# rsyslogd.conf # # if you experience problems, check: # http://www.rsyslog.com/troubleshoot #### MODULES #### module(load="imuxsock") # local system logging support (e.g. via logger command) #module(load="imklog") # kernel logging support (previously done by rklogd) module(load="immark") # --MARK-- message support module(load="imudp") # UDP listener support input(type="imudp" port="514") # Log all kernel messages to the console. # Logging much else clutters up the screen. #kern.* action(type="omfile" file="/dev/console") # Log anything (except mail) of level info or higher. # Don't log private authentication messages! *.info;mail.none;authpriv.none;cron.none action(type="omfile" file="/var/log/messages") # The authpriv file has restricted access. authpriv.* action(type="omfile" file="/var/log/secure") # Log all the mail messages in one place. mail.* action(type="omfile" file="/dev/console") # Log cron stuff cron.* action(type="omfile" file="/var/log/cron") # Everybody gets emergency messages *.emerg action(type="omusrmsg" users="*") # Save news errors of level crit and higher in a special file. uucp,news.crit action(type="omfile" file="/var/log/spooler") # Save boot messages also to boot.log local7.* action(type="omfile" file="/var/log/boot.log") # log every host in its own directory if $fromhost-ip then /var/log/$fromhost-ip/messages # Include all .conf files in /etc/rsyslog.d $IncludeConfig /etc/rsyslog.d/*.conf $template GRAYLOGRFC5424,"<%PRI%>%PROTOCOL-VERSION% %TIMESTAMP:::date-rfc3339% %HOSTNAME% %APP-NAME% %PROCID% %MSGID% %STRUCTURED-DATA% %msg%\n" *.info;mail.none;authpriv.none;cron.none;*.* @@graylog:514;GRAYLOGRFC5424 # forward everything to remote server