Configuration¶
This section is the reference manual for configuring rsyslog. It covers all major configuration concepts, modules, and directives needed to build robust logging infrastructures — from simple setups to complex log processing pipelines.
rsyslog’s primary configuration file is located at:
/etc/rsyslog.conf
Additional configuration snippets are commonly placed in:
/etc/rsyslog.d/*.conf
Within these files, you define: - Input modules (where logs come from) - Filters and parsers (how logs are processed) - Actions (where logs are sent) - Global directives (overall behavior and performance tuning)
The topics listed below provide a complete guide to rsyslog configuration.
- Basic Structure
- Output Modules
- omamqp1: AMQP 1.0 Messaging Output Module
- omazureeventhubs: Microsoft Azure Event Hubs Output Module
- omclickhouse: ClickHouse Output Module
- omczmq: Output module for ZeroMQ
- omdtls: Output Module for DTLS Protocol over UDP
- omelasticsearch: Elasticsearch Output Module
- omfile: File Output Module
- omfwd: syslog Forwarding Output Module
- omhdfs: Hadoop Filesystem Output Module
- omhiredis: Redis Output Module
- omhttp: HTTP Output Module
- omhttpfs: Hadoop HTTPFS Output Module
- omjournal: Systemd Journal Output
- omkafka: write to Apache Kafka
- omlibdbi: Generic Database Output Module
- ommail: Mail Output Module
- ommongodb: MongoDB Output Module
- ommysql: MariaDB/MySQL Database Output Module
- omoracle: Oracle Database Output Module
- PostgreSQL Database Output Module (ompgsql)
- ompipe: Pipe Output Module
- omprog: Program integration Output module
- omrabbitmq: RabbitMQ output module
- omrelp: RELP Output Module
- omruleset: ruleset output/including module
- omsendertrack: Sender Tracking Output Module
- omsnmp: SNMP Trap Output Module
- omstdout: stdout output module (testbench tool)
- omudpspoof: UDP spoofing output module
- omusrmsg: notify users
- omuxsock: Unix sockets Output Module
- GuardTime Log Signature Provider (gt)
- Keyless Signature Infrastructure Provider (ksi)
- KSI Signature Provider (rsyslog-ksi-ls12)
- Input Modules
- im3195: RFC3195 Input Module
- imbatchreport: Batch report input module
- imczmq: Input module for ZeroMQ
- imdocker: Docker Input Module
- imdtls: Input Module for DTLS Protocol over UDP
- imfile: Text File Input Module
- imgssapi: GSSAPI Syslog Input Module
- Imhiredis: Redis input plugin
- imhttp: HTTP input module
- imjournal: Systemd Journal Input Module
- imkafka: read from Apache Kafka
- imklog: Kernel Log Input Module
- imkmsg: /dev/kmsg Log Input Module
- immark: Mark Message Input Module
- Impcap: network traffic capture
- improg: Program integration input module
- impstats: Generate Periodic Statistics of Internal Counters
- imptcp: Plain TCP Syslog
- imrelp: RELP Input Module
- imsolaris: Solaris Input Module
- imtcp: TCP Syslog Input Module
- imtuxedoulog: Tuxedo ULOG input module
- imudp: UDP Syslog Input Module
- imuxsock: Unix Socket Input Module
- Parser Modules
- pmciscoios
- pmdb2diag: DB2 Diag file parser module
- pmlastmsg: last message repeated n times
- Log Message Normalization Parser Module (pmnormalize)
- pmnull: Syslog Null Parser Module
- pmrfc3164: Parse RFC3164-formatted messages
- pmrfc3164sd: Parse RFC5424 structured data inside RFC3164 messages
- pmrfc5424: Parse RFC5424-formatted messages
- Message Modification Modules
- AI-based classification (mmaitag)
- IP Address Anonymization Module (mmanon)
- mmcount
- Darwin connector (mmdarwin)
- MaxMind/GeoIP DB lookup (mmdblookup)
- Support module for external message modification modules
- Fields Extraction Module (mmfields)
- JSON/CEE Structured Content Extraction Module (mmjsonparse)
- Kubernetes Metadata Module (mmkubernetes)
- Log Message Normalization Module (mmnormalize)
- RFC5424 structured data parsing module (mmpstrucdata)
- mmrfc5424addhmac
- mmrm1stspace: First Space Modification Module
- Number generator and counter module (mmsequence)
- mmsnmptrapd message modification module
- mmtaghostname: message modification module
- Fix invalid UTF-8 Sequences (mmutf8fix)
- String Generator Modules
- Library Modules
- Templates
- rsyslog Properties
- The Property Replacer
- Filter Conditions
- RainerScript
- Data Types
- Expressions
- Functions
- Control Structures
- configuration objects
- Rsyslog Parameter String Constants
- Examples
- Variable (Property) types
- Lookup Tables
- General Queue Parameters
- The rsyslog “call” statement
- The rsyslog “call_indirect” statement
- global() configuration object
- The rsyslog include() object
- Actions
- Input
- Parser
- timezone
- Examples
- Legacy Configuration Directives
- rsyslog statistic counter
- Modules
- Output Channels
- Dropping privileges in rsyslog
- Notes on IPv6 Handling in Rsyslog
- libgcrypt Log Crypto Provider (gcry)
- libossl Log Crypto Provider (ossl)
- Dynamic Stats
- Lookup Tables
- Percentile Stats
- Converting older formats to
advanced - Configuration Formats
- sysklogd format
Additional Resources¶
Config snippets: See rsyslog config snippets for ready-to-use building blocks.
Example configuration: Download a sample configuration file:
rsyslog-example.conf.
Compatibility Note¶
rsyslog retains partial configuration compatibility with traditional BSD-style syslogd, which can be helpful when migrating from older implementations (e.g., on Solaris or AIX). On modern Linux systems, native rsyslog configuration formats (especially RainerScript) are recommended and provide access to all advanced features.
Support: rsyslog Assistant | GitHub Discussions | GitHub Issues: rsyslog source project
Contributing: Source & docs: rsyslog source project
© 2008–2025 Rainer Gerhards and others. Licensed under the Apache License 2.0.