man pages section 1M: System Administration Commands

Exit Print View

Updated: July 2014

rsyslogd (1m)


rsyslogd - reliable and extended syslogd


rsyslogd [ -4 ] [ -6 ] [ -A ] [ -d ] [ -f config file ]
[ -i pid file ] [ -l hostlist ] [ -n ] [ -N level ]
[ -q ] [ -Q ] [ -s domainlist ] [ -u userlevel ] [ -v ] [ -w
] [ -x ]


System Administration Commands                       RSYSLOGD(1M)

     rsyslogd - reliable and extended syslogd

     rsyslogd [ -4 ] [ -6 ] [ -A ] [ -d ] [ -f config file ]
     [ -i pid file ] [ -l hostlist ] [ -n ] [ -N level ]
     [ -q ] [ -Q ] [ -s domainlist ] [ -u userlevel ] [ -v ] [ -w
     ] [ -x ]

     Rsyslogd is a system utility providing support  for  message
     logging.   Support  of both internet and unix domain sockets
     enables this utility to support both local and  remote  log-

     To  use rsyslog's advanced features, you need to look at the
     online documentation, because the man pages only cover basic
     aspects  of  operation.  For details and configuration exam-
     ples, see man page and the online documentation

     rsyslogd(1M) is derived from the sysklogd package  which  in
     turn is derived from the stock BSD sources.

     Rsyslogd  provides  a  kind of logging that many modern pro-
     grams use.  Every logged message contains at  least  a  time
     and  a  hostname  field, normally a program name field, too,
     but that depends on how trusty the logging program  is.  The
     rsyslog  package  supports free definition of output formats
     via templates. It also supports precise timestamps and writ-
     ing  directly  to databases. If the database option is used,
     tools like phpLogCon can be used to view the log data.

     While the rsyslogd sources have been heavily modified a cou-
     ple  of  notes  are in order.  First of all there has been a
     systematic attempt  to  ensure  that  rsyslogd  follows  its
     default,  standard  BSD behavior. Of course, some configura-
     tion file changes are necessary in order to support the tem-
     plate  system.  However,  rsyslogd  should  be able to use a
     standard syslog.conf and act like the original syslogd. How-
     ever,  an  original  syslogd  will not work correctly with a
     rsyslog-enhanced configuration file. At best, it will gener-
     ate  funny looking file names.  The second important concept
     to note is that this version of rsyslogd interacts transpar-
     ently  with  the  version  of  syslog  found in the standard
     libraries.  If  a  binary  linked  to  the  standard  shared
     libraries fails to function correctly we would like an exam-
     ple of the anomalous behavior.

     The main configuration file /etc/rsyslog.conf or an alterna-
     tive  file,  given  with  the -f option, is read at startup.
     Any lines that begin with the hash mark  (``#'')  and  empty
     lines  are  ignored.   If an error occurs during parsing the

Version 6.2.0        Last change: 16 May 2012                   1

System Administration Commands                       RSYSLOGD(1M)

     error element is ignored. It is tried to parse the  rest  of
     the line.

     Note  that in version 3 of have been deprecated and replaced
     with -c option controls the backward compatibility

     -A   When sending UDP messages, there are potentially multi-
          ple  paths to the target destination. By default, rsys-
          logd only sends to the first target it can successfully
          send  to. If -A is given, messages are sent to all tar-
          gets. This may improve reliability, but may also  cause
          message duplication. This option should be enabled only
          if it is fully understood.

     -4   Causes rsyslogd to listen to IPv4 addresses  only.   If
          neither  -4  nor  -6  is given, rsyslogd listens to all
          configured addresses of the system.

     -6   Causes rsyslogd to listen to IPv6 addresses  only.   If
          neither  -4  nor  -6  is given, rsyslogd listens to all
          configured addresses of the system.

     -c version
          Selects the desired  backward  compatibility  mode.  It
          must always be the first option on the command line, as
          it influences processing of the other options.  To  use
          the  rsyslog  v3  native interface, specify -c3. To use
          compatibility mode , either do not use -c at all or use
          -c<version>  where  version is the rsyslog version that
          it shall be compatible with. Using -c0 tells rsyslog to
          be  command-line  compatible  to sysklogd, which is the
          default if -c is not given.  Please note that  rsyslogd
          issues  warning command line option is not given.  This
          is to alert you that your are running in  compatibility
          mode.  Compatibility  mode  interferes  with your rsys-
          log.conf commands and may cause  some  undesired  side-
          effects.  It is meant to be used with a plain old rsys-
          log.conf - if  you  use  new  features,  things  become
          messy. So the best advice is to work through this docu-
          ment, convert your options and config file and then use
          rsyslog  in  native  mode.  In order to aid you in this
          process, rsyslog logs every  compatibility-mode  config
          file directive it has generated. So you can simply copy
          them from your logfile and paste them to the config.

     -d   Turns on debug mode.  Using this the  daemon  will  not
          proceed  a fork(2) to set itself in the background, but
          opposite to that stay in the foreground and write  much
          debug  information  on the current tty.  See the DEBUG-
          GING section for more information.

Version 6.2.0        Last change: 16 May 2012                   2

System Administration Commands                       RSYSLOGD(1M)

     -f config file
          Specify an alternative configuration  file  instead  of
          /etc/rsyslog.conf, which is the default.

     -i pid file
          Specify  an alternative pid file instead of the default
          one.  This option must be used if multiple instances of
          rsyslogd should run on a single machine.

     -l hostlist
          Specify  a hostname that should be logged only with its
          simple hostname and not the fqdn.  Multiple  hosts  may
          be specified using the colon (``:'') separator.

     -n   Avoid auto-backgrounding.  This is needed especially if
          the rsyslogd is started  and  controlled  by  init(1M),
          which is not the case on Solaris.

     -N  level
          Do  a  coNfig  check.  Do NOT run in regular mode, just
          check configuration file correctness.  This  option  is
          meant  to  verify a config file. To do so, run rsyslogd
          interactively in  foreground,  specifying  -f  <config-
          file> and -N level.  The level argument modifies behav-
          iour. Currently, 0 is the same as not specifying the -N
          option at all (so this makes limited sense) and 1 actu-
          ally activates the code. Later, higher levels will mean
          more   verbosity   (this   is  a  forward-compatibility

     -q add hostname if DNS fails during ACL processing
          During ACL processing, hostnames  are  resolved  to  IP
          addresses  for performance reasons. If DNS fails during
          that process, the hostname is added as  wildcard  text,
          which  results in proper, but somewhat slower operation
          once DNS is up again.

     -Q do not resolve hostnames during ACL processing
          Do not resolve hostnames to  IP  addresses  during  ACL

     -s domainlist
          Specify a domainname that should be stripped off before
          logging.  Multiple domains may be specified  using  the
          colon  (``:'')  separator.   Please  be advised that no
          sub-domains may be specified but only  entire  domains.
          For  example  if  -s is specified and the host
          logging resolves to  no  domain
          would  be  cut,  you  will  have to specify two domains
          like: -s

     -u userlevel

Version 6.2.0        Last change: 16 May 2012                   3

System Administration Commands                       RSYSLOGD(1M)

          This is a "catch all" option for  some  very  seldomly-
          used  user  settings.  The "userlevel" variable selects
          multiple things. Add the specific  values  to  get  the
          combined  effect  of them.  A value of 1 prevents rsys-
          logd from parsing hostnames and tags  inside  messages.
          A  value  of  2  prevents rsyslogd from changing to the
          root directory. This is almost never  a  good  idea  in
          production  use.  This option was introduced in support
          of the internal testbed.  To  combine  these  two  fea-
          tures,  use a userlevel of 3 (1+2). Whenever you use an
          -u option, make sure you really understand what you  do
          and why you do it.

     -v   Print version and exit.

     -w   Suppress  warnings  issued  when  messages are received
          from non-authorized machines (those,  that  are  in  no
          AllowedSender list).

     -x   Disable DNS for remote messages.

     Rsyslogd  reacts to a set of signals.  You may easily send a
     signal to rsyslogd using the following:

          kill -SIGNAL $(cat /var/run/

     Note that -SIGNAL must be replaced with  the  actual  signal
     you are trying to send, e.g. with HUP. So it then becomes:

          kill -HUP $(cat /var/run/

     HUP  This lets rsyslogd perform close all open files.  Also,
          in v3 a full restart will be  done  in  order  to  read
          changed  configuration  files.   Note that this means a
          full rsyslogd restart is done. This has, among  others,
          the consequence that TCP and other connections are torn
          down. Also, if any  queues  are  not  running  in  disk
          assisted  mode  or are not set to persist data on shut-
          down,  queue  data  is  lost.  HUPing  rsyslogd  is  an
          extremely  expensive  operation and should only be done
          when actually necessary. Actually,  it  is  a  rsyslgod
          stop immediately followed by a restart. Future versions
          will remove this restart functionality of HUP (it  will
          go  away  in  v5). So it is advised to use HUP only for
          closing  files,  and  a  "real  restart"  (e.g.  svcadm
          restart   svc:/system/system-log:rsyslog)  to  activate
          configuration changes.

     TERM ,  INT ,  QUIT

Version 6.2.0        Last change: 16 May 2012                   4

System Administration Commands                       RSYSLOGD(1M)

          Rsyslogd will die.

     USR1 Switch debugging on/off.  This option can only be  used
          if rsyslogd is started with the -d debug option.

     CHLD Wait  for childs if some were born, because of wall'ing

     There is the potential for the rsyslogd daemon to be used as
     a  conduit  for  a  denial  of service attack.  A rogue pro-
     gram(mer) could very easily flood the rsyslogd  daemon  with
     syslog messages resulting in the log files consuming all the
     remaining space on the filesystem.  Activating logging  over
     the  inet  domain  sockets will of course expose a system to
     risks outside  of  programs  or  individuals  on  the  local

     There are a number of methods of protecting a machine:

     1.   Implement  kernel  firewalling  to limit which hosts or
          networks have access to the 514/UDP socket.

     2.   Logging can be directed  to  an  isolated  or  non-root
          filesystem  which,  if  filled,  will  not  impair  the

     3.   The ext2 filesystem can be used which can be configured
          to  limit a certain percentage of a filesystem to usage
          by root only.  NOTE that this will require rsyslogd  to
          be run as a non-root process.  ALSO NOTE that this will
          prevent usage of remote logging  on  the  default  port
          since  rsyslogd  will  be unable to bind to the 514/UDP

     4.   Disabling inet domain sockets will limit  risk  to  the
          local machine.

  Message replay and spoofing
     If remote logging is enabled, messages can easily be spoofed
     and replayed.  As the messages  are  transmitted  in  clear-
     text,  an  attacker  might use the information obtained from
     the packets for malicious things. Also,  an  attacker  might
     replay  recorded  messages  or  spoof a sender's IP address,
     which could lead to a wrong perception of  system  activity.
     These  can  be prevented by using GSS-API authentication and
     encryption. Be sure to think about syslog  network  security
     before enabling it.

     When  debugging  is  turned on using -d option then rsyslogd
     will be very verbose by writing much  of  what  it  does  on

Version 6.2.0        Last change: 16 May 2012                   5

System Administration Commands                       RSYSLOGD(1M)


          Configuration  file  for rsyslogd.  See rsyslog.conf(5)
          for exact information.
          The Unix domain socket to from where local syslog  mes-
          sages are read.
          The file containing the process id of rsyslogd.
          Default directory for rsyslogd modules.
          Controls  runtime  debug  support.It contains an option
          string with the following  options  possible  (all  are
          case insensitive):

               Print  out the logical flow of functions (entering
               and exiting them)
               Specifies which files to trace LogFuncFlow. If not
               set (the default), a LogFuncFlow trace is provided
               for all files. Set to limit it to the files speci-
               fied.FileTrace  may  be  specified multiple times,
               one file  each  (e.g.  export  RSYSLOG_DEBUG="Log-
               FuncFlow FileTrace=vm.c FileTrace=expr.c"
               Print  the  content of the debug function database
               whenever debug information is printed (e.g.  abort
               Print  all  debug  information  immediately before
               rsyslogd exits (currently not implemented!)
               Print mutex action as it happens. Useful for find-
               ing deadlocks and such.
               Do  not prefix log lines with a timestamp (default
               is to do that).
               Do not emit debug messages  to  stdout.  If  RSYS-
               LOG_DEBUGLOG  is  not  set, this means no messages
               will be displayed at all.
          Help Display a very short list of commands -  hopefully
               a  life  saver  if you can't access the documenta-

          If set,  writes  (almost)  all  debug  message  to  the

Version 6.2.0        Last change: 16 May 2012                   6

System Administration Commands                       RSYSLOGD(1M)

          specified log file in addition to stdout.
          Provides  the  default directory in which loadable mod-
          ules reside.

Further Information
     Please  visit   for   additional
     information, tutorials and a support forum.

     See   attributes(5)   for   descriptions  of  the  following

     |      ATTRIBUTE TYPE         |       ATTRIBUTE VALUE         |
     |Availability                 |pkg:/system/rsyslog            |
     |Service                      |svc:/system/system-log:rsyslog |

Solaris Usage
     The rsyslog  instance  of  the  system-log  service  is  not
     enabled  by  default.   To  enable it, first "svcadm disable
     svc:/system/system-log:default",   then    "svcadm    enable
     svc:/system/system-log:rsyslog".   If you wish to enable log
     rotation, then add each file referenced  in  rsyslog.conf(4)
     to /etc/logadm.conf.

     rsyslog.conf(4),    logger(1),    syslog(3C),    services(4)

     rsyslogd is derived from sysklogd sources, which in turn was
     taken from the BSD sources. Special thanks to Greg Wettstein
     ( and Martin Schulze  (
     for the fine sysklogd package.

     Rainer Gerhards
     Adiscon GmbH
     Grossrinderfeld, Germany

Version 6.2.0        Last change: 16 May 2012                   7