rsyslogd - reliable and extended syslogd


   rsyslogd  [  -d ] [ -D ] [ -f config file ] [ -i pid file ] [ -n ] [ -N
   level ] [ -C ] [ -v ]


   Rsyslogd is a system utility providing  support  for  message  logging.
   Support  of  both internet and unix domain sockets enables this utility
   to support both local and remote logging.

   Note that this version of rsyslog ships with extensive documentation in
   html  format.   This is provided in the ./doc subdirectory and probably
   in a separate package if you installed rsyslog via a packaging  system.
   To  use  rsyslog's  advanced  features,  you  need  to look at the html
   documentation, because the man  pages  only  covers  basic  aspects  of
   operation.    For   details   and   configuration   examples,  see  the
   rsyslog.conf  (5)  man   page   and   the   online   documentation   at

   Rsyslogd(8)  is  derived  from  the  sysklogd  package which in turn is
   derived from the stock BSD sources.

   Rsyslogd provides a kind of logging  that  many  modern  programs  use.
   Every  logged  message  contains  at least a time and a hostname field,
   normally a program name field, too, but that depends on how trusty  the
   logging  program  is.  The  rsyslog package supports free definition of
   output formats via templates. It also supports precise  timestamps  and
   writing  directly  to  databases. If the database option is used, tools
   like phpLogCon can be used to view the log data.

   While the rsyslogd sources have been heavily modified a couple of notes
   are  in  order.   First  of  all there has been a systematic attempt to
   ensure that rsyslogd follows its default,  standard  BSD  behavior.  Of
   course,  some  configuration  file  changes  are  necessary in order to
   support the template system. However, rsyslogd should be able to use  a
   standard  syslog.conf  and  act  like the original syslogd. However, an
   original syslogd  will  not  work  correctly  with  a  rsyslog-enhanced
   configuration file. At best, it will generate funny looking file names.
   The second important concept to note is that this version  of  rsyslogd
   interacts  transparently  with  the  version  of  syslog  found  in the
   standard  libraries.   If  a  binary  linked  to  the  standard  shared
   libraries  fails  to function correctly we would like an example of the
   anomalous behavior.

   The main configuration file /etc/rsyslog.conf or an  alternative  file,
   given  with  the  -f  option, is read at startup.  Any lines that begin
   with the hash mark (``#'') and empty lines are ignored.   If  an  error
   occurs  during  parsing  the  error  element is ignored. It is tried to
   parse the rest of the line.


   -D     Runs the Bison config parser in debug mode. This may  help  when
          hard  to  find  syntax errors are reported. Please note that the
          output generated is  deeply  technical  and  orignally  targeted
          towards developers.

   -d     Turns  on  debug  mode.  See  the  DEBUGGING  section  for  more

   -f config file
          Specify   an   alternative   configuration   file   instead   of
          /etc/rsyslog.conf, which is the default.

   -i pid file
          Specify  an  alternative  pid  file  instead of the default one.
          This option must be  used  if  multiple  instances  of  rsyslogd
          should run on a single machine.

   -n     Avoid  auto-backgrounding.   This  is  needed  especially if the
          rsyslogd is started and controlled by init(8).

   -N  level
          Do a coNfig check. Do  NOT  run  in  regular  mode,  just  check
          configuration  file correctness.  This option is meant to verify
          a  config  file.  To  do  so,  run  rsyslogd  interactively   in
          foreground, specifying -f <config-file> and -N level.  The level
          argument modifies behaviour. Currently, 0 is  the  same  as  not
          specifying  the  -N  option at all (so this makes limited sense)
          and 1 actually activates the code.  Later,  higher  levels  will
          mean  more  verbosity  (this is a forward-compatibility option).
          rsyslogd is started and controlled by init(8).

   -C     This prevents rsyslogd from changing to the root directory. This
          is  almost  never a good idea in production use. This option was
          introduced in support of the internal testbed.

   -v     Print version and exit.


   Rsyslogd reacts to a set of signals.  You may easily send a  signal  to
   rsyslogd using the following:

          kill -SIGNAL $(cat /var/run/

   Note  that  -SIGNAL  must  be  replaced  with the actual signal you are
   trying to send, e.g. with HUP. So it then becomes:

          kill -HUP $(cat /var/run/

   HUP    This lets rsyslogd perform close all open files.

   TERM ,  INT ,  QUIT
          Rsyslogd will die.

   USR1   Switch debugging on/off.   This  option  can  only  be  used  if
          rsyslogd is started with the -d debug option.

   CHLD   Wait for childs if some were born, because of wall'ing messages.


   There  is the potential for the rsyslogd daemon to be used as a conduit
   for a denial of service attack.  A rogue program(mer) could very easily
   flood  the  rsyslogd  daemon  with syslog messages resulting in the log
   files consuming all the remaining space on the filesystem.   Activating
   logging  over the inet domain sockets will of course expose a system to
   risks outside of programs or individuals on the local machine.

   There are a number of methods of protecting a machine:

   1.     Implement kernel firewalling to limit which  hosts  or  networks
          have access to the 514/UDP socket.

   2.     Logging  can  be  directed to an isolated or non-root filesystem
          which, if filled, will not impair the machine.

   3.     The ext2 filesystem can be used which can be configured to limit
          a  certain  percentage  of  a  filesystem to usage by root only.
          NOTE that this will require rsyslogd to be  run  as  a  non-root
          process.   ALSO  NOTE  that  this  will  prevent usage of remote
          logging on the default port since rsyslogd  will  be  unable  to
          bind to the 514/UDP socket.

   4.     Disabling  inet  domain  sockets  will  limit  risk to the local

   Message replay and spoofing
   If remote logging is  enabled,  messages  can  easily  be  spoofed  and
   replayed.   As  the messages are transmitted in clear-text, an attacker
   might use the information  obtained  from  the  packets  for  malicious
   things.  Also,  an  attacker  might replay recorded messages or spoof a
   sender's IP address, which could lead to a wrong perception  of  system
   activity.  These  can  be prevented by using GSS-API authentication and
   encryption. Be sure to  think  about  syslog  network  security  before
   enabling it.


   When  debugging  is  turned  on  using the -d option, rsyslogd produces
   debugging  information  according  to  the  RSYSLOG_DEBUG   environment
   variable  and  the  signals  received.  When  run  in  foreground,  the
   information is written to stdout. An  additional  output  file  can  be
   specified using the RSYSLOG_DEBUGLOG environment variable.


          Configuration  file for rsyslogd.  See rsyslog.conf(5) for exact
          The Unix domain socket to from where local syslog  messages  are
          The file containing the process id of rsyslogd.
          Default  directory for rsyslogd modules. The prefix is specified
          during compilation (e.g. /usr/local).


          Controls runtime debug support. It  contains  an  option  string
          with the following options possible (all are case insensitive):

          Debug  Turns   on   debugging  and  prevents  forking.  This  is
                 processed  earlier  in  the  startup  than  command  line
                 options  (i.e.  -d) and as such enables earlier debugging
                 output. Mutually exclusive with DebugOnDemand.
                 Enables debugging but turns off debug output. The  output
                 can  be  toggled  by  sending SIGUSR1. Mutually exclusive
                 with Debug.
                 Print out the logical flow  of  functions  (entering  and
                 exiting them)
                 Specifies  which  files  to trace LogFuncFlow. If not set
                 (the default), a LogFuncFlow trace is  provided  for  all
                 files.  Set  to limit it to the files specified.FileTrace
                 may be specified multiple  times,  one  file  each  (e.g.
                 export      RSYSLOG_DEBUG="LogFuncFlow     FileTrace=vm.c
                 Print the content of the debug function database whenever
                 debug information is printed (e.g. abort case)!
                 Print  all  debug information immediately before rsyslogd
                 exits (currently not implemented!)
                 Print mutex action as  it  happens.  Useful  for  finding
                 deadlocks and such.
                 Do  not  prefix log lines with a timestamp (default is to
                 do that).
                 Do not emit debug messages to stdout. If RSYSLOG_DEBUGLOG
                 is  not  set, this means no messages will be displayed at
          Help   Display a very short list of commands - hopefully a  life
                 saver if you can't access the documentation...

          If  set,  writes (almost) all debug message to the specified log
          file in addition to stdout.
          Provides the default directory in which loadable modules reside.


   Please review the file BUGS for up-to-date information  on  known  bugs
   and annoyances.

Further Information

   Please  visit  for  additional information,
   tutorials and a support forum.


   rsyslog.conf(5),   logger(1),   syslog(2),   syslog(3),    services(5),


   rsyslogd is derived from sysklogd sources, which in turn was taken from
   the    BSD    sources.    Special    thanks    to    Greg     Wettstein
   (  and  Martin  Schulze  ( for the
   fine sysklogd package.

   Rainer Gerhards
   Adiscon GmbH
   Grossrinderfeld, Germany


Personal Opportunity - Free software gives you access to billions of dollars of software at no cost. Use this software for your business, personal use or to develop a profitable skill. Access to source code provides access to a level of capabilities/information that companies protect though copyrights. Open source is a core component of the Internet and it is available to you. Leverage the billions of dollars in resources and capabilities to build a career, establish a business or change the world. The potential is endless for those who understand the opportunity.

Business Opportunity - Goldman Sachs, IBM and countless large corporations are leveraging open source to reduce costs, develop products and increase their bottom lines. Learn what these companies know about open source and how open source can give you the advantage.

Free Software

Free Software provides computer programs and capabilities at no cost but more importantly, it provides the freedom to run, edit, contribute to, and share the software. The importance of free software is a matter of access, not price. Software at no cost is a benefit but ownership rights to the software and source code is far more significant.

Free Office Software - The Libre Office suite provides top desktop productivity tools for free. This includes, a word processor, spreadsheet, presentation engine, drawing and flowcharting, database and math applications. Libre Office is available for Linux or Windows.

Free Books

The Free Books Library is a collection of thousands of the most popular public domain books in an online readable format. The collection includes great classical literature and more recent works where the U.S. copyright has expired. These books are yours to read and use without restrictions.

Source Code - Want to change a program or know how it works? Open Source provides the source code for its programs so that anyone can use, modify or learn how to write those programs themselves. Visit the GNU source code repositories to download the source.


Study at Harvard, Stanford or MIT - Open edX provides free online courses from Harvard, MIT, Columbia, UC Berkeley and other top Universities. Hundreds of courses for almost all major subjects and course levels. Open edx also offers some paid courses and selected certifications.

Linux Manual Pages - A man or manual page is a form of software documentation found on Linux/Unix operating systems. Topics covered include computer programs (including library and system calls), formal standards and conventions, and even abstract concepts.