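He,YuanHui: Excellence in work comes from diligence and is wasted by idleness; conduct succeeds through thought and is ruined by carelessness

If you like something and have the talent for it, throw your whole self into it, like a knife driven straight in up to the hilt; don't ask why, and don't worry about what you might run into.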

# A commented quick reference and sample configuration
# WARNING: This is not a manual; the full manual of rsyslog configuration is in
# the rsyslog.conf(5) manpage
#
# "$" starts lines that contain new directives. The full list of directives
# can be found in /usr/share/doc/rsyslog-1.19.6/doc/rsyslog_conf.html or online
# at http://www.rsyslog.com/doc if you do not have (or find) a local copy.
#
# Set syslogd options

#                 Some global directives
#                 ----------------------

# $AllowedSender - specifies which remote systems are allowed to send syslog messages to rsyslogd
# --------------
$AllowedSender UDP, 127.0.0.1, 192.0.2.0/24, [::1]/128, *.example.net, somehost.example.com

# $UMASK - specifies the rsyslogd processes' umask
# ------
$umask 0000

# $FileGroup - Set the group for dynaFiles newly created
# ----------
$FileGroup loggroup

# $FileOwner - Set the file owner for dynaFiles newly created.
# ----------
$FileOwner loguser

# $IncludeConfig - include other files into the main configuration file
# --------------
$IncludeConfig /etc/some-included-file.conf    # one file
$IncludeConfig /etc/rsyslog.d/                 # whole directory (must contain the final slash)

# $ModLoad - Dynamically loads a plug-in and activates it
# --------
$ModLoad MySQL  # load MySQL functionality
$ModLoad /rsyslog/modules/somemodule.so # load a module via absolute path



#                       Templates
#                       ---------

# Templates allow you to specify any format you might want.
# They MUST be defined BEFORE they are used.

# A template consists of a template directive, a name, the actual template text
# and optional options. A sample is:
#
$template MyTemplateName,"\7Text %property% some more text\n",<options>

#  where:
#   * $template - tells rsyslog that this line contains a template.
#   * MyTemplateName - template name. All other config lines refer to this name.
#   * "\7Text %property% some more text\n" - template text

# The backslash is an escape character, i.e. \7 rings the bell, \n is a new line.
# To escape:
# % = \%
# \ = \\

# Template options are case-insensitive. Currently defined are:
# sql    - format the string suitable for a SQL statement. This will replace single
#          quotes ("'") by two single quotes ("''") to prevent SQL injection
#          (NO_BACKSLASH_ESCAPES turned off)
# stdsql - format the string suitable for a SQL statement that is to
#          be sent to a standards-compliant SQL server
#          (NO_BACKSLASH_ESCAPES turned on)



#               Properties inside templates
#               ---------------------------

# Properties can be modified by the property replacer. They are accessed
# inside the template by putting them between percent signs. The full syntax is as follows:

#     %propname:fromChar:toChar:options%

# FromChar and toChar are used to build substrings.
# If you need to obtain the first 2 characters of the
# message text, you can use this syntax:
#     "%msg:1:2%".
# If you do not wish to specify from and to, but you want to
# specify options, you still need to include the colons.

# For example, to convert the full message text to lower case only, use 
#     "%msg:::lowercase%".

# The full list of property options can be found in rsyslog.conf(5) manpage



#               Samples of template definitions
#               -------------------------------

# A template that resembles traditional syslogd file output:
$template TraditionalFormat,"%timegenerated% %HOSTNAME% %syslogtag%%msg:::drop-last-lf%\n"

# A more verbose template:
$template precise,"%syslogpriority%,%syslogfacility%,%timegenerated::fulltime%,%HOSTNAME%,%syslogtag%,%msg%\n"

# A template that resembles RFC 3164 on-the-wire format:
# (yes, there is NO space between syslogtag and msg! that's important!)
$template RFC3164fmt,"<%PRI%>%TIMESTAMP% %HOSTNAME% %syslogtag%%msg%"

# A template resembling traditional wallmessage format:
$template wallmsg,"\r\n\7Message from syslogd@%HOSTNAME% at %timegenerated% ...\r\n %syslogtag%%msg%\n\r"

# The template below emulates winsyslog format, but we need to check the time
# stamps used. It is also a good sample of the property replacer in action.
$template WinSyslogFmt,"%HOSTNAME%,%timegenerated:1:10:date-rfc3339%,%timegenerated:12:19:date-rfc3339%,%timegenerated:1:10:date-rfc3339%,%timegenerated:12:19:date-rfc3339%,%syslogfacility%,%syslogpriority%,%syslogtag%%msg%\n"

# A template used for database writing (notice it *is* an actual
# sql-statement):
$template dbFormat,"insert into SystemEvents (Message, Facility,FromHost, Priority, DeviceReportedTime, ReceivedAt, InfoUnitID, SysLogTag) values ('%msg%', %syslogfacility%, '%HOSTNAME%',%syslogpriority%, '%timereported:::date-mysql%', '%timegenerated:::date-mysql%', %iut%, '%syslogtag%')",sql



#                       Samples of rules
#                       ----------------
# Regular file
# ------------
*.*     /var/log/traditionalfile.log;TraditionalFormat      # log to a file in the traditional format

# Forwarding to remote machine
# ----------------------------
*.* @172.19.2.16 # udp (standard for syslog)
*.* @@172.19.2.17 # tcp

# Database action
# ---------------
# (you must have rsyslog-mysql package installed)
# !!! Don't forget to set the permissions of rsyslog.conf to 600 (the action line contains the database password) !!!
*.* >hostname,dbname,userid,password # (default Monitorware schema, can be created by /usr/share/doc/rsyslog-mysql-1.19.6/createDB.sql)

# And this one uses the template defined above:
*.* >hostname,dbname,userid,password;dbFormat

# Program to execute
# ------------------
*.* ^alsaunmute # set default volume to soundcard

# Filter using regex
# ------------------
# if the user logs the word rulez or rulezz or rulezzz or..., then we will shut down his pc
# (note that + has to be double backslashed...)
:msg, regex, "rulez\\+" ^poweroff

# A more complex example
# ----------------------
$template bla_logged,"%timegenerated% the BLA was logged"
:msg, contains, "bla"    ^logger;bla_logged

# Pipes
# -----
# first we need to create the pipe with: mkfifo /a_big_pipe
*.* |/a_big_pipe

# Discarding
# ----------
*.* ~      # discards everything
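
The property replacer syntax (`%propname:fromChar:toChar:options%`), the template escapes and the `sql` template option described above, modelled in Python as an added example; it is not part of the original sample file and is not rsyslog's own code. The names `render`, `replace_property` and `SAMPLE` are hypothetical, only the `lowercase` and `drop-last-lf` options are modelled, and the quote doubling follows this page's description of the `sql` option.

```python
import re

# Escapes used in the templates on this page: \7 (bell), \n, \r, \% and \\.
ESCAPES = {"7": "\a", "n": "\n", "r": "\r", "%": "%", "\\": "\\"}
TOKEN = re.compile(r"\\(.)|%([^%]*)%", re.S)

# Constructed sample message properties (illustrative values only).
SAMPLE = {"hostname": "web01", "syslogtag": "sshd[812]:",
          "msg": " Accepted password for O'Brien\n"}


def replace_property(spec, props, sql=False):
    """Evaluate one propname:fromChar:toChar:options spec (simplified model)."""
    name, frm, to, opt = (spec.split(":", 3) + ["", "", ""])[:4]
    value = props[name.lower()]
    if frm or to:
        start = int(frm) if frm else 1        # positions are 1-based
        end = int(to) if to else len(value)   # toChar is inclusive
        value = value[start - 1:end]
    opt = opt.lower()
    if opt == "lowercase":
        value = value.lower()
    elif opt == "drop-last-lf":
        value = value[:-1] if value.endswith("\n") else value
    elif opt:
        raise ValueError("option not modelled here: " + opt)
    # Quote doubling as the page describes for the sql template option.
    return value.replace("'", "''") if sql else value


def render(template, props, sql=False):
    """Expand backslash escapes and %property% references in template text."""
    def expand(match):
        if match.group(1) is not None:                 # backslash escape
            return ESCAPES.get(match.group(1), match.group(1))
        return replace_property(match.group(2), props, sql)
    return TOKEN.sub(expand, template)


if __name__ == "__main__":
    print(repr(render(r"%HOSTNAME% %syslogtag%%msg:::drop-last-lf%\n", SAMPLE)))
    stmt = "insert into SystemEvents (Message) values ('%msg:::drop-last-lf%')"
    print(render(stmt, SAMPLE))             # quote ends the SQL literal early
    print(render(stmt, SAMPLE, sql=True))   # quote doubled, literal stays intact
```

Without the `sql` option the apostrophe in the logged message leaves the statement with an odd number of quotes, which is why a database template such as `dbFormat` must carry it.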

posted on 2010-12-31 13:15  He,YuanHui