pmrfc3164: Parse RFC3164-formatted messages

Module Name:

pmrfc3164

Author:

Rainer Gerhards <rgerhards@adiscon.com>

Purpose

This parser module is for parsing messages according to the traditional/legacy syslog standard RFC 3164

It is part of the default parser chain.

Note

pmrfc3164 is built into rsyslog and must not be loaded with module(load="pmrfc3164"). Configure parameters via the parser directive.

The parser can also be customized to allow the parsing of specific formats, if they occur.

Configuration Parameters

Note

Parameter names are case-insensitive; CamelCase is recommended for readability.

Parser Parameters

Parameter

Summary

permit.squareBracketsInHostname

Accept hostnames enclosed in [].

permit.slashesInHostname

Allow / in hostnames, useful for syslog-ng relay chains.

permit.AtSignsInHostname

Allow @ in hostnames, typically from syslog-ng relays.

force.tagEndingByColon

Require tags to end with a colon or set the tag to -.

remove.msgFirstSpace

Remove the first space after the tag to improve RFC3164/RFC5424 interoperability.

detect.YearAfterTimestamp

Treat a year following the timestamp as part of the timestamp instead of the hostname.

detect.headerless

Enable detection of messages lacking standard syslog headers.

headerless.hostname

Override the hostname assigned to headerless messages.

headerless.tag

Set the tag used for headerless messages.

headerless.ruleset

Route headerless messages to a specific ruleset.

headerless.errorfile

Append raw headerless input to a file before other processing.

headerless.drop

Discard headerless messages after optional logging.

Signal Handling

HUP Signal Support

This parser module supports the HUP signal for log rotation when using the headerless.errorfile parameter. When rsyslog receives a HUP signal, the module will:

  1. Close the current headerless error file

  2. Automatically reopen it on the next write operation

This allows external log rotation tools (like logrotate) to safely rotate the headerless error file by moving/renaming it and then sending a HUP signal to rsyslog.

Example log rotation configuration:

/var/log/rsyslog-headerless.log {
    daily
    rotate 7
    compress
    delaycompress
    postrotate
        /bin/kill -HUP `cat /var/run/rsyslogd.pid 2> /dev/null` 2> /dev/null || true
    endscript
}

Examples

Receiving malformed RFC3164 messages

We assume a scenario where some of the devices send malformed RFC3164 messages. The parser module will automatically detect the malformed sections and parse them accordingly.

module(load="imtcp")

input(type="imtcp" port="514" ruleset="customparser")

parser(name="custom.rfc3164"
      type="pmrfc3164"
      permit.squareBracketsInHostname="on"
      detect.YearAfterTimestamp="on")

ruleset(name="customparser" parser="custom.rfc3164") {
 ... do processing here...
}

Support: rsyslog Assistant | GitHub Discussions | GitHub Issues: rsyslog source project

Contributing: Source & docs: rsyslog source project

© 2008–2025 Rainer Gerhards and others. Licensed under the Apache License 2.0.