Examples

Below are examples for templates and rule definitions using RainerScript.

Templates

Templates define how messages are formatted before being written to a file, forwarded, or otherwise processed.

Traditional syslogd-like format:

template(name="TraditionalFormat" type="list") {
    property(name="timegenerated")         # Time rsyslog received the message
    constant(value=" ")                    # Add a space
    property(name="hostname")              # Add the hostname
    constant(value=" ")                    # Add a space between hostname and tag
    property(name="syslogtag")             # Add the syslog tag
    property(name="msg" droplastlf="on")   # Add the message, removing the trailing LF
    constant(value="\n")                   # End with a newline
}

A template with additional details:

template(name="PreciseFormat" type="list") {
    property(name="syslogpriority")        # Log priority
    constant(value=",")
    property(name="syslogfacility")        # Facility
    constant(value=",")
    property(name="timegenerated")         # Timestamp
    constant(value=",")
    property(name="hostname")              # Hostname
    constant(value=",")
    property(name="syslogtag")             # Syslog tag
    constant(value=",")
    property(name="msg")                   # Message content
    constant(value="\n")
}

RFC 3164 format:

template(name="RFC3164fmt" type="list") {
    constant(value="<")
    property(name="pri")                   # Priority
    constant(value=">")
    property(name="timestamp")             # Timestamp (RFC 3164 format)
    constant(value=" ")
    property(name="hostname")              # Hostname
    constant(value=" ")
    property(name="syslogtag")             # Syslog tag
    property(name="msg")                   # Message content
}

Database insert format (with SQL option):

template(name="MySQLInsert" type="list" option.sql="on") {
    # option.sql="on" backslash-escapes single quotes and backslashes in each property value
    constant(value="insert into systemevents (iut, message, receivedat) values ('")
    property(name="iut")                   # Insert iut field
    constant(value="', '")
    property(name="msg" caseconversion="upper")  # Insert message, converted to upper-case
    constant(value="', '")
    property(name="timegenerated" dateformat="mysql")  # Insert timestamp in MySQL format
    constant(value="')")
}

Rule Examples

The following examples demonstrate how to apply filters and actions with modern RainerScript syntax.

Store critical messages in a dedicated file:

if prifilt("*.crit") and not prifilt("kern.*") then {
    action(type="omfile" file="/var/adm/critical")   # Save critical messages except kernel to /var/adm/critical
}

Store all kernel messages in a file:

if prifilt("kern.*") then {
    action(type="omfile" file="/var/adm/kernel")     # Log all kernel facility messages
}

Forward critical kernel messages (TCP) to a remote server:

if prifilt("kern.crit") then {
    action(
        type="omfwd"
        target="server.example.net"                  # Destination server
        protocol="tcp"                               # Use TCP forwarding
        port="514"                                   # Standard syslog port
        template="RFC3164fmt"                        # Use RFC 3164 format
    )
}

Send emergency messages to all logged-in users:

if prifilt("*.emerg") then {
    action(type="omusrmsg" users="*")                # Send emergencies to all users
}

Forward all logs to a remote server (TCP):

action(
    type="omfwd"
    target="server.example.net"                      # Destination server
    protocol="tcp"                                   # Use TCP
    port="514"                                       # Standard syslog port
)

Filter messages containing “error” and forward them:

if ($msg contains "error") then {
    action(
        type="omfwd"
        target="server.example.net"                  # Destination server
        protocol="udp"                               # Use UDP
    )
}
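
The forwarding examples above send messages in cleartext over TCP or UDP. The following added example (not part of the original rsyslog documentation page) shows the same forwarding action over TLS with the receiver's certificate name verified. The CA file path and port 6514 are assumptions for illustration, and the gtls netstream driver module must be installed.

```rainerscript
# Added example, not from the rsyslog documentation page.
# Assumed: the CA file path below, port 6514 (registered syslog-over-TLS port),
# and a receiver certificate issued by this CA for server.example.net.
global(
    DefaultNetstreamDriver="gtls"                             # GnuTLS netstream driver
    DefaultNetstreamDriverCAFile="/etc/rsyslog.d/tls/ca.pem"  # Assumed path: CA that signed the receiver's certificate
)

# Weak: cleartext TCP, readable and modifiable in transit (as in the examples above)
# action(type="omfwd" target="server.example.net" protocol="tcp" port="514")

# Hardened: TLS, with the receiver's certificate chain and name checked
action(
    type="omfwd"
    target="server.example.net"                      # Destination server
    protocol="tcp"                                   # TLS runs over TCP
    port="6514"                                      # Assumed: receiver listens for TLS here
    StreamDriver="gtls"                              # Use the TLS netstream driver for this action
    StreamDriverMode="1"                             # 1 = TLS-only; 0 would be plain TCP
    StreamDriverAuthMode="x509/name"                 # Validate the chain and the certificate name
    StreamDriverPermittedPeers="server.example.net"  # Only accept this name in the receiver's certificate
)
```

If the receiver also authenticates its clients, set DefaultNetstreamDriverCertFile and DefaultNetstreamDriverKeyFile in global() as well.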


© 2008–2025 Rainer Gerhards and others. Licensed under the Apache License 2.0.