rsyslog documentation

Security

Securing your setup

Dropping privileges

See also

Help with configuring/using Rsyslog:

  • rsyslog Assistant: official AI-powered support

  • GitHub Discussions

  • GitHub Issues: rsyslog source project – report suspected bugs

See also

Contributing to Rsyslog:

  • Source & documentation are in the unified rsyslog source project repository

Copyright 2008-2025 Rainer Gerhards, (Großrinderfeld), and others.
