summaryrefslogtreecommitdiffstats
path: root/source/rainerscript/global.rst
diff options
context:
space:
mode:
Diffstat (limited to '')
-rw-r--r--source/rainerscript/global.rst811
1 files changed, 811 insertions, 0 deletions
diff --git a/source/rainerscript/global.rst b/source/rainerscript/global.rst
new file mode 100644
index 0000000..a55f54a
--- /dev/null
+++ b/source/rainerscript/global.rst
@@ -0,0 +1,811 @@
+global() configuration object
+=============================
+
+The global configuration object permits to set global parameters. Note
+that each parameter can only be set once and cannot be re-set
+thereafter. If a parameter is set multiple times, the behaviour is
+unpredictable. As with other configuration objects, parameters for this
+object are case-insensitive.
+
+The following parameters can be set:
+
+- **action.reportSuspension** - binary, default "on", v7.5.8+
+
+ If enabled ("on") action will log message under `*syslog.\**` when an
+ action suspends or resumes itself. This usually happens when there are
+ problems connecting to backend systems. If disabled ("off"), these
+ messages are not generated. These messages can be useful in detecting
+ problems with backend systems. Most importantly, frequent suspension
+ and resumption points to a problem area.
+
+- **action.reportSuspensionContinuation** - binary, default "off", v7.6.1+, v8.2.0+
+
+ If enabled ("on") the action will not only report the first suspension but
+ each time the suspension is prolonged. Otherwise, the follow-up messages
+ are not logged. If this setting is set to "on", action.reportSuspension is
+ also automatically turned "on".
+
+- **workDirectory**
+
+ Sets the directory that rsyslog uses for work files, e.g. imfile state
+ or queue spool files.
+
+- **umask** available 8.26.0+
+
+ Sets the rsyslogd process' umask. If not specified, the system-provided default
+ is used. The value given must always be a 4-digit octal number, with the initial
+ digit being zero.
+
+- **dropMsgsWithMaliciousDNSPtrRecords**
+
+- **localHostname**
+ Permits to overwrite the local host hostname.
+
+- **preserveFQDN**
+- **defaultNetstreamDriverCAFile**
+
+ For `TLS syslog <http://www.rsyslog.com/doc/rsyslog_secure_tls.html>`_,
+ the CA certificate that can verify the machine keys and certs (see below)
+
+- **defaultNetstreamDriverCRLFile**
+
+ For `TLS syslog <http://www.rsyslog.com/doc/rsyslog_secure_tls.html>`_,
+ the CRL File contains a List contains a list of revoked certrificates.
+
+- **defaultNetstreamDriverKeyFile**
+
+ Machine private key
+
+- **defaultNetstreamDriverCertFile**
+
+ Machine public key (certificate)
+
+- **debug.gnutls** (0-10; default:0)
+
+ Any other parameter than 0 enables the debug messages of GnuTLS. The
+ amount of messages given depends on the height of the parameter, 0
+ being nothing and 10 being very much. Caution! higher parameters may
+ give out way more information than needed. We advise you to first use
+ small parameters to prevent that from happening.
+ **This parameter only has an effect if general debugging is enabled.**
+
+- **netstreamDriverCaExtraFiles**
+
+ This directive allows to configure multiple additional extra CA files.
+ This is intended for SSL certificate chains to work appropriately,
+ as the different CA files in the chain need to be specified.
+ It must be remarked that this parameter only works with the OpenSSL driver.
+
+- **processInternalMessages** binary (on/off)
+
+ This tells rsyslog if it shall process internal messages itself. The
+ default mode of operations ("off") makes rsyslog send messages to the
+ system log sink (and if it is the only instance, receive them back from there).
+ This also works with systemd journal and will make rsyslog messages show up in the
+ systemd status control information.
+
+ If this (instance) of rsyslog is not the main instance and there is another
+ main logging system, rsyslog internal messages will be inserted into
+ the main instance's syslog stream. In this case, setting to ("on") will
+ let you receive the internal messages in the instance they originate from.
+
+ Note that earlier versions of rsyslog worked the opposite way. More
+ information about the change can be found in `rsyslog-error-reporting-improved <http://www.rsyslog.com/rsyslog-error-reporting-improved>`_.
+
+
+
+- **stdlog.channelspec**
+
+ Permits to set the liblogging-stdlog channel specifier string. This
+ in turn permits to send rsyslog log messages to a destination different
+ from the system default. Note that this parameter has only effect if
+ *processInternalMessages* is set to "off". Otherwise it is silently
+ ignored.
+
+- **shutdown.enable.ctlc**
+
+ If set to "on", rsyslogd can be terminated by pressing ctl-c. This is
+ most useful for containers. If set to "off" (the default), this is not
+ possible.
+
+- **defaultNetstreamDriver**
+
+ Set it to "ossl" or "gtls" to enable TLS.
+ This `guide <http://www.rsyslog.com/doc/rsyslog_secure_tls.html>`_
+ shows how to use TLS.
+
+- **maxMessageSize**
+
+ Configures the maximum message size allowed for all inputs. Default is 8K.
+ Anything above the maximum size will be truncated.
+
+ Note: some modules provide separate parameters that allow overriding this
+ setting (e.g., :doc:`imrelp's MaxDataSize parameter <../../configuration/modules/imrelp>`).
+
+.. _global_janitorInterval:
+
+- **janitor.interval** [minutes], available 8.3.3+
+
+ Sets the interval at which the
+ :doc:`janitor process <../concepts/janitor>`
+ runs.
+
+- **debug.onShutdown** available 7.5.8+
+
+ If enabled ("on"), rsyslog will log debug messages when a system
+ shutdown is requested. This can be used to track issues that happen
+ only during shutdown. During normal operations, system performance is
+ NOT affected.
+ Note that for this option to be useful, the debug.logFile parameter
+ must also be set (or the respective environment variable).
+
+- **debug.logFile** available 7.5.8+
+
+ This is used to specify the debug log file name. It is used for all
+ debug output. Please note that the RSYSLOG\_DEBUGLOG environment
+ variable always **overrides** the value of debug.logFile.
+
+- **net.ipprotocol** available 8.6.0+
+
+ This permits to instruct rsyslog to use IPv4 or IPv6 only. Possible
+ values are "unspecified", in which case both protocols are used,
+ "ipv4-only", and "ipv6-only", which restrict usage to the specified
+ protocol. The default is "unspecified".
+
+ Note: this replaces the former *-4* and *-6* rsyslogd command line
+ options.
+
+- **net.aclAddHostnameOnFail** available 8.6.0+
+
+ If "on", during ACL processing, hostnames are resolved to IP addresses for
+ performance reasons. If DNS fails during that process, the hostname
+ is added as wildcard text, which results in proper, but somewhat
+ slower operation once DNS is up again.
+
+ The default is "off".
+
+- **net.aclResolveHostname** available 8.6.0+
+
+ If "off", do not resolve hostnames to IP addresses during ACL processing.
+
+ The default is "on".
+
+- **net.enableDNS** [on/off] available 8.6.0+
+
+ **Default:** on
+
+ Can be used to turn DNS name resolution on or off.
+
+- **net.permitACLWarning** [on/off] available 8.6.0+
+
+ **Default:** on
+
+ If "off", suppress warnings issued when messages are received
+ from non-authorized machines (those, that are in no AllowedSender list).
+
+- **parser.parseHostnameAndTag** [on/off] available 8.6.0+
+
+ **Default:** on
+
+ This controls whether the parsers try to parse HOSTNAME and TAG fields
+ from messages. The default is "on", in which case parsing occurs. If
+ set to "off", the fields are not parsed. Note that this usually is
+ **not** what you want to have.
+
+ It is highly suggested to change this setting to "off" only if you
+ know exactly why you are doing this.
+
+- **parser.permitSlashInProgramName** [on/off] available 8.25.0+
+
+ **Default:** off
+
+ This controls whether slashes in the "programname" property
+ (the static part of the tag) are permitted or not. By default
+ this is not permitted, but some Linux tools (including most
+ importantly the journal) store slashes as part of the program
+ name inside the syslogtag. In those cases, the ``programname``
+ is truncated at the first slash.
+
+ In other words, if the setting is off, a value of ``app/foo[1234]``
+ in the tag will result in a programname of ``app``, and if an
+ application stores an absolute path name like ``/app/foo[1234]``,
+ the ``programname`` property will be empty ("").
+ If set to ``on``, a syslogtag of ``/app/foo[1234]`` will result
+ in a ``programname`` value of ``/app/foo`` and a syslogtag of
+ ``app/foo[1234]`` will result in a ``programname`` value of
+ ``app/foo``.
+
+- **parser.escapeControlCharacterTab** [on/off] available since 8.7.0
+
+ **Default:** on
+
+ If set to "off", the TAB control character (US-ASCII HT) will not be
+ escaped. If set to "on", it will be escaped to the sequence "#011".
+ Note that escaping is the traditional behavior and existing scripts
+ may get into trouble if this is changed to "off".
+
+- **parser.controlCharacterEscapePrefix** [char]
+
+ **Default:** '#'
+
+ This option specifies the prefix character to be used for control
+ character escaping (see option
+ *parser.escapeControlCharactersOnReceive*).
+
+- **parser.escape8BitCharactersOnReceive** [on/off]
+
+ **Default:** off
+
+ This parameter instructs rsyslogd to replace non US-ASCII characters
+ (those that have the 8th bit set) during reception of the message.
+ This may be useful for some systems. Please note that this escaping
+ breaks Unicode and many other encodings. Most importantly, it can be
+ assumed that Asian and European characters will be rendered hardly
+ readable by this settings. However, it may still be useful when the
+ logs themselves are primarily in English and only occasionally contain
+ local script. If this option is turned on, all control-characters are
+ converted to a 3-digit octal number and be prefixed with the
+ *parser.controlCharacterEscapePrefix* character (being '#' by default).
+
+ **Warning:**
+
+ - turning on this option most probably destroys non-western character
+ sets (like Japanese, Chinese and Korean) as well as European
+ character sets.
+ - turning on this option destroys digital signatures if such exists
+ inside the message
+ - if turned on, the drop-cc, space-cc and escape-cc `property
+ replacer <property_replacer.html>`_ options do not work as expected
+ because control characters are already removed upon message
+ reception. If you intend to use these property replacer options, you
+ must turn off *parser.escape8BitCharactersOnReceive*.
+
+- **parser.escapeControlCharactersOnReceive** [on/off]
+
+ **Default:** on
+
+ This parameter instructs rsyslogd to replace control characters during
+ reception of the message. The intent is to provide a way to stop
+ non-printable messages from entering the syslog system as whole. If this
+ option is turned on, all control-characters are converted to a 3-digit
+ octal number and be prefixed with the *parser.controlCharacterEscapePrefix*
+ character (being '#' by default). For example, if the BEL character
+ (ctrl-g) is included in the message, it would be converted to '#007'.
+ To be compatible to sysklogd, this option must be turned on.
+
+ **Warning:**
+
+ - turning on this option most probably destroys non-western character
+ sets (like Japanese, Chinese and Korean)
+ - turning on this option destroys digital signatures if such exists
+ inside the message
+ - if turned on, the drop-cc, space-cc and escape-cc `property
+ replacer <property_replacer.html>`_ options do not work as expected
+ because control characters are already removed upon message
+ reception. If you intend to use these property replacer options, you
+ must turn off *parser.escapeControlCharactersOnReceive*.
+
+
+- **senders.keepTrack** [on/off] available 8.17.0+
+
+ **Default:** off
+
+ If turned on, rsyslog keeps track of known senders and also reports
+ statistical data for them via the impstats mechanism.
+
+ A list of active senders is kept. When a new sender is detected, an
+ informational message is emitted. Senders are purged from the list
+ only after a timeout (see *senders.timeoutAfter* parameter). Note
+ that we do not intentionally remove a sender when a connection is
+ closed. The whole point of this sender-tracking is to have the ability
+ to provide longer-duration data. As such, we would not like to drop
+ information just because the sender has disconnected for a short period
+ of time (e.g. for a reboot).
+
+ Senders are tracked by their hostname (taken at connection establishment).
+
+ Note: currently only imptcp and imtcp support sender tracking.
+
+- **senders.timeoutAfter** [seconds] available 8.17.0+
+
+ **Default:** 12 hours (12*60*60 seconds)
+
+ Specifies after which period a sender is considered to "have gone
+ away". For each sender, rsyslog keeps track of the time it least
+ received messages from it. When it has not received a message during
+ that interval, rsyslog considers the sender to be no longer present.
+ It will then a) emit a warning message (if configured) and b) purge
+ it from the active senders list. As such, the sender will no longer
+ be reported in impstats data once it has timed out.
+
+- **senders.reportGoneAway** [on/off] available 8.17.0+
+
+ **Default:** off
+
+ Emit a warning message when now data has been received from a sender
+ within the *senders.timeoutAfter* interval.
+
+- **senders.reportNew** [on/off] available 8.17.0+
+
+ **Default:** off
+
+ If sender tracking is active, report a sender that is not yet inside
+ the cache. Note that this means that senders which have been timed out
+ due to prolonged inactivity are also reported once they connect again.
+
+- **debug.unloadModules** [on/off] available 8.17.0+
+
+ **Default:** on
+
+ This is primarily a debug setting. If set to "off", rsyslog will never
+ unload any modules (including plugins). This usually causes no operational
+ problems, but may in extreme cases. The core benefit of this setting is
+ that it makes valgrind stack traces readable. In previous versions, the
+ same functionality was only available via a special build option.
+
+- **debug.files** [ARRAY of filenames] available 8.29.0+
+
+ **Default:** none
+
+ This can be used to configure rsyslog to only show debug-output generated in
+ certain files. If the option is set, but no filename is given, the
+ debug-output will behave as if the option is turned off.
+
+ Do note however that due to the way the configuration works, this might not
+ effect the first few debug-outputs, while rsyslog is reading in the configuration.
+ For optimal results we recommend to put this parameter at the very start of
+ your configuration to minimize unwanted output.
+
+ See debug.whitelist for more information.
+
+- **debug.whitelist** [on/off] available 8.29.0+
+
+ **Default:** on
+
+ This parameter is an assisting parameter of debug.files. If debug.files
+ is used in the configuration, debug.whitelist is a switch for the files named
+ to be either white- or blacklisted from displaying debug-output. If it is set to
+ on, the listed files will generate debug-output, but no other files will.
+ The reverse principle applies if the parameter is set to off.
+
+ See debug.files for more information.
+
+- **environment** [ARRAY of environment variable=value strings] available 8.23.0+
+
+ **Default:** none
+
+ This permits to set environment variables via rsyslog.conf. The prime
+ motivation for having this is that for many libraries, defaults can be
+ set via environment variables, **but** setting them via operating system
+ service startup files is cumbersome and different on different platforms.
+ So the *environment* parameter provides a handy way to set those
+ variables.
+
+ A common example is to set the *http_proxy* variable, e.g. for use with
+ KSI signing or ElasticSearch. This can be done as follows::
+
+ global(environment="http_proxy=http://myproxy.example.net")
+
+ Note that an environment variable set this way must contain an equal sign,
+ and the variable name must not be longer than 127 characters.
+
+ It is possible to set multiple environment variables in a single
+ global statement. This is done in regular array syntax as follows::
+
+ global(environment=["http_proxy=http://myproxy.example.net",
+ "another_one=this string is=ok!"]
+ )
+
+ As usual, whitespace is irrelevant in regard to parameter placing. So
+ the above sample could also have been written on a single line.
+
+- **internalmsg.ratelimit.interval** [positive integer] available 8.29.0+
+
+ **Default:** 5
+
+ Specifies the interval in seconds onto which rate-limiting is to be
+ applied to internal messages generated by rsyslog(i.e. error messages).
+ If more than internalmsg.ratelimit.burst messages are read during
+ that interval, further messages up to the end of the interval are
+ discarded.
+
+- **internalmsg.ratelimit.burst** [positive integer] available 8.29.0+
+
+ **Default:** 500
+
+ Specifies the maximum number of internal messages that can be emitted within
+ the ratelimit.interval interval. For further information, see
+ description there.
+
+
+ **Caution:** Environment variables are set immediately when the
+ corresponding statement is encountered. Likewise, modules are loaded when
+ the module load statement is encountered. This may create **sequence
+ dependencies** inside rsyslog.conf. To avoid this, it is highly suggested
+ that environment variables are set **right at the top of rsyslog.conf**.
+ Also, rsyslog-related environment variables may not apply even when set
+ right at the top. It is safest to still set them in operating system
+ start files. Note that rsyslog environment variables are usually intended
+ only for developers so there should hardly be a need to set them for a
+ regular user. Also, many settings (e.g. debug) are also available as
+ configuration objects.
+
+- **internalmsg.severity** [syslog severity value] available 8.1905.0+
+
+ **Default:** info
+
+ This permits to limit which internal messages are emitted by rsyslog. This
+ is especially useful if internal messages are reported to systemd journal,
+ which is the default on journal systems. In that case there is no other
+ ability to filter out messages before they are logged by the journal.
+
+ While any syslog severity value can be used, the most useful ones are
+
+ * `error`, to see only error messages but ignore anything else
+ * `warn`, to also see warning messages (highly recommended)
+ * `info`, to also see informational messages like events generated
+ by DA queues status checks. This is the default as the informational
+ messages often provide valuable information.
+ * `debug`, to see all messages, including only those interesting for
+ debugging. While this is still considerably lower volume than a
+ rsyslog developer debug log, this can be quite verbose. Selecting
+ `debug` without hard need thus is **not** recommended.
+
+ We expect that users are most often interested in limiting verboseness
+ to warning messages. This can be done e.g. via::
+
+ global(internalmsg.severity="warn")
+
+- **errorMessagesToStderr.maxNumber** [positive integer] available 8.30.0+
+
+ **Default:** unlimited
+
+ This permits to put a hard limit on the number of messages that can
+ go to stderr. If for nothing else, this capability is helpful for the
+ testbench. It permits to reduce spamming the test log while still
+ providing the ability to see initial error messages. Might also be
+ useful for some practical deployments.
+
+- **variables.caseSensitive** [boolean (on/off)] available 8.30.0+
+
+ **Default:** off
+
+ This permits to make variables case-sensitive, what might be required
+ for some exotic input data where case is the only difference in
+ field names. Note that in rsyslog versions prior to 8.30, the default was
+ "on", which very often led to user confusion. There normally should be no
+ need to switch it back to "on", except for the case to be mentioned.
+ This is also the reason why we switched the default.
+
+- **internal.developeronly.options**
+
+ This is NOT to be used by end users. It provides rsyslog developers the
+ ability to do some (possibly strange) things inside rsyslog, e.g. for
+ testing. This parameter should never be set, except if instructed by
+ a developer. If it is set, rsyslog may misbehave, segfault, or cause
+ other strange things. Note that option values are not guaranteed to
+ stay the same between releases, so do not be "smart" and apply settings
+ that you found via a web search.
+
+ Once again: **users must NOT set this parameter!**
+
+- **oversizemsg.errorfile** [file name] available 8.35.0+
+
+ This parameter is used to specify the name of the oversize message log file.
+ Here messages that are longer than maxMessageSize will be gathered.
+
+- **oversizemsg.input.mode** [mode] available 8.35.0+
+
+ With this parameter the behavior for oversized messages can be specified.
+ Available modes are:
+
+ - truncate: Oversized messages will be truncated.
+ - split: Oversized messages will be split and the rest of the message will
+ be sent in another message.
+ - accept: Oversized messages will still be accepted.
+
+- **oversizemsg.report** [boolean (on/off)] available 8.35.0+
+
+ This parameter specifies if an error shall be reported when an oversized
+ message is seen. The default is "on".
+
+- **abortOnUncleanConfig** [boolean (on/off)] available 8.37.0+
+
+ This parameter permits to prevent rsyslog from running when the
+ configuration file is not clean. "Not Clean" means there are errors or
+ some other annoyances that rsyslogd reports on startup. This is a
+ user-requested feature to have a strict startup mode. Note that with the
+ current code base it is not always possible to differentiate between an
+ real error and a warning-like condition. As such, the startup will also
+ prevented if warnings are present. I consider this a good thing in being
+ "strict", but I admit there also currently is no other way of doing it.
+
+- **abortOnFailedQueueStartup** [boolean (on/off)] available 8.2210.0+
+
+ This parameter is similiar to *abortOnUncleanConfig* but makes rsyslog
+ abort when there are any problems with queue startup. This is usually
+ caused by disk queue settings or disk queue file corruption. Normally,
+ rsyslog ignores disk queue definitions in this case and switches the
+ queue to emergency mode, which permits in-memory operations. This is
+ desired by the fast majority of users, because it permits rsyslog to
+ remain operational and process all remaining actions as well as handle
+ actions associated with the failed queue decently.
+ When this setting is "on", rsyslog aborts immediately when a queue
+ problem is detected during startup. If you use this mode, ensure that
+ your startup scripts monitor for these type of errors and handle them
+ appropriately.
+ In our opinion, it is much safer to let rsyslog start and monitor queue
+ error messages.
+
+ The **default** for this setting is "off"
+
+- **inputs.timeout.shutdown** [numeric, ms] available 8.37.0+
+
+ This parameter specifies how long input modules are given time to terminate
+ when rsyslog is shutdown. The default is 1000ms (1 second). If the input
+ requires longer to terminate, it will be cancelled. This is necessary if
+ the input is inside a lengthy operation, but should generally be tried to
+ avoid. On busy systems it may make sense to increase that timeout. This
+ especially seems to be the case with containers.
+
+- **default.action.queue.timeoutshutdown** [numeric] available 8.1901.0+
+- **default.action.queue.timeoutactioncompletion** [numeric] available 8.1901.0+
+- **default.action.queue.timeoutenqueue** [numeric] available 8.1901.0+
+- **default.action.queue.timeoutworkerthreadshutdown** [numeric] available 8.1901.0+
+
+ These parameters set global queue defaults for the respective queue settings.
+
+- **reverselookup.cache.ttl.default** [numeric, seconds] available 8.1904.0+
+
+ Rsyslog includes a cache for ip-address-to-hostname lookups. This is most
+ useful for inputs without a connection. imudp is the prime example.
+ This settings permits to specify after which period (in seconds) an
+ entry expires. Upon expiration the entry will be discarded and re-queried.
+ The **default** value is 24 hours.
+ To never cache entries, set the parameter to 0, which will make cache
+ entries expire immediately. Note that especially with imudp this can
+ cause huge performance degradation and potentially also message loss.
+
+ Note: for many years rsyslog did **not** timeout cache entries at all. This
+ only occasionally caused issues. We assume that the once-every-24-hrs
+ default value is a very good compromise between performance and
+ keeping reverse lookup information current.
+
+- **reverselookup.cache.ttl.enable** [boolean (on/off)] available 8.1904.0+
+
+ This configures whether rsyslog expires DNS cache entries (setting "on") or
+ not (setting "off", the default). If configured to "off",
+ *reverselookup.cache.default.ttl* is not in effect. Note that this is the
+ **default**.
+
+- **security.abortOnIDResolutionFail** [boolean (on/off)], default "on", available 8.2002.0+
+
+ This setting controls if rsyslog should error-terminate when an security ID cannot
+ be resolved during config file processing at startup. If set to "on" and
+ a name ID lookup fails (for user and group names) rsyslog does not start but
+ terminate with an error message. This is necessary as a security
+ measure, as otherwise the wrong permissions can be assigned or privileges
+ are not dropped. This setting is applied whereever security IDs are resolved,
+ e.g. when dropping privileges or assigning file permissions or owners.
+
+ The setting should be at the top of the configuration parameters to make sure its
+ behavior is correctly applied on all other configuration parameters.
+
+ **CHANGE OF BEHAVIOR**
+
+ The default for this parameter is "on". In versions prior to 8.2002.0, the default
+ was "off" (by virtue of this parameter not existing). As such, existing
+ configurations may now error out.
+
+ We have decided to accept this change of behavior because of the potential
+ security implications.
+
+- **operatingStateFile** [string, filename], default unset, available 8.39.0+
+
+ The operatingStateFile, as the name says, provides information about rsyslog
+ operating state. It can be useful for troubleshooting.
+
+ If this parameter is not set, an operating state file will not be written. If
+ it is set, the file will be written **and** used to detect unclean shutdown.
+ Upon startup, rsyslog checks if the last recorded line contains the "clean
+ shutdown notification". If so, the file is deleted and re-written with new
+ operating state. If the notification cannot be found, rsyslog assumes unclean
+ shutdown and complains about this state. In this case the operating state file
+ is renamed to "<configured-name>.previous" and a new file is started under the
+ configured name for the current run. This permits the administrator to check the
+ previous operating state file for helpful information on why the system shut
+ down unclean.
+
+- **reportChildProcessExits** [none|errors|all], default "errors", available
+ 8.1901.0+
+
+ Tells rsyslog whether and when to log a message (under *syslog.\**) when a
+ child process terminates. The available modes are:
+
+ - none: Do not report any child process termination.
+ - errors: Only report the termination of child processes that have exited with
+ a non-zero exit code, or that have been terminated by a signal.
+ - all: Report all child process terminations.
+
+ The logged message will be one of the following:
+
+ - "program 'x' (pid n) exited with status s" (with "info" severity if the
+ status is zero, and "warning" severity otherwise)
+ - "program 'x' (pid n) terminated by signal s" (with "warning" severity)
+
+ In some cases, the program name is not included in the message (but only the PID).
+
+ Normally, if a child process terminates prematurely for some reason, rsyslog will
+ also report some specific error message the next time it interacts with the process
+ (for example, in the case of a process started by omprog, if omprog cannot send a
+ message to the process because the pipe is broken, it will report an error
+ indicating this). This specific error message (if any) is not affected by this
+ global setting.
+
+
+- **default.ruleset.queue.timeoutshutdown**
+- **default.ruleset.queue.timeoutactioncompletion**
+- **default.ruleset.queue.timeoutenqueue**
+- **default.ruleset.queue.timeoutworkerthreadshutdown**
+
+ Sets default parameters for ruleset queues. See queue doc for the meaning of
+ the individual settings.
+
+
+- **default.action.queue.timeoutshutdown**
+- **default.action.queue.timeoutactioncompletion**
+- **default.action.queue.timeoutenqueue**
+- **default.action.queue.timeoutworkerthreadshutdown**
+
+ Sets default parameters for action queues. See queue doc for the meaning of
+ the individual settings.
+
+
+- **shutdown.queue.doublesize**
+
+ This setting (default "off") permits to temporarily increase the maximum queue
+ size during shutdown processing. This is useful when rsyslog needs to re-enqueue
+ some messages at shutdown *and* the queue is already full. Note that the need to
+ re-enqueue messages stems back to some failed operations. Note that the maximum
+ permitted queue size is doubled, as this ensures in all cases that re-enqueuing
+ can be completed. Note also that the increase of the max size is temporary during
+ shutdown and also does not requiere any more storage. Except, of course, for
+ re-enqueued message.
+
+ The situation addressed by this setting is unlikely to happen, but it could happen.
+ To enable the funtionality, set it to "on".
+
+- **parser.supportCompressionExtension** [boolean (on/off)] available 8.2106.0+
+
+ This parameter permits to disable rsyslog's single-message-compression extension on
+ reception ("off"). The default is to keep it activated ("on").
+
+ The single-message-compression extension permits senders to zip-compress single
+ syslog messages. Such messages start with the letter "z" instead of the usual
+ syslog PRI value. For well-formed syslog messages, the extension works as designed.
+ However, some users transport non-syslog data via rsyslog, and such messages may
+ validly start with "z" for non-compressed data. To support such non-standard
+ cases, this option can be used to globally disable support for compression on
+ all inputs.
+
+privdrop.group.name
+^^^^^^^^^^^^^^^^^^^
+
+.. csv-table::
+ :header: "type", "default", "mandatory", "|FmtObsoleteName| directive"
+ :widths: auto
+ :class: parameter-table
+
+ "integer", "", "no", "``$PrivDropToGroup``"
+
+.. versionadded:: 8.2110.0
+
+Name of the group rsyslog should run under after startup. Please
+note that this group is looked up in the system tables. If the lookup
+fails, privileges are NOT dropped. Thus it is advisable to use the
+less convenient `privdrop.group.id` parameter. Note that all
+supplementary groups are removed by default from the process if the
+`privdrop.group.keepsupplemental` parameter is not specified.
+If the group id can be looked up, but can not be set,
+rsyslog aborts.
+
+Note: See the :doc:`privilege drop documentation<../configuration/droppriv>`
+for more details on dropping privileges on startup.
+
+privdrop.group.id
+^^^^^^^^^^^^^^^^^
+
+.. csv-table::
+ :header: "type", "default", "mandatory", "|FmtObsoleteName| directive"
+ :widths: auto
+ :class: parameter-table
+
+ "integer", "", "no", "``$PrivDropToGroupID``"
+
+.. versionadded:: 8.2110.0
+
+Numerical user ID of the group rsyslog should run under after startup.
+This is more reliable than the `privdrop.group.name` parameter, which
+relies on presence of the group name in system tables. The change to
+the ID will always happen if the ID is valid.
+
+Note: See the :doc:`privilege drop documentation<../configuration/droppriv>`
+for more details on dropping privileges on startup.
+
+privdrop.user.name
+^^^^^^^^^^^^^^^^^^
+
+.. csv-table::
+ :header: "type", "default", "mandatory", "|FmtObsoleteName| directive"
+ :widths: auto
+ :class: parameter-table
+
+ "integer", "", "no", "``$PrivDropToUser``"
+
+.. versionadded:: 8.2110.0
+
+
+Name of the user rsyslog should run under after startup. Please note
+that this user is looked up in the system tables. If the lookup
+fails, privileges are NOT dropped. Thus it is advisable to use the
+less convenient `privdrop.user.id` parameter. If the user id can be
+looked up, but can not be set, rsyslog aborts.
+
+Note: See the :doc:`privilege drop documentation<../configuration/droppriv>`
+for more details on dropping privileges on startup.
+
+privdrop.user.id
+^^^^^^^^^^^^^^^^
+
+.. csv-table::
+ :header: "type", "default", "mandatory", "|FmtObsoleteName| directive"
+ :widths: auto
+ :class: parameter-table
+
+ "integer", "", "no", "``$PrivDropToUserID``"
+
+.. versionadded:: 8.2110.0
+
+Numerical user ID of the user rsyslog should run under after startup.
+This is more reliable than the `privdrop.user.name` parameter, which
+relies on presence of the user name in system tables. The change to
+the ID will always happen if the ID is valid.
+
+Note: See the :doc:`privilege drop documentation<../configuration/droppriv>`
+for more details on dropping privileges on startup.
+
+libcapng.default
+^^^^^^^^^^^^^^^^
+
+.. csv-table::
+ :header: "type", "default", "mandatory", "|FmtObsoleteName| directive"
+ :widths: auto
+ :class: parameter-table
+
+ "integer", "on", "no", "none"
+
+.. versionadded:: 8.2306.0
+
+The `libcapng.default` global option defines how rsyslog should behave
+in case something went wrong when capabilities were to be dropped.
+The default value is "on", in which case rsyslog exits on a libcapng
+related error. If set to "off", an error message describing the problem
+appears at startup, nothing more. Default value is preserved for backwards
+compatibility.
+
+libcapng.enable
+^^^^^^^^^^^^^^^
+
+.. csv-table::
+ :header: "type", "default", "mandatory", "|FmtObsoleteName| directive"
+ :widths: auto
+ :class: parameter-table
+
+ "integer", "on", "no", "none"
+
+.. versionadded:: 8.2310.0
+
+The `libcapng.enable` global option defines whether rsyslog should
+drop capabilities at startup or not. By default, it is set to "on".
+Until this point, if the project was compiled with --enable-libcap-ng option,
+capabilities were automatically dropped. This is configurable now.
generated by cgit v1.2.3 (git 2.39.1) at 2024-08-24 17:19:41 +0000