LinuxCommandLibrary

rsyslogd

Process and log system messages

SYNOPSIS

rsyslogd [OPTIONS]

PARAMETERS

-f config_file
    Specify an alternative configuration file to use instead of the default.

-i pid_file
    Specify an alternative PID file to use instead of the default /var/run/rsyslogd.pid.

-N level
    Check configuration file syntax and exit. The level determines the verbosity of the check (e.g., 1 for warnings, 2 for verbose errors).

-C
    Do not daemonize. Forces rsyslogd to stay in the foreground, useful for debugging.

-D
    Enable debug mode, producing extensive diagnostic output to standard error.

-M module
    Load a specific rsyslog module at startup. This option can be specified multiple times.

-v
    Print the version information and exit.

DESCRIPTION

rsyslogd is the Rocket-fast SYStem LOGger daemon, a modern and highly configurable replacement for the traditional syslogd. It's designed to provide robust and secure message logging capabilities for Unix-like systems. rsyslogd collects log messages from various sources, including the kernel, system processes, applications, and remote machines.

Its primary function is to process these messages according to a set of rules defined in its configuration file, typically /etc/rsyslog.conf. This processing can involve writing logs to local files, forwarding them to remote log servers (over TCP, UDP, or encrypted TLS connections), writing to databases, or even sending them to message queues. rsyslogd supports advanced filtering, content modification, and a modular architecture, making it suitable for high-performance and secure log management in complex environments.

CAVEATS

Configuring rsyslogd can be complex due to its extensive features and rule-based processing. Improper configuration might lead to performance issues, security vulnerabilities (especially with remote logging), or loss of critical log data.

Ensure proper file permissions on log directories and files to prevent unauthorized access or modification. When forwarding logs over the network, strong encryption (TLS) should be used for sensitive information.

CONFIGURATION FILE

The primary configuration for rsyslogd is typically located at /etc/rsyslog.conf. This file uses a directive-based syntax to define input sources, processing rules, output destinations, and other system-wide parameters for log management. It can also include additional configuration files from a directory like /etc/rsyslog.d/.
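The caveats above (log file permissions, TLS for forwarded logs) and the directive syntax described here can be checked mechanically before the daemon is restarted. The audit script below is an added example, not code from LinuxCommandLibrary or from the rsyslog project. It embeds two constructed configurations: a weak one that listens on UDP, forwards in cleartext and creates group/world-readable files, and a hardened one that forwards over authenticated TLS on port 6514 and creates owner-only files (the certificate paths and host names in it are placeholders). It lints both the legacy $-directive syntax and the newer RainerScript object syntax with regular expressions, so it covers the common forms rather than rsyslog's full grammar, and the owner-only file mode policy is this audit's assumption, not an rsyslog default.

```python
"""Audit an rsyslog configuration for weak transport and log-file permission settings.

Added example; not part of LinuxCommandLibrary or the rsyslog project. It scans
both legacy ($-directive) and RainerScript syntax with simple regexes, so it is a
lint for the common cases, not a full rsyslog parser.
"""
import re
from typing import Dict, List

# Constructed sample: a common but weak setup (legacy and RainerScript syntax mixed).
WEAK_CONF = """\
module(load="imuxsock")
$ModLoad imudp
$UDPServerRun 514
$FileCreateMode 0644
*.* @192.0.2.10:514
auth.* @@192.0.2.10:514
action(type="omfwd" target="logs.example.invalid" port="514" protocol="tcp")
action(type="omfile" file="/var/log/secure" fileCreateMode="0640")
"""

# Constructed sample: the same intent with authenticated TLS and owner-only files.
# Certificate paths and host names are placeholders.
HARDENED_CONF = """\
global(DefaultNetstreamDriver="gtls"
       DefaultNetstreamDriverCAFile="/etc/rsyslog.d/tls/ca.pem"
       DefaultNetstreamDriverCertFile="/etc/rsyslog.d/tls/host.pem"
       DefaultNetstreamDriverKeyFile="/etc/rsyslog.d/tls/host.key")
module(load="imuxsock")
module(load="imtcp" StreamDriver.Name="gtls" StreamDriver.Mode="1"
       StreamDriver.AuthMode="x509/name" PermittedPeer="*.example.invalid")
input(type="imtcp" port="6514")
$FileCreateMode 0600
$DirCreateMode 0700
action(type="omfwd" target="logs.example.invalid" port="6514" protocol="tcp"
       StreamDriver="gtls" StreamDriverMode="1" StreamDriverAuthMode="x509/name"
       StreamDriverPermittedPeers="logs.example.invalid")
action(type="omfile" file="/var/log/secure" fileCreateMode="0600" dirCreateMode="0700")
"""

_PARAM = re.compile(r'([A-Za-z][\w.]*)\s*=\s*"([^"]*)"')


def _params(body: str) -> Dict[str, str]:
    """Turn 'key="value" ...' into a dict with lower-cased keys."""
    return {k.lower(): v for k, v in _PARAM.findall(body)}


def _mode_finding(num: int, what: str, mode: int) -> str:
    return f"line {num}: {what} mode {mode:04o} grants group/other access (this audit expects owner-only)"


def audit_rsyslog_conf(text: str) -> List[str]:
    """Return human-readable findings, one per weak setting, with line numbers."""
    findings: List[str] = []
    # Legacy TCP forwarding (@@host) is only encrypted when both of these are set globally.
    legacy_tls = (re.search(r"^\s*\$DefaultNetstreamDriver\s+gtls\b", text, re.M) is not None
                  and re.search(r"^\s*\$ActionSendStreamDriverMode\s+1\b", text, re.M) is not None)

    # Pass 1: line-oriented checks (legacy directives and selector/action lines).
    for num, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if (re.match(r"\$(ModLoad\s+imudp|UDPServerRun)\b", line)
                or re.search(r'\b(module|input)\(\s*(load|type)="imudp"', line)):
            findings.append(f"line {num}: UDP syslog listener (unencrypted, unauthenticated, lossy)")
        m = re.match(r"^[^\s$]+\s+(@@?)\S+$", line)  # e.g. '*.* @host:514' or 'auth.* @@host:514'
        if m:
            if m.group(1) == "@":
                findings.append(f"line {num}: legacy UDP forward (cleartext, no delivery guarantee)")
            elif not legacy_tls:
                findings.append(f"line {num}: legacy TCP forward without gtls driver (cleartext)")
        m = re.match(r"\$(File|Dir)CreateMode\s+([0-7]+)$", line)
        if m and int(m.group(2), 8) & 0o077:
            findings.append(_mode_finding(num, "default " + m.group(1).lower(), int(m.group(2), 8)))

    # Pass 2: RainerScript action(...) blocks, which may span several lines.
    # Simplification: a ')' inside a quoted value would end the block early.
    for m in re.finditer(r"\baction\((.*?)\)", text, re.S):
        num = text.count("\n", 0, m.start()) + 1
        p = _params(m.group(1))
        if p.get("type") == "omfwd":
            if p.get("protocol", "udp").lower() == "udp":  # omfwd defaults to UDP
                findings.append(f"line {num}: omfwd over UDP (cleartext, no delivery guarantee)")
            elif p.get("streamdriver", "").lower() != "gtls" or p.get("streamdrivermode") != "1":
                findings.append(f"line {num}: omfwd over TCP without TLS (needs StreamDriver=gtls, StreamDriverMode=1)")
            elif p.get("streamdriverauthmode", "anon").lower() == "anon":  # assumed default: anon
                findings.append(f"line {num}: omfwd TLS without peer authentication (anon mode)")
        elif p.get("type") == "omfile":
            for key, what in (("filecreatemode", "log file"), ("dircreatemode", "log directory")):
                if key in p and int(p[key], 8) & 0o077:
                    findings.append(_mode_finding(num, what, int(p[key], 8)))
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        found = audit_rsyslog_conf(conf)
        print(f"{name}: {len(found)} finding(s)")
        for f in found:
            print("  " + f)
```

Running the script reports seven findings for the weak configuration and none for the hardened one. Such a policy check complements, rather than replaces, the daemon's own syntax check (rsyslogd -N 1 -f file), which only tells you whether the file parses.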

MODULARITY

rsyslogd is built with a highly modular architecture, allowing it to support various input modules (e.g., imuxsock for Unix sockets, imudp for UDP, imtcp for TCP) and output modules (e.g., omfile for files, ommysql for databases, omelasticsearch for Elasticsearch). This modularity extends its functionality significantly beyond basic logging.

LOG FORMATS

rsyslogd supports a variety of log formats, including the traditional BSD syslog protocol (RFC 3164), the more modern and structured IETF syslog protocol (RFC 5424), and various custom templates. It can also output logs in structured data formats like JSON, often used for integration with centralized logging systems.
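To make the two wire formats concrete, the parser below decodes both an RFC 3164 (BSD) line and an RFC 5424 (IETF) line into the same structured record and can emit it as JSON, much as a JSON output template would. It is an added example, not code from LinuxCommandLibrary or from rsyslog; the two sample lines are constructed after the examples in the RFCs, the facility names follow the RFC 5424 table, and the structured-data parser is a simplification that does not handle an escaped "]" inside a parameter value.

```python
"""Parse BSD (RFC 3164) and IETF (RFC 5424) syslog lines into structured records.

Added example; not part of LinuxCommandLibrary or rsyslog. The <PRI> header is
decoded into facility/severity (PRI = facility * 8 + severity) and both wire
formats are mapped onto one record shape, so the JSON output is comparable to
what a structured rsyslog template would produce.
"""
import json
import re
from typing import Dict, Optional

# Facility names as numbered in the RFC 5424 table (index = facility code).
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "logaudit", "logalert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Constructed sample lines, modelled on the examples in RFC 3164 and RFC 5424.
SAMPLES = [
    "<34>Oct 11 22:14:15 mymachine su[123]: 'su root' failed for lonvick on /dev/pts/8",
    '<165>1 2003-10-11T22:14:15.003Z mymachine.example.com evntslog 1234 ID47 '
    '[exampleSDID@32473 iut="3" eventSource="Application"] An application event log entry',
]

# <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA [MSG]
_RFC5424 = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>[1-9]\d{0,2}) (?P<timestamp>\S+) (?P<hostname>\S+) "
    r"(?P<appname>\S+) (?P<procid>\S+) (?P<msgid>\S+) (?P<sd>-|(?:\[.*?\])+)(?: (?P<msg>.*))?$",
    re.S)
# <PRI>Mmm dd hh:mm:ss HOSTNAME TAG[PID]: MSG
_RFC3164 = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<timestamp>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) (?P<hostname>\S+) "
    r"(?P<tag>[^\s:\[]+)(?:\[(?P<pid>\d+)\])?: ?(?P<msg>.*)$", re.S)


def _parse_sd(sd: str) -> Dict[str, Dict[str, str]]:
    """Turn '[id k="v" ...][id2 ...]' into nested dicts; '-' yields {}."""
    out: Dict[str, Dict[str, str]] = {}
    for elem in re.findall(r"\[([^\]]*)\]", sd):
        sd_id, _, params = elem.partition(" ")
        out[sd_id] = {k: v.replace('\\"', '"')
                      for k, v in re.findall(r'(\S+?)="((?:[^"\\]|\\.)*)"', params)}
    return out


def _nil(value: Optional[str]) -> Optional[str]:
    """RFC 5424 uses '-' as the NILVALUE for absent fields."""
    return None if value in (None, "-") else value


def parse_syslog(line: str) -> Dict[str, object]:
    """Parse one RFC 5424 or RFC 3164 line; raise ValueError on malformed input."""
    line = line.rstrip("\r\n")
    fmt, m = "rfc5424", _RFC5424.match(line)
    if m is None:
        fmt, m = "rfc3164", _RFC3164.match(line)
    if m is None:
        raise ValueError(f"not a recognised syslog line: {line[:40]!r}")
    pri = int(m.group("pri"))
    if pri > 191:  # facility 0..23 and severity 0..7 give at most 23*8+7
        raise ValueError(f"PRI out of range: {pri}")
    rec: Dict[str, object] = {
        "format": fmt,
        "facility": FACILITIES[pri >> 3],
        "severity": SEVERITIES[pri & 7],
        "timestamp": m.group("timestamp"),
        "hostname": m.group("hostname"),
    }
    if fmt == "rfc5424":
        rec.update(appname=_nil(m.group("appname")), procid=_nil(m.group("procid")),
                   msgid=_nil(m.group("msgid")), structured_data=_parse_sd(m.group("sd")),
                   msg=m.group("msg") or "")
    else:
        rec.update(appname=m.group("tag"), procid=m.group("pid"), msgid=None,
                   structured_data={}, msg=m.group("msg"))
    return rec


def to_json(line: str) -> str:
    """Render one parsed line as a single JSON document (one line, like a JSON template)."""
    return json.dumps(parse_syslog(line), separators=(",", ":"))


if __name__ == "__main__":
    for sample in SAMPLES:
        print(to_json(sample))
```

Feeding the script a file of mixed-format lines is a quick way to confirm which format a sender actually uses and whether the PRI values it emits are sane before writing filters against facility or severity.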

HISTORY

The original syslogd daemon has been a staple of Unix-like systems for decades, providing basic message logging. However, its limitations in terms of reliability, security, and advanced filtering led to the development of modern alternatives.

rsyslog (Rocket-fast SYStem LOGger) was created by Rainer Gerhards as a high-performance, enterprise-class logging solution. It started gaining prominence in the mid-2000s, offering features like reliable TCP transport, TLS encryption, database output, and sophisticated filtering capabilities. Due to its robustness and flexibility, rsyslogd has become the default syslog daemon on many major Linux distributions, including Debian, Ubuntu, and Red Hat Enterprise Linux/CentOS, replacing the older syslogd and sysklogd implementations.

SEE ALSO

syslogd(8), logger(1), logrotate(8), journalctl(1), rsyslog.conf(5)
