SYSLOG Output Format Configuration Files
Messages generated by the SYSLOG output format can be forwarded to any of the following three destinations:
- A Syslog server;
- A text file;
- A user, through the Windows alerter and messenger services.
The conf parameter of the SYSLOG output format allows users to specify a configuration file resembling the standard "syslog.conf" file that describes the rules used to forward messages to different destinations. These rules associate values of the facility and severity message fields with specific Syslog servers, text files, or users.
Each line in a configuration file is either a comment beginning with the pound
character ("#"), or a configuration entry.
Configuration entries have the following syntax:
    <config_entry> ::= <selector> <action>
    <selector>     ::= <facilities>.<severity>
    <facilities>   ::= <facility>[,<facility> ... ]
    <facility>     ::= kern | user | mail | daemon | auth | mark | lpr | news | uucp | cron | auth2 | ftp | ntp | logaudit | logalert | clock | local0 | local1 | local2 | local3 | local4 | local5 | local6 | local7 | *
    <severity>     ::= emerg | alert | crit | err | warning | notice | info | debug
    <action>       ::= <send_server> | <send_file> | <send_user>
    <send_server>  ::= @<server_name>[:<port>]
    <send_file>    ::= <filepath> | STDOUT
    <send_user>    ::= <user_name>
A selector is a comma-separated list of facility names followed by a dot (".") and followed by a severity name. The special "*" wildcard means "all facilities".
Messages whose facility is included in the selector's set of facilities and whose severity is greater than or equal to the selector's severity are forwarded to the destination specified in the action.
An action can specify any of the following destinations:
- The name or address of a Syslog server, preceded by an at character ("@") and optionally followed by a port number; when no port number is specified, the SYSLOG output format will use port 514;
- The path of an output filename;
- The STDOUT keyword, which specifies that the output data is to be written to the output stream (the console output);
- The name of a user.
The following example shows a SYSLOG output format configuration file:
    #
    # Sample SYSLOG output format configuration file
    #
    auth.err @MYSERVER01
    *.debug STDOUT
    *.info C:\MyLogs\Infos.txt
    kern.emerg MYUSER
    local0,local1.emerg @192.168.1.100:515

This configuration file defines the following rules:
- Messages from the "auth" facility with a severity greater than or equal to "err" are forwarded to the "MYSERVER01" Syslog server on port 514;
- All messages having a severity greater than or equal to "debug" are displayed in the console output;
- All messages having a severity greater than or equal to "info" are written to the "C:\MyLogs\Infos.txt" text file;
- Messages from the "kern" facility with a severity greater than or equal to "emerg" are sent to the "MYUSER" user;
- Messages from the "local0" or "local1" facilities with a severity greater than or equal to "emerg" are forwarded to the Syslog server with address 192.168.1.100 on port 515.
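The following added example (not part of the Log Parser documentation or its code) parses a configuration file in the syntax described above and shows which actions apply to a message with a given facility and severity, using the sample file as input. It assumes that severities rank from "emerg" (most severe) to "debug" (least severe), so "greater than or equal to" means "at least as severe as", and, because the documentation gives no rule for telling a file path from a user name, it treats a token containing a path separator or drive colon as a file and any other bare name as a user.

```python
from typing import NamedTuple

SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
FACILITIES = {"kern", "user", "mail", "daemon", "auth", "mark", "lpr", "news", "uucp", "cron",
              "auth2", "ftp", "ntp", "logaudit", "logalert", "clock", *[f"local{i}" for i in range(8)]}

class Rule(NamedTuple):
    facilities: frozenset   # empty set stands for the "*" wildcard
    severity: str           # threshold: a message must be at least this severe
    action: tuple           # ("server", host, port) | ("stdout",) | ("file", path) | ("user", name)

def parse_action(token: str) -> tuple:
    if token.startswith("@"):
        host, _, port = token[1:].partition(":")
        return ("server", host, int(port) if port else 514)   # 514 is the documented default
    if token == "STDOUT":
        return ("stdout",)
    # Assumption: the documentation gives no rule for telling file paths from user names,
    # so a token containing a path separator or drive colon is a file, anything else a user.
    return ("file", token) if any(c in token for c in "\\/:") else ("user", token)

def parse_conf(text: str) -> list[Rule]:
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):     # blank lines and comments are skipped
            continue
        parts = line.split()
        if len(parts) != 2:
            raise ValueError(f"line {lineno}: expected '<selector> <action>'")
        facs, dot, sev = parts[0].rpartition(".")   # facility names contain no dots
        if not dot or sev not in SEVERITIES:
            raise ValueError(f"line {lineno}: bad selector {parts[0]!r}")
        names = set(facs.split(","))
        if names != {"*"} and not names <= FACILITIES:
            raise ValueError(f"line {lineno}: unknown facility in {facs!r}")
        rules.append(Rule(frozenset() if names == {"*"} else frozenset(names), sev, parse_action(parts[1])))
    return rules

def route(rules: list[Rule], facility: str, severity: str) -> list[tuple]:
    # Lower index means more severe, so "at least err" is rank <= index of "err".
    rank = SEVERITIES.index(severity)
    return [r.action for r in rules
            if (not r.facilities or facility in r.facilities) and rank <= SEVERITIES.index(r.severity)]

SAMPLE_CONF = """# The sample configuration from the documentation, embedded here as input
auth.err @MYSERVER01
*.debug STDOUT
*.info C:\\MyLogs\\Infos.txt
kern.emerg MYUSER
local0,local1.emerg @192.168.1.100:515
"""
```

For example, `route(parse_conf(SAMPLE_CONF), "auth", "crit")` yields the MYSERVER01 server, STDOUT and the text file, while a "mail" message at "debug" matches only the STDOUT rule.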
Actions can also be specified in the into-entity of the query. These actions are processed as rules having a selector that matches all messages, with a "*" facility value and an "emerg" severity value.