Diffstat (limited to 'doc')
-rw-r--r-- doc/Makefile.am | 4
-rw-r--r-- doc/features.html | 10
-rw-r--r-- doc/imgssapi.html | 6
-rw-r--r-- doc/imklog.html | 74
-rw-r--r-- doc/imrelp.html | 6
-rw-r--r-- doc/manual.html | 24
-rw-r--r-- doc/ommail.html | 10
-rw-r--r-- doc/property_replacer.html | 46
-rw-r--r-- doc/queues.html | 12
-rw-r--r-- doc/rscript_abnf.html | 4
-rw-r--r-- doc/rsyslog_conf.html | 86
-rw-r--r-- doc/rsyslog_ng_comparison.html | 24
-rw-r--r-- doc/rsyslog_reliable_forwarding.html | 152
-rw-r--r-- doc/status.html | 18
-rw-r--r-- doc/troubleshoot.html | 35
15 files changed, 416 insertions, 95 deletions
diff --git a/doc/Makefile.am b/doc/Makefile.am
index c1d41cf8..653ed627 100644
--- a/doc/Makefile.am
+++ b/doc/Makefile.am
@@ -21,6 +21,7 @@ html_files = \
rsyslog_high_database_rate.html \
rsyslog_php_syslog_ng.html \
rsyslog_recording_pri.html \
+ rsyslog_reliable_forwarding.html \
rsyslog_stunnel.html \
syslog-protocol.html \
version_naming.html \
@@ -31,6 +32,9 @@ html_files = \
imfile.html \
imtcp.html \
imgssapi.html \
+ imrelp.html \
+ imuxsock.html \
+ imklog.html \
professional_support.html \
queues.html \
queueWorkerLogic.dia \
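Review bot: troubleshoot.html is not added to html_files in either hunk, although the diffstat for this commit lists doc/troubleshoot.html and manual.html now links to it. If that file is new here, list it next to rsyslog_reliable_forwarding.html so it ships with the other pages, and confirm that gssapi.html, which imgssapi.html now links to, is in the list as well.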
diff --git a/doc/features.html b/doc/features.html
index 9573030e..13fc34c6 100644
--- a/doc/features.html
+++ b/doc/features.html
@@ -1,7 +1,5 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
-<html><head><title>rsyslog features</title>
-
-</head>
+<html><head><title>rsyslog features</title></head>
<body>
<h1>RSyslog - Features</h1>
<p><b>This page lists both current features as well as
@@ -25,19 +23,19 @@ to MySQL databases</a></li>
<li> native support for writing to Postgres databases</li>
<li>direct support for Firebird/Interbase,
OpenTDS (MS SQL, Sybase), SQLLite, Ingres, Oracle, and mSQL via libdbi,
-a database abstraction layer (almost as good as native)</li>
+a database abstraction layer (almost as good as native)</li><li>native support for <a href="ommail.html">sending mail messages</a> (first seen in 3.17.0)</li>
<li>support for (plain) tcp based syslog - much better
reliability</li>
<li>support for sending and receiving compressed syslog messages</li>
<li>support for on-demand on-disk spooling of messages that can
not be processed fast enough (a great feature for <a href="rsyslog_high_database_rate.html">writing massive
-amounts of syslog messages to a database</a>)</li>
+amounts of syslog messages to a database</a>)</li><li>support for selectively <a href="http://wiki.rsyslog.com/index.php/OffPeakHours">processing messages only during specific timeframes</a> and spooling them to disk otherwise</li>
<li>ability to monitor text files and convert their contents
into syslog messages (one per line)</li>
<li>ability to configure backup syslog/database servers - if
the primary fails, control is switched to a prioritized list of backups</li>
<li>support for receiving messages via reliable <a href="http://www.monitorware.com/Common/en/glossary/rfc3195.php">
-RFC 3195</a> delivery</li>
+RFC 3195</a> delivery (a bit clumpsy to build right now...)</li>
<li>ability to generate file names and directories (log
targets) dynamically, based on many different properties</li>
<li>control of log output format, including ability to present
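Review bot: "clumpsy" in the added RFC 3195 line should be "clumsy". The two new list items (ommail and the off-peak timeframe entry) are also appended directly after a closing </li> on the same line; the rsyslog_conf.html hunks in this same commit split exactly that pattern onto separate lines, so start each new <li> on its own line here too.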
diff --git a/doc/imgssapi.html b/doc/imgssapi.html
index af15e59e..cf16eb01 100644
--- a/doc/imgssapi.html
+++ b/doc/imgssapi.html
@@ -10,7 +10,9 @@
<p><b>Description</b>:</p>
<p>Provides the ability to receive syslog messages from the
network protected via Kerberos 5 encryption and authentication. This
-module also accept plain tcp syslog messages on the same port if configured to do so. If you need just plain tcp, use&nbsp; <a href="imtcp.html">imtcp</a> instead.</p>
+module also accept plain tcp syslog messages on the same port if configured to do so. If you need just plain tcp, use <a href="imtcp.html">imtcp</a> instead.</p>
+<p>There is also an <a href="gssapi.html">overview of gssapi support in rsyslog</a> available. We recommend reading
+it before digging into the configuration parameters.</p>
<p><b>Configuration Directives</b>:</p>
<ul>
<li>InputGSSServerRun &lt;port&gt;<br>
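Review bot: the rewritten description line still reads "module also accept plain tcp syslog messages"; since the line is being touched anyway, change it to "also accepts". The added paragraph links to gssapi.html, so check that the target exists in doc/ and is installed.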
@@ -47,4 +49,4 @@ Copyright © 2008 by <a href="http://www.gerhards.net/rainer">Rainer
Gerhards</a> and
<a href="http://www.adiscon.com/">Adiscon</a>.
Released under the GNU GPL version 3 or higher.</font></p>
-</body></html> \ No newline at end of file
+</body></html>
diff --git a/doc/imklog.html b/doc/imklog.html
new file mode 100644
index 00000000..b5b21e84
--- /dev/null
+++ b/doc/imklog.html
@@ -0,0 +1,74 @@
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
+<html><head>
+<meta http-equiv="Content-Language" content="en"><title>Kernel Log Input Module (imklog)</title>
+
+</head>
+<body>
+<h1>Kernel Log Input Module</h1>
+<p><b>Module Name:&nbsp;&nbsp;&nbsp; imklog</b></p>
+<p><b>Author: </b>Rainer Gerhards
+&lt;rgerhards@adiscon.com&gt;</p>
+<p><b>Description</b>:</p>
+<p>Reads messages from the kernel log and submits them to the
+syslog engine.</p>
+<p><b>Configuration Directives</b>:</p>
+<ul>
+<li><strong>$KLogInternalMsgFacility
+&lt;facility&gt;</strong><br>
+The facility which messages internally generated by imklog will have.
+imklog generates some messages of itself (e.g. on problems, startup and
+shutdown) and these do not stem from the kernel. Historically, under
+Linux, these too have "kern" facility. Thus, on Linux platforms the
+default is "kern" while on others it is "syslogd". You usually do not
+need to specify this configuratin directive - it is included primarily
+for few limited cases where it is needed for good reason. Bottom line:
+if you don't have a good idea why you should use this setting, do not
+touch it.</li>
+<li><span style="font-weight: bold;">$KLogPermitNonKernelFacility
+[on/<span style="font-style: italic;">off</span>]<br>
+</span>At least under BSD the kernel log may contain entries
+with non-kernel facilities. This setting controls how those are
+handled. The default is "off", in which case these messages are
+ignored. Switch it to on to submit non-kernel messages to rsyslog
+processing.<span style="font-weight: bold;"></span></li>
+<li><span style="font-weight: bold;"></span>$DebugPrintKernelSymbols
+(imklog) [on/<b>off</b>]<br>
+Linux only, ignored on other platforms (but may be specified)</li>
+<li>$klogSymbolLookup (imklog) [on/<b>off</b>] --
+disables imklog kernel symbol translation (former klogd -x option). NOTE that
+this option is counter-productive on recent kernels (>= 2.6) because the
+kernel already does the symbol translation and this option breaks the information.<br>
+<b>This option is scheduled for removal, probably with version 4.x.</b> Do not use
+it except if you have a very good reason. If you have one, let us know
+because otherwise new versions will no longer support it.<br>
+Linux only, ignored on other platforms (but may be specified)</li>
+<li>$klogUseSyscallInterface (imklog)&nbsp; [on/<b>off</b>]
+-- former klogd -s option<br>
+Linux only, ignored on other platforms (but may be specified)</li>
+<li>$klogSymbolsTwice (imklog) [on/<b>off</b>] --
+former klogd -2 option<br>
+Linux only, ignored on other platforms (but may be specified)<br style="font-weight: bold;">
+</li>
+</ul>
+<b>Caveats/Known Bugs:</b>
+<p>This is obviously platform specific and requires platform
+drivers.
+Currently, imklog functionality is available on Linux and BSD.</p>
+<p><b>Sample:</b></p>
+<p>The following sample pulls messages from the kernel log. All
+parameters are left by default, which is usually a good idea. Please
+note that loading the plugin is sufficient to activate it. No directive
+is needed to start pulling kernel messages.<br>
+</p>
+<textarea rows="15" cols="60">$ModLoad imklog
+</textarea>
+<p>[<a href="rsyslog_conf.html">rsyslog.conf overview</a>]
+[<a href="manual.html">manual index</a>] [<a href="http://www.rsyslog.com/">rsyslog site</a>]</p>
+<p><font size="2">This documentation is part of the
+<a href="http://www.rsyslog.com/">rsyslog</a>
+project.<br>
+Copyright © 2008 by <a href="http://www.gerhards.net/rainer">Rainer
+Gerhards</a> and
+<a href="http://www.adiscon.com/">Adiscon</a>.
+Released under the GNU GPL version 3 or higher.</font></p>
+</body></html>
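Review bot: the $klogSymbolLookup entry does not let a reader tell what "on" does: it is shown as [on/off] with off in bold, but the description says the option "disables imklog kernel symbol translation". Spell out the effect of each value, and mention the default explicitly, because the entry removed from rsyslog_conf.html in this same commit marked "on" as the default. Smaller points in this file: "configuratin" should be "configuration", the bare ">= 2.6" should be written "&gt;= 2.6" to stay valid HTML, $DebugPrintKernelSymbols has no description of what it does, and the footer uses a literal © while ommail.html and rscript_abnf.html are switched to &copy; in this commit.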
diff --git a/doc/imrelp.html b/doc/imrelp.html
index b6f1f2bc..bfdaad84 100644
--- a/doc/imrelp.html
+++ b/doc/imrelp.html
@@ -35,10 +35,10 @@ Starts a RELP server on selected port</li>
<li>see description</li>
</ul>
<p><b>Sample:</b></p>
-<p>This sets up a RELP server on port 2514.<br>
+<p>This sets up a RELP server on port 20514.<br>
</p>
<textarea rows="15" cols="60">$ModLoad imrelp # needs to be done just once
-$InputRELPServerRun 2514
+$InputRELPServerRun 20514
</textarea>
<p>[<a href="rsyslog_conf.html">rsyslog.conf overview</a>]
[<a href="manual.html">manual index</a>] [<a href="http://www.rsyslog.com/">rsyslog site</a>]</p>
@@ -49,4 +49,4 @@ Copyright © 2008 by <a href="http://www.gerhards.net/rainer">Rainer
Gerhards</a> and
<a href="http://www.adiscon.com/">Adiscon</a>.
Released under the GNU GPL version 3 or higher.</font></p>
-</body></html> \ No newline at end of file
+</body></html>
diff --git a/doc/manual.html b/doc/manual.html
index 245a6cce..9a017faf 100644
--- a/doc/manual.html
+++ b/doc/manual.html
@@ -16,7 +16,7 @@ relay chains while at the same time being very easy to setup for the
novice user. And as we know what enterprise users really need, there is
also <a href="professional_support.html">professional
rsyslog support</a> available directly from the source!</p>
-<p><b>This documentation is for version 3.16.3 (v3-stable branch) of rsyslog.</b>
+<p><b>This documentation is for version 3.17.5 (beta branch) of rsyslog.</b>
Visit the <i> <a href="http://www.rsyslog.com/doc-status.html">rsyslog status page</a></i></b> to obtain current
version information and project status.
</p><p><b>If you like rsyslog, you might
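Review bot: the context line right after the changed version string ends the link with "</i></b>", but the <b> opened on the version line is already closed by "rsyslog.</b>", so that second </b> is stray. Since this paragraph is being edited, drop the extra closing tag.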
@@ -31,8 +31,8 @@ if you do not read the doc, but doing so will definitely improve your experience
<p><span style="font-weight: bold;"></span><b>Follow
the links below for the</b><br></p><ul>
-<li><a href="rsyslog_conf.html">configuration file
-syntax (rsyslog.conf)</a></li>
+<li><a href="troubleshoot.html">troubleshooting rsyslog problems</a></li>
+<li><a href="rsyslog_conf.html">configuration file syntax (rsyslog.conf)</a></li>
<li> <a href="property_replacer.html">property
replacer, an important core component</a></li>
<li>a commented <a href="sample.conf.html">sample
@@ -50,22 +50,20 @@ modules</a></li><li><a href="man_rsyslogd.html">rsyslogd man page</a>
<p><b>We have some in-depth papers on</b></p>
<ul>
<li><a href="install.html">installing rsyslog</a></li>
-<li><a href="ipv6.html">rsyslog and IPv6</a>
-(which is fully supported)</li>
-<li><a href="rsyslog_stunnel.html">ssl-encrypting
-syslog with stunnel</a></li>
-<li><a href="rsyslog_mysql.html">writing syslog
-messages to MySQL (and other databases as well)</a></li>
-<li><a href="rsyslog_high_database_rate.html">writing
-massive amounts of syslog messages to a database</a></li>
+<li><a href="ipv6.html">rsyslog and IPv6</a> (which is fully supported)</li>
+<li><a href="rsyslog_stunnel.html">ssl-encrypting syslog with stunnel</a></li>
+<li><a href="rsyslog_mysql.html">writing syslog messages to MySQL (and other databases as well)</a></li>
+<li><a href="rsyslog_high_database_rate.html">writing massive amounts of syslog messages to a database</a></li>
+<li><a href="rsyslog_reliable_forwarding.html">reliable forwarding to a remote server</a></li>
<li><a href="rsyslog_php_syslog_ng.html">using
php-syslog-ng with rsyslog</a></li>
<li><a href="rsyslog_recording_pri.html">recording
the syslog priority (severity and facility) to the log file</a></li>
<li><a href="http://www.rsyslog.com/Article19.phtml">preserving
-syslog sender over NAT</a> (online only)</li><li><a href="gssapi.html">an overview and howto of rsyslog gssapi support</a></li>
+syslog sender over NAT</a> (online only)</li>
+<li><a href="gssapi.html">an overview and howto of rsyslog gssapi support</a></li>
<li><a href="debug.html">debug support in rsyslog</a></li>
-<li><a href="dev_queue.html">the rsyslog message queue object</a></li>
+<li><a href="dev_queue.html">the rsyslog message queue object (developer's view)</a></li>
</ul>
<p>Our <a href="history.html">rsyslog history</a>
page is for you if you would like to learn a little more
diff --git a/doc/ommail.html b/doc/ommail.html
index b6b7c2ad..62ded6d0 100644
--- a/doc/ommail.html
+++ b/doc/ommail.html
@@ -5,6 +5,7 @@
<body>
<h1>Mail Output Module (ommail)</h1>
<p><b>Module Name:&nbsp;&nbsp;&nbsp; ommail</b></p>
+<p><b>Available since:&nbsp;&nbsp;&nbsp;</b> 3.17.0</p>
<p><b>Author: </b>Rainer Gerhards
&lt;rgerhards@adiscon.com&gt;</p>
<p><b>Description</b>:</p>
@@ -110,9 +111,8 @@ $ActionMailSubject mailSubject
$ActionExecOnlyOnceEveryInterval 21600
# the if ... then ... mailBody mus be on one line!
if $msg contains 'hard disk fatal failure' then :ommail:;mailBody
-</textarea><br>
-<br>
-A more advanced example plus a discussion on using the email feature
+</textarea>
+<p>A more advanced example plus a discussion on using the email feature
inside a reliable system can be found in Rainer's blogpost
"<a style="font-style: italic;" href="http://rgerhards.blogspot.com/2008/04/why-is-native-email-capability.html">Why
is native email capability an advantage for a syslogd?</a>"
@@ -121,8 +121,8 @@ is native email capability an advantage for a syslogd?</a>"
<p><font size="2">This documentation is part of the
<a href="http://www.rsyslog.com/">rsyslog</a>
project.<br>
-Copyright © 2008 by <a href="http://www.gerhards.net/rainer">Rainer
+Copyright &copy; 2008 by <a href="http://www.gerhards.net/rainer">Rainer
Gerhards</a> and
<a href="http://www.adiscon.com/">Adiscon</a>.
Released under the GNU GPL version 3 or higher.</font></p>
-</body></html> \ No newline at end of file
+</body></html>
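Review bot: the footer here is switched from a literal © to &copy;, but the new imklog.html added in this commit, and the unchanged footers of imgssapi.html and imrelp.html, still carry the literal character. Pick one form for all doc footers; the entity is the safer choice because these pages declare no charset.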
diff --git a/doc/property_replacer.html b/doc/property_replacer.html
index 3484acf2..a2efaede 100644
--- a/doc/property_replacer.html
+++ b/doc/property_replacer.html
@@ -1,7 +1,5 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
-<html><head><title>The Rsyslogd Property Replacer</title>
-
-</head>
+<html><head><title>The Rsyslogd Property Replacer</title></head>
<body>
<h1>The Property Replacer</h1>
<p><b>The property replacer is a core component in
@@ -17,7 +15,7 @@ modified by the property replacer. The full syntax is as follows:</p>
<blockquote><b><code>%propname:fromChar:toChar:options%</code></b></blockquote>
<h2>Available Properties</h2>
<p><b><code>propname</code></b> is the
-name of the property to access. It is case-sensitive.
+name of the property to access. It is case-insensitive (prior to 3.17.0, they were case-senstive).
Currently supported are:</p>
<table>
<tbody>
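Review bot: in the added sentence, "case-senstive" should be "case-sensitive", and the subject changes from "It is" to "they were" within one sentence. Suggested wording: "It is case-insensitive (prior to 3.17.0, it was case-sensitive)."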
@@ -31,11 +29,11 @@ Currently supported are:</p>
socket. Should be useful for debugging.</td>
</tr>
<tr>
-<td><b>UxTradMsg</b></td>
+<td><b>uxtradmsg</b></td>
<td>will disappear soon - do NOT use!</td>
</tr>
<tr>
-<td><b>HOSTNAME</b></td>
+<td><b>hostname</b></td>
<td>hostname from the message</td>
</tr>
<tr>
@@ -43,7 +41,7 @@ socket. Should be useful for debugging.</td>
<td>alias for HOSTNAME</td>
</tr>
<tr>
-<td><b>FROMHOST</b></td>
+<td><b>fromhost</b></td>
<td>hostname of the system the message was received from
(in a relay chain, this is the system immediately in front of us and
not necessarily the original sender)</td>
@@ -59,16 +57,16 @@ BSD syslogd. For example, when TAG is "named[12345]", programname is
"named".</td>
</tr>
<tr>
-<td><b>PRI</b></td>
+<td><b>pri</b></td>
<td>PRI part of the message - undecoded (single value)</td>
</tr>
<tr>
-<td><b>PRI-text</b></td>
+<td><b>pri-text</b></td>
<td>the PRI part of the message in a textual form (e.g.
"syslog.info")</td>
</tr>
<tr>
-<td><b>IUT</b></td>
+<td><span style="font-weight: bold;">iut</span></td>
<td>the monitorware InfoUnitType - used when talking
to a <a href="http://www.monitorware.com">MonitorWare</a>
backend (also for <a href="http://www.phplogcon.org/">phpLogCon</a>)</td>
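Review bot: the iut row is the only one changed to <span style="font-weight: bold;"> while every other property name in this table keeps <b>. Use <b>iut</b> so the markup stays consistent with the neighbouring rows.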
@@ -110,67 +108,67 @@ what was provided in the message (in most cases,
only seconds)</td>
</tr>
<tr>
-<td><b>TIMESTAMP</b></td>
+<td><b>timestamp</b></td>
<td>alias for timereported</td>
</tr>
<tr>
-<td><b>PROTOCOL-VERSION</b></td>
+<td><b>protocol-version</b></td>
<td>The contents of the PROTCOL-VERSION field from IETF
draft draft-ietf-syslog-protcol</td>
</tr>
<tr>
-<td><b>STRUCTURED-DATA</b></td>
+<td><b>structured-data</b></td>
<td>The contents of the STRUCTURED-DATA field from IETF
draft draft-ietf-syslog-protocol</td>
</tr>
<tr>
-<td><b>APP-NAME</b></td>
+<td><b>app-name</b></td>
<td>The contents of the APP-NAME field from IETF draft
draft-ietf-syslog-protocol</td>
</tr>
<tr>
-<td><b>PROCID</b></td>
+<td><b>procid</b></td>
<td>The contents of the PROCID field from IETF draft
draft-ietf-syslog-protocol</td>
</tr>
<tr>
-<td height="24"><b>MSGID</b></td>
+<td height="24"><b>msgid</b></td>
<td height="24">The contents of the MSGID field from
IETF draft draft-ietf-syslog-protocol</td>
</tr>
<tr>
-<td><b>$NOW</b></td>
+<td><b>$now</b></td>
<td>The current date stamp in the format YYYY-MM-DD</td>
</tr>
<tr>
-<td><b>$YEAR</b></td>
+<td><b>$year</b></td>
<td>The current year (4-digit)</td>
</tr>
<tr>
-<td><b>$MONTH</b></td>
+<td><b>$month</b></td>
<td>The current month (2-digit)</td>
</tr>
<tr>
-<td><b>$DAY</b></td>
+<td><b>$day</b></td>
<td>The current day of the month (2-digit)</td>
</tr>
<tr>
-<td><b>$HOUR</b></td>
+<td><b>$hour</b></td>
<td>The current hour in military (24 hour) time (2-digit)</td>
</tr>
<tr>
-<td><b>$HHOUR</b></td>
+<td><b>$hhour</b></td>
<td>The current half hour we are in. From minute 0 to 29,
this is always 0 while
from 30 to 59 it is always 1.</td>
</tr>
<tr>
-<td><b>$QHOUR</b></td>
+<td><b>$qhour</b></td>
<td>The current quarter hour we are in. Much like $HHOUR, but values
range from 0 to 3 (for the four quater hours that are in each hour)</td>
</tr>
<tr>
-<td><b>$MINUTE</b></td>
+<td><b>$minute</b></td>
<td>The current minute (2-digit)</td>
</tr>
</tbody>
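Review bot: the property names are lower-cased, but the descriptions that refer to them are not updated: the $qhour row still says "Much like $HHOUR" and the alias row earlier in the table still says "alias for HOSTNAME". With case-insensitive lookup both still work, but the table reads more cleanly if the cross-references use the spelling now shown in the first column. The untouched description for protocol-version also misspells the field as "PROTCOL-VERSION" and the draft as "draft-ietf-syslog-protcol".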
diff --git a/doc/queues.html b/doc/queues.html
index 80641d8c..a2074d36 100644
--- a/doc/queues.html
+++ b/doc/queues.html
@@ -288,7 +288,17 @@ directive allows to specify how long (in microseconds) dequeueing should be
delayed. While simple, it still is powerful. For example, using a
DequeueSlowdown delay of 1,000 microseconds on a UDP send action ensures that no
more than 1,000 messages can be sent within a second (actually less, as there is
-also some time needed for the processing itself). </p>
+also some time needed for the processing itself).</p><h2>Processing Timeframes</h2><p>Queues
+can be set to dequeue (process) messages only during certain
+timeframes. This is useful if you, for example, would like to transfer
+the bulk of messages only during off-peak hours, e.g. when you have
+only limited bandwidth on the network path the the central server.</p><p>Currently,
+only a single timeframe is supported and, even worse, it can only be
+specified by the hour. It is not hard to extend rsyslog's capabilities
+in this regard - it was just not requested so far. So if you need more
+fine-grained control, let us know and we'll probably implement it.
+There are two configuration directives, both should be used together or
+results are unpredictable:" <i>$&lt;object&gt;QueueDequeueTimeBegin &lt;hour&gt;</i>" and&nbsp;"<i>$&lt;object&gt;QueueDequeueTimeEnd &lt;hour&gt;</i>". The hour parameter must be specified in 24-hour format (so 10pm is 22). A use case for this parameter can be found in the <a href="http://wiki.rsyslog.com/index.php/OffPeakHours">rsyslog wiki</a>. </p>
<h2>Terminating Queues</h2>
<p>Terminating a process sounds easy, but can be complex.
<span style="font-size: 12pt; line-height: 115%; font-family: 'Times New Roman',serif;" lang="EN-US">
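Review bot: the new "Processing Timeframes" text does not say how a window that crosses midnight is handled (for example begin 22, end 6), which is the usual shape of the off-peak case it describes. Document whether QueueDequeueTimeBegin may be greater than QueueDequeueTimeEnd, and say what actually happens when only one of the two directives is set rather than "results are unpredictable". Smaller points in the added lines: "the the central server" has a doubled word, the opening quote in 'unpredictable:" <i>' is attached to the wrong side of the space, and the <h2> and the two <p> elements should start on their own lines instead of trailing the previous </p>.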
diff --git a/doc/rscript_abnf.html b/doc/rscript_abnf.html
index 97de7284..278fb59c 100644
--- a/doc/rscript_abnf.html
+++ b/doc/rscript_abnf.html
@@ -34,8 +34,8 @@ table... values('&amp;$facility&amp;','&amp;$severity&amp;...?]<br>&nbsp; &nbsp;
<p><font size="2">This documentation is part of the
<a href="http://www.rsyslog.com/">rsyslog</a>
project.<br>
-Copyright © 2008 by <a href="http://www.gerhards.net/rainer">Rainer
+Copyright &copy; 2008 by <a href="http://www.gerhards.net/rainer">Rainer
Gerhards</a> and
<a href="http://www.adiscon.com/">Adiscon</a>.
Released under the GNU GPL version 3 or higher.</font></p>
-</body></html> \ No newline at end of file
+</body></html>
diff --git a/doc/rsyslog_conf.html b/doc/rsyslog_conf.html
index 2a0f0c60..9325f73c 100644
--- a/doc/rsyslog_conf.html
+++ b/doc/rsyslog_conf.html
@@ -26,22 +26,30 @@ number of modules. Here is the entry point to their documentation and
what they do (list is currently not complete)</p>
<ul>
<li><a href="omsnmp.html">omsnmp</a> - SNMP
-trap output module</li><li><a href="omrelp.html">omrelp</a> - RELP output module</li>
+trap output module</li>
+<li><a href="omrelp.html">omrelp</a> - RELP
+output module</li>
<li>omgss - output module for GSS-enabled syslog</li>
<li>ommysql - output module for MySQL</li>
<li>ompgsql - output module for PostgreSQL</li>
<li><a href="omlibdbi.html">omlibdbi</a> -
generic database output module (Firebird/Interbase, MS SQL, Sybase,
SQLLite, Ingres, Oracle, mSQL)</li>
+<li><a href="ommail.html">ommail</a> -
+permits rsyslog to alert folks by mail if something important happens</li>
<li><a href="imfile.html">imfile</a>
--&nbsp; input module for text files</li><li><a href="imrelp.html">imrelp</a> - RELP input module</li>
+-&nbsp; input module for text files</li>
+<li><a href="imrelp.html">imrelp</a> - RELP
+input module</li>
<li>imudp - udp syslog message input</li>
<li><a href="imtcp.html">imtcp</a> - input
plugin for plain tcp syslog</li>
<li><a href="imgssapi.html">imgssapi</a> -
input plugin for plain tcp and GSS-enable syslog</li>
<li>immark - support for mark messages</li>
-<li>imklog - kernel logging</li><li><a href="imuxsock.html">imuxsock</a> - unix sockets, including the system log socket</li>
+<li><a href="imklog.html">imklog</a> - kernel logging</li>
+<li><a href="imuxsock.html">imuxsock</a> -
+unix sockets, including the system log socket</li>
</ul>
<p>Please note that each module provides configuration
directives, which are NOT necessarily being listed below. Also
@@ -64,7 +72,19 @@ unstable...). So you have been warned ;)</p>
many parameter settings modify queue parameters. If in doubt, use the
default, it is usually well-chosen and applicable in most cases.</p>
<ul>
-<li><a href="rsconf1_actionexeconlywhenpreviousissuspended.html">$ActionExecOnlyWhenPreviousIsSuspended</a></li><li>$ActionFileDefaultTemplate [templateName] - sets a new default template for file actions</li><li>$ActionFileEnableSync [on/<span style="font-weight: bold;">off</span>] - enables file syncing capability of omfile</li><li>$ActionForwardDefaultTemplate [templateName] - sets a new default template for UDP and plain TCP forwarding action</li><li>$ActionGSSForwardDefaultTemplate [templateName] - sets a new default template for GSS-API forwarding action</li>
+<li><a href="rsconf1_actionexeconlywhenpreviousissuspended.html">$ActionExecOnlyWhenPreviousIsSuspended</a></li>
+<li>$ActionExecOnlyOnceEveryInterval &lt;seconds&gt; -
+execute action only if the last execute is at last
+&lt;seconds&gt; seconds in the past (more info in <a href="ommail.html">ommail</a>,
+but may be used with any action)</li>
+<li>$ActionFileDefaultTemplate [templateName] - sets a new
+default template for file actions</li>
+<li>$ActionFileEnableSync [on/<span style="font-weight: bold;">off</span>] - enables file
+syncing capability of omfile</li>
+<li>$ActionForwardDefaultTemplate [templateName] - sets a new
+default template for UDP and plain TCP forwarding action</li>
+<li>$ActionGSSForwardDefaultTemplate [templateName] - sets a
+new default template for GSS-API forwarding action</li>
<li>$ActionQueueCheckpointInterval &lt;number&gt;</li>
<li>$ActionQueueDequeueSlowdown &lt;number&gt; [number
is timeout in <i> micro</i>seconds (1000000us is 1sec!),
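Review bot: in the new $ActionExecOnlyOnceEveryInterval entry, "the last execute is at last <seconds> seconds in the past" should read "the last execution is at least <seconds> seconds in the past"; as written, "at last" changes the meaning of the interval.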
@@ -98,12 +118,13 @@ default 60000 (1 minute)]</li>
worker threads, default 1, recommended 1</li>
<li>$ActionQueueWorkerThreadMinumumMessages
&lt;number&gt;, default 100</li>
-<li><a href="rsconf1_actionresumeinterval.html">$ActionResumeInterval</a></li><li>$ActionResumeRetryCount &lt;number&gt; [default 0,
+<li><a href="rsconf1_actionresumeinterval.html">$ActionResumeInterval</a></li>
+<li>$ActionResumeRetryCount &lt;number&gt; [default 0,
-1 means eternal]</li>
<li><a href="rsconf1_allowedsender.html">$AllowedSender</a></li>
<li><a href="rsconf1_controlcharacterescapeprefix.html">$ControlCharacterEscapePrefix</a></li>
<li><a href="rsconf1_debugprintcfsyslinehandlerlist.html">$DebugPrintCFSyslineHandlerList</a></li>
-<li>$DebugPrintKernelSymbols (imklog) [on/<b>off</b>]</li>
+
<li><a href="rsconf1_debugprintmodulelist.html">$DebugPrintModuleList</a></li>
<li><a href="rsconf1_debugprinttemplatelist.html">$DebugPrintTemplateList</a></li>
<li><a href="rsconf1_dircreatemode.html">$DirCreateMode</a></li>
@@ -120,14 +141,7 @@ worker threads, default 1, recommended 1</li>
<li><a href="rsconf1_gssforwardservicename.html">$GssForwardServiceName</a></li>
<li><a href="rsconf1_gsslistenservicename.html">$GssListenServiceName</a></li>
<li><a href="rsconf1_gssmode.html">$GssMode</a></li>
-<li><a href="rsconf1_includeconfig.html">$IncludeConfig</a></li>
-<li>$klogSymbolLookup (imklog) [<b>on</b>/off] --
-former klogd -x option</li>
-<li>$klogUseSyscallInterface (imklog)&nbsp; [on/<b>off</b>]
--- former klogd -2 option</li>
-<li>$klogSymbolsTwice (imklog) [on/<b>off</b>] --
-former klogd -s option</li>
-<li>$MainMsgQueueCheckpointInterval &lt;number&gt;</li>
+<li><a href="rsconf1_includeconfig.html">$IncludeConfig</a></li><li>MainMsgQueueCheckpointInterval &lt;number&gt;</li>
<li>$MainMsgQueueDequeueSlowdown &lt;number&gt; [number
is timeout in <i> micro</i>seconds (1000000us is 1sec!),
default 0 (no delay). Simple rate-limiting!]</li>
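Review bot: the replacement line for $IncludeConfig drops the leading "$" from the next directive, which now reads "MainMsgQueueCheckpointInterval <number>", and it joins that item onto the same line as the preceding </li>. Restore it as its own line, "<li>$MainMsgQueueCheckpointInterval &lt;number&gt;</li>", matching the other MainMsgQueue entries below it.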
@@ -166,11 +180,11 @@ worker threads, default 1, recommended 1</li>
(immark)</li>
<li><a href="rsconf1_moddir.html">$ModDir</a></li>
<li><a href="rsconf1_modload.html">$ModLoad</a></li>
-
<li><a href="rsconf1_repeatedmsgreduction.html">$RepeatedMsgReduction</a></li>
<li><a href="rsconf1_resetconfigvariables.html">$ResetConfigVariables</a></li>
<li>$WorkDirectory &lt;name&gt; (directory for spool
-and other work files)</li><li>$UDPServerAddress &lt;IP&gt; (imudp) -- local IP
+and other work files)</li>
+<li>$UDPServerAddress &lt;IP&gt; (imudp) -- local IP
address (or name) the UDP listens should bind to</li>
<li>$UDPServerRun &lt;port&gt; (imudp) -- former
-r&lt;port&gt; option, default 514, start UDP server on this
@@ -302,18 +316,29 @@ template:</p>
DynFile,"/var/log/system-%HOSTNAME%.log"</code></blockquote>
<p>This template can then be used when defining an output
selector line. It will result in something like
-"/var/log/system-localhost.log"</p><p>Template
+"/var/log/system-localhost.log"</p>
+<p>Template
names beginning with "RSYSLOG_" are reserved for rsyslog use. Do NOT
use them if, otherwise you may receive a conflict in the future (and
quite unpredictable behaviour). There is a small set of pre-defined
-templates that you can use without the need to define it:</p><ul><li><span style="font-weight: bold;">RSYSLOG_TraditionalFileFormat</span> - the "old style" default log file format with low-precision timestamps</li><li><span style="font-weight: bold;">RSYSLOG_FileFormat</span> - a modern-style logfile format similar to TraditionalFileFormat, buth with high-precision timestamps and timezone information</li><li><span style="font-weight: bold;">RSYSLOG_TraditionalForwardFormat</span>
+templates that you can use without the need to define it:</p>
+<ul>
+<li><span style="font-weight: bold;">RSYSLOG_TraditionalFileFormat</span>
+- the "old style" default log file format with low-precision timestamps</li>
+<li><span style="font-weight: bold;">RSYSLOG_FileFormat</span>
+- a modern-style logfile format similar to TraditionalFileFormat, buth
+with high-precision timestamps and timezone information</li>
+<li><span style="font-weight: bold;">RSYSLOG_TraditionalForwardFormat</span>
- the traditional forwarding format with low-precision timestamps. Most
-useful if you send&nbsp;messages to other syslogd's or rsyslogd below
-version 3.12.5.</li><li><span style="font-weight: bold;">RSYSLOG_ForwardFormat</span>
+useful if you send&nbsp;messages to other syslogd's or rsyslogd
+below
+version 3.12.5.</li>
+<li><span style="font-weight: bold;">RSYSLOG_ForwardFormat</span>
- a new high-precision forwarding format very similar to the
traditional one, but with high-precision timestamps and timezone
information. Recommended to be used when sending messages to rsyslog
-3.12.5 or above.</li><li><span style="font-weight: bold;">RSYSLOG_SyslogProtocol23Format</span>
+3.12.5 or above.</li>
+<li><span style="font-weight: bold;">RSYSLOG_SyslogProtocol23Format</span>
- the format specified in IETF's internet-draft
ietf-syslog-protocol-23, which is assumed to be come the new syslog
standard RFC. This format includes several improvements. The rsyslog
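Review bot: the re-wrapped RSYSLOG_FileFormat item carries the typo "buth" over unchanged; it should be "but". The context sentence above the list, "Do NOT use them if, otherwise you may receive a conflict", also has a stray "if," that could be removed while this block is being reformatted.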
@@ -321,7 +346,8 @@ message parser understands this format, so you can use it together with
all relatively recent versions of rsyslog. Other syslogd's may get
hopelessly confused if receiving that format, so check before you use
it. Note that the format is unlikely to change when the final RFC comes
-out, but this may happen.</li></ul>
+out, but this may happen.</li>
+</ul>
<h2>Output Channels</h2>
<p>Output Channels are a new concept first introduced in rsyslog
0.9.0. <b>As of this writing, it is most likely that they will
@@ -524,7 +550,8 @@ once they are implemented, it can make very much sense
</tr>
<tr>
<td>regex</td>
-<td>Compares the property against the provided POSIX regular
+<td>Compares the property against the provided POSIX
+regular
expression.</td>
</tr>
</tbody>
@@ -567,10 +594,12 @@ code), this can be done easily by:</p>
"ID-4711". Please note that the comparison is case-sensitive, so it
would not match if "id-4711" would be contained in the message.</p>
<p><code><b>:msg, regex, "fatal .* error"</b></code></p>
-<p>This filter uses a POSIX regular expression. It matches when the
+<p>This filter uses a POSIX regular expression. It matches when
+the
string contains the words "fatal" and "error" with anything in between
(e.g. "fatal net error" and "fatal lib error" but not "fatal error" as
-two spaces are required by the regular expression!).</p><p>Getting property-based filters right can sometimes be
+two spaces are required by the regular expression!).</p>
+<p>Getting property-based filters right can sometimes be
challenging. In order to help you do it with as minimal effort as
possible, rsyslogd spits out debug information for all property-based
filters during their evaluation. To enable this, run rsyslogd in
@@ -635,9 +664,12 @@ startswith 'DEVNAME' and <span style="font-weight: bold;">not</span>
($msg contains 'error1' or $msg contains
'error0') then /var/log/somelog<br>
</code>
-<br>If you would like to do case-insensitive comparisons, use
+<br>
+If you would like to do case-insensitive comparisons, use
"contains_i" instead of "contains" and "startswith_i" instead of
-"startswith".<br><br>Note that regular expressions are currently NOT
+"startswith".<br>
+<br>
+Note that regular expressions are currently NOT
supported in expression-based filters. These will be added later when
function support is added to the expression engine (the reason is that
regular expressions will be a separate loadable module, which requires
diff --git a/doc/rsyslog_ng_comparison.html b/doc/rsyslog_ng_comparison.html
index 2a1d15bd..28413337 100644
--- a/doc/rsyslog_ng_comparison.html
+++ b/doc/rsyslog_ng_comparison.html
@@ -1,12 +1,11 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
-<html><head>
-<meta content="de" http-equiv="Content-Language"><title>rsyslog vs. syslog-ng - a comparison</title>
+<html><head><title>rsyslog vs. syslog-ng - a comparison</title>
</head>
<body>
<h1>rsyslog vs. syslog-ng</h1>
<p><small><i>Written by <a href="http://www.gerhards.net/rainer">Rainer Gerhards</a>
-(2008-02-28)</i></small></p>
+(2008-04-08)</i></small></p>
<p>We have often been asked about a comparison sheet between
rsyslog and syslog-ng. Unfortunately, I do not know much about
syslog-ng, I did not even use it once. Also, there seems to be no
@@ -122,7 +121,9 @@ based framing on syslog/tcp connections</td>
<td valign="top">yes</td>
</tr>
<tr>
-<td valign="top">syslog over RELP<br>this is a truely reliable solution (plain tcp syslog can lose messages!)</td>
+<td valign="top">syslog over RELP<br>
+truly reliable message delivery (<a href="http://rgerhards.blogspot.com/2008/04/on-unreliability-of-plain-tcp-syslog.html">Why
+is plain tcp syslog not reliable?</a>)</td>
<td valign="top">yes</td>
<td valign="top">no</td>
</tr>
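Review bot: the link added to the RELP row points at rgerhards.blogspot.com/2008/04/on-unreliability-of-plain-tcp-syslog.html, while rsyslog_reliable_forwarding.html, added in this same diff, links the same article at blog.gerhards.net. Use one host in both documents so the reference cannot go stale in only one of them. The spelling fix from "truely" to "truly" is good, but the new forwarding document still has "truely".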
@@ -337,6 +338,15 @@ be placed on different disk</td>
<td valign="top">no</td>
</tr>
<tr>
+<td valign="top">ability to process spooled
+messages only during a configured timeframe (e.g. process messages only
+during off-peak hours, during peak hours they are enqueued only)</td>
+<td valign="top"><a href="http://wiki.rsyslog.com/index.php/OffPeakHours">yes</a><br>
+(can independently be configured for the main queue and each action
+queue)</td>
+<td valign="top">no</td>
+</tr>
+<tr>
<td valign="top">ability to configure backup
syslog/database servers </td>
<td valign="top">yes</td>
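Review bot: the new off-peak-hours row states a flat "no" for syslog-ng, although the introduction of this page says the author has not used syslog-ng, and the ommail row added in the next hunk answers "not sure..." for the same column. Either cite a source for the "no" or use "not sure..." here as well, so the comparison does not claim more than has been verified.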
@@ -416,6 +426,10 @@ including ability to present channel and priority as visible log data</td>
<td valign="top">yes</td>
<td valign="top">not sure...</td>
</tr>
+<tr><td valign="top">native ability to send mail messages</td>
+<td valign="top">yes (<a href="ommail.html">ommail</a>, introduced in 3.17.0)</td>
+<td valign="top">not sure...</td>
+</tr>
<tr>
<td valign="top">good timestamp format control; at a
minimum, ISO 8601/RFC 3339 second-resolution UTC zone</td>
@@ -564,6 +578,6 @@ feature sheet. I have not yet been able to fully work through it. In
the mean time, you may want to read it in parallel. It is available at
<a href="http://www.balabit.com/network-security/syslog-ng/features/detailed/">Balabit's
site</a>.</p>
-<p>This document is current as of 2008-02-28 and definitely
+<p>This document is current as of 2008-04-08 and definitely
incomplete (I did not yet manage to complete it!).</p>
</body></html> \ No newline at end of file
diff --git a/doc/rsyslog_reliable_forwarding.html b/doc/rsyslog_reliable_forwarding.html
new file mode 100644
index 00000000..870ca9b7
--- /dev/null
+++ b/doc/rsyslog_reliable_forwarding.html
@@ -0,0 +1,152 @@
+<html><head>
+<title>Reliable Forwarding of syslog Messages (via plain TCP syslog)</title>
+</head>
+<body>
+<h1>Reliable Forwarding of syslog Messages with Rsyslog</h1>
+ <P><small><i>Written by
+ <a href="http://www.gerhards.net/rainer">Rainer
+ Gerhards</a> (2008-06-27)</i></small></P>
+<h2>Abstract</h2>
+<p><i><b>In this paper, I describe how to forward
+<a href="http://www.monitorware.com/en/topics/syslog/">syslog</a>
+
+ messages (quite) reliable to a central rsyslog server.</b>
+This depends on rsyslog being installed on the client system and
+it is recommended to have it installed on the server system. Please note
+that industry-standard
+<a href="http://blog.gerhards.net/2008/04/on-unreliability-of-plain-tcp-syslog.html">plain TCP syslog protocol is not fully reliable</a>
+(thus the "quite reliable"). If you need a truely reliable solution, you need
+to look into RELP (natively supported by rsyslog).</i></p>
+
+<h2>The Intention</h2>
+<p>Whenever two systems talk over a network, something can go wrong.
+For example, the communications link may go down, or a client or server may abort.
+Even in regular cases, the server may be offline for a short period of time
+because of routine maintenance.
+<p>A logging system should be capable of avoiding message loss in situations where the
+server is not reachable. To do so, unsent data needs to be buffered at the client while the
+server is offline. Then, once the server is up again, this data is to be sent.
+<p>This can easily be acomplished by rsyslog. In rsyslog, every action runs on its own queue
+and each queue can be set to buffer data if the action is not ready. Of course,
+you must be able to detect that "the action is not ready", which means the remote
+server is offline. This can be detected with plain TCP syslog and RELP, but not with UDP.
+So you need to use either of the two. In this howto, we use plain TCP syslog.
+<p>Please note that we are using rsyslog-specific features. The are required on the
+client, but not on the server. So the client system must run rsyslog (at least version 3.12.0), while on the
+server another syslogd may be running, as long as it supports plain tcp syslog.
+<p><b>The rsyslog queueing subsystem tries to buffer to memory. So even if the
+remote server goes
+offline, no disk file is generated.</b> File on disk are created only if there is
+need to, for example if rsyslog runs out of (configured) memory queue space or needs
+to shutdown (and thus persist yet unsent messages). Using main memory and going to the
+disk when needed is a huge performance benefit. You do not need to care about it,
+because, all of it is handled automatically and transparently by rsyslog.</p>
+<h2>How To Setup</h2>
+<p>First, you need to create a working directory for rsyslog. This is where it
+stores its queue files (should need arise). You may use any location on your
+local system.
+<p>Next, you need to do is instruct rsyslog to use a
+disk queue and then configure your action. There is nothing else to do. With the
+following simple config file, you forward anything you receive to a remote server
+and have buffering applied automatically when it goes down. This must be done on the
+client machine.</p>
+<textarea rows="9" cols="80">
+$ModLoad imuxsock # local message reception
+
+$WorkDirectory /rsyslog/work # default location for work (spool) files
+
+$ActionQueueType LinkedList # use asynchronous processing
+$ActionQueueFileName srvrfwd # set file name, also enables disk mode
+$ActionResumeRetryCount -1 # infinite retries on insert failure
+$ActionQueueSaveOnShutdown on # save in-memory data if rsyslog shuts down
+*.* @@server:port
+</textarea>
+<p>The port given above is optional. It may not be specified, in which case you only
+provide the server name. The "$ActionQueueFileName" is used to create queue files, should need
+arise. This value must be unique inside rsyslog.conf. No two rules must use the same queue file.
+Also, for obvious reasons, it must only contain those characters that can be used inside a
+valid file name. Rsyslog possibly adds some characters in front and/or at the end of that name
+when it creates files. So that name should not be at the file size name length limit (which
+should not be a problem these days).
+<p>Please note that actual spool files are only created if the remote server is down
+<b>and</b> there is no more space in the in-memory queue. By default, a short failure
+of the remote server will never result in the creation of a disk file as a couple of
+hundered messages can be held in memory by default. [These parameters can be fine-tuned. However,
+then you need to either fully understand how the queue works
+(<a href="http://www.rsyslog.com/doc-queues.html">read elaborate doc</a>) or
+use <a href="http://www.rsyslog.com/doc-professional_support.html">professional services</a>
+to have it done based on
+your specs ;) - what that means is that fine-tuning queue parameters is far from
+being trivial...]
+<p>If you would like to test if your buffering scenario works, you need to
+stop, wait a while and restart you central server. Do <b>not</b> watch for files being created,
+as this usually does not happen and never happens immediately.
+
+<h3>Forwarding to More than One Server</h3>
+<p>If you have more than one server you would like to forward to, that's quickly done.
+Rsyslog has no limit on the number or type of actions, so you can define as many targets
+as you like. What is important to know, however, is that the full set of directives make
+up an action. So you can not simply add (just) a second forwarding rule, but need to
+duplicate the rule configuration as well. Be careful that you use different queue
+file names for the second action, else you will mess up your system.
+<p>A sample for forwarding to two hosts looks like this:
+<p>
+<textarea rows="20" cols="80">
+$ModLoad imuxsock.so # local message reception
+
+$WorkDirectory /rsyslog/work # default location for work (spool) files
+
+# start forwarding rule 1
+$ActionQueueType LinkedList # use asynchronous processing
+$ActionQueueFileName srvrfwd1 # set file name, also enables disk mode
+$ActionResumeRetryCount -1 # infinite retries on insert failure
+$ActionQueueSaveOnShutdown on # save in-memory data if rsyslog shuts down
+*.* @@server1:port
+# end forwarding rule 1
+
+# start forwarding rule 2
+$ActionQueueType LinkedList # use asynchronous processing
+$ActionQueueFileName srvrfwd2 # set file name, also enables disk mode
+$ActionResumeRetryCount -1 # infinite retries on insert failure
+$ActionQueueSaveOnShutdown on # save in-memory data if rsyslog shuts down
+*.* @@server2
+# end forwarding rule 2
+</textarea>
+<p>Note the filename used for the first rule it is "srvrfwd1" and for the second it
+is "srvrfwd2". I have used a server without port name in the second forwarding rule.
+This was just to illustrate how this can be done. You can also specify a port there
+(or drop the port from server1).
+<p>When there are multiple action queues, they all work independently. Thus, if server1
+goes down, server2 still receives data in real-time. The client will <b>not</b> block
+and wait for server1 to come back online. Similarily, server1's operation will not
+be affected by server2's state.
+
+<h2>Some Final Words on Reliability ...</h2>
+<p>Using plain TCP syslog provides a lot of reliability over UDP syslog. However,
+plain TCP syslog is <b>not</b> a fully reliable transport. In order to get full reliability,
+you need to use the RELP protocol.
+<p>Folow the next link to learn more about
+<a href="http://blog.gerhards.net/2008/04/on-unreliability-of-plain-tcp-syslog.html">the
+problems you may encounter with plain tcp syslog</a>.
+<h3>Feedback requested</h3>
+<P>I would appreciate feedback on this tutorial. If you have additional ideas,
+comments or find bugs (I *do* bugs - no way... ;)), please
+<a href="mailto:rgerhards@adiscon.com">let me know</a>.</P>
+<h2>Revision History</h2>
+<ul>
+ <li>2008-06-27 *
+ <a href="http://www.gerhards.net/rainer">Rainer Gerhards</a> * Initial Version created</li>
+</ul>
+<h2>Copyright</h2>
+<p>Copyright (c) 2008
+<a href="http://www.gerhards.net/rainer">Rainer Gerhards</a> and
+<a href="http://www.adiscon.com/en/">Adiscon</a>.</p>
+<p> Permission is granted to copy, distribute and/or modify this document
+ under the terms of the GNU Free Documentation License, Version 1.2
+ or any later version published by the Free Software Foundation;
+ with no Invariant Sections, no Front-Cover Texts, and no Back-Cover
+ Texts. A copy of the license can be viewed at
+<a href="http://www.gnu.org/copyleft/fdl.html">
+http://www.gnu.org/copyleft/fdl.html</a>.</p>
+</body>
+</html>
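Review bot: the How To Setup text says the work directory may be "any location on your local system", and the sample sets "$ActionResumeRetryCount -1", but nothing says who should be able to read /rsyslog/work or what bounds spool growth while the server stays down. Spool files hold the buffered log messages themselves, so the text should ask for a directory that only the account running rsyslogd can read and write, and should say how to limit queue disk usage for a long outage (the queue documentation is already linked further down). Smaller points: the first sample loads "imuxsock" and the second "imuxsock.so", so pick one form. The file has no DOCTYPE, although troubleshoot.html in this diff has one. Most <p> elements are never closed, and <P> and <p> are mixed. The <title> says "(via plain TCP syslog)" but the <h1> does not. Spelling to fix before merge: "truely", "acomplished", "The are required", "Next, you need to do is instruct", "hundered", "restart you central server", "Similarily", "Folow" and "I *do* bugs".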
diff --git a/doc/status.html b/doc/status.html
index d7111a50..63a3f588 100644
--- a/doc/status.html
+++ b/doc/status.html
@@ -2,19 +2,23 @@
<html><head><title>rsyslog status page</title></head>
<body>
<h2>rsyslog status page</h2>
-<p>This page reflects the status as of 2008-04-04.</p>
+<p>This page reflects the status as of 2008-04-15.</p>
<h2>Current Releases</h2>
-<p><b>development:</b> 3.15.0 -
-<a href="http://www.rsyslog.com/Article203.phtml">change log</a> -
-<a href="http://www.rsyslog.com/Downloads-index-req-getit-lid-93.phtml">download</a></p>
+<p><b>development:</b> 3.17.1 -
+<a href="http://www.rsyslog.com/Article213.phtml">change log</a> -
+<a href="http://www.rsyslog.com/Downloads-req-viewdownloaddetails-lid-98.phtml">download</a>
-<p><b>v3 stable:</b> 3.14.0 - <a href="http://www.rsyslog.com/Article205.phtml">change log</a> -
-<a href="http://www.rsyslog.com/Downloads-index-req-getit-lid-94.phtml">download</a>
+<br><b>beta:</b> 3.15.1 -
+<a href="http://www.rsyslog.com/Article210.phtml">change log</a> -
+<a href="http://www.rsyslog.com/Downloads-req-viewdownloaddetails-lid-97.phtml">download</a></p>
+
+<p><b>v3 stable:</b> 3.14.2 - <a href="http://www.rsyslog.com/Article209.phtml">change log</a> -
+<a href="http://www.rsyslog.com/Downloads-req-viewdownloaddetails-lid-96.phtml">download</a>
<br><b>v2 stable:</b> 2.0.4 - <a href="http://www.rsyslog.com/Article197.phtml">change log</a> -
<a href="http://www.rsyslog.com/Downloads-index-req-getit-lid-90.phtml">download</a>
-<br>v0 and v1 are depricated and no longer supported. If you absolutely do not like to
+<br>v0 and v1 are deprecated and no longer supported. If you absolutely do not like to
upgrade, you may consider purchasing a
<a href="professional_support.html">commercial rsyslog support package</a>. Just let us point
out that it is really not a good idea to still run a v0 version.
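Review bot: the v2 stable download link on the unchanged line still uses the old "Downloads-index-req-getit-lid-90" URL form, while every link touched here moves to "Downloads-req-viewdownloaddetails-lid-NN". Check that the old form still resolves and update it in this change if it does not. The "as of 2008-04-15" date is also earlier than the 2008-06-27 document added elsewhere in this diff, so confirm the listed versions are still current before merging.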
diff --git a/doc/troubleshoot.html b/doc/troubleshoot.html
new file mode 100644
index 00000000..f2e9206b
--- /dev/null
+++ b/doc/troubleshoot.html
@@ -0,0 +1,35 @@
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
+<html><head><title>troubleshooting rsyslog</title></head>
+<body>
+<h2>troubleshooting rsyslog</h2>
+<p><b>Having trouble with <a href="http://www.rsyslog.com">rsyslog</a>?</b>
+This page provides some tips on where to look for help and what to do
+if you need to ask for assistance. This page is continously being expanded.
+<p>Useful troublehshooting ressources are:
+<ul>
+<li>The <a href="http://www.rsyslog.com/doc">rsyslog documentation</a> - note that the online version always covers
+the most recent development version. However, there is a version-specific
+doc set in each tarball. If you installed rsyslog from a package, there usually
+is a rsyslog-doc package, that often needs to be installed separately.
+<li>The <a href="http://wiki.rsyslog.com">rsyslog wiki</a> provides user tips and experiences.
+</ul>
+<p><b>Asking for Help</b>
+<p>If you can't find the answer yourself, you should look at these places for
+community help.
+<ul>
+<li>The <a href="http://kb.monitorware.com/rsyslog-f40.html">rsyslog forum</a>. This is
+the preferred method of obtaining support.
+<li>The <a href="http://lists.adiscon.net/mailman/listinfo/rsyslog">rsyslog mailing list</a>.
+This is a low-volume list which occasional gets traffic spikes.
+The mailing list is probably a good place for complex questions.
+</ul>
+<p>[<a href="manual.html">manual index</a>]
+[<a href="http://www.rsyslog.com/">rsyslog site</a>]</p>
+<p><font size="2">This documentation is part of the
+<a href="http://www.rsyslog.com/">rsyslog</a> project.<br>
+Copyright &copy; 2008 by <a href="http://www.gerhards.net/rainer">Rainer Gerhards</a> and
+<a href="http://www.adiscon.com/">Adiscon</a>. Released under the GNU GPL
+version 2 or higher.</font></p>
+</body>
+</html>
+
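Review bot: the introduction promises tips on "what to do if you need to ask for assistance", but the Asking for Help section only lists where to post. Add what a request should contain (rsyslog version, the relevant rsyslog.conf lines, debug output) and a reminder to strip hostnames, addresses and credentials from logs and configuration before posting them to the public forum or mailing list. The Makefile.am hunks in this diff add rsyslog_reliable_forwarding.html but not troubleshoot.html, so confirm it is already listed in html_files and gets installed. Spelling to fix: "continously", "troublehshooting ressources" and "occasional gets". The <p> and <li> elements are left unclosed, and the file ends with a stray blank line.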