Understanding rsyslog.conf

rsyslog is the logging daemon used by CentOS and RedHat. A number of Linux applications, including the Linux kernel, send their logging output to rsyslog. Rsyslog runs as /sbin/rsyslogd and its configuration file is /etc/rsyslog.conf.
Rsyslog is a full replacement for syslog and is more fully featured.

rsyslog has a modular design which supports over a dozen modules; the two most common ones are specified in /etc/rsyslog.conf as:

#UDP logging
$ModLoad imudp
$UDPServerRun 514

#TCP logging
$ModLoad imtcp
$InputTCPServerRun 514

Lines starting with '#' are ignored in /etc/rsyslog.conf.
Global directives start with $ on their own line.
Templates allow you to specify the format of the logged message. By default rsyslog logs output in the standard syslog format. To change the format, use the template directive, as in '$template RFC3164fmt,"%TIMESTAMP% %HOSTNAME% %syslogtag%%msg%"'. This will output syslog messages in the format specified in RFC3164. RFC3164fmt is the name given to this template; you can call it anything else you want, what matters is the actual format in double quotes.

Rules in rsyslog.conf specify what to do with a message and consist of a selector and an action. A selector is a combination of facility and priority.

Facility can be any of the following: auth, authpriv, cron, daemon, kern, lpr, mail, mark, news, syslog, user, uucp and local0 through local7. The facility is the subsystem that produced the log; for instance, kern is for log messages produced by the kernel.

Priority in ascending order can be: debug, info, notice, warning, warn (same as warning), err, error (same as err), crit, alert, emerg, panic (same as emerg). The priority defines the severity of the message.

Action is what to do with the message, for instance to output it to a log file. An example of a selector and action would be 'kern.* /dev/console', which means send all kernel messages of any priority to /dev/console.
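To see where a given message ends up under a set of rules, here is an added example (not from the original post or from rsyslog itself) that evaluates selector rules against a message's facility and priority. It follows classic syslog.conf semantics, which the post does not spell out: 'facility.priority' matches that priority and everything more severe, and the 'none' and '=priority' modifiers are assumed standard syslog.conf features. The config fragment is constructed for the example.

```python
# Added example; not from the post. Selector semantics follow classic
# syslog.conf: 'fac.prio' matches prio and anything more severe, '*' matches
# all, and 'none' / '=prio' (assumed, not in the post) exclude or match exactly.
FACILITIES = ["auth", "authpriv", "cron", "daemon", "kern", "lpr", "mail", "mark",
              "news", "syslog", "user", "uucp"] + [f"local{i}" for i in range(8)]
PRIORITIES = ["debug", "info", "notice", "warning", "err", "crit", "alert", "emerg"]
ALIASES = {"warn": "warning", "error": "err", "panic": "emerg"}  # same meaning

# Constructed rsyslog.conf fragment in the style of the post (not a real host's file).
SAMPLE_CONF = """\
$ModLoad imudp
kern.*                            /dev/console
*.info;mail.none;authpriv.none    /var/log/messages
authpriv.*                        /var/log/secure
mail.*                            -/var/log/maillog
*.emerg                           *
"""

def level(priority):
    """Rank of a priority name in ascending severity; aliases accepted."""
    return PRIORITIES.index(ALIASES.get(priority, priority))

def selector_matches(selector, facility, priority):
    """Match one 'fac[,fac].prio' selector; None means 'none' (exclusion)."""
    facs, _, prio = selector.rpartition(".")
    if facs != "*" and facility not in facs.split(","):
        return False
    if prio == "none":
        return None
    if prio == "*":
        return True
    if prio.startswith("="):
        return level(priority) == level(prio[1:])
    return level(priority) >= level(prio)

def actions_for(conf, facility, priority):
    """Return the actions every rule in conf would apply to this message."""
    hits = []
    for line in map(str.strip, conf.splitlines()):
        if not line or line[0] in "#$":  # comment or global directive, not a rule
            continue
        selectors, action = line.split(None, 1)
        matched = False
        for sel in selectors.split(";"):  # later selectors override earlier ones
            result = selector_matches(sel, facility, priority)
            matched = False if result is None else (matched or result)
        if matched:
            hits.append(action)
    return hits
```

Running actions_for(SAMPLE_CONF, "authpriv", "notice") shows the message reaching only /var/log/secure, because authpriv.none removes it from the /var/log/messages rule.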

I have only covered some of the options of rsyslog; for more information you may want to run 'man rsyslog.conf'.

Have you done anything fancy with rsyslog or do you use the stock config? Share your comments in this blog.