Skip to content

Instantly share code, notes, and snippets.

@selivan selivan/rsyslog.conf
Last active Aug 1, 2018

Embed
What would you like to do?
config for rsyslog/rsyslog issue 2899
# Default logging rules can be found in /etc/rsyslog.d/50-default.conf
#################
#### MODULES ####
#################
module(load="imuxsock") # provides support for local system logging
module(load="imklog" PermitNonKernelFacility="on") # provides kernel logging support
#module(load="immark") # provides --MARK-- message capability
module(load="omrelp") # provides support for RELP protocol
module(load="imfile") # provides support for reading logs from files. Default mode: inotify.
###########################
#### GLOBAL DIRECTIVES ####
###########################
# Use traditional timestamp format.
#$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
# High precision timestamps and timezoone information
# https://www.rsyslog.com/doc/v8-stable/configuration/templates.html#reserved-template-names
$ActionFileDefaultTemplate RSYSLOG_FileFormat
# Filter duplicated messages
# rsyslog guys do not recommend this feature: https://www.rsyslog.com/doc/v8-stable/configuration/action/rsconf1_repeatedmsgreduction.html#description
#$RepeatedMsgReduction on
#
# Set the default permissions for all log files.
#
$FileOwner syslog
$FileGroup adm
$FileCreateMode 0640
$DirCreateMode 0755
$Umask 0022
$PrivDropToUser syslog
$PrivDropToGroup syslog
#
# Where to place spool and state files
#
$WorkDirectory /var/spool/rsyslog
###################
#### TEMPLATES ####
###################
# Used for forwarding logs over network
# Support tags longer than 32 characters
# $.suffix variable is used to add file path if required
template (name="LongTagForwardFormat" type="string"
string="<%PRI%>%TIMESTAMP:::date-rfc3339% %HOSTNAME% %syslogtag%%$.suffix%%msg:::sp-if-no-1st-sp%%msg%")
# Template to output only the message
template(name="OnlyMsg" type="string" string="%msg:::drop-last-lf%\n")
##################
#### RULESETS ####
##################
# Ruleset to send messages to logserver
# Queue is used to save logs when the server is unavailable:
# http://www.rsyslog.com/doc/v8-stable/concepts/queues.html#disk-assisted-memory-queues
# Warning: message relative order can be disrupted on message transfer from queue after resuming network connectivity
# Disk-Assisted Memory Queue: queue.type="LinkedList" + queue.filename
# queue.size - max elements in memory
# queue.highwatermark - when to start saving to disk
# queue.lowwatermark - when to stop saving to disk
# queue.saveonshutdown - save on disk between rsyslog shutdown
# action.resumeInterval - interval to suspend action if destination can not be connected
# action.resumeRetryCount - number of retries for action, -1 = eternal
# action.reportSuspension
# action.reportSuspensionContinuation
# After each 10 retries, the interval is extended: (numRetries / 10 + 1) * Action.ResumeInterval
ruleset(name="sendToLogserver") {
action(type="omrelp" Target="logserver.internal" Port="5140" Template="LongTagForwardFormat"
queue.type="LinkedList" queue.size="10000" queue.filename="q_sendToLogserver"
queue.highwatermark="9000" queue.lowwatermark="50" queue.maxdiskspace="500m" queue.saveonshutdown="on"
action.resumeInterval="10" action.resumeRetryCount="-1"
action.reportSuspension="on" action.reportSuspensionContinuation="on")
# Failover server
#$ActionExecOnlyWhenPreviousIsSuspended on
#action(type="omrelp" Target="" Port="" Template="LongTagForwardFormat"
#action.execOnlyWhenPreviousIsSuspended="on" queue.dequeuebatchsize="1")
#$ActionExecOnlyWhenPreviousIsSuspended off
}
##################
#### INCLUDES ####
##################
$IncludeConfig /etc/rsyslog.d/*.conf
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.