/etc/lard.conf - lard configuration file
This configuration file is read by lard(8) on startup.
The configuration file consists of keyword - value pairs describing logfiles and options.
Global options describe parameters that only make sens in a global context, like listen and socket. All other options are default parameters for the logging rules.
The global section is defined as everything up to the first rule. A rule starts with one of the following keywords: file, pipe, command or host. Once any of these keywords is encountered, all keywords are assiciated with this rule-starting keyword, until a new rule-starting keyword is encountered.
- listen {IP address|IP addres:port}
-
Define the IP address and optionally the UDP port where the daemon will listen on in remote reception mode (-r).
- socket {filename}
-
Define an alternative UNIX socket to look for incoming local syslog messages instead of '/dev/log'/
- mark {seconds}
-
Change the default number of seconds that the logging daemon will log a heartbeat timestamp using '-- MARK --'. The default is 20 minutes. Setting this to '0' disabled logging of these marks.
A (new) rule starts with a rule-starting keyword as described above. This rule inherits default values for globally defined parameters such as keep, rotate, and compress. Locally defined options override any globally defined ones. Some of these parameters have system defaults.
- file {filename}
-
Define a new rule that will append messages into a logfile.
- pipe {pipename}
-
Define a new rule that will keep a pipe open and write messages into it.
- command {command}
-
Define a new rule that will spawn a command for every message that matches the logging criteria. The message is passed as commandline parameter to the command. This may be unsafe!
- host {hostname}
-
Define a new rule that sends matching messages to a remote logging host.
- post {command}
-
Define a command to be executed once the target file is rotated. Lard will take care not to run the same command twice in a row and thus you can re-use the command as often as you wish.
The options below (with the exception of log and match) can be specified both globally and in rules:
- domain {domainname}
-
Strip (if applicable) the domainname from the hostname.
- rotate {"hourly"|"daily"|"weekly"|"monthly"|[size]}
-
This option describes when a logfile needs to be rotated and only applies to the file rule.
- keep {number}
-
Define the number of old logfiles to keep before deleting the oldest one during rotation.
- compress {"gzip"|"bzip2"|"none"}
-
Define the type of compression used to compress logfiles when they are rotated. "none" means no compression.
- log {facility.priority}
-
Define which facility and priority must be matched on this rule. A '*' for the priority or facility means "all", such that:
*.*would match all incoming messages of all facilities and priorities.
A facility may be a comma-separated list of multiple facilities:
local0,local1,local3.*And even so for the priority:
*.debug,infoA facility or priority may even be negated with a '!' character, which results in the rule NOT matching that priority/facility:
*.!debugFor a list of facilites and priorities, see syslog(8).
- match {expression}
-
On top of the priority and facility, a message must also match this regular expression. The expression can include perl-like regular expression directly. The following example would match all messages that appear to be coming from the ssh daemon:
match " sshd\[\d+\]: " - filter {expression}
-
Additionally to specifying a certain patter that the message needs to fit to (a regular expression), you can also remove unwanted log messages with one or more filter statements. If any message in the rule matches the filter, it is discarded and not logged.
filter "uninteresting message"Both match and filter may be specified multiple time per rule, and applied as follows: if no match rule is present, of if any match rule matches the message, apply filters, otherwise discard the message. If any filter matches, discard the message as well.
- format {format-string}
-
The format string allows you to specify an alternative message layout. The layout is a string with keywords that will be substituted for every message:
format "%{TIMESTAMP} %{HOSTNAME} %{MSG}\n"The %{keyword} words have specific meaning of course.
%{TIMESTAMP} - the time the message was sent %{HOSTNAME} - the originating hostname of a message %{MSG} - the message data %{facility} - the message facility printed out %{priority} - the message priority printed outThe following fields are also available but should be used with caution:
%{facility_code} - the facility code (binary) %{priority_code} - the priority code (binary) %{raw} - the full raw message %{time_recv} - the time received %{length} - length of the raw message %{HEADER} - the full original header %{peerhost} - the sending hostname %{peerport} - port that the sending host used %{PRI} - encoded priority/facility data %{TIME} - time received in UNIX time - timeformat {timeformat}
-
Define a format to use to print the time in a message. This follows the syntax that date(1) also uses. Example:
# stock syslogd uses: timeformat "%b %e %H:%M:%S"
lard(8), lard.conf(5), [RFC 3164]
lard was written by Auke Kok, http://lard.foo-projects.org/
The author disclaims all copyrights and releases this document into the public domain.