rsyslog

The rocket-fast system for log processing pipelines

rsyslog

The rocket-fast system for log processing pipelines

Search Results for: queue

Avoid overly-large in memory queues

Rainer GerhardsFAQNo Comments on Avoid overly-large in memory queues

Rsyslog provides the “queue.size” parameter to set a limit on the number of messages a queue can keep in memory. This is primarily meant to support peak traffic.

Note that this counter is given in number of messages, not bytes. A frequent mistake is to think in bytes and select very large values (e.g. 7 million frequently seen, maybe due to a web tutorial somewhere). If queues are that large there is a chance the rsyslog will be aborted by out of memory condition when the queue gets fuller and fuller.

An example. You send data to a remote syslog server. You define a very large queue on it. Usually, the queue keeps very slow. But when the system goes offline, the queue fills up. This will lead to sharply increasing memory usage. Depending on all circumstances this may not be a problem – or it may be! The likelihood of becoming problematic, and harder to reproduce, increases with the number of queues defined.

To avoid such misunderstandings, rsyslog starting at 8.1905.0 emits a warning message. It has probably lead you to this page. If the queue size is correct, you can ignore the warning message. You can also filter it out via regular rules, if you like. But if you did not intend to define such a large queue, please reconsider the value.

Note: rsyslog considers queues larger than 500,000 messages to be overly large – there seldom is a good reason to use sizes in excess of that.

message modification modules: why run in direct (queue) mode?

Rainer Gerhardsself-help

Message modificaton modules modify the message object, so the next actions can process the modified message. However, if the action that invokes the message modification module runs on a real queue (anything other than queue.type=”direct”), the message object is actuallyΒ duplicated, and done so only for executing the action. In other words, the duplicated message object is immediately destroyed after the action completes. That means the modification made by the module will never be visible by anyone else.

So never run a message modification module on a non-direct queue. Message modification modules usually start with the letters “mm” (as in “mmjsonparse”).

Note that this is not a bug: rsyslog’s design is generic, and for most other actions the duplication of message is necessary in many cases. The config parser detects this kind of problems, but does not auto-correct it as the issue points to a potentially larger issue.

Tutorial: Sending impstats Metrics to Elasticsearch Using Rulesets and Queues

rgheorgheMore complex scenarios, , , , , , , , , , ,

Originally posted on the Sematext blog: Monitoring rsyslog’s Performance with impstats and Elasticsearch

If you’re using rsyslog for processing lots of logs (and, as we’ve shown before, rsyslog is good at processing lots of logs), you’re probably interested in monitoring it. To do that, you can use impstats, which comes from input module for process stats. impstats produces information like:
input stats, like how many events went through each input
queue stats, like the maximum size of a queue
– action (output or message modification) stats, like how many events were forwarded by each action
– general stats, like CPU time or memory usage

In this post, we’ll show you how to send those stats to Elasticsearch (or Logsene — essentially hosted ELK, our log analytics service, that exposes the Elasticsearch API), where you can explore them with a nice UI, like Kibana. For example get the number of logs going through each input/output per hour:
kibana_graph
More precisely, we’ll look at:
– useful options around impstats
– how to use those stats and what they’re about
– how to ship stats to Elasticsearch/Logsene by using rsyslog’s Elasticsearch output
– how to do this shipping in a fast and reliable way. This will apply to most rsyslog use-cases, not only impstats

Continue reading “Tutorial: Sending impstats Metrics to Elasticsearch Using Rulesets and Queues”

rsyslog statistic counter Queues

adisconteamsub-faq, , , ,

Queue

For each queue inside the system its own set of statistics counters is created. If there are multiple action (or main) queues, this can become a rather lengthy list. The stats record begins with the queue name (e.g. “main Q” for the main queue; ruleset queues have the name of the ruleset they are associated to, action queues the name of the action).

  • size – currently active messages in queue
  • enqueued – total number of messages enqueued into this queue since startup
  • maxsize – maximum number of active messages the queue ever held
  • full – number of times the queue was actually full and could not accept additional messages
  • discarded.full – number of messages discarded because the queue was full
  • discarded.nf – number of messages discarded because the queue was nearly full. Starting at this point, messages of lower-than-configured severity are discarded to save space for higher severity ones.

Back to statistics counter overview

Lower Bound for Queue Sizes

Rainer GerhardsFAQ,

The queue.size parameter permits to specify the maximum queue size in number of messages. While not technically enforced, there is a lower limit on this parameter. Setting it to very low values (roughly below 100 messages) is not supported and can lead to unpredictable results. Also, future version my automatically adjust to a safe lower bound and/or decide to fail queue startup in those cases. So if you use very low values, do so at your own risk.

Encrypted disk queues

adisconteamFAQ, , ,

This guide will tell you, how to quickly protect your disk queue through encryption. So you can be sure that unauthorized persons can’t read your queue.
Please note that we only use the “disk” queue format in this guide to show you the encrypted files but normally we recommend you to use the “LinkedList” queue format for a better performance.

This feature is available from version 7.5.0 or higher. In addition to rsyslog we need the most current version of librelp.

 

The Intention

Whenever two systems talk over a network, something can go wrong. For example, the communications link may go down, or a client or server may abort. Even in regular cases, the server may be offline for a short period of time because of routine maintenance.

A logging system should be capable of avoiding message loss in situations where the server is not reachable. To do so, unsent data needs to be buffered at the client while the server is offline. Then, once the server is up again, this data is to be sent.

This can easily be acomplished by rsyslog. In rsyslog, every action runs on its own queue and each queue can be set to buffer data if the action is not ready. Of course, you must be able to detect that “the action is not ready”, which means the remote server is offline. This can be detected with plain TCP syslog and RELP, but not with UDP. So you need to use either of the two. In this howto, we use plain TCP syslog.

Please note that we are using rsyslog-specific features. The are required on the client, but not on the server. So the client system must run rsyslog (at least version 7.5.0), while on the server another syslogd may be running, as long as it supports plain tcp syslog.

Normally the rsyslog queueing subsystem tries to buffer to memory if you use the “LinkedList” queue typ. So even if the remote server goes offline, no disk file is generated. File on disk are created only if there is need to, for example if rsyslog runs out of (configured) memory queue space or needs to shutdown (and thus persist yet unsent messages). Using main memory and going to the disk when needed is a huge performance benefit. But in this case we only want to create a disk queue which is encrypted. So we use “Disk” as the queue typ, disk means that rsyslog writes immediately.

How To Setup

First, you need to create a working directory for rsyslog. This is where it stores its queue files (should need arise). You may use any location on your local system.

What have to do next is instruct rsyslog to use a disk queue and then configure your action. There is nothing else to do. With the following simple config file, you forward anything you receive to a remote server and have buffering applied automatically. This must be done on the client machine.

module(load=” imuxsock”) # local message reception
$WorkDirectory /home/test/rsyslog/work # default location for work (spool) files

action(type=”omfwd”
queue.type=”disk” queue.fileName=”enc”
queue.cry.provider=”gcry” queue.cry.key=”/path/to/contrib/gnutls/key.pem”
target=”172.123.123.5
port=”10514″)

The “queue.fileName=”enc”” is used to create encrypted queue files, should need arise. This value must be unique inside rsyslog.conf. No two rules must use the same queue file. Also, for obvious reasons, it must only contain those characters that can be used inside a valid file name. Rsyslog possibly adds some characters in front and/or at the end of that name when it creates files. So that name should not be at the file size name length limit (which should not be a problem these days).
In the next value “queue.cry.key=”/path/to/key”” you have to provide the path to your keyfile, if this path is invalid rsyslog will not encrypt your queue files.

Please note that actual spool files are directly created because we use the “disk” mode, if you use the “LinkedList” mode then they are only created if the remote server is down and there is no more space in the in-memory queue. By default, a short failure of the remote server will never result in the creation of a disk file as a couple of hundered messages can be held in memory by default. [These parameters can be fine-tuned. However, then you need to either fully understand how the queue works (read elaborate doc) or use professional services to have it done based on your specs ;) – what that means is that fine-tuning queue parameters is far from being trivial…]

If you would like to test the encryption scenario, you need to stop, wait a while and restart your server. Then simply open a new generated queue file they should all be encrypted now.

rsyslog: High-Performance Syslog Server and Log Aggregation Tool

The rocket-fast system for log processing pipelines

rsyslog helps you collect, transform, and route event data reliably at scale. Built for speed, flexibility, and control in modern Linux and container environments.

Abstract visualization of rsyslog configuration pipelines
Professional Services
Documentation
GitHub

Runs great on single hosts and in containerized deployments.

Trusted by organizations worldwide

1M+

Messages per second

100+

Input/output modules

20+

Years in production

What’s new

πŸ“¦ Current versions

Download the latest stable release, daily builds, or explore containerized deployments. All versions include documentation and release notes.

Latest stable release: 8.2512.0 [doc] [download]

Next release: 8.2602.0, February 2026

πŸ“¦ daily stable build (Ubuntu)

πŸ“¦ daily stable build (CentOS)

🐳 rsyslog docker container

πŸ“š packages and older versions

πŸͺŸ Windows Agent: 8.1 [download]

Get started in 60 seconds

Two quick ways to try rsyslog.

# Debian/Ubuntu
sudo apt-get update
sudo apt-get install -y rsyslog
sudo systemctl enable --now rsyslog
# Config lives in /etc/rsyslog.conf and /etc/rsyslog.d/
# Docker (example)
docker run --name rsyslog/rsyslog -d \
  -v $(pwd)/rsyslog.conf:/etc/rsyslog.conf:ro \
  -p 514:514/tcp -p 514:514/udp \
  rsyslog/rsyslog

See First steps guide and Basic configuration reference for more detail.

What is rsyslog?

rsyslog is an open-source, high-performance engine for collecting, transforming and routing event data. It ingests from diverse sources (files, journals, syslog, Kafka), applies parsing, enrichment and filtering rules via RainerScript and modules like mmnormalize, buffers safely with disk-assisted queues, and forwards to Elasticsearch, Kafka, HTTP endpoints or files. With over 20 years of proven reliability, rsyslog bridges classic syslog-style logging and modern data pipelines β€” now guided by an AI-First (human-controlled) vision for smarter observability.

Learn more about the project.

Why operators rely on rsyslog

πŸ’Ύ Reliable delivery
Disk-assisted queues and backpressure controls keep pipelines flowing.

πŸ“Ž Flexible parsing
Support for regex, structured formats, JSON, and liblognorm pipelines.

πŸ“¦ Powerful routing
Conditional rules and reusable templates with RainerScript.

πŸ“­ Broad outputs
Files, TCP/UDP/TLS syslog, Kafka, HTTP, and database destinations.

πŸ“° Performance at scale
Multi-threaded design with tuning controls for predictable latency.

🌍 Runs anywhere
Bare metal, virtual machines, and containerized environments.

Works with your observability stack

TargetDescription / Docs link
Elastic / OpenSearchoutput-elasticsearch module guide
Grafana LokiHTTP/JSON shipping example
Kafkaomkafka documentation
Splunk HEComhttp configuration example
Files & rotationomfile output reference
DatabasesOutput modules overview

Integrates via open protocols (syslog, TCP/TLS, HTTP, Kafka). No cloud-vendor lock-in.

πŸ’Ό Professional services for production workloads

Need expert help to ship faster and reduce risk? Our team provides architecture reviews, performance tuning, migrations, troubleshooting, and long-term supportβ€”tailored to your stack.

  • βœ… Architecture & performance reviews
  • βœ… Production readiness, HA & DR patterns
  • βœ… Migrations (e.g., from Kiwi, Logstash)
  • βœ… Custom modules and integrations
  • βœ… Incident response and troubleshooting
  • βœ… SLAs and long-term support options
Talk to an expert
Custom development

πŸ’» Two tiny examples

Example A (RainerScript)

module(load="imuxsock")
module(load="imklog")
template(name="jsonl" type="list") {
  constant(value="{\"ts\":\"")     property(name="timereported" dateFormat="rfc3339")
  constant(value="\",\"host\":\"") property(name="hostname")
  constant(value="\",\"msg\":\"")  property(name="msg" format="json")
  constant(value="\"}\n")
}
*.* action(type="omfile" file="/var/log/events.jsonl" template="jsonl")

Example B (RainerScript)

module(load="imuxsock")
module(load="omkafka")
if ($programname == "sshd") then {
  action(type="omkafka"
         broker=["kafka:9092"]
         topic="security-auth"
         template="RSYSLOG_TraditionalFileFormat")
}

πŸ€– Self-support with the rsyslog Assistant

The rsyslog Assistant is an AI-powered self-support tool based on curated, verified project knowledge, supervised by maintainers. Use it to explore configuration options, examples, and troubleshooting tips.

Open rsyslog Assistant

πŸ“’ Latest from the project

View all news

Documentation | Modules | Community | Security | Support / Contact

rsyslog 8.2510.0 (2025.10) released

Rainer Gerhardsannouncement, Release Announcement, Uncategorized

We have today released the 8.25100 rsyslog scheduled stable release. This release delivers three main themes: better Windows Security event ingestion, more flexible JSON handling end to end, and pragmatic compatibility fixes across popular outputs and platforms. It also includes steady documentation improvements and CI hardening.

Continue reading “rsyslog 8.2510.0 (2025.10) released”

rsyslog 8.2508.0 (2025.08) – release announcement

Rainer Gerhardsannouncement, Release Announcement

Download: https://www.rsyslog.com/files/download/rsyslog/rsyslog-8.2508.0.tar.gz
Project-provided packages are building now and are expected later today. Ubuntu PPAs are already done.

We are excited to ship a large and meaningful rsyslog release. This cycle advances our responsible “AI First” strategy and moves decisively toward cloud native operations. It also delivers major quality, security, and documentation improvements.

Continue reading “rsyslog 8.2508.0 (2025.08) – release announcement”
Scroll to top