rsyslog.conf - rsyslogd(8) configuration file
The rsyslog.conf file is the main configuration file for the
rsyslogd(8) which logs system messages on *nix systems. This file
specifies rules for logging. For special features see the rsyslogd(8)
manpage. Rsyslog.conf is backward-compatible with sysklogd's syslog.conf file.
So if you migrate from sysklogd you can rename it and it should work.
Note that this version of rsyslog ships with extensive
documentation in HTML format. This is provided in the ./doc subdirectory
and probably in a separate package if you installed rsyslog via a packaging
system. To use rsyslog's advanced features, you need to look at the
HTML documentation, because the man pages only cover basic aspects of
Rsyslog has a modular design. Consequently, there is a growing number of
modules. See the HTML documentation for their full description.
- Input module for Solaris/illumos/OmniOS kernel logging.
- SNMP trap output module
- Output module for GSS-enabled syslog
- Output module for MySQL
- Output module for the reliable RELP protocol (prevents message loss). For
details, see below at imrelp and the HTML documentation. It can be used
- *.* :omrelp:server:port
- *.* :omrelp:192.168.0.1:2514 # actual sample
- Output module for PostgreSQL
- Generic database output module (Firebird/Interbase, MS SQL, Sybase,
SQLite, Ingres, Oracle, mSQL)
- Input module for text files
- Input plugin for UDP syslog. Replaces the deprecated -r option. Can be
used like this:
- $ModLoad imudp
- $UDPServerRun 514
- Input plugin for plain TCP syslog. Replaces the deprecated -t option. Can
be used like this:
- $ModLoad imtcp
- $InputTCPServerRun 514
- Input plugin for the RELP protocol. RELP can be used instead of UDP or
plain TCP syslog to provide reliable delivery of syslog messages. Please
note that plain TCP syslog does NOT provide truly reliable delivery, with
it messages may be lost when there is a connection problem or the server
shuts down. RELP prevents message loss in those cases. It can be used like
- $ModLoad imrelp
- $InputRELPServerRun 2514
- Input plugin for plain TCP and GSS-enable syslog
- Support for mark messages
- Kernel logging. To include kernel log messages, you need to do
- $ModLoad imklog
Please note that the klogd daemon is no longer necessary and
consequently no longer provided by the rsyslog package.
- Unix sockets, including the system log socket. You need to specify
Lines starting with a hash mark ('#') and empty lines are ignored. Rsyslog.conf
should contain following sections (sorted by recommended order in file):
- $ModLoad imuxsock
in order to receive log messages from local system processes.
This config directive should only left out if you know exactly what you
The selector field itself again consists of two parts, a facility and a
priority, separated by a period ('.'). Both parts are case insensitive and can
also be specified as decimal numbers, but don't do that, you have been warned.
Both facilities and priorities are described in syslog(3). The names mentioned
below correspond to the similar LOG_-values in /usr/include/syslog.h.
- Global directives
- Global directives set some global properties of whole rsyslog daemon, for
example size of main message queue ($MainMessageQueueSize), loading
external modules ($ModLoad) and so on. All global directives need to be
specified on a line by their own and must start with a dollar-sign. The
complete list of global directives can be found in HTML documentation in
doc directory or online on web pages.
- Templates allow you to specify format of the logged message. They are also
used for dynamic file name generation. They have to be defined before they
are used in rules. For more info about templates see TEMPLATES section of
- Output channels
- Output channels provide an umbrella for any type of output that the user
might want. They have to be defined before they are used in rules. For
more info about output channels see OUTPUT CHANNELS section of this
- Rules (selector + action)
- Every rule line consists of two fields, a selector field and an action
field. These two fields are separated by one or more spaces or tabs. The
selector field specifies a pattern of facilities and priorities belonging
to the specified action.
The facility is one of the following keywords: auth, authpriv,
cron, daemon, kern, lpr, mail, mark, news, security (same as auth), syslog,
user, uucp and local0 through local7. The keyword security should not be
used anymore and mark is only for internal use and therefore should not be
used in applications. Anyway, you may want to specify and redirect these
messages here. The facility specifies the subsystem that produced the
message, i.e. all mail programs log with the mail facility (LOG_MAIL) if
they log using syslog.
The priority is one of the following keywords, in ascending order:
debug, info, notice, warning, warn (same as warning), err, error (same as
err), crit, alert, emerg, panic (same as emerg). The keywords error, warn
and panic are deprecated and should not be used anymore. The priority
defines the severity of the message.
The behavior of the original BSD syslogd is that all messages of
the specified priority and higher are logged according to the given action.
Rsyslogd behaves the same, but has some extensions.
In addition to the above mentioned names the rsyslogd(8)
understands the following extensions: An asterisk ('*') stands for all
facilities or all priorities, depending on where it is used (before or after
the period). The keyword none stands for no priority of the given
You can specify multiple facilities with the same priority pattern
in one statement using the comma (',') operator. You may specify as much
facilities as you want. Remember that only the facility part from such a
statement is taken, a priority part would be skipped.
Multiple selectors may be specified for a single action using the
semicolon (';') separator. Remember that each selector in the selector field
is capable to overwrite the preceding ones. Using this behavior you can
exclude some priorities from the pattern.
Rsyslogd has a syntax extension to the original BSD source, that
makes its use more intuitively. You may precede every priority with an
equals sign ('=') to specify only this single priority and not any of the
above. You may also (both is valid, too) precede the priority with an
exclamation mark ('!') to ignore all that priorities, either exact this one
or this and any higher priority. If you use both extensions then the
exclamation mark must occur before the equals sign, just use it
However, please note that there are some restrictions over the
traditional BSD syslog behaviour. These restrictions stem back to sysklogd,
exist probably since at least the 1990's and as such have always been in
Namely, in BSD syslogd you can craft a selector like this:
The intent is to log all facilities at debug or higher, except for
local6, which should only log at err or higher.
Unfortunately, local6.err will permit error severity and higher,
but will not exclude lower severity messages from facility local6.
As an alternative, you can explicitly exclude all severities that
you do not want to match. For the above case, this selector is equivalent to
the BSD syslog selector:
An easier approach is probably to do if ... then based matching in
The action field of a rule describes what to do with the message. In general,
message content is written to a kind of "logfile". But also other
actions might be done, like writing to a database table or forwarding to
Typically messages are logged to real files. The file has to be specified with
full pathname, beginning with a slash ('/').
/var/log/traditionalfile.log;RSYSLOG_TraditionalFileFormat # log to a file in
the traditional format
Note: if you would like to use high-precision timestamps in your
log files, just remove the ";RSYSLOG_TraditionalFormat". That will
select the default template, which, if not changed, uses RFC 3339
*.* /var/log/file.log # log to a file with RFC3339
By default, files are not synced after each write. To enable
syncing of log files globally, use either the
"$ActionFileEnableSync" directive or the "sync"
parameter to omfile. Enabling this option degrades performance and it is
advised not to enable syncing unless you know what you are doing. To
selectively disable syncing for certain files, you may prefix the file path
with a minus sign ("-").
This version of rsyslogd(8) has support for logging output to named pipes
(fifos). A fifo or named pipe can be used as a destination for log messages by
prepending a pipe symbol ('|') to the name of the file. This is handy for
debugging. Note that the fifo must be created with the mkfifo(1) command
before rsyslogd(8) is started.
If the file you specified is a tty, special tty-handling is done, same with
There are three ways to forward message: the traditional UDP transport, which is
extremely lossy but standard, the plain TCP based transport which loses
messages only during certain situations but is widely available and the RELP
transport which does not lose messages but is currently available only as part
of rsyslogd 3.15.0 and above.
To forward messages to another host via UDP, prepend the hostname
with the at sign ("@"). To forward it via plain tcp, prepend two
at signs ("@@"). To forward via RELP, prepend the string
":omrelp:" in front of the hostname.
In the example above, messages are forwarded via UDP to the
machine 192.168.0.1, the destination port defaults to 514. Due to the nature
of UDP, you will probably lose some messages in transit. If you expect high
traffic volume, you can expect to lose a quite noticeable number of messages
(the higher the traffic, the more likely and severe is message loss).
Sockets for forwarded messages can be bound to a specific device
using the "device" option for the omfwd module.
Target="192.168.0.1" Device="eth0" Port=514
In the example above, messages are forwarded via UDP to the
machine 192.168.0.1 at port 514 over the device eth0. TCP can be used by
setting Protocol to "tcp" in the above example.
For Linux with VRF support, the device option is used to specify
the VRF to send messages.
If you would like to prevent message loss, use RELP:
Note that a port number was given as there is no standard port for
Keep in mind that you need to load the correct input and output
plugins (see "Modules" above).
Please note that rsyslogd offers a variety of options in regarding
to remote forwarding. For full details, please see the HTML
Usually critical messages are also directed to ``root'' on that machine. You can
specify a list of users that shall get the message by simply writing
":omusrmsg:" followed by the login name. You may specify more than
one user by separating them with commas (','). If they're logged in they get
the message (for example: ":omusrmsg:root,user1,user2").
Emergency messages often go to all users currently online to notify them that
something strange is happening with the system. To specify this
wall(1)-feature use an ":omusrmsg:*".
This allows logging of the message to a database table. By default, a
MonitorWare-compatible schema is required for this to work. You can create
that schema with the createDB.SQL file that came with the rsyslog package. You
can also use any other schema of your liking - you just need to define a
proper template and assign this template to the action.
See the HTML documentation for further details on database
If the discard action is carried out, the received message is immediately
discarded. Discard can be highly effective if you want to filter out some
annoying messages that otherwise would fill your log files. To do that, place
the discard actions early in your log files. This often plays well with
property-based filters, giving you great freedom in specifying what you do not
Discard is just the single 'stop' command with no further
*.* stop # discards everything.
Binds an output channel definition (see there for details) to this action.
Output channel actions must start with a $-sign, e.g. if you would like to
bind your output channel definition "mychannel" to the action, use
"$mychannel". Output channels support template definitions like all
all other actions.
This executes a program in a subshell. The program is passed the
template-generated message as the only command line parameter. Rsyslog waits
until the program terminates and only then continues to run.
The program-to-execute can be any valid executable. It receives
the template string as a single parameter (argv).
Rsyslog offers three different types "filter conditions":
* "traditional" severity and facility based selectors
* property-based filters
* expression-based filters
Selectors are the traditional way of filtering syslog messages. They have
been kept in rsyslog with their original syntax, because it is well-known,
highly effective and also needed for compatibility with stock syslogd
configuration files. If you just need to filter based on priority and
facility, you should do this with selector lines. They are not second-class
citizens in rsyslog and offer the best performance for this job.
Property-based filters are unique to rsyslogd. They allow one to filter on any
property, like HOSTNAME, syslogtag and msg.
A property-based filter must start with a colon in column 0. This
tells rsyslogd that it is the new filter type. The colon must be followed by
the property name, a comma, the name of the compare operation to carry out,
another comma and then the value to compare against. This value must be
quoted. There can be spaces and tabs between the commas. Property names and
compare operations are case-sensitive, so "msg" works, while
"MSG" is an invalid property name. In brief, the syntax is as
:property, [!]compare-operation, "value"
The following compare-operations are currently supported:
See the HTML documentation for this feature.
Every output in rsyslog uses templates - this holds true for files, user
messages and so on. Templates compatible with the stock syslogd formats are
hardcoded into rsyslogd. If no template is specified, we use one of these
hardcoded templates. Search for "template_" in syslogd.c and you
will find the hardcoded ones.
Checks if the string provided in value is contained in
Compares the "value" string provided and the
property contents. These two values must be exactly equal to match.
Checks if the value is found exactly at the beginning of
the property value
Compares the property against the provided regular
A template consists of a template directive, a name, the actual
template text and optional options. A sample is:
$template MyTemplateName,"\7Text %property% some
more text ,<options>
The "$template" is the template directive. It tells
rsyslog that this line contains a template. The backslash is an escape
character. For example, \7 rings the bell (this is an ASCII value), \n is a
new line. The set in rsyslog is a bit restricted currently.
All text in the template is used literally, except for things
within percent signs. These are properties and allow you access to the
contents of the syslog message. Properties are accessed via the property
replacer and it can for example pick a substring or do date-specific
formatting. More on this is the PROPERTY REPLACER section of this
% = \%
\ = \\ --> '\' is used to escape (as in C)
$template TraditionalFormat,"%timegenerated% %HOSTNAME%
Properties can be accessed by the property replacer (see there for
Please note that templates can also by used to generate
selector lines with dynamic file names. For example, if you would like
to split syslog messages from different hosts to different files (one per
host), you can define the following template:
This template can then be used when defining an output selector
line. It will result in something like
The <options> part is optional. It carries options influencing the
template as whole. See details below. Be sure NOT to mistake template options
with property options - the later ones are processed by the property replacer
and apply to a SINGLE property, only (and not the whole template).
Template options are case-insensitive. Currently defined are:
- format the string suitable for a SQL statement in MySQL format. This will
replace single quotes ("'") and the backslash character by their
backslash-escaped counterpart ("´" and "\")
inside each field. Please note that in MySQL configuration, the
NO_BACKSLASH_ESCAPES mode must be turned off for this format to work (this
is the default).
- format the string suitable for a SQL statement that is to be sent to a
standards-compliant sql server. This will replace single quotes
("'") by two single quotes ("''") inside each field.
You must use stdsql together with MySQL if in MySQL configuration the
NO_BACKSLASH_ESCAPES is turned on.
Either the sql or stdsql option MUST be
specified when a template is used for writing to a database, otherwise
injection might occur. Please note that due to the unfortunate fact that
several vendors have violated the sql standard and introduced their own
escape methods, it is impossible to have a single option doing all the work.
So you yourself must make sure you are using the right format. If you
choose the wrong one, you are still vulnerable to sql injection.
Please note that the database writer *checks* that the sql option
is present in the template. If it is not present, the write database action
is disabled. This is to guard you against accidental forgetting it and then
becoming vulnerable to SQL injection. The sql option can also be useful with
files - especially if you want to import them into a database on another
machine for performance reasons. However, do NOT use it if you do not have a
real need for it - among others, it takes some toll on the processing time.
Not much, but on a really busy system you might notice it ;)
The default template for the write to database action has the sql
Please note that the samples are split across multiple lines. A template MUST
NOT actually be split across multiple lines.
A template that resembles traditional syslogd file output:
A template that tells you a little more about the message:
A template for RFC 3164 format:
A template for the format traditionally used for user
And a template with the traditional wall-message format:
$template wallmsg,"\r\n\7Message from
syslogd@%HOSTNAME% at %timegenerated%"
A template that can be used for writing to a database (please
note the SQL template option)
Output Channels are a new concept first introduced in rsyslog 0.9.0. As of this
writing, it is most likely that they will be replaced by something different
in the future. So if you use them, be prepared to change you configuration
file syntax when you upgrade to a later release.
$template MySQLInsert,"insert iut, message,
receivedat values ('%iut%', '%msg:::UPPERCASE%',
'%timegenerated:::date-mysql%') into systemevents\r\n", SQL
NOTE 1: This template is embedded into core application under name
StdDBFmt , so you don't need to define it.
NOTE 2: You have to have MySQL module installed to use this
Output channels are defined via an $outchannel directive. It's
syntax is as follows:
name is the name of the output channel (not the file), file-name
is the file name to be written to, max-size the maximum allowed size and
action-on-max-size a command to be issued when the max size is reached. This
command always has exactly one parameter. The binary is that part of
action-on-max-size before the first space, its parameter is everything
behind that space.
Keep in mind that $outchannel just defines a channel with
"name". It does not activate it. To do so, you must use a selector
line (see below). That selector line includes the channel name plus
":omfile:$" in front of it. A sample might be:
The property replacer is a core component in rsyslogd's output system. A syslog
message has a number of well-defined properties (see below). Each of this
properties can be accessed and manipulated by the property replacer. With it,
it is easy to use only part of a property value or manipulate the value, e.g.
by converting all characters to lower case.
Syslog message properties are used inside templates. They are accessed by
putting them between percent signs. Properties can be modified by the property
replacer. The full syntax is as follows:
propname is the name of the property to access. It is
- the MSG part of the message (aka "the message" ;))
- the message exactly as it was received from the socket. Should be useful
- hostname from the message
- hostname of the system the message was received from (in a relay chain,
this is the system immediately in front of us and not necessarily the
- TAG from the message
- the "static" part of the tag, as defined by BSD syslogd. For
example, when TAG is "named", programname is
- PRI part of the message - undecoded (single value)
- the PRI part of the message in a textual form (e.g.
- the monitorware InfoUnitType - used when talking to a MonitorWare backend
(also for phpLogCon)
- the facility from the message - in numerical form
- the facility from the message - in text form
- severity from the message - in numerical form
- severity from the message - in text form
- timestamp when the message was RECEIVED. Always in high resolution
- timestamp from the message. Resolution depends on what was provided in the
message (in most cases, only seconds)
- alias for timereported
- The contents of the PROTOCOL-VERSION field from IETF draft
- The contents of the STRUCTURED-DATA field from IETF draft
- The contents of the APP-NAME field from IETF draft
- The contents of the PROCID field from IETF draft
- The contents of the MSGID field from IETF draft
- The current date stamp in the format YYYY-MM-DD
- The current year (4-digit)
- The current month (2-digit)
- The current day of the month (2-digit)
- The current hour in military (24 hour) time (2-digit)
- The current minute (2-digit)
Properties starting with a $-sign are so-called system properties.
These do NOT stem from the message but are rather internally-generated.
FromChar and toChar are used to build substrings. They specify the offset within
the string that should be copied. Offset counting starts at 1, so if you need
to obtain the first 2 characters of the message text, you can use this syntax:
"%msg:1:2%". If you do not wish to specify from and to, but you want
to specify options, you still need to include the colons. For example, if you
would like to convert the full message text to lower case, use
"%msg:::lowercase%". If you would like to extract from a position
until the end of the string, you can place a dollar-sign ("$") in
toChar (e.g. %msg:10:$%, which will extract from position 10 to the end of the
There is also support for regular expressions. To use them,
you need to place a "R" into FromChar. This tells rsyslog that a
regular expression instead of position-based extraction is desired. The
actual regular expression must then be provided in toChar. The
regular expression must be followed by the string "--end". It
denotes the end of the regular expression and will not become part of it. If
you are using regular expressions, the property replacer will return the
part of the property text that matches the regular expression. An example
for a property replacer sequence with a regular expression is:
"%msg:R:.*Sev:. \(.*\) \[.*--end%"
Also, extraction can be done based on so-called
"fields". To do so, place a "F" into FromChar. A field
in its current definition is anything that is delimited by a delimiter
character. The delimiter by default is TAB (US-ASCII value 9). However, if
can be changed to any other US-ASCII character by specifying a comma and the
decimal US-ASCII value of the delimiter immediately after the "F".
For example, to use comma (",") as a delimiter, use this field
specifier: "F,44". If your syslog data is delimited, this is a
quicker way to extract than via regular expressions (actually, a *much*
quicker way). Field counting starts at 1. Field zero is accepted, but will
always lead to a "field not found" error. The same happens if a
field number higher than the number of fields in the property is requested.
The field number must be placed in the "ToChar" parameter. An
example where the 3rd field (delimited by TAB) from the msg property is
extracted is as follows: "%msg:F:3%". The same example with
semicolon as delimiter is "%msg:F,59:3%".
Please note that the special characters "F" and
"R" are case-sensitive. Only upper case works, lower case will
return an error. There are no white spaces permitted inside the sequence
(that will lead to error messages and will NOT provide the intended
Property options are case-insensitive. Currently, the following options are
Rsyslogd supports queued operations to handle offline outputs (like remote
syslogd's or database servers being down). When running in queued mode,
rsyslogd buffers messages to memory and optionally to disk (on an as-needed
basis). Queues survive rsyslogd restarts.
- convert property to lowercase only
- convert property text to uppercase only
- The last LF in the message (if any), is dropped. Especially useful for
- format as mysql date
- format as RFC 3164 date
- format as RFC 3339 date
- replace control characters (ASCII value 127 and values less then 32) with
an escape sequence. The sequence is "#<charval>" where
charval is the 3-digit decimal value of the control character. For
example, a tabulator would be replaced by "#009".
- replace control characters by spaces
- drop control characters - the resulting string will neither contain
control characters, escape sequences nor any other replacement character
It is highly suggested to use remote forwarding and database
writing in queued mode, only.
To learn more about queued operations, see the HTML
rsyslogd(8), logger(1), syslog(3)
- Configuration file for rsyslogd
The complete documentation can be found in the doc folder of the
rsyslog distribution or online at
Please note that the man page reflects only a subset of the configuration
options. Be sure to read the HTML documentation for all features and details.
This is especially vital if you plan to set up a more-then-extremely-simple
rsyslogd is taken from sysklogd sources, which have been heavily modified
by Rainer Gerhards (firstname.lastname@example.org) and others.