Use this documentation with care! It describes
the outdated version 7, which was actively
developed around 2014 and is considered dead by the
This documentation reflects the latest update of the v7-stable branch. It describes the 7.6.8 version, which was never released. As such, it contains some content that does not apply to any released version.
To obtain the doc that properly matches your installed v7 version, obtain the doc set from your distro. Each version of rsyslog contained the version that exactly matches it.
As general advise, it is strongly suggested to upgrade to the current version supported by the rsyslog project. The current version can always be found on the right-hand side info box on the rsyslog web site.
Note that there is only limited rsyslog community support available for the outdated v7 version (officially we do not support it at all, but we usually are able to answer simple questions). If you need to stick with v7, it probably is best to ask your distribution for support.
libgcrypt Log Crypto Provider (gcry)¶
Crypto Provider Name: gcry
Author: Rainer Gerhards <email@example.com>
Supported Since: since 7.3.10
Provides encryption support to rsyslog.
Crypto providers are loaded by omfile, when the provider is selected in its “cry.providerName” parameter. Parameters for the provider are given in the omfile action instance line.
This provider creates an encryption information file with the same base name but the extension “.encinfo” for each log file (both for fixed-name files as well as dynafiles). Both files together form a set. So you need to archive both in order to prove integrity.
cry.algo <Encryption Algorithm> The algorithm (cipher) to be used for encryption. The default algorithm is “AES128”. Currently, the following Algorithms are supported:
The actual availability of an algorithms depends on which ones are compiled into libgcrypt. Note that some versions of libgcrypt simply abort the process (rsyslogd in this case!) if a supported algorithm is select but not available due to libgcrypt build settings. There is nothing rsyslog can do against this. So in order to avoid production downtime, always check carefully when you change the algorithm.
cry.mode <Algorithm Mode> The encryption mode to be used. Default ist Cipher Block Chaining (CBC). Note that not all encryption modes can be used together with all algorithms. Currently, the following modes are supported:
cry.key <encryption key> TESTING AID, NOT FOR PRODUCTION USE. This uses the KEY specified inside rsyslog.conf. This is the actual key, and as such this mode is highly insecure. However, it can be useful for intial testing steps. This option may be removed in the future.
cry.keyfile <filename> Reads the key from the specified file. The file must contain the key, only, no headers or other meta information. Keyfiles can be generated via the rscrytool utility.
cry.keyprogram <path to program> If given, the key is provided by a so-called “key program”. This program is executed and must return the key (as well as some meta information) via stdout. The core idea of key programs is that using this interface the user can implement as complex (and secure) method to obtain keys as desired, all without the need to make modifications to rsyslog.
- currently none known
This encrypts a log file. Default parameters are used, they key is provided via a keyfile.
action(type="omfile" file="/var/log/somelog" cry.provider="gcry" cry.keyfile="/secured/path/to/keyfile")
Note that the keyfile can be generated via the rscrytool utility (see its documentation for how to actually do that).