Logging Configuration Reference

The /etc/rsyslog.conf file is divided into three main sections.

Important:

The format to configure parameters in /etc/rsyslog.conf can change between major versions. The following formats enable backward compatibility with previous configurations:

  • Basic or sysklogd format. This has been used since the beginning of system logging.
  • Legacy format, where directives are defined on their own specific lines in the file, with each directive being preceded by the dollar ($) sign, such as $MainMsgQueueSize.
  • Advanced format, which uses the RainerScript scripting language for configuring rsyslog.

For more information about these formats, see the relevant sections in https://www.rsyslog.com/doc/.

Modules

Modules contain configuration parameters for processing messages. The processed or transformed messages can then be transmitted to various targets as required. Modules are classified into different categories, such as output, input, parser, library, and so on. For a complete list of these module classes, see the appropriate section in https://www.rsyslog.com/doc/. For a list of the modules, see the rsyslog.conf(5) manual page.

A module's functionality becomes available only after the module is loaded. Modules are loaded through the module load directive as follows:

module(load="module-name")

Note:

The directive uses the advanced format for loading a module and replaces the $ModLoad module-name legacy format.

Global Directives

Global directives specify configuration options that apply to the rsyslogd daemon. A directive might specify the location of auxiliary files. A directive can also be a module(load="...") statement that applies global settings, such as the timestamp format to use for all messages, as shown in the following example:

module(load="builtin:omfile" Template="RSYSLOG_TraditionalFileFormat")

Because the module applies to all messages, the directive is specified under the Global Directives section.

Rules

Rules or rule sets configure how logged messages are managed.

A rule consists of two fields: a selector field and an action field. The two fields are separated by one or more spaces or tabs.

The selector field has two parts, separated by a period, which are a facility keyword and a priority keyword. Facility keywords include auth, authpriv, cron, daemon, kern, and so on. Priority keywords include debug, info, notice, warning, and so on. Therefore kern.* selects kernel messages of all priority levels, but kern.emerg selects emergency kernel messages only.

For a list of both facility and priority selectors, see the rsyslog.conf(5) manual page.

The action field typically indicates to which log file the message content is written. For example, the following rule indicates that cron messages are stored in log files in the /var/log/cron directory:

cron.*   /var/log/cron
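
The selector matching described above, as an added example that is not from the original page or from rsyslog's own code: a small Python model that reports which actions receive a message with a given facility and priority. It goes beyond the page by also handling the ";", ",", "none", "=" and "!" selector syntax documented in rsyslog.conf(5); every sample rule except the cron line, including the /var/log/kern-emerg path, is constructed.

```python
# Added example: a model of basic-format selector matching, not rsyslog's code.
# A plain priority keyword selects that priority and every more severe one.
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Constructed sample rules; only the cron line appears on this page.
SAMPLE_RULES = """\
# selector                                  action
*.info;mail.none;authpriv.none;cron.none    /var/log/messages
authpriv.*                                  /var/log/secure
cron.*                                      /var/log/cron
kern.emerg                                  /var/log/kern-emerg
"""

def parse_rules(text):
    """Return (selector, action) pairs, skipping blank lines and comments."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        selector, action = line.split(None, 1)  # fields split on spaces or tabs
        rules.append((selector, action.strip()))
    return rules

def selector_matches(selector, facility, severity):
    """Apply each ';'-separated part in order; later parts override earlier ones."""
    sev = SEVERITIES.index(severity)  # 0 = emerg (most severe), 7 = debug
    selected = False
    for part in selector.split(";"):
        facilities, _, prio = part.rpartition(".")
        if facilities != "*" and facility not in facilities.split(","):
            continue
        if prio == "none":
            selected = False
            continue
        negate, prio = prio.startswith("!"), prio.lstrip("!")
        exact, prio = prio.startswith("="), prio.lstrip("=")
        if prio == "*":
            hit = True
        else:
            level = SEVERITIES.index(prio)  # ValueError on an unknown keyword
            hit = sev == level if exact else sev <= level
        if hit:
            selected = not negate
    return selected

def route(text, facility, severity):
    """List the actions that would receive a message with this facility/severity."""
    return [a for s, a in parse_rules(text) if selector_matches(s, facility, severity)]
```

Calling route(SAMPLE_RULES, "authpriv", "notice") shows that the authpriv.none part keeps authentication messages out of /var/log/messages, so they reach only /var/log/secure.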