rsyslogd [ -4 ] [ -6 ] [ -A ] [ -d ] [ -f config file ]
       [ -i pid file ] [ -l hostlist ] [ -n ] [ -N level ]
       [ -q ] [ -Q ] [ -s domainlist ] [ -u userlevel ] [ -v ] [ -w ] [ -x ]

       Rsyslogd  is  a  system  utility providing support for message logging.
       Support of both internet and unix domain sockets enables  this  utility
       to support both local and remote logging.

       Note that this version of rsyslog ships with extensive documentation in
       html format.  This is provided in the ./doc subdirectory  and  probably
       in  a separate package if you installed rsyslog via a packaging system.
       To use rsyslog's advanced features, you need to look at the html  docu-
       mentation, because the man pages only cover basic aspects of operation.
       For details and configuration examples, see the  rsyslog.conf  (5)  man
       page and the online documentation at

       Rsyslogd(8)  is  derived  from  the  sysklogd  package which in turn is
       derived from the stock BSD sources.

       Rsyslogd provides a kind of logging  that  many  modern  programs  use.
       Every  logged  message  contains  at least a time and a hostname field,
       normally a program name field, too, but that depends on how trusty  the
       logging  program  is.  The  rsyslog package supports free definition of
       output formats via templates. It also supports precise  timestamps  and
       writing  directly  to  databases. If the database option is used, tools
       like phpLogCon can be used to view the log data.

       While the rsyslogd sources have been heavily modified a couple of notes
       are  in  order.   First  of  all there has been a systematic attempt to
       ensure that rsyslogd follows its default,  standard  BSD  behavior.  Of
       course,  some configuration file changes are necessary in order to sup-
       port the template system. However, rsyslogd should be  able  to  use  a
       standard  syslog.conf  and  act  like the original syslogd. However, an
       original syslogd will not work correctly with a  rsyslog-enhanced  con-
       figuration  file.  At  best, it will generate funny looking file names.
       The second important concept to note is that this version  of  rsyslogd
       interacts  transparently  with the version of syslog found in the stan-
       dard libraries.  If a binary linked to the  standard  shared  libraries
       fails  to  function correctly we would like an example of the anomalous

       The main configuration file /etc/rsyslog.conf or an  alternative  file,
       given  with  the  -f  option, is read at startup.  Any lines that begin
       with the hash mark (``#'') and empty lines are ignored.   If  an  error
       occurs  during  parsing  the  error  element is ignored. It is tried to
       parse the rest of the line.

       Note that in version 3 of rsyslog a number of command line options have
       been deprecated and replaced with config file directives. The -c option

       -6     Causes rsyslogd to listen to IPv6 addresses only.  If neither -4
              nor -6 is given, rsyslogd listens to all configured addresses of
              the system.

       -c version
              Selects  the desired backward compatibility mode. It must always
              be the first option on the command line, as it  influences  pro-
              cessing  of  the  other  options.  To  use the rsyslog v3 native
              interface, specify -c3. To use compatibility mode  ,  either  do
              not  use -c at all or use -c<version> where version is the rsys-
              log version that it shall be compatible with.  Using  -c0  tells
              rsyslog  to be command-line compatible to sysklogd, which is the
              default if -c is not given.  Please note  that  rsyslogd  issues
              warning  messages  if  the -c3 command line option is not given.
              This is to alert you that  your  are  running  in  compatibility
              mode.  Compatibility mode interferes with your rsyslog.conf com-
              mands and may cause some undesired side-effects. It is meant  to
              be used with a plain old rsyslog.conf - if you use new features,
              things become messy. So the best advice is to work through  this
              document,  convert  your  options  and  config file and then use
              rsyslog in native mode. In order to aid  you  in  this  process,
              rsyslog  logs  every compatibility-mode config file directive it
              has generated. So you can simply copy them from your logfile and
              paste them to the config.

       -d     Turns  on  debug mode.  Using this the daemon will not proceed a
              fork(2) to set itself in the background, but  opposite  to  that
              stay  in  the foreground and write much debug information on the
              current tty.  See the DEBUGGING section for more information.

       -f config file
              Specify an alternative configuration file instead of  /etc/rsys-
              log.conf, which is the default.

       -i pid file
              Specify  an  alternative  pid  file  instead of the default one.
              This option must be  used  if  multiple  instances  of  rsyslogd
              should run on a single machine.

       -l hostlist
              Specify  a  hostname  that should be logged only with its simple
              hostname and not the fqdn.   Multiple  hosts  may  be  specified
              using the colon (``:'') separator.

       -n     Avoid  auto-backgrounding.   This  is  needed  especially if the
              rsyslogd is started and controlled by init(8).

       -N  level
              Do a coNfig check. Do NOT run in regular mode, just  check  con-
              figuration  file  correctness.  This option is meant to verify a
              config file. To do so, run rsyslogd interactively in foreground,
              specifying  -f  <config-file>  and -N level.  The level argument
              modifies behaviour. Currently, 0 is the same as  not  specifying
              Do not resolve hostnames to IP addresses during ACL processing.

       -s domainlist
              Specify a domainname that should be stripped off before logging.
              Multiple domains may be specified using the colon (``:'')  sepa-
              rator.   Please  be advised that no sub-domains may be specified
              but only entire domains.  For example if -s  is  speci-
              fied  and the host logging resolves to no
              domain would be cut, you will have to specify two domains  like:

       -u userlevel
              This  is  a  "catch all" option for some very seldomly-used user
              settings.  The "userlevel" variable selects multiple things. Add
              the specific values to get the combined effect of them.  A value
              of 1 prevents rsyslogd from parsing hostnames  and  tags  inside
              messages.   A  value of 2 prevents rsyslogd from changing to the
              root directory. This is almost never a good idea  in  production
              use. This option was introduced in support of the internal test-
              bed.  To combine these two features, use a userlevel of 3 (1+2).
              Whenever  you  use an -u option, make sure you really understand
              what you do and why you do it.

       -v     Print version and exit.

       -w     Suppress warnings issued when messages are  received  from  non-
              authorized machines (those, that are in no AllowedSender list).

       -x     Disable DNS for remote messages.

       Rsyslogd  reacts  to a set of signals.  You may easily send a signal to
       rsyslogd using the following:

              kill -SIGNAL $(cat /var/run/

       Note that -SIGNAL must be replaced with the actual signal you are  try-
       ing to send, e.g. with HUP. So it then becomes:

              kill -HUP $(cat /var/run/

       HUP    This  lets rsyslogd perform close all open files.  Also, in v3 a
              full restart will be done in order to read changed configuration
              files.   Note  that  this means a full rsyslogd restart is done.
              This has, among others, the consequence that TCP and other  con-
              nections  are  torn down. Also, if any queues are not running in
              disk assisted mode or are not set to persist data  on  shutdown,
              queue  data  is  lost. HUPing rsyslogd is an extremely expensive
              operation and should only be done when actually necessary. Actu-
              ally,  it  is a rsyslgod stop immediately followed by a restart.
              Future versions will remove this restart  functionality  of  HUP
              (it  will  go  away in v5). So it is advised to use HUP only for
              closing files, and a  "real  restart"  (e.g.  /etc/rc.d/rsyslogd
              restart) to activate configuration changes.

       flood the rsyslogd daemon with syslog messages  resulting  in  the  log
       files  consuming all the remaining space on the filesystem.  Activating
       logging over the inet domain sockets will of course expose a system  to
       risks outside of programs or individuals on the local machine.

       There are a number of methods of protecting a machine:

       1.     Implement  kernel  firewalling  to limit which hosts or networks
              have access to the 514/UDP socket.

       2.     Logging can be directed to an isolated  or  non-root  filesystem
              which, if filled, will not impair the machine.

       3.     The ext2 filesystem can be used which can be configured to limit
              a certain percentage of a filesystem  to  usage  by  root  only.
              NOTE  that  this  will  require rsyslogd to be run as a non-root
              process.  ALSO NOTE that this will prevent usage of remote  log-
              ging  on  the default port since rsyslogd will be unable to bind
              to the 514/UDP socket.

       4.     Disabling inet domain sockets  will  limit  risk  to  the  local

   Message replay and spoofing
       If  remote  logging  is  enabled,  messages  can  easily be spoofed and
       replayed.  As the messages are transmitted in clear-text,  an  attacker
       might  use  the  information  obtained  from  the packets for malicious
       things. Also, an attacker might replay recorded  messages  or  spoof  a
       sender's  IP  address, which could lead to a wrong perception of system
       activity. These can be prevented by using  GSS-API  authentication  and
       encryption.  Be  sure  to  think  about  syslog network security before
       enabling it.

       When debugging is turned on using -d option then rsyslogd will be  very
       verbose by writing much of what it does on stdout.

              Configuration  file for rsyslogd.  See rsyslog.conf(5) for exact
              The Unix domain socket to from where local syslog  messages  are
              The file containing the process id of rsyslogd.
              Default  directory for rsyslogd modules. The prefix is specified
              during compilation (e.g. /usr/local).
              Controls runtime debug support.It contains an option string with
              the following options possible (all are case insensitive):

                     debug information is printed (e.g. abort case)!
                     Print all debug information immediately  before  rsyslogd
                     exits (currently not implemented!)
                     Print  mutex  action  as  it  happens. Useful for finding
                     deadlocks and such.
                     Do not prefix log lines with a timestamp (default  is  to
                     do that).
                     Do not emit debug messages to stdout. If RSYSLOG_DEBUGLOG
                     is not set, this means no messages will be  displayed  at
              Help   Display  a very short list of commands - hopefully a life
                     saver if you can't access the documentation...

              If set, writes (almost) all debug message to the  specified  log
              file in addition to stdout.
              Provides the default directory in which loadable modules reside.

       Please  review  the  file BUGS for up-to-date information on known bugs
       and annoyances.

Further Information
       Please visit  for  additional  information,
       tutorials and a support forum.

       rsyslog.conf(5),    logger(1),   syslog(2),   syslog(3),   services(5),

       rsyslogd is derived from sysklogd sources, which in turn was taken from
       the  BSD  sources.  Special  thanks to Greg Wettstein (greg@wind.enjel- and Martin Schulze ( for the fine sysklogd pack-

       Rainer Gerhards
       Adiscon GmbH
       Grossrinderfeld, Germany

Version 3.21.1                   29 July 2008                      RSYSLOGD(8)
Man Pages Copyright Respective Owners. Site Copyright (C) 1994 - 2017 Hurricane Electric. All Rights Reserved.