SYSLOG Output Format Configuration Files

Messages generated by the SYSLOG output format can be forwarded to any of the following three possible destinations:

A Syslog server;
A text file;
A user, through the Windows alerter and messenger services.

The conf parameter of the SYSLOG output format allows users to specify a configuration file resembling the standard "syslog.conf" file that describes the rules used to forward messages to different destinations.
These rules associate values of the facility and severity message fields with specific Syslog servers, text files, or users.

Each line in a configuration file is either a comment beginning with the pound character ("#"), or a configuration entry.
Configuration entries have the following syntax:

<config_entry>	::=	<selector> <action>
<selector>	::=	<facilities>.<severity>
<facilities>	::=	<facility>[,<facility> ... ]
<facility>	::=	kern \| user \| mail \| daemon \| auth \| mark \| lpr \| news \| uucp \| cron \| auth2 \| ftp \| ntp \| logaudit \| logalert \| clock \| local0 \| local1 \| local2 \| local3 \| local4 \| local5 \| local6 \| local7 \| *
<severity>	::=	emerg \| alert \| crit \| err \| warning \| notice \| info \| debug
<action>	::=	<send_server> \| <send_file> \| <send_user>
<send_server>	::=	@<server_name>[:<port>]
<send_file>	::=	<filepath> \| STDOUT
<send_user>	::=	<user_name>

A configuration entry is composed of a selector and an action, separated by spaces or tab characters.
A selector is a comma-separated list of facility names followed by a dot (".") and followed by a severity name. The special "*" wildcard means "all facilities".
Messages whose facility is included in the selector's set of facilities and whose severity is greater than or equal to the selector's severity are forwarded to the destination specified in the action.

An action can specify any of the following destinations:

The name or address of a Syslog server, preceded by an at character ("@") and optionally followed by a port number; when no port number is specified, the SYSLOG output format will use port 514;
The path of an output filename;
The STDOUT keyword, which specifies that the output data is to be written to the output stream (the console output);
The name of a user.

The following example shows a SYSLOG output format configuration file:

#
# Sample SYSLOG output format configuration file
#
auth.err				@MYSERVER01
*.debug				 STDOUT
*.info				C:\MyLogs\Infos.txt
kern.emerg			MYUSER
local0,local1.emerg	 @192.168.1.100:515

This configuration file defines the following rules:

Messages from the "auth" facility with a severity greater than or equal to "err" are forwarded to the "MYSERVER01" Syslog server on port 514;
All messages having a severity greater than or equal to "debug" are displayed in the console output;
All messages having a severity greater than or equal to "info" are written to the "C:\MyLogs\Infos.txt" text file;
Messages from the "kern" facility with a severity greater than or equal to "emerg" are sent to the "MYUSER" user;
Messages from the "local0" or "local1" facilities with a severity greater than or equal to "emerg" are forwarded to the Syslog server with address 192.168.1.100 on port 515.

Messages matching more than one rule are forwarded to all the specified destinations. For example, with the above configuration file, messages having a severity greater than or equal to "debug" are both displayed in the console output and written to the "C:\MyLogs\Infos.txt" text file.

Actions can also be specified in the into-entity of the query.
These actions are processed as rules having a selector that matches all messages, with a "*" facility value and an "emerg" severity value.