path: root/source/rainerscript/global.rst

global() configuration object
=============================

The global configuration object permits to set global parameters. Note
that each parameter can only be set once and cannot be re-set
thereafter. If a parameter is set multiple times, the behaviour is
unpredictable. As with other configuration objects, parameters for this
object are case-insensitive.

The following parameters can be set:

-  **action.reportSuspension** - binary, default "on", v7.5.8+

   If enabled ("on") action will log message under `*syslog.\**` when an
   action suspends or resumes itself. This usually happens when there are
   problems connecting to backend systems. If disabled ("off"), these
   messages are not generated. These messages can be useful in detecting
   problems with backend systems. Most importantly, frequent suspension
   and resumption points to a problem area.

- **action.reportSuspensionContinuation** - binary, default "off", v7.6.1+, v8.2.0+

  If enabled ("on") the action will not only report the first suspension but
  each time the suspension is prolonged. Otherwise, the follow-up messages
  are not logged. If this setting is set to "on", action.reportSuspension is
  also automatically turned "on".

- **workDirectory**

  Sets the directory that rsyslog uses for work files, e.g. imfile state
  or queue spool files.

- **umask** available 8.26.0+

  Sets the rsyslogd process' umask.  If not specified, the system-provided default
  is used.  The value given must always be a 4-digit octal number, with the initial
  digit being zero.

- **dropMsgsWithMaliciousDNSPtrRecords**

- **localHostname**
  Permits to overwrite the local host hostname.

- **preserveFQDN**
- **defaultNetstreamDriverCAFile**

  For `TLS syslog <http://www.rsyslog.com/doc/rsyslog_secure_tls.html>`_,
  the CA certificate that can verify the machine keys and certs (see below)

- **defaultNetstreamDriverCRLFile**

  For `TLS syslog <http://www.rsyslog.com/doc/rsyslog_secure_tls.html>`_,
  the CRL File contains a List contains a list of revoked certrificates.

- **defaultNetstreamDriverKeyFile**

  Machine private key

- **defaultNetstreamDriverCertFile**

  Machine public key (certificate)

- **debug.gnutls** (0-10; default:0)

  Any other parameter than 0 enables the debug messages of GnuTLS. The
  amount of messages given depends on the height of the parameter, 0
  being nothing and 10 being very much. Caution! higher parameters may
  give out way more information than needed. We advise you to first use
  small parameters to prevent that from happening.
  **This parameter only has an effect if general debugging is enabled.**

-  **netstreamDriverCaExtraFiles**

   This directive allows to configure multiple additional extra CA files.
   This is intended for SSL certificate chains to work appropriately,
   as the different CA files in the chain need to be specified.
   It must be remarked that this parameter only works with the OpenSSL driver.

- **processInternalMessages** binary (on/off)

  This tells rsyslog if it shall process internal messages itself. The
  default mode of operations ("off") makes rsyslog send messages to the
  system log sink (and if it is the only instance, receive them back from there).
  This also works with systemd journal and will make rsyslog messages show up in the
  systemd status control information.

  If this (instance) of rsyslog is not the main instance and there is another
  main logging system, rsyslog internal messages will be inserted into
  the main instance's syslog stream. In this case, setting to ("on") will
  let you receive the internal messages in the instance they originate from.

  Note that earlier versions of rsyslog worked the opposite way. More
  information about the change can be found in `rsyslog-error-reporting-improved <http://www.rsyslog.com/rsyslog-error-reporting-improved>`_.



- **stdlog.channelspec**

  Permits to set the liblogging-stdlog channel specifier string. This
  in turn permits to send rsyslog log messages to a destination different
  from the system default. Note that this parameter has only effect if
  *processInternalMessages* is set to "off". Otherwise it is silently
  ignored.

- **shutdown.enable.ctlc**

  If set to "on", rsyslogd can be terminated by pressing ctl-c. This is
  most useful for containers. If set to "off" (the default), this is not
  possible.

- **defaultNetstreamDriver**

  Set it to "ossl" or "gtls" to enable TLS.
  This `guide <http://www.rsyslog.com/doc/rsyslog_secure_tls.html>`_
  shows how to use TLS.

- **maxMessageSize**

  Configures the maximum message size allowed for all inputs. Default is 8K.
  Anything above the maximum size will be truncated.

  Note: some modules provide separate parameters that allow overriding this
  setting (e.g., :doc:`imrelp's MaxDataSize parameter <../../configuration/modules/imrelp>`).

.. _global_janitorInterval:

- **janitor.interval** [minutes], available 8.3.3+

  Sets the interval at which the
  :doc:`janitor process <../concepts/janitor>`
  runs.

- **debug.onShutdown** available 7.5.8+

  If enabled ("on"), rsyslog will log debug messages when a system
  shutdown is requested. This can be used to track issues that happen
  only during shutdown. During normal operations, system performance is
  NOT affected.
  Note that for this option to be useful, the debug.logFile parameter
  must also be set (or the respective environment variable).

- **debug.logFile** available 7.5.8+

  This is used to specify the debug log file name. It is used for all
  debug output. Please note that the RSYSLOG\_DEBUGLOG environment
  variable always **overrides** the value of debug.logFile.

- **net.ipprotocol** available 8.6.0+

  This permits to instruct rsyslog to use IPv4 or IPv6 only. Possible
  values are "unspecified", in which case both protocols are used,
  "ipv4-only", and "ipv6-only", which restrict usage to the specified
  protocol. The default is "unspecified".

  Note: this replaces the former *-4* and *-6* rsyslogd command line
  options.

- **net.aclAddHostnameOnFail** available 8.6.0+

  If "on", during ACL processing, hostnames are resolved to IP addresses for
  performance reasons. If DNS fails during that process, the hostname
  is added as wildcard text, which results in proper, but somewhat
  slower operation once DNS is up again.

  The default is "off".

- **net.aclResolveHostname** available 8.6.0+

  If "off", do not resolve hostnames to IP addresses during ACL processing.

  The default is "on".

- **net.enableDNS** [on/off] available 8.6.0+

  **Default:** on

  Can be used to turn DNS name resolution on or off.

- **net.permitACLWarning** [on/off] available 8.6.0+

  **Default:** on

  If "off", suppress warnings issued when messages are received
  from non-authorized machines (those, that are in no AllowedSender list).

- **parser.parseHostnameAndTag** [on/off] available 8.6.0+

  **Default:** on

  This controls whether the parsers try to parse HOSTNAME and TAG fields
  from messages. The default is "on", in which case parsing occurs. If
  set to "off", the fields are not parsed. Note that this usually is
  **not** what you want to have.

  It is highly suggested to change this setting to "off" only if you
  know exactly why you are doing this.

- **parser.permitSlashInProgramName** [on/off] available 8.25.0+

  **Default:** off

  This controls whether slashes in the "programname" property
  (the static part of the tag) are permitted or not. By default
  this is not permitted, but some Linux tools (including most
  importantly the journal) store slashes as part of the program
  name inside the syslogtag. In those cases, the ``programname``
  is truncated at the first slash.

  In other words, if the setting is off, a value of ``app/foo[1234]``
  in the tag will result in a programname of ``app``, and if an
  application stores an absolute path name like ``/app/foo[1234]``,
  the ``programname`` property will be empty ("").
  If set to ``on``, a syslogtag of ``/app/foo[1234]`` will result
  in a ``programname`` value of ``/app/foo`` and a syslogtag of
  ``app/foo[1234]`` will result in a ``programname`` value of
  ``app/foo``.

- **parser.escapeControlCharacterTab** [on/off] available since 8.7.0

  **Default:** on

  If set to "off", the TAB control character (US-ASCII HT) will not be
  escaped. If set to "on", it will be escaped to the sequence "#011".
  Note that escaping is the traditional behavior and existing scripts
  may get into trouble if this is changed to "off".

- **parser.controlCharacterEscapePrefix** [char]

  **Default:** '#'

  This option specifies the prefix character to be used for control
  character escaping (see option
  *parser.escapeControlCharactersOnReceive*).

- **parser.escape8BitCharactersOnReceive** [on/off]

  **Default:** off

  This parameter instructs rsyslogd to replace non US-ASCII characters
  (those that have the 8th bit set) during reception of the message.
  This may be useful for some systems. Please note that this escaping
  breaks Unicode and many other encodings. Most importantly, it can be
  assumed that Asian and European characters will be rendered hardly
  readable by this settings. However, it may still be useful when the
  logs themselves are primarily in English and only occasionally contain
  local script. If this option is turned on, all control-characters are
  converted to a 3-digit octal number and be prefixed with the
  *parser.controlCharacterEscapePrefix* character (being '#' by default).

  **Warning:**

  -  turning on this option most probably destroys non-western character
     sets (like Japanese, Chinese and Korean) as well as European
     character sets.
  -  turning on this option destroys digital signatures if such exists
     inside the message
  -  if turned on, the drop-cc, space-cc and escape-cc `property
     replacer <property_replacer.html>`_ options do not work as expected
     because control characters are already removed upon message
     reception. If you intend to use these property replacer options, you
     must turn off *parser.escape8BitCharactersOnReceive*.

- **parser.escapeControlCharactersOnReceive** [on/off]

  **Default:** on

  This parameter instructs rsyslogd to replace control characters during
  reception of the message. The intent is to provide a way to stop
  non-printable messages from entering the syslog system as whole. If this
  option is turned on, all control-characters are converted to a 3-digit
  octal number and be prefixed with the *parser.controlCharacterEscapePrefix*
  character (being '#' by default). For example, if the BEL character
  (ctrl-g) is included in the message, it would be converted to '#007'.
  To be compatible to sysklogd, this option must be turned on.

  **Warning:**

  -  turning on this option most probably destroys non-western character
     sets (like Japanese, Chinese and Korean)
  -  turning on this option destroys digital signatures if such exists
     inside the message
  -  if turned on, the drop-cc, space-cc and escape-cc `property
     replacer <property_replacer.html>`_ options do not work as expected
     because control characters are already removed upon message
     reception. If you intend to use these property replacer options, you
     must turn off *parser.escapeControlCharactersOnReceive*.


- **senders.keepTrack** [on/off] available 8.17.0+

  **Default:** off

  If turned on, rsyslog keeps track of known senders and also reports
  statistical data for them via the impstats mechanism.

  A list of active senders is kept. When a new sender is detected, an
  informational message is emitted. Senders are purged from the list
  only after a timeout (see *senders.timeoutAfter* parameter). Note
  that we do not intentionally remove a sender when a connection is
  closed. The whole point of this sender-tracking is to have the ability
  to provide longer-duration data. As such, we would not like to drop
  information just because the sender has disconnected for a short period
  of time (e.g. for a reboot).

  Senders are tracked by their hostname (taken at connection establishment).

  Note: currently only imptcp and imtcp support sender tracking.

- **senders.timeoutAfter** [seconds] available 8.17.0+

  **Default:** 12 hours (12*60*60 seconds)

  Specifies after which period a sender is considered to "have gone
  away". For each sender, rsyslog keeps track of the time it least
  received messages from it. When it has not received a message during
  that interval, rsyslog considers the sender to be no longer present.
  It will then a) emit a warning message (if configured) and b) purge
  it from the active senders list. As such, the sender will no longer
  be reported in impstats data once it has timed out.

- **senders.reportGoneAway** [on/off] available 8.17.0+

  **Default:** off

  Emit a warning message when now data has been received from a sender
  within the *senders.timeoutAfter* interval.

- **senders.reportNew** [on/off] available 8.17.0+

  **Default:** off

  If sender tracking is active, report a sender that is not yet inside
  the cache. Note that this means that senders which have been timed out
  due to prolonged inactivity are also reported once they connect again.

- **debug.unloadModules** [on/off] available 8.17.0+

  **Default:** on

  This is primarily a debug setting. If set to "off", rsyslog will never
  unload any modules (including plugins). This usually causes no operational
  problems, but may in extreme cases. The core benefit of this setting is
  that it makes valgrind stack traces readable. In previous versions, the
  same functionality was only available via a special build option.

- **debug.files** [ARRAY of filenames] available 8.29.0+

  **Default:** none

  This can be used to configure rsyslog to only show debug-output generated in
  certain files. If the option is set, but no filename is given, the
  debug-output will behave as if the option is turned off.

  Do note however that due to the way the configuration works, this might not
  effect the first few debug-outputs, while rsyslog is reading in the configuration.
  For optimal results we recommend to put this parameter at the very start of
  your configuration to minimize unwanted output.

  See debug.whitelist for more information.

- **debug.whitelist** [on/off] available 8.29.0+

  **Default:** on

  This parameter is an assisting parameter of  debug.files. If debug.files
  is used in the configuration, debug.whitelist is a switch for the files named
  to be either white- or blacklisted from displaying debug-output. If it is set to
  on, the listed files will generate debug-output, but no other files will.
  The reverse principle applies if the parameter is set to off.

  See debug.files for more information.

- **environment** [ARRAY of environment variable=value strings] available 8.23.0+

  **Default:** none

  This permits to set environment variables via rsyslog.conf. The prime
  motivation for having this is that for many libraries, defaults can be
  set via environment variables, **but** setting them via operating system
  service startup files is cumbersome and different on different platforms.
  So the *environment* parameter provides a handy way to set those
  variables.

  A common example is to set the *http_proxy* variable, e.g. for use with
  KSI signing or ElasticSearch. This can be done as follows::

    global(environment="http_proxy=http://myproxy.example.net")

  Note that an environment variable set this way must contain an equal sign,
  and the variable name must not be longer than 127 characters.

  It is possible to set multiple environment variables in a single
  global statement. This is done in regular array syntax as follows::

    global(environment=["http_proxy=http://myproxy.example.net",
                        "another_one=this string is=ok!"]
          )

  As usual, whitespace is irrelevant in regard to parameter placing. So
  the above sample could also have been written on a single line.

- **internalmsg.ratelimit.interval** [positive integer] available 8.29.0+

  **Default:** 5

   Specifies the interval in seconds onto which rate-limiting is to be
   applied to internal messages generated by rsyslog(i.e. error messages).
   If more than internalmsg.ratelimit.burst messages are read during
   that interval, further messages up to the end of the interval are
   discarded.

- **internalmsg.ratelimit.burst** [positive integer] available 8.29.0+

  **Default:** 500

   Specifies the maximum number of internal messages that can be emitted within
   the ratelimit.interval interval. For further information, see
   description there.


  **Caution:** Environment variables are set immediately when the
  corresponding statement is encountered. Likewise, modules are loaded when
  the module load statement is encountered. This may create **sequence
  dependencies** inside rsyslog.conf. To avoid this, it is highly suggested
  that environment variables are set **right at the top of rsyslog.conf**.
  Also, rsyslog-related environment variables may not apply even when set
  right at the top. It is safest to still set them in operating system
  start files. Note that rsyslog environment variables are usually intended
  only for developers so there should hardly be a need to set them for a
  regular user. Also, many settings (e.g. debug) are also available as
  configuration objects.

- **internalmsg.severity** [syslog severity value] available 8.1905.0+

  **Default:** info

  This permits to limit which internal messages are emitted by rsyslog. This
  is especially useful if internal messages are reported to systemd journal,
  which is the default on journal systems. In that case there is no other
  ability to filter out messages before they are logged by the journal.

  While any syslog severity value can be used, the most useful ones are

  * `error`, to see only error messages but ignore anything else
  * `warn`, to also see warning messages (highly recommended)
  * `info`, to also see informational messages like events generated
     by DA queues status checks. This is the default as the informational
     messages often provide valuable information.
  * `debug`, to see all messages, including only those interesting for
     debugging. While this is still considerably lower volume than a
     rsyslog developer debug log, this can be quite verbose. Selecting
     `debug` without hard need thus is **not** recommended.

  We expect that users are most often interested in limiting verboseness
  to warning messages. This can be done e.g. via::

    global(internalmsg.severity="warn")

- **errorMessagesToStderr.maxNumber** [positive integer] available 8.30.0+

  **Default:** unlimited

  This permits to put a hard limit on the number of messages that can
  go to stderr. If for nothing else, this capability is helpful for the
  testbench. It permits to reduce spamming the test log while still
  providing the ability to see initial error messages. Might also be
  useful for some practical deployments.

- **variables.caseSensitive** [boolean (on/off)] available 8.30.0+

  **Default:** off

  This permits to make variables case-sensitive, what might be required
  for some exotic input data where case is the only difference in
  field names. Note that in rsyslog versions prior to 8.30, the default was
  "on", which very often led to user confusion. There normally should be no
  need to switch it back to "on", except for the case to be mentioned.
  This is also the reason why we switched the default.

- **internal.developeronly.options**

  This is NOT to be used by end users. It provides rsyslog developers the
  ability to do some (possibly strange) things inside rsyslog, e.g. for
  testing. This parameter should never be set, except if instructed by
  a developer. If it is set, rsyslog may misbehave, segfault, or cause
  other strange things. Note that option values are not guaranteed to
  stay the same between releases, so do not be "smart" and apply settings
  that you found via a web search.

  Once again: **users must NOT set this parameter!**

- **oversizemsg.errorfile** [file name] available 8.35.0+

  This parameter is used to specify the name of the oversize message log file.
  Here messages that are longer than maxMessageSize will be gathered.

- **oversizemsg.input.mode** [mode] available 8.35.0+

  With this parameter the behavior for oversized messages can be specified.
  Available modes are:

  - truncate: Oversized messages will be truncated.
  - split: Oversized messages will be split and the rest of the message will
    be sent in another message.
  - accept: Oversized messages will still be accepted.

- **oversizemsg.report** [boolean (on/off)] available 8.35.0+

  This parameter specifies if an error shall be reported when an oversized
  message is seen. The default is "on".

- **abortOnUncleanConfig** [boolean (on/off)] available 8.37.0+

  This parameter permits to prevent rsyslog from running when the
  configuration file is not clean. "Not Clean" means there are errors or
  some other annoyances that rsyslogd reports on startup. This is a
  user-requested feature to have a strict startup mode. Note that with the
  current code base it is not always possible to differentiate between an
  real error and a warning-like condition. As such, the startup will also
  prevented if warnings are present. I consider this a good thing in being
  "strict", but I admit there also currently is no other way of doing it.

- **abortOnFailedQueueStartup** [boolean (on/off)] available 8.2210.0+

  This parameter is similiar to *abortOnUncleanConfig* but makes rsyslog
  abort when there are any problems with queue startup. This is usually
  caused by disk queue settings or disk queue file corruption. Normally,
  rsyslog ignores disk queue definitions in this case and switches the
  queue to emergency mode, which permits in-memory operations. This is
  desired by the fast majority of users, because it permits rsyslog to
  remain operational and process all remaining actions as well as handle
  actions associated with the failed queue decently.
  When this setting is "on", rsyslog aborts immediately when a queue
  problem is detected during startup. If you use this mode, ensure that
  your startup scripts monitor for these type of errors and handle them
  appropriately.
  In our opinion, it is much safer to let rsyslog start and monitor queue
  error messages.

  The **default** for this setting is "off"

- **inputs.timeout.shutdown** [numeric, ms] available 8.37.0+

  This parameter specifies how long input modules are given time to terminate
  when rsyslog is shutdown. The default is 1000ms (1 second). If the input
  requires longer to terminate, it will be cancelled. This is necessary if
  the input is inside a lengthy operation, but should generally be tried to
  avoid. On busy systems it may make sense to increase that timeout. This
  especially seems to be the case with containers.

- **default.action.queue.timeoutshutdown** [numeric] available 8.1901.0+
- **default.action.queue.timeoutactioncompletion** [numeric] available 8.1901.0+
- **default.action.queue.timeoutenqueue** [numeric] available 8.1901.0+
- **default.action.queue.timeoutworkerthreadshutdown** [numeric] available 8.1901.0+

  These parameters set global queue defaults for the respective queue settings.

- **reverselookup.cache.ttl.default** [numeric, seconds] available 8.1904.0+

  Rsyslog includes a cache for ip-address-to-hostname lookups. This is most
  useful for inputs without a connection. imudp is the prime example.
  This settings permits to specify after which period (in seconds) an
  entry expires. Upon expiration the entry will be discarded and re-queried.
  The **default** value is 24 hours.
  To never cache entries, set the parameter to 0, which will make cache
  entries expire immediately. Note that especially with imudp this can
  cause huge performance degradation and potentially also message loss.

  Note: for many years rsyslog did **not** timeout cache entries at all. This
  only occasionally caused issues. We assume that the once-every-24-hrs
  default value is a very good compromise between performance and
  keeping reverse lookup information current.

- **reverselookup.cache.ttl.enable** [boolean (on/off)] available 8.1904.0+

  This configures whether rsyslog expires DNS cache entries (setting "on") or
  not (setting "off", the default). If configured to "off",
  *reverselookup.cache.default.ttl* is not in effect. Note that this is the
  **default**.

- **security.abortOnIDResolutionFail** [boolean (on/off)], default "on", available 8.2002.0+

  This setting controls if rsyslog should error-terminate when an security ID cannot
  be resolved during config file processing at startup. If set to "on" and
  a name ID lookup fails (for user and group names) rsyslog does not start but
  terminate with an error message. This is necessary as a security
  measure, as otherwise the wrong permissions can be assigned or privileges
  are not dropped. This setting is applied whereever security IDs are resolved,
  e.g. when dropping privileges or assigning file permissions or owners.

  The setting should be at the top of the configuration parameters to make sure its
  behavior is correctly applied on all other configuration parameters.

  **CHANGE OF BEHAVIOR**

  The default for this parameter is "on". In versions prior to 8.2002.0, the default
  was "off" (by virtue of this parameter not existing). As such, existing
  configurations may now error out.

  We have decided to accept this change of behavior because of the potential
  security implications.

- **operatingStateFile** [string, filename], default unset, available 8.39.0+

  The operatingStateFile, as the name says, provides information about rsyslog
  operating state. It can be useful for troubleshooting.

  If this parameter is not set, an operating state file will not be written. If
  it is set, the file will be written **and** used to detect unclean shutdown.
  Upon startup, rsyslog checks if the last recorded line contains the "clean
  shutdown notification". If so, the file is deleted and re-written with new
  operating state. If the notification cannot be found, rsyslog assumes unclean
  shutdown and complains about this state. In this case the operating state file
  is renamed to "<configured-name>.previous" and a new file is started under the
  configured name for the current run. This permits the administrator to check the
  previous operating state file for helpful information on why the system shut
  down unclean.

- **reportChildProcessExits** [none|errors|all], default "errors", available
  8.1901.0+

  Tells rsyslog whether and when to log a message (under *syslog.\**) when a
  child process terminates. The available modes are:

  - none: Do not report any child process termination.
  - errors: Only report the termination of child processes that have exited with
    a non-zero exit code, or that have been terminated by a signal.
  - all: Report all child process terminations.

  The logged message will be one of the following:
  
  - "program 'x' (pid n) exited with status s" (with "info" severity if the
    status is zero, and "warning" severity otherwise)
  - "program 'x' (pid n) terminated by signal s" (with "warning" severity)

  In some cases, the program name is not included in the message (but only the PID).

  Normally, if a child process terminates prematurely for some reason, rsyslog will
  also report some specific error message the next time it interacts with the process
  (for example, in the case of a process started by omprog, if omprog cannot send a
  message to the process because the pipe is broken, it will report an error
  indicating this). This specific error message (if any) is not affected by this
  global setting.


- **default.ruleset.queue.timeoutshutdown**
- **default.ruleset.queue.timeoutactioncompletion**
- **default.ruleset.queue.timeoutenqueue**
- **default.ruleset.queue.timeoutworkerthreadshutdown**

  Sets default parameters for ruleset queues. See queue doc for the meaning of
  the individual settings.


- **default.action.queue.timeoutshutdown**
- **default.action.queue.timeoutactioncompletion**
- **default.action.queue.timeoutenqueue**
- **default.action.queue.timeoutworkerthreadshutdown**

  Sets default parameters for action queues. See queue doc for the meaning of
  the individual settings.


- **shutdown.queue.doublesize**

  This setting (default "off") permits to temporarily increase the maximum queue
  size during shutdown processing. This is useful when rsyslog needs to re-enqueue
  some messages at shutdown *and* the queue is already full. Note that the need to
  re-enqueue messages stems back to some failed operations. Note that the maximum
  permitted queue size is doubled, as this ensures in all cases that re-enqueuing
  can be completed. Note also that the increase of the max size is temporary during
  shutdown and also does not requiere any more storage. Except, of course, for
  re-enqueued message.

  The situation addressed by this setting is unlikely to happen, but it could happen.
  To enable the funtionality, set it to "on".

- **parser.supportCompressionExtension** [boolean (on/off)] available 8.2106.0+

  This parameter permits to disable rsyslog's single-message-compression extension on
  reception ("off"). The default is to keep it activated ("on").

  The single-message-compression extension permits senders to zip-compress single
  syslog messages. Such messages start with the letter "z" instead of the usual
  syslog PRI value. For well-formed syslog messages, the extension works as designed.
  However, some users transport non-syslog data via rsyslog, and such messages may
  validly start with "z" for non-compressed data. To support such non-standard
  cases, this option can be used to globally disable support for compression on
  all inputs.

privdrop.group.name
^^^^^^^^^^^^^^^^^^^

.. csv-table::
   :header: "type", "default", "mandatory", "|FmtObsoleteName| directive"
   :widths: auto
   :class: parameter-table

   "integer", "", "no", "``$PrivDropToGroup``"

.. versionadded:: 8.2110.0

Name of the group rsyslog should run under after startup. Please
note that this group is looked up in the system tables. If the lookup
fails, privileges are NOT dropped. Thus it is advisable to use the
less convenient `privdrop.group.id` parameter. Note that all
supplementary groups are removed by default from the process if the
`privdrop.group.keepsupplemental` parameter is not specified.
If the group id can be looked up, but can not be set,
rsyslog aborts.

Note: See the :doc:`privilege drop documentation<../configuration/droppriv>`
for more details on dropping privileges on startup.

privdrop.group.id
^^^^^^^^^^^^^^^^^

.. csv-table::
   :header: "type", "default", "mandatory", "|FmtObsoleteName| directive"
   :widths: auto
   :class: parameter-table

   "integer", "", "no", "``$PrivDropToGroupID``"

.. versionadded:: 8.2110.0

Numerical user ID of the group rsyslog should run under after startup.
This is more reliable than the `privdrop.group.name` parameter, which
relies on presence of the group name in system tables. The change to
the ID will always happen if the ID is valid.

Note: See the :doc:`privilege drop documentation<../configuration/droppriv>`
for more details on dropping privileges on startup.

privdrop.user.name
^^^^^^^^^^^^^^^^^^

.. csv-table::
   :header: "type", "default", "mandatory", "|FmtObsoleteName| directive"
   :widths: auto
   :class: parameter-table

   "integer", "", "no", "``$PrivDropToUser``"

.. versionadded:: 8.2110.0


Name of the user rsyslog should run under after startup. Please note
that this user is looked up in the system tables. If the lookup
fails, privileges are NOT dropped. Thus it is advisable to use the
less convenient `privdrop.user.id` parameter. If the user id can be
looked up, but can not be set, rsyslog aborts.

Note: See the :doc:`privilege drop documentation<../configuration/droppriv>`
for more details on dropping privileges on startup.

privdrop.user.id
^^^^^^^^^^^^^^^^

.. csv-table::
   :header: "type", "default", "mandatory", "|FmtObsoleteName| directive"
   :widths: auto
   :class: parameter-table

   "integer", "", "no", "``$PrivDropToUserID``"

.. versionadded:: 8.2110.0

Numerical user ID of the user rsyslog should run under after startup.
This is more reliable than the `privdrop.user.name` parameter, which
relies on presence of the user name in system tables. The change to
the ID will always happen if the ID is valid.

Note: See the :doc:`privilege drop documentation<../configuration/droppriv>`
for more details on dropping privileges on startup.

libcapng.default
^^^^^^^^^^^^^^^^

.. csv-table::
   :header: "type", "default", "mandatory", "|FmtObsoleteName| directive"
   :widths: auto
   :class: parameter-table

   "integer", "on", "no", "none"

.. versionadded:: 8.2306.0

The `libcapng.default` global option defines how rsyslog should behave
in case something went wrong when capabilities were to be dropped.
The default value is "on", in which case rsyslog exits on a libcapng
related error. If set to "off", an error message describing the problem
appears at startup, nothing more. Default value is preserved for backwards
compatibility.

libcapng.enable
^^^^^^^^^^^^^^^

.. csv-table::
   :header: "type", "default", "mandatory", "|FmtObsoleteName| directive"
   :widths: auto
   :class: parameter-table

   "integer", "on", "no", "none"

.. versionadded:: 8.2310.0

The `libcapng.enable` global option defines whether rsyslog should
drop capabilities at startup or not. By default, it is set to "on".
Until this point, if the project was compiled with --enable-libcap-ng option,
capabilities were automatically dropped. This is configurable now.