From SpectLog
(Redirected from Package rsyslog)
Jump to: navigation, search

The following sections sumarizes information from old syslog.conf man-page (the syntax largely supported by the new rsyslogd service).

Historical note

Service sysklogd with /etc/syslog.conf configuration file was replaced by package rsyslogd with /etc/rsyslog.conf configuration file since Fedora 8 and RHEL6 [1].


Old package sysklogd has two log daemons:

  • The klogd kernel log daemon service for kernel messages and events.
  • The sysklogd daemon logs all other process activity.

Both are controlled by the /etc/init.d/syslog script.


New package with rsyslogd daemon replaces both sysklogd and klogd. It is subject to configuration, but most of the messages logged through either sysklogd or rsyslogd are written to files in the /var/log directory. For example, the two key log files in conventional configuration are:

  • /var/log/messages
  • /var/log/secure

See also

Log rules

Example (see /etc/syslog.conf or /etc/rsyslog.conf file):

authpriv.* /var/log/secure

Every rule consists of two fields separated by whitespaces:

Selector ActionField

Selector: Facility and Priority

The Selector field itself again consists of two case insensitive parts separated by a period (.):

Facility.Priority

In C program both values can be specified numerically according to syslog.h file.

The Facility argument is used to specify what type of program is logging the message. This lets the configuration file specify that messages from different facilities will be handled differently.

The Priority defines the severity of the message (in ascending order according to syslog.h file):

debug
info
notice
warn
err
crit
alert
emerg

Priority none logs all messages at all levels for the facility.

Selector: Patterns

In most cases anyone can log to any facility (except kern facility which is not allowed by software) - facility is just a convention. Each Selector (combination of exact Facility.Priority) in the selector field overwrites the preceding ones which allows overwriting specific case from previous pattern.

An asterisk * stands for all facilities or all priorities.

mail.*
*.warning

You can specify multiple facilities with the same priority pattern in one statement using the comma (,) operator.

mail,ftp,kern.notice

Multiple selectors may be specified for a single action using the semicolon (;) separator.

kern.info;kern.!err

You may precede every priority with an equation sign (=) to specify that syslogd should only refer to this single priority and not this priority and all higher priorities.

*.=warning;kern.none

You may also precide the priority with an exclamation mark (!) if you want syslogd to ignore this priority and all higher priorities.

kern.info;kern.!err

You may even use both, the exclamation mark and the equation sign if you want syslogd to ignore only this single priority.

mail.*;mail.!=info

Action Field

The action field of a rule describes the abstract term "logfile". A "log file" need not to be a real file.

Regular File

The file has to be specified with full pathname, beginning with a slash /. You may prefix each entry with the minus sign - to omit syncing the file after every logging.

mail.*                 -/var/log/maillog
cron.*                 /var/log/cron

Remote Machine

To forward messages to another host, prepend the hostname with the at sign (@).

*.*                    @master

The remote host won't forward the message again, it will just log them locally. Note that rsyslogd service has more detailed configuration to forward logs on remote host.