Use this documentation with care! It describes the outdated version 7, which was actively developed around 2014 and is considered dead by the rsyslog team.

This documentation reflects the latest update of the v7-stable branch. It describes the 7.6.8 version, which was never released. As such, it contains some content that does not apply to any released version.

To obtain the doc that properly matches your installed v7 version, obtain the doc set from your distro. Each version of rsyslog contained the version that exactly matches it.

As general advise, it is strongly suggested to upgrade to the current version supported by the rsyslog project. The current version can always be found on the right-hand side info box on the rsyslog web site.

Note that there is only limited rsyslog community support available for the outdated v7 version (officially we do not support it at all, but we usually are able to answer simple questions). If you need to stick with v7, it probably is best to ask your distribution for support.

imrelp: RELP Input Module

Module Name:    imrelp

Author: Rainer Gerhards


Provides the ability to receive syslog messages via the reliable RELP protocol. This module requires librelp to be present on the system. From the user’s point of view, imrelp works much like imtcp or imgssapi, except that no message loss can occur. Please note that with the currently supported relp protocol version, a minor message duplication may occur if a network connection between the relp client and relp server breaks after the client could successfully send some messages but the server could not acknowledge them. The window of opportunity is very slim, but in theory this is possible. Future versions of RELP will prevent this. Please also note that rsyslogd may lose a few messages if rsyslog is shutdown while a network conneciton to the server is broken and could not yet be recovered. Future version of RELP support in rsyslog will prevent that. Please note that both scenarios also exists with plain tcp syslog. RELP, even with the small nits outlined above, is a much more reliable solution than plain tcp syslog and so it is highly suggested to use RELP instead of plain tcp. Clients send messages to the RELP server via omrelp.

Module Parameters:

  • Ruleset <name> (requires v7.5.0+) Binds the specified ruleset to all RELP listeners.

Input Parameters:

  • Port <port> Starts a RELP server on selected port
  • tls (not mandatory, values “on”,”off”, default “off”) If set to “on”, the RELP connection will be encrypted by TLS, so that the data is protected against observers. Please note that both the client and the server must have set TLS to either “on” or “off”. Other combinations lead to unpredictable results.
  • tls.compression (not mandatory, values “on”,”off”, default “off”) The controls if the TLS stream should be compressed (zipped). While this increases CPU use, the network bandwidth should be reduced. Note that typical text-based log records usually compress rather well.
  • tls.dhbits (not mandatory, integer) This setting controls how many bits are used for Diffie-Hellman key generation. If not set, the librelp default is used. For secrity reasons, at least 1024 bits should be used. Please note that the number of bits must be supported by GnuTLS. If an invalid number is given, rsyslog will report an error when the listener is started. We do this to be transparent to changes/upgrades in GnuTLS (to check at config processing time, we would need to hardcode the supported bits and keep them in sync with GnuTLS - this is even impossible when custom GnuTLS changes are made…).
  • tls.permittedPeer peer Places access restrictions on this listener. Only peers which have been listed in this parameter may connect. The validation bases on the certificate the remote peer presents. The peer parameter lists permitted certificate fingerprints. Note that it is an array parameter, so either a single or multiple fingerprints can be listed. When a non-permitted peer connects, the refusal is logged together with it’s fingerprint. So if the administrator knows this was a valid request, he can simple add the fingerprint by copy and paste from the logfile to rsyslog.conf. To specify multiple fingerprints, just enclose them in braces like this: tls.permittedPeer=[“SHA1:…1”, “SHA1:….2”] To specify just a single peer, you can either specify the string directly or enclose it in braces.
  • tls.authMode mode Sets the mode used for mutual authentication. Supported values are either “fingerprint” or “name”. Fingerprint mode basically is what SSH does. It does not require a full PKI to be present, instead self-signed certs can be used on all peers. Even if a CA certificate is given, the validity of the peer cert is NOT verified against it. Only the certificate fingerprint counts. In “name” mode, certificate validation happens. Here, the matching is done against the certificate’s subjectAltName and, as a fallback, the subject common name. If the certificate contains multiple names, a match on any one of these names is considered good and permits the peer to talk to rsyslog.
  • tls.prioritystring (not mandatory, string) This parameter permits to specify the so-called “priority string” to GnuTLS. This string gives complete control over all crypto parameters, including compression setting. For this reason, when the prioritystring is specified, the “tls.compression” parameter has no effect and is ignored. Full information about how to construct a priority string can be found in the GnuTLS manual. At the time of this writing, this information was contained in section 6.10 of the GnuTLS manual. Note: this is an expert parameter. Do not use if you do not exactly know what you are doing.

Caveats/Known Bugs:

  • see description
  • To obtain the remote system’s IP address, you need to have at least librelp 1.0.0 installed. Versions below it return the hostname instead of the IP address.
  • Contrary to other inputs, the ruleset can only be bound to all listeners, not specific ones. This is due to a currently existing limitation in librelp.


This sets up a RELP server on port 20514.

module(load="imrelp") # needs to be done just once
input(type="imrelp" port="20514")

Legacy Configuration Directives:

  • InputRELPServerBindRuleset <name> (available in 6.3.6+) equivalent to: RuleSet
  • InputRELPServerRun <port> equivalent to: Port

Legacy Sample:

This sets up a RELP server on port 20514.

$ModLoad imrelp # needs to be done just once
$InputRELPServerRun 20514

This documentation is part of the rsyslog project. Copyright © 2008-2014 by Rainer Gerhards and Adiscon. Released under the GNU GPL version 3 or higher.

Previous topic

imptcp: Plain TCP Syslog

Next topic

imsolaris: Solaris Input Module

This Page