Yolinux.com

RSYSLOG.CONF manpage

Search topic Section


RSYSLOG.CONF(5)		  Linux System Administration	       RSYSLOG.CONF(5)



NAME
       rsyslog.conf - rsyslogd(8) configuration file

DESCRIPTION
       The  rsyslog.conf  file	is  the	 main configuration file for the rsys-
       logd(8) which logs system messages on *nix systems.  This  file	speci-
       fies  rules for logging.	 For special features see the rsyslogd(8) man-
       page. Rsyslog.conf is backward-compatible with  sysklogd's  syslog.conf
       file.  So  if you migrate from sysklogd you can rename it and it should
       work.

       Note that this version of rsyslog ships with extensive documentation in
       html  format.   This is provided in the ./doc subdirectory and probably
       in a separate package if you installed rsyslog via a packaging  system.
       To  use rsyslog's advanced features, you need to look at the html docu-
       mentation, because the man pages only cover basic aspects of operation.



MODULES
       Rsyslog has a modular design. Consequently, there is a  growing	number
       of modules. See the html documentation for their full description.


       omsnmp SNMP trap output module

       omgssapi
	      Output module for GSS-enabled syslog

       ommysql
	      Output module for MySQL

       omrelp Output  module  for the reliable RELP protocol (prevents message
	      loss).  For details, see below at imrelp and the html documenta-
	      tion.  It can be used like this:

	      *.*  :omrelp:server:port

	      *.*  :omrelp:192.168.0.1:2514 # actual sample

       ompgsql
	      Output module for PostgreSQL

       omlibdbi
	      Generic  database	 output	 module	 (Firebird/Interbase,  MS SQL,
	      Sybase, SQLite, Ingres, Oracle, mSQL)

       imfile Input module for text files

       imudp  Input plugin for UDP syslog. Replaces the deprecated -r  option.
	      Can be used like this:

	      $ModLoad imudp

	      $UDPServerRun 514

       imtcp  Input  plugin  for  plain TCP syslog. Replaces the deprecated -t
	      option. Can be used like this:

	      $ModLoad imtcp

	      $InputTCPServerRun 514


       imrelp Input plugin for the RELP	 protocol.  RELP  can  be  used
	      instead  of  UDP	or plain TCP syslog to provide reliable
	      delivery of syslog messages. Please note that  plain  TCP
	      syslog  does NOT provide truly reliable delivery, with it
	      messages may be lost when there is a  connection	problem
	      or  the server shuts down.  RELP prevents message loss in
	      those cases.  It can be used like this:

	      $ModLoad imrelp

	      $InputRELPServerRun 2514

       imgssapi
	      Input plugin for plain TCP and GSS-enable syslog

       immark Support for mark messages

       imklog Kernel logging. To include kernel log messages, you  need
	      to do

	      $ModLoad imklog

	      Please  note that the klogd daemon is no longer necessary
	      and consequently no longer provided by the rsyslog  pack-
	      age.

       imuxsock
	      Unix  sockets,  including the system log socket. You need
	      to specify

	      $ModLoad imuxsock

	      in order to receive log messages from local  system  pro-
	      cesses. This config directive should only left out if you
	      know exactly what you are doing.



BASIC STRUCTURE
       Lines starting with a  hash  mark  ('#')	 and  empty  lines  are
       ignored.	 Rsyslog.conf should contain following sections (sorted
       by recommended order in file):


       Global directives
	      Global directives set some  global  properties  of  whole
	      rsyslog  daemon,	for  example size of main message queue
	      ($MainMessageQueueSize), loading external modules	 ($Mod-
	      Load) and so on.	All global directives need to be speci-
	      fied on a line by their own and must start with a dollar-
	      sign. The complete list of global directives can be found
	      in html documentation in doc directory or online	on  web
	      pages.


       Templates
	      Templates	 allow you to specify format of the logged mes-
	      sage. They are also used for dynamic  file  name	genera-
	      tion.  They  have	 to  be defined before they are used in
	      rules. For more info about templates see	TEMPLATES  sec-
	      tion of this manpage.


       Output channels
	      Output  channels provide an umbrella for any type of out-
	      put that the user might want.  They have	to  be	defined
	      before they are used in rules. For more info about output
	      channels see OUTPUT CHANNELS section of this manpage.


       Rules (selector + action)
	      Every rule line consists of two fields, a selector  field
	      and  an  action  field. These two fields are separated by
	      one or more spaces or tabs. The selector field  specifies
	      a	 pattern  of facilities and priorities belonging to the
	      specified action.


SELECTORS
       The selector field itself again consists of two parts, a	 facil-
       ity  and a priority, separated by a period ('.'). Both parts are
       case insensitive and can also be specified as  decimal  numbers,
       but  don't  do  that, you have been warned.  Both facilities and
       priorities are described in syslog(3). The names mentioned below
       correspond to the similar LOG_-values in /usr/include/syslog.h.

       The  facility  is one of the following keywords: auth, authpriv,
       cron, daemon, kern, lpr, mail, mark,  news,  security  (same  as
       auth), syslog, user, uucp and local0 through local7. The keyword
       security should not be used anymore and mark is only for	 inter-
       nal  use and therefore should not be used in applications.  Any-
       way, you may want to specify and redirect these	messages  here.
       The  facility specifies the subsystem that produced the message,
       i.e. all mail programs log with the mail facility (LOG_MAIL)  if
       they log using syslog.

       The  priority  is  one  of  the following keywords, in ascending
       order: debug, info, notice, warning,  warn  (same  as  warning),
       err,  error  (same  as  err), crit, alert, emerg, panic (same as
       emerg). The keywords error, warn and panic  are	deprecated  and
       should not be used anymore. The priority defines the severity of
       the message.

       The behavior of the original BSD syslogd is that all messages of
       the  specified  priority	 and higher are logged according to the
       given action. Rsyslogd behaves the same,	 but  has  some	 exten-
       sions.

       In  addition to the above mentioned names the rsyslogd(8) under-
       stands the following extensions: An asterisk  ('*')  stands  for
       all  facilities or all priorities, depending on where it is used
       (before or after the period). The keyword  none	stands	for  no
       priority of the given facility.

       You  can specify multiple facilities with the same priority pat-
       tern in one statement using the comma (',')  operator.  You  may
       specify	as  much facilities as you want. Remember that only the
       facility part from such a statement is taken,  a	 priority  part
       would be skipped.

       Multiple	 selectors  may	 be specified for a single action using
       the semicolon (';') separator. Remember that  each  selector  in
       the  selector  field is capable to overwrite the preceding ones.
       Using this behavior you can exclude  some  priorities  from  the
       pattern.

       Rsyslogd has a syntax extension to the original BSD source, that
       makes its use more intuitively. You may precede	every  priority
       with  an	 equals sign ('=') to specify only this single priority
       and not any of the above. You may also (both is valid, too) pre-
       cede  the  priority with an exclamation mark ('!') to ignore all
       that priorities, either exact this one or this  and  any	 higher
       priority.  If  you use both extensions than the exclamation mark
       must occur before the equals sign, just use it intuitively.


ACTIONS
       The action field of a rule describes what to do	with  the  mes-
       sage.  In general, message content is written to a kind of "log-
       file". But also other actions might be done, like writing  to  a
       database table or forwarding to another host.


   Regular file
       Typically  messages are logged to real files. The file has to be
       specified with full pathname, beginning with a slash ('/').

       Example:
	      *.*     /var/log/traditionalfile.log;RSYSLOG_Traditional-
	      Format	  # log to a file in the traditional format

       Note: if you would like to use high-precision timestamps in your
       log files, just remove  the  ";RSYSLOG_TraditionalFormat".  That
       will  select  the  default template, which, if not changed, uses
       RFC 3339 timestamps.

       Example:
	      *.*     /var/log/file.log # log to a  file  with	RFC3339
	      timestamps


   Named pipes
       This  version  of  rsyslogd(8) has support for logging output to
       named pipes (fifos). A fifo or named pipe can be used as a  des-
       tination	 for  log messages by prepending a pipe symbol ('|') to
       the name of the file. This is handy for debugging. Note that the
       fifo  must  be  created	with the mkfifo(1) command before rsys-
       logd(8) is started.


   Terminal and console
       If the file you specified is  a	tty,  special  tty-handling  is
       done, same with /dev/console.


   Remote machine
       There  are  three  ways	to forward message: the traditional UDP
       transport, which is extremely lossy but standard, the plain  TCP
       based  transport which loses messages only during certain situa-
       tions but is widely available and the RELP transport which  does
       not  lose  messages  but	 is currently available only as part of
       rsyslogd 3.15.0 and above.

       To forward messages to another host via UDP, prepend  the  host-
       name  with  the	at  sign  ("@").   To forward it via plain tcp,
       prepend two at signs ("@@"). To forward via  RELP,  prepend  the
       string ":omrelp:" in front of the hostname.

       Example:
	      *.* @192.168.0.1

       In  the	example	 above,	 messages  are forwarded via UDP to the
       machine 192.168.0.1, the destination port defaults to  514.  Due
       to  the	nature	of UDP, you will probably lose some messages in
       transit.	 If you expect high traffic volume, you can  expect  to
       lose a quite noticeable number of messages (the higher the traf-
       fic, the more likely and severe is message loss).

       If you would like to prevent message loss, use RELP:
	      *.* :omrelp:192.168.0.1:2514

       Note that a port number was given as there is no	 standard  port
       for relp.

       Keep  in mind that you need to load the correct input and output
       plugins (see "Modules" above).

       Please note that rsyslogd offers a variety of options in regard-
       ing  to remote forwarding. For full details, please see the html
       documentation.


   List of users
       Usually critical messages are also directed to ``root'' on  that
       machine. You can specify a list of users that shall get the mes-
       sage by simply writing ":omusrmsg:" followed by the login  name.
       You  may specify more than one user by separating them with com-
       mas (','). If they're logged in they get the message (for  exam-
       ple: ":omusrmsg:root,user1,user2").


   Everyone logged on
       Emergency  messages  often  go  to all users currently online to
       notify them that something strange is happening with the system.
       To specify this wall(1)-feature use an ":omusrmsg:*".


   Database table
       This  allows  logging  of  the  message to a database table.  By
       default, a MonitorWare-compatible schema is required for this to
       work. You can create that schema with the createDB.SQL file that
       came with the rsyslog package. You can also use any other schema
       of  your	 liking - you just need to define a proper template and
       assign this template to the action.

       See the html documentation for further details on database  log-
       ging.


   Discard
       If  the	discard	 action is carried out, the received message is
       immediately discarded. Discard can be highly  effective	if  you
       want  to	 filter out some annoying messages that otherwise would
       fill your log files. To do that, place the discard actions early
       in  your	 log  files.  This often plays well with property-based
       filters, giving you great freedom in specifying what you do  not
       want.

       Discard	is  just  the  single  tilde  character with no further
       parameters.

       Example:
	      *.*   ~	   # discards everything.



   Output channel
       Binds an output channel definition (see there  for  details)  to
       this  action.  Output  channel actions must start with a $-sign,
       e.g. if you would like to bind your  output  channel  definition
       "mychannel"  to	the  action,  use "$mychannel". Output channels
       support template definitions like all all other actions.


   Shell execute
       This executes a program in a subshell. The program is passed the
       template-generated  message  as the only command line parameter.
       Rsyslog waits until the program terminates and only then contin-
       ues to run.

       Example:
	      ^program-to-execute;template

       The  program-to-execute can be any valid executable. It receives
       the template string as a single parameter (argv[1]).


FILTER CONDITIONS
       Rsyslog offers three different types "filter conditions":
	  * "traditional" severity and facility based selectors
	  * property-based filters
	  * expression-based filters


   Blocks
       Rsyslogd supports BSD-style  blocks  inside  rsyslog.conf.  Each
       block of lines is separated from the previous block by a program
       or hostname specification. A block will only log messages corre-
       sponding	 to the most recent program and hostname specifications
       given. Thus,  a	block  which  selects  "ppp"  as  the  program,
       directly	 followed  by  a  block	 that selects messages from the
       hostname "dialhost", then the second block will	only  log  mes-
       sages from the ppp program on dialhost.


   Selectors
       Selectors  are the traditional way of filtering syslog messages.
       They have been kept  in	rsyslog	 with  their  original	syntax,
       because	it  is well-known, highly effective and also needed for
       compatibility with stock syslogd	 configuration	files.	If  you
       just  need  to filter based on priority and facility, you should
       do this with selector lines. They are not second-class  citizens
       in rsyslog and offer the best performance for this job.


   Property-Based Filters
       Property-based  filters	are  unique  to rsyslogd. They allow to
       filter on any property, like HOSTNAME, syslogtag and msg.

       A property-based filter must start with a  colon	 in  column  0.
       This  tells  rsyslogd  that it is the new filter type. The colon
       must be followed by the property name, a comma, the name of  the
       compare operation to carry out, another comma and then the value
       to compare against. This value must be  quoted.	 There	can  be
       spaces  and  tabs between the commas. Property names and compare
       operations are case-sensitive, so "msg" works, while "MSG" is an
       invalid property name. In brief, the syntax is as follows:

	      :property, [!]compare-operation, "value"

       The following compare-operations are currently supported:

	      contains
		     Checks  if	 the  string  provided in value is con-
		     tained in the property

	      isequal
		     Compares the "value" string provided and the prop-
		     erty  contents.  These  two values must be exactly
		     equal to match.

	      startswith
		     Checks if the value is found exactly at the begin-
		     ning of the property value

	      regex
		     Compares the property against the provided regular
		     expression.


   Expression-Based Filters
       See the html documentation for this feature.



TEMPLATES
       Every output in rsyslog uses templates -	 this  holds  true  for
       files,  user  messages  and so on. Templates compatible with the
       stock syslogd formats are hardcoded into rsyslogd.  If  no  tem-
       plate  is  specified,  we  use one of these hardcoded templates.
       Search for "template_" in syslogd.c and you will find the  hard-
       coded ones.

       A  template consists of a template directive, a name, the actual
       template text and optional options. A sample is:

	      $template	 MyTemplateName,"\7Text	 %property%  some  more
	      text\n",<options>

       The "$template" is the template directive. It tells rsyslog that
       this line contains a template. The backslash is an escape  char-
       acter.  For example, \7 rings the bell (this is an ASCII value),
       \n is a new line. The set in rsyslog is a  bit  restricted  cur-
       rently.

       All  text  in  the template is used literally, except for things
       within percent signs. These are properties and allow you	 access
       to  the	contents of the syslog message. Properties are accessed
       via the property replacer and it can for	 example  pick	a  sub-
       string or do date-specific formatting. More on this is the PROP-
       ERTY REPLACER section of this manpage.

       To escape:
	  % = \%
	  \ = \\ --> '\' is used to escape (as in C)
       $template TraditionalFormat,"%timegenerated% %HOSTNAME% %syslog-
       tag%%msg%0

       Properties  can	be accessed by the property replacer (see there
       for details).

       Please note that templates can also by used to generate selector
       lines  with  dynamic file names.	 For example, if you would like
       to split syslog messages from different hosts to different files
       (one per host), you can define the following template:

	      $template DynFile,"/var/log/system-%HOSTNAME%.log"

       This  template can then be used when defining an output selector
       line. It will result in something  like	"/var/log/system-local-
       host.log"


   Template options
       The  <options>  part is optional. It carries options influencing
       the template as whole.  See details below. Be sure NOT  to  mis-
       take template options with property options - the later ones are
       processed by the property replacer and apply to a  SINGLE  prop-
       erty, only (and not the whole template).

       Template options are case-insensitive. Currently defined are:


	      sql    format  the string suitable for a SQL statement in
		     MySQL format.  This  will	replace	 single	 quotes
		     ("'")  and	 the backslash character by their back-
		     slash-escaped counterpart	("'"  and  "\")	 inside
		     each  field.  Please note that in MySQL configura-
		     tion, the NO_BACKSLASH_ESCAPES mode must be turned
		     off for this format to work (this is the default).


	      stdsql format  the  string  suitable  for a SQL statement
		     that is to be sent to  a  standards-compliant  sql
		     server.  This  will replace single quotes ("'") by
		     two single quotes ("''") inside each  field.   You
		     must  use	stdsql	together with MySQL if in MySQL
		     configuration the NO_BACKSLASH_ESCAPES  is	 turned
		     on.

       Either  the  sql	 or stdsql option MUST be specified when a tem-
       plate is used for writing to  a	database,  otherwise  injection
       might  occur.  Please note that due to the unfortunate fact that
       several vendors have violated the sql  standard	and  introduced
       their  own  escape  methods,  it	 is impossible to have a single
       option doing all the work.  So you yourself must make  sure  you
       are  using  the	right format.  If you choose the wrong one, you
       are still vulnerable to sql injection.

       Please note that the  database  writer  *checks*	 that  the  sql
       option  is  present  in	the template. If it is not present, the
       write database action is disabled.  This is to guard you against
       accidental  forgetting  it  and	then becoming vulnerable to SQL
       injection. The sql option can also be useful with files -  espe-
       cially  if  you	want  to import them into a database on another
       machine for performance reasons. However, do NOT use it	if  you
       do  not	have  a	 real need for it - among others, it takes some
       toll on the processing time. Not much, but on a really busy sys-
       tem you might notice it ;)

       The  default  template  for the write to database action has the
       sql option set.


   Template examples
       Please note that the samples are split across multiple lines.  A
       template MUST NOT actually be split across multiple lines.

       A template that resembles traditional syslogd file output:

	      $template TraditionalFormat,"%timegenerated% %HOSTNAME%
	      %syslogtag%%msg:::drop-last-lf%0

       A template that tells you a little more about the message:

	      $template		precise,"%syslogpriority%,%syslogfacil-
	      ity%,%timegenerated%,%HOSTNAME%,
	      %syslogtag%,%msg%0

       A template for RFC 3164 format:

	      $template RFC3164fmt,"<%PRI%>%TIMESTAMP% %HOSTNAME% %sys-
	      logtag%%msg%"

       A template for the format traditionally used for user messages:

	      $template usermsg," XXXX%syslogtag%%msg%0r"

       And a template with the traditional wall-message format:

	      $template	 wallmsg,"\r\n\7Message from syslogd@%HOSTNAME%
	      at %timegenerated%"

       A template that can be used for writing to  a  database	(please
       note the SQL template option)

	      $template MySQLInsert,"insert iut, message, receivedat
	      values ('%iut%', '%msg:::UPPERCASE%', '%timegener-
	      ated:::date-mysql%') into systemevents\r\n", SQL

	      NOTE 1: This template is embedded into core application
	      under name StdDBFmt , so you don't need to define it.

	      NOTE 2: You have to have MySQL module installed to use
	      this template.


OUTPUT CHANNELS
       Output  Channels	 are  a new concept first introduced in rsyslog
       0.9.0. As of this writing, it is most likely that they  will  be
       replaced	 by  something	different in the future.  So if you use
       them, be prepared to change you configuration file  syntax  when
       you upgrade to a later release.

       Output  channels	 are defined via an $outchannel directive. It's
       syntax is as follows:

	      $outchannel name,file-name,max-size,action-on-max-size

       name is the name of the output channel (not the file), file-name
       is  the file name to be written to, max-size the maximum allowed
       size and action-on-max-size a command to be issued when the  max
       size  is reached. This command always has exactly one parameter.
       The binary is that part of action-on-max-size before  the  first
       space, its parameter is everything behind that space.

       Keep  in	 mind  that  $outchannel  just	defines	 a channel with
       "name". It does not activate it.	 To  do	 so,  you  must	 use  a
       selector line (see below). That selector line includes the chan-
       nel name plus ":omfile:$" in front of it. A sample might be:

	      *.* :omfile:$mychannel


PROPERTY REPLACER
       The property replacer is a core component in  rsyslogd's	 output
       system. A syslog message has a number of well-defined properties
       (see below). Each of this properties can be accessed and manipu-
       lated  by the property replacer. With it, it is easy to use only
       part of a property value or manipulate the value, e.g.  by  con-
       verting all characters to lower case.


   Accessing Properties
       Syslog  message	properties  are used inside templates. They are
       accessed by putting them between percent signs.	Properties  can
       be modified by the property replacer. The full syntax is as fol-
       lows:

	      %propname:fromChar:toChar:options%

       propname is the name of the property to access.	It is case-sen-
       sitive.


   Available Properties
       msg    the MSG part of the message (aka "the message" ;))

       rawmsg the  message  exactly as it was received from the socket.
	      Should be useful for debugging.

       HOSTNAME
	      hostname from the message

       FROMHOST
	      hostname of the system the message was received from  (in
	      a relay chain, this is the system immediately in front of
	      us and not necessarily the original sender)

       syslogtag
	      TAG from the message

       programname
	      the "static" part of the tag, as defined by BSD  syslogd.
	      For  example,  when TAG is "named[12345]", programname is
	      "named".

       PRI    PRI part of the message - undecoded (single value)

       PRI-text
	      the PRI part of the message in a textual form (e.g. "sys-
	      log.info")

       IUT    the  monitorware	InfoUnitType  -	 used when talking to a
	      MonitorWare backend (also for phpLogCon)

       syslogfacility
	      the facility from the message - in numerical form

       syslogfacility-text
	      the facility from the message - in text form

       syslogseverity
	      severity from the message - in numerical form

       syslogseverity-text
	      severity from the message - in text form

       timegenerated
	      timestamp when the message was RECEIVED. Always  in  high
	      resolution

       timereported
	      timestamp	 from  the  message. Resolution depends on what
	      was provided in the message (in most cases, only seconds)

       TIMESTAMP
	      alias for timereported

       PROTOCOL-VERSION
	      The contents of  the  PROTOCOL-VERSION  field  from  IETF
	      draft draft-ietf-syslog-protocol

       STRUCTURED-DATA
	      The contents of the STRUCTURED-DATA field from IETF draft
	      draft-ietf-syslog-protocol

       APP-NAME
	      The contents of the APP-NAME field from IETF draft draft-
	      ietf-syslog-protocol

       PROCID The  contents  of the PROCID field from IETF draft draft-
	      ietf-syslog-protocol

       MSGID  The contents of the MSGID field from  IETF  draft	 draft-
	      ietf-syslog-protocol

       $NOW   The current date stamp in the format YYYY-MM-DD

       $YEAR  The current year (4-digit)

       $MONTH The current month (2-digit)

       $DAY   The current day of the month (2-digit)

       $HOUR  The current hour in military (24 hour) time (2-digit)

       $MINUTE
	      The current minute (2-digit)


       Properties  starting  with a $-sign are so-called system proper-
       ties. These do NOT stem from the message but are	 rather	 inter-
       nally-generated.


   Character Positions
       FromChar	 and  toChar are used to build substrings. They specify
       the offset within the  string  that  should  be	copied.	 Offset
       counting starts at 1, so if you need to obtain the first 2 char-
       acters  of  the	message	 text,	you  can   use	 this	syntax:
       "%msg:1:2%".  If you do not wish to specify from and to, but you
       want to specify options, you still need to include  the	colons.
       For  example, if you would like to convert the full message text
       to lower case, use "%msg:::lowercase%". If  you	would  like  to
       extract	from  a	 position  until the end of the string, you can
       place a dollar-sign ("$") in toChar (e.g. %msg:10:$%, which will
       extract from position 10 to the end of the string).

       There is also support for regular expressions.  To use them, you
       need to place a "R" into FromChar.  This tells  rsyslog	that  a
       regular	expression  instead  of	 position-based	 extraction  is
       desired. The actual regular expression must then be provided  in
       toChar.	The  regular  expression must be followed by the string
       "--end". It denotes the end of the regular expression  and  will
       not  become  part  of it.  If you are using regular expressions,
       the property replacer will return the part of the property  text
       that  matches  the regular expression. An example for a property
       replacer sequence with a regular expression is:	"%msg:R:.*Sev:.
       \(.*\) \[.*--end%"

       Also,  extraction can be done based on so-called "fields". To do
       so, place a "F" into FromChar. A field in its current definition
       is  anything  that  is  delimited  by a delimiter character. The
       delimiter by default is TAB (US-ASCII value 9). However, if  can
       be changed to any other US-ASCII character by specifying a comma
       and the decimal US-ASCII	 value	of  the	 delimiter  immediately
       after  the  "F". For example, to use comma (",") as a delimiter,
       use this field specifier: "F,44".  If your syslog data is delim-
       ited,  this is a quicker way to extract than via regular expres-
       sions (actually, a *much* quicker way). Field counting starts at
       1.  Field zero is accepted, but will always lead to a "field not
       found" error. The same happens if a field number higher than the
       number  of fields in the property is requested. The field number
       must be placed in the "ToChar" parameter. An example  where  the
       3rd  field (delimited by TAB) from the msg property is extracted
       is as follows: "%msg:F:3%". The same example with  semicolon  as
       delimiter is "%msg:F,59:3%".

       Please  note  that  the special characters "F" and "R" are case-
       sensitive. Only upper case works,  lower	 case  will  return  an
       error.  There  are no white spaces permitted inside the sequence
       (that will lead to error	 messages  and	will  NOT  provide  the
       intended result).


   Property Options
       Property	 options are case-insensitive. Currently, the following
       options are defined:

       uppercase
	      convert property to lowercase only

       lowercase
	      convert property text to uppercase only

       drop-last-lf
	      The last LF in the message (if any),  is	dropped.  Espe-
	      cially useful for PIX.

       date-mysql
	      format as mysql date

       date-rfc3164
	      format as RFC 3164 date

       date-rfc3339
	      format as RFC 3339 date

       escape-cc
	      replace  control	characters  (ASCII value 127 and values
	      less then 32) with an escape sequence.  The  sequence  is
	      "#<charval>"  where  charval is the 3-digit decimal value
	      of the control character. For example, a tabulator  would
	      be replaced by "#009".

       space-cc
	      replace control characters by spaces

       drop-cc
	      drop  control characters - the resulting string will nei-
	      ther contain control characters, escape sequences nor any
	      other replacement character like space.


QUEUED OPERATIONS
       Rsyslogd	 supports  queued  operations to handle offline outputs
       (like remote syslogd's or database  servers  being  down).  When
       running	in queued mode, rsyslogd buffers messages to memory and
       optionally to disk (on an as-needed basis). Queues survive rsys-
       logd restarts.

       It  is  highly  suggested  to use remote forwarding and database
       writing in queued mode, only.

       To learn more about queued operations, see the  html  documenta-
       tion.


FILES
       /etc/rsyslog.conf
	      Configuration file for rsyslogd

SEE ALSO
       rsyslogd(8), logger(1), syslog(3)

       The complete documentation can be found in the doc folder of the
       rsyslog distribution or online at

	      http://www.rsyslog.com/doc

       Please note that the man page reflects only a subset of the con-
       figuration  options.  Be sure to read the html documentation for
       all features and details. This is especially vital if  you  plan
       to set up a more-then-extremely-simple system.

AUTHORS
       rsyslogd is taken from sysklogd sources, which have been heavily
       modified by Rainer Gerhards (rgerhards@adiscon.com) and others.



Version 3.18.0			 11 July 2008		       RSYSLOG.CONF(5)