5. Order Matters: Config and Include Files¶

Learn how rsyslog processes configuration in order, why file ordering in /etc/rsyslog.d/ matters, and how earlier rules affect later ones.

5.1. Goal¶

Understand that rsyslog executes rules sequentially. The order of actions and included files can change results.

5.2. Key principle¶

Rules in the same file run top to bottom.
Files in /etc/rsyslog.d/ are processed in lexical order (e.g., 10-first.conf runs before 50-extra.conf).
An earlier rule can discard or modify messages, so later rules may never see them.

5.3. Hands-on example¶

Create /etc/rsyslog.d/10-drop.conf:

if ($programname == "tut05") then {
    stop    # discard these messages, no further actions
}

Create /etc/rsyslog.d/20-log.conf:

if ($programname == "tut05") then {
    action(type="omfile" file="/var/log/tut05.log")
}

Restart rsyslog:

sudo systemctl restart rsyslog

Send a test message:

logger -t tut05 "hello from tutorial 05"

5.3.1. Expected result¶

No file /var/log/tut05.log is created. The first snippet (10-drop.conf) discards the message before the logging rule runs.

5.4. Switch the order¶

Rename the files to reverse order:

sudo mv /etc/rsyslog.d/10-drop.conf /etc/rsyslog.d/50-drop.conf
sudo systemctl restart rsyslog
logger -t tut05 "hello after reorder"

Now /var/log/tut05.log will contain the message, because the logging rule ran first.

5.5. If it’s not working…¶

Still no log file
- Check snippet order with: ls -1 /etc/rsyslog.d/
- Ensure 20-log.conf comes before 50-drop.conf.
File exists but is empty
- Confirm you used the correct tag: logger -t tut05 "…"
Syntax errors
- Validate your config: sudo rsyslogd -N1

5.6. Verification checkpoint¶

By the end of this tutorial you should be able to:

Explain that rsyslog rules run top to bottom, file by file.
Use file naming (10-…, 50-…) to control execution order.
Predict why a later action might never see a message.

5.7. See also / Next steps¶

The Message Pipeline: Inputs → Rulesets → Actions – how messages flow through inputs, rulesets, and actions.
Basic Configuration – reference example of a simple config.
Forwarding Logs – adding network forwarding.

Tip

🎬 Video idea (3 min): show two snippet files, run logger -t tut05 …, then swap the file order and rerun. Visualize how rsyslog processes files in lexical order.

Support: rsyslog Assistant | GitHub Discussions | GitHub Issues: rsyslog source project

Contributing: Source & docs: rsyslog source project