rsyslog Properties

Data items in rsyslog are called “properties”. They can have different origins. The most important ones stem from received messages, but there are others as well. Whenever you want to access a data item, you access the respective property.

Properties are used in

Property names are case-insensitive (prior to 3.17.0, they were case-sensitive).

Note: many users refer to “rsyslog properties” as “rsyslog variables”. You can treat them as synonymous. Read how rsyslog lead author Rainer Gerhards explains the naming difference.

Message Properties

These are extracted by rsyslog parsers from the original message. All message properties start with a letter.

The following message properties exist:

Note

Property names are case-insensitive. Use the spelling from headings in prose and examples.

Property              Summary
--------------------  ------------------------------------------------------------
msg                   Returns the MSG part of the processed syslog message.
rawmsg                Provides the received message exactly as rsyslog stored it.
rawmsg-after-pri      Contains the raw message content with the syslog PRI removed when present.
hostname              Captures the hostname transmitted within the syslog message.
source                Provides the same hostname value as hostname.
fromhost              Reports the hostname of the system from which the message was received.
fromhost-ip           Provides the message source as an IP address just like fromhost.
fromhost-port         Reports the numeric source port of the sender in line with fromhost.
syslogtag             Returns the TAG field extracted from the syslog message header.
programname           Extracts the static program name portion from the syslog tag.
pri                   Provides the undecoded PRI header value defined by RFC 5424 Section 6.2.1.
pri-text              Formats the RFC 5424 PRI header as facility.severity with the numeric PRI appended.
iut                   Holds the monitorware InfoUnitType value when present.
syslogfacility        Contains the numeric syslog facility extracted from the message.
syslogfacility-text   Returns the textual syslog facility defined in RFC 5424 Table 1.
syslogseverity        Provides the numeric syslog severity extracted from the message.
syslogseverity-text   Returns the textual syslog severity defined in RFC 5424 Table 2.
syslogpriority        Provides the same numeric value as syslogseverity for historical reasons.
syslogpriority-text   Returns the same textual severity string as syslogseverity-text.
timegenerated         Records when rsyslog received the message with high resolution.
timereported          Captures the timestamp present in the original message header.
timestamp             Provides the same value as timereported from the message header.
protocol-version      Carries the VERSION header field defined by RFC 5424 Section 6.2.2.
structured-data       Provides the STRUCTURED-DATA field defined in RFC 5424 Section 6.3.
app-name              Carries the APP-NAME header field defined in RFC 5424 Section 6.2.5.
procid                Carries the PROCID header field defined in RFC 5424 Section 6.2.6.
msgid                 Carries the MSGID header field defined in RFC 5424 Section 6.2.7.
inputname             Identifies the rsyslog input module instance that produced the message.
uuid                  Exposes a per-message UUID generated on first access when enabled.
jsonmesg              Provides the entire message object as a JSON representation.

System Properties

These properties are provided by the rsyslog core engine. They are not related to the message. All system properties start with a dollar-sign.

Special care needs to be taken in regard to time-related system variables:

  • timereported contains the timestamp that is contained within the message header. Ideally, it resembles the time when the message was created at the original sender. Depending on how long the message was in the relay chain, this can be quite old.

  • timegenerated contains the timestamp when the message was received by the local system. Here “received” actually means the point in time when the message was handed over from the OS to rsyslog’s reception buffers, but before any actual processing takes place. This also means a message is “received” before it is placed into any queue. Note that depending on the input, some minimal processing like extraction of the actual message content from the receive buffer can happen. If multiple messages are received via the same receive buffer (a common scenario for example with TCP-based syslog), they bear the same timegenerated stamp because they actually were received at the same time.

  • $now is not from the message. It is the system time when the message is being processed. There is always a small difference between timegenerated and $now because processing always happens after reception. If the message is sitting inside a queue on the local system, the time difference between the two can be some seconds (e.g. due to a message burst and in-memory queueing) up to several hours in extreme cases where a message is sitting inside a disk queue (e.g. due to a database outage). The timereported property is usually older than timegenerated, but may be totally different due to differences in time and time zone configuration between systems.
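The relationship between the three timestamps can be checked mechanically. The following is an added example, not part of the rsyslog documentation or code base: it assumes each record was written out as "timereported timegenerated processing-time hostname msg" with RFC 3339 timestamps, where the third field stands in for $now. The sample records and the three tolerance values are constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample records (not real logs). Fields: timereported,
# timegenerated, a processing-time stamp standing in for $now, hostname, msg.
SAMPLE = """\
2024-05-01T10:00:00+00:00 2024-05-01T10:00:01+00:00 2024-05-01T10:00:01+00:00 web1 ok
2024-05-01T07:30:00+00:00 2024-05-01T10:00:01+00:00 2024-05-01T10:00:02+00:00 relay9 old
2024-05-01T12:00:05+02:00 2024-05-01T10:00:07+00:00 2024-05-01T10:00:07+00:00 db2 tz
2024-05-01T10:20:00+00:00 2024-05-01T10:00:09+00:00 2024-05-01T13:00:09+00:00 app3 future
"""

# Assumed tolerances; tune them to the relay chain and queues actually in use.
MAX_RELAY = timedelta(minutes=5)   # acceptable sender-to-receiver delay
MAX_AHEAD = timedelta(seconds=30)  # acceptable amount a sender clock may run ahead
MAX_QUEUE = timedelta(minutes=1)   # acceptable time spent in local queues


def classify(line):
    """Return (hostname, flags) for one record in the assumed layout."""
    reported_s, generated_s, now_s, host, _msg = line.split(" ", 4)
    reported = datetime.fromisoformat(reported_s)
    generated = datetime.fromisoformat(generated_s)
    now = datetime.fromisoformat(now_s)

    # Offset-aware datetimes compare correctly across time zones, so a sender
    # stamping +02:00 is not mistaken for a two-hour delay.
    transit = generated - reported  # relay delay plus clock or time zone error
    queued = now - generated        # time between reception and processing

    flags = []
    if transit > MAX_RELAY:
        flags.append("stale-timereported")
    elif transit < -MAX_AHEAD:
        flags.append("timereported-in-future")
    if queued > MAX_QUEUE:
        flags.append("long-local-queue")
    return host, flags


def audit(text):
    """Classify every non-empty record and return {hostname: flags}."""
    return dict(classify(line) for line in text.splitlines() if line.strip())


if __name__ == "__main__":
    for host, flags in audit(SAMPLE).items():
        print(host, flags or ["ok"])
```

Because timereported comes from the message header, a flagged record points at the sender's clock, time zone configuration or relay path; timegenerated is the local reference to order events by.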

The following system properties exist:

Property              Summary
--------------------  ------------------------------------------------------------
$bom                  Emits the UTF-8 byte-order mark for use in templates when required.
$myhostname           Returns the local host name as rsyslog knows it.