5 UNIX / Linux rsyslogd Command Examples For Message Logging

rsyslogd is used to log messages and it is based on syslogd but with several additional features.

Apart from supporting logging on local systems, it also supports logging on remote systems.

1. Change Default Config file using -f

When rsyslogd starts, it reads /etc/rsyslog.conf file by default for configuration information. If you like to change this behavior, you can specify your own configuration file using -f option as shown below. Please note that comment entries in the configuration files start with #.

# rsyslogd -f /etc/myrsyslogd.conf

2. Change Default PID file using -i

As you see below, by default rsyslogd will store the PID of the running process in the /var/run/syslogd.pid file. This information is used when the service is stopped.

# cat /var/run/syslogd.pid
22455

# ps -ef | grep rsyslog
root  22455 1  0 09:01 ?  00:00:00 rsyslogd -f /etc/myrsyslogd.conf

You can specify your own PID file using the -i option as shown below. Please note that this helps you to run two different rsyslogd process in parallel if you are doing some testing, this is helpful.

When you try to start a 2nd rsyslogd, you’ll get the following error message.

# rsyslogd -f /etc/myrsyslogd.conf
 Already running. If you want to run multiple instances, you need to specify different pid files (use -i option)

But, you can start a 2nd rsyslogd, if you give a different PID file as shown below.

# rsyslogd -f /etc/myrsyslogd.conf -i /var/run/myrsyslogd.pid

# ps -ef | grep rsyslogd
root  22538  1  0 09:05 /sbin/rsyslogd -i /var/run/syslogd.pid -c 5
root  22554  1  0 09:06 rsyslogd -f /etc/myrsyslogd.conf -i /var/run/myrsyslogd.pid

3. Specify Compatibility Mode

You’ll notice that the default rsyslogd runs in the compatibility mode “5” as shown below in the “-c 5” option.

# ps -ef | grep rsyslogd
root  22538  1  0 09:05 /sbin/rsyslogd -i /var/run/syslogd.pid -c 5

You can change this to a particular version of the rsyslogd for backward compatibility:
-c3 will be backward compatible with rsyslog v3 native interface.
-c0 will be backward compatible with command-line of sysklogd (this is default behavior if no “-c” option is given).

You can view the current version of your rsyslogd as shown below.

# rsyslogd -v
rsyslogd 5.8.10, compiled with:
        FEATURE_REGEXP:                         Yes
        FEATURE_LARGEFILE:                      No
        GSSAPI Kerberos 5 support:              Yes
        FEATURE_DEBUG (debug build, slow code): No
        32bit Atomic operations supported:      Yes
        64bit Atomic operations supported:      Yes
        Runtime Instrumentation (slow code):    No

In the following example, it will run in the backward compatible mode for version 3

rsyslogd -f /etc/myrsyslogd.conf -c3

4. Listen Only on IPv4 or IPv6

By default rsyslogd listens on all configured ip-address of the system. You can specify rsyslogd to listen either only on IPv4 or IPv6 using -4 and -6 option correspondingly as shown below.

rsyslogd -4

rsyslogd -6 -i /var/log/myrsyslogd.pid

5. Turn on Debugging

You can turn on debug mode using -d option. This will write the debug information to the stdout when you are executing the rsyslogd in the foreground.

# rsyslogd -d
2514.5700: rsyslogd 5.8.10 startup, compatibility mode 0, module path '', cwd:/etc
2514.5700: caller requested object 'net', not found (iRet -3003)
2514.5700: Requested to load module 'lmnet'
2514.5700: loading module '/lib64/rsyslog/lmnet.so'
2514.5700: module of type 2 being loaded.
...
...
2514.5700: MsgSetTAG exit: pMsg->iLenTAG 9, pMsg->TAG.szBuf: rsyslogd:
2514.5700: Checking pidfile.

If you want the rsyslogd debug information to go to a different file, you can specify that file name in the RSYSLOG_DEBUGLOG environment variable.

# export RSYSLOG_DEBUGLOG=/tmp/rsyslogdebug.log

# rsyslogd -d

# cat /tmp/rsyslogdebug.log
2514.5700: rsyslogd 5.8.10 startup, compatibility mode 0, module path '', cwd:/etc
2514.5700: caller requested object 'net', not found (iRet -3003)
2514.5700: Requested to load module 'lmnet'
2514.5700: loading module '/lib64/rsyslog/lmnet.so'
2514.5700: module of type 2 being loaded.
...
...
2514.5700: MsgSetTAG exit: pMsg->iLenTAG 9, pMsg->TAG.szBuf: rsyslogd:
2514.5700: Checking pidfile.

You can also specify the level of debugging using the RSYSLOG_DEBUG environment variable.

6. Specify Hostlist and Domainlist

Using -l option, you can specify list of hostnames which will be logged only using the hostname and not their FQDN. When you have multiple values separate them using : as shown below.

rsyslogd -l devdb:proddb

Using -s option, you can specify list of domainnames which should be stripped off from the logging. Just like hostnames you can specify multiple domain names using : as shown below.

rsyslogd -s linux.101hacks.net:redhat.com

You can combine both -l and -s option in a single rsyslogd.

7. Check the Config File

You can verify your configuration file using -N option. You can specify a particular level of check. The following checks the configuration in level 2. By default, it checks the /etc/rsyslog.conf

# rsyslogd -N 2
rsyslogd: version 5.8.10, config validation run (level 2), master config /etc/rsyslog.conf
rsyslogd: WARNING: rsyslogd is running in compatibility mode. Automatically generated config directives may interfer with your rsyslog.conf settings. We suggest upgrading your config and adding -c5 as the first rsyslogd option.
rsyslogd: Warning: backward compatibility layer added to following directive to rsyslog.conf: ModLoad immark
rsyslogd: Warning: backward compatibility layer added to following directive to rsyslog.conf: MarkMessagePeriod 1200
rsyslogd: Warning: backward compatibility layer added to following directive to rsyslog.conf: ModLoad imuxsock
rsyslogd: End of config validation run. Bye.

If you want to check your own configuration file, use the -f option as shown below.

# rsyslogd -N 5 -f /etc/myrsyslogd.conf

Please note that when you perform a configuration check, it doesn’t start the rsyslogd, it just checks the configuration file and returns the output to the stdout.