priority statements in selectors are hierarchical. Rsyslog will match all messages of the specified priority and higher. The selector kern.debug matches all messages produced by the kernel with priority debug or higher; since debug is the lowest possible priority, the selector kern.debug matches all messages with a kern facility. In addition, an asterisk can be used as a wildcard to represent all priorities, so kern.* would also match all messages produced by the kernel.
Unlike the priority field, the facility field is not hierarchical. It is still possible to match messages from several facilities with one selector, however: facilities that share a priority can be written as a comma-separated list before the dot (uucp,news.crit), and the asterisk wildcard matches all facilities. Multiple selectors can also be listed on a line, separated by semicolons, when the same action needs to be applied to several kinds of message. Selectors on a line are applied left to right, and the special priority none removes a facility from the set, so *.info;mail.none sends everything of level info or higher except mail messages to the action.
Syslog Facilities and Priorities
The facility is used to specify what type of program is generating the message. The Syslog daemon can then be configured to handle messages from different sources differently. This table lists the standard defined facilities with brief descriptions of what they are used for:
Facility | Description |
---|---|
auth/authpriv | security/authorization messages |
cron | crond and atd daemons messages |
daemon | other system daemons |
kern | kernel messages |
local0 – local7 | reserved for local use |
lpr | line printer subsystem |
mail | mail subsystem |
news | USENET news subsystem |
syslog | messages generated internally by the system log daemon |
user | generic user-level messages |
uucp | UUCP subsystem |
The priority, or level, of a message is intended to determine the importance of a message. This table lists the standard priority levels with brief descriptions of their meanings:
Priority | Description |
---|---|
emerg | system is unusable |
alert | action must be taken immediately |
crit | critical conditions |
err | error conditions |
warning | warning conditions |
notice | normal, but significant, condition |
info | informational messages |
debug | debugging messages |
Actions
Many actions are possible, though only one can be included in a rule:
- File names can be listed in the action field, specifying the location of files to which the selected message should be written. These files can be text files, as is usually the case, but they can also be device files such as a terminal or a printer.
- User names can also be specified. If the named user is logged into the system when Rsyslog processes the message, the message will be printed to all of that user’s terminals.
- An asterisk for the action tells Rsyslog to write the message to all logged-in users (it goes to all active terminals).
- Messages can be sent to remote hosts. The action @host tells Rsyslog to forward the message over UDP to the machine host, where it will be processed again by that host's Syslog daemon; @@host forwards over TCP, which is the form the default file's forwarding rule uses. Neither form encrypts or authenticates the stream, so the receiving host should only be reachable over a network you trust.
Default /etc/rsyslog.conf file
Below is the default /etc/rsyslog.conf configuration file in CentOS 6.
```
# cat /etc/rsyslog.conf
# rsyslog v5 configuration file

# For more information see /usr/share/doc/rsyslog-*/rsyslog_conf.html
# If you experience problems, see http://www.rsyslog.com/doc/troubleshoot.html

#### MODULES ####

$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imklog   # provides kernel logging support (previously done by rklogd)
#$ModLoad immark  # provides --MARK-- message capability

# Provides UDP syslog reception
#$ModLoad imudp
#$UDPServerRun 514

# Provides TCP syslog reception
#$ModLoad imtcp
#$InputTCPServerRun 514


#### GLOBAL DIRECTIVES ####

# Use default timestamp format
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

# File syncing capability is disabled by default. This feature is usually not required,
# not useful and an extreme performance hit
#$ActionFileEnableSync on

# Include all config files in /etc/rsyslog.d/
$IncludeConfig /etc/rsyslog.d/*.conf


#### RULES ####

# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.*                                                 /dev/console

# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none                /var/log/messages

# The authpriv file has restricted access.
authpriv.*                                              /var/log/secure

# Log all the mail messages in one place.
mail.*                                                  -/var/log/maillog


# Log cron stuff
cron.*                                                  /var/log/cron

# Everybody gets emergency messages
*.emerg                                                 *

# Save news errors of level crit and higher in a special file.
uucp,news.crit                                          /var/log/spooler

# Save boot messages also to boot.log
local7.*                                                /var/log/boot.log


# ### begin forwarding rule ###
# The statement between the begin ... end define a SINGLE forwarding
# rule. They belong together, do NOT split them. If you create multiple
# forwarding rules, duplicate the whole block!
# Remote Logging (we use TCP for reliable delivery)
#
# An on-disk queue is created for this action. If the remote host is
# down, messages are spooled to disk and sent when it is up again.
#$WorkDirectory /var/lib/rsyslog # where to place spool files
#$ActionQueueFileName fwdRule1 # unique name prefix for spool files
#$ActionQueueMaxDiskSpace 1g   # 1gb space limit (use as much as possible)
#$ActionQueueSaveOnShutdown on # save messages to disk on shutdown
#$ActionQueueType LinkedList   # run asynchronously
#$ActionResumeRetryCount -1    # infinite retries if host is down
# remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional
#*.* @@remote-host:514
# ### end of the forwarding rule ###
```
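The following is an added example, not rsyslog's own code, that ties the Selectors section, the facility and priority tables, and the RULES section of the default file together: it decodes the <PRI> header of raw syslog messages into a facility and priority (PRI = facility * 8 + priority, per RFC 3164/5424), applies the traditional selector grammar (priority hierarchy, `*`, comma-separated facilities, semicolon-separated selectors, `none`, `=` and `!`) the way sysklogd-style parsers do, and reports which action each message would receive. The rule lines are a constructed subset of the CentOS 6 default file shown above, the sample messages are constructed, and the helper names (`parse_selector`, `route`, and so on) are this example's own. Facility codes 12 to 15 are left out because the page's table does not name them, and only plain `selector action` lines are handled, so `$` directives and comments are skipped.

```python
"""Evaluator for traditional rsyslog selector lines (added example)."""
import re

PRIORITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
# Facility codes from RFC 3164/5424; 12-15 are omitted (not in the page's table).
FACILITIES = {"kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4,
              "syslog": 5, "lpr": 6, "news": 7, "uucp": 8, "cron": 9,
              "authpriv": 10, "ftp": 11}
FACILITIES.update({"local%d" % i: 16 + i for i in range(8)})
ALL_PRI = set(range(len(PRIORITIES)))


def parse_selector(selector):
    """Return {facility_code: set(priority_codes)} for a ';'-separated selector.

    Each part is 'facilities.priority'; facilities is '*' or a comma list.
    Priority forms: '*', 'none', 'p' (p and more urgent), '=p' (exactly p),
    and a '!' prefix that removes instead of adds.  Parts apply left to
    right, which is why 'mail.none' after '*.info' drops mail messages."""
    mask = {code: set() for code in FACILITIES.values()}
    for part in selector.split(";"):
        facs, _, pri = part.rpartition(".")
        negate = pri.startswith("!")
        pri = pri.lstrip("!")
        codes = FACILITIES.values() if facs == "*" else [FACILITIES[f] for f in facs.split(",")]
        if pri == "*":
            wanted = ALL_PRI
        elif pri == "none":
            wanted, negate = ALL_PRI, not negate      # 'none' clears the facility
        elif pri.startswith("="):
            wanted = {PRIORITIES.index(pri[1:])}      # exactly this level
        else:
            wanted = set(range(PRIORITIES.index(pri) + 1))  # this level and higher
        for code in codes:
            if negate:
                mask[code] -= wanted
            else:
                mask[code] |= wanted
    return mask


def parse_action(action):
    """Classify the action field of a rule as (kind, target)."""
    if action == "*":
        return ("wall", "*")            # every logged-in user's terminal
    if action.startswith("@@"):
        return ("tcp", action[2:])      # forward over TCP
    if action.startswith("@"):
        return ("udp", action[1:])      # forward over UDP
    if action.startswith("-"):
        return ("file", action[1:])     # leading '-' only disables fsync
    if action.startswith("/"):
        return ("file", action)         # regular or device file
    return ("users", action)            # comma-separated user names


def parse_rules(config_text):
    """Parse 'selector action' lines; comments and $directives are skipped."""
    rules = []
    for line in config_text.splitlines():
        line = line.strip()
        if not line or line[0] in "#$":
            continue
        selector, action = line.split(None, 1)
        rules.append((parse_selector(selector), parse_action(action.strip())))
    return rules


def decode_pri(raw):
    """Split the <PRI> header of a raw syslog line into (facility, priority) codes."""
    m = re.match(r"<(\d{1,3})>", raw)
    if not m:
        raise ValueError("no <PRI> header: %r" % raw)
    pri = int(m.group(1))
    return pri // 8, pri % 8


def route(rules, raw):
    """Return every action the message would receive, in configuration order.
    Facility codes the table does not name (12-15) match nothing here."""
    facility, priority = decode_pri(raw)
    return [act for mask, act in rules if priority in mask.get(facility, set())]


# Constructed subset of the RULES section of the CentOS 6 default file.
DEFAULT_RULES = """
*.info;mail.none;authpriv.none;cron.none   /var/log/messages
authpriv.*                                 /var/log/secure
mail.*                                     -/var/log/maillog
cron.*                                     /var/log/cron
*.emerg                                    *
uucp,news.crit                             /var/log/spooler
local7.*                                   /var/log/boot.log
#*.* @@remote-host:514
"""

# Constructed sample messages; <PRI> is facility * 8 + priority.
SAMPLES = {
    "authpriv.notice": "<85>Oct 11 22:14:15 web1 su: FAILED su for root by bob",
    "kern.debug":      "<7>Oct 11 22:14:16 web1 kernel: eth0: link is up",
    "kern.emerg":      "<0>Oct 11 22:14:17 web1 kernel: Kernel panic - not syncing",
    "news.crit":       "<58>Oct 11 22:14:18 web1 innd: spool disk full",
}

if __name__ == "__main__":
    rules = parse_rules(DEFAULT_RULES)
    for label, raw in SAMPLES.items():
        print("%-16s -> %s" % (label, route(rules, raw)))
```

Running it shows the two properties worth checking when reviewing a config: the failed su lands only in /var/log/secure because `authpriv.none` on the first line carves it out of /var/log/messages, and a kern.debug message is dropped entirely because no rule matches it, while the panic is both written to /var/log/messages and broadcast to all terminals by `*.emerg *`.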