Confused With Syslog Message Format

Better Stack Team
Updated on November 18, 2024

If you're confused about the syslog message format and how rsyslog handles it, here’s a quick overview to help clarify:

Syslog Message Format

Syslog messages in the traditional BSD format (RFC 3164) have a standard layout which typically looks like this:

<PRI>TIMESTAMP HOSTNAME TAG: MESSAGE
  • PRI: Priority value in angle brackets, computed as facility × 8 + severity (so it ranges from 0 to 191); there is no space between the closing bracket and the timestamp.
  • TIMESTAMP: Date and time of the log entry.
  • HOSTNAME: The name of the machine that generated the log.
  • TAG: A short string identifying the source of the log message.
  • MESSAGE: The actual log message content.
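As an added example (not part of the original article), here is a small Python parser for the layout above: it splits PRI into facility and severity names and rejects an out-of-range PRI, the parsing failure the Common Issues section mentions. The two log lines at the bottom are constructed, not captured from a real host.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Traditional BSD syslog layout: <PRI>TIMESTAMP HOSTNAME TAG: MESSAGE.
# PRI = facility * 8 + severity, so a valid PRI is 0..191 (facility 0..23, severity 0..7).
_LINE_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<timestamp>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<hostname>\S+) "
    r"(?P<tag>[^:\[\s]+)(?:\[(?P<pid>\d+)\])?: ?"
    r"(?P<msg>.*)$"
)
_SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
_FACILITIES = (["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
                "uucp", "cron", "authpriv", "ftp"]
               + [f"facility{n}" for n in range(12, 16)]   # rarely used codes 12..15
               + [f"local{n}" for n in range(8)])


@dataclass
class SyslogMessage:
    pri: int
    facility: str
    severity: str
    timestamp: str
    hostname: str
    tag: str            # rsyslog's $programname is this tag without the [pid] part
    pid: Optional[int]
    msg: str


def parse_syslog(line: str) -> SyslogMessage:
    """Parse one BSD-style syslog line; raise ValueError on a malformed PRI or layout."""
    m = _LINE_RE.match(line.rstrip("\r\n"))
    if not m:
        raise ValueError(f"not a <PRI>TIMESTAMP HOSTNAME TAG: MESSAGE line: {line!r}")
    pri = int(m["pri"])
    if pri > 191:
        # The 'Incorrect PRI value' failure mode: an out-of-range priority cannot be
        # decomposed into a facility/severity pair, so reject it rather than guess.
        raise ValueError(f"PRI {pri} out of range 0..191")
    facility, severity = divmod(pri, 8)
    return SyslogMessage(pri, _FACILITIES[facility], _SEVERITIES[severity],
                         m["timestamp"], m["hostname"], m["tag"],
                         int(m["pid"]) if m["pid"] else None, m["msg"])


if __name__ == "__main__":
    # Constructed sample lines: one valid (86 = authpriv.info), one with a bad PRI.
    for sample in ("<86>Nov 18 10:15:02 web01 myapp[2231]: user login ok",
                   "<200>Nov 18 10:15:03 web01 myapp: bad priority"):
        try:
            print(parse_syslog(sample))
        except ValueError as exc:
            print("rejected:", exc)
```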

Rsyslog Configuration

In rsyslog, you often deal with parsing, filtering, and routing syslog messages. Here’s a basic rundown of the configuration elements:

  1. Modules: Modules extend rsyslog functionality. Common modules include imudp for UDP input, imtcp for TCP input, and omfile for outputting logs to files.
  2. Inputs: Define sources of log messages. For example:

    module(load="imudp") # Load UDP module
    input(type="imudp" port="514") # Listen on port 514

  3. Templates: Define how log messages are formatted. Example:

    template(name="MyTemplate" type="string" string="%TIMESTAMP% %HOSTNAME% %syslogtag% %msg%\n")

  4. Rules: Rules specify how to handle incoming log messages. Example:

    if $programname == 'myapp' then /var/log/myapp.log
    & ~

    This rule routes messages from myapp to /var/log/myapp.log; the & ~ line then discards that message so no later rule processes it (current rsyslog versions spell this action stop instead of ~).

  5. Actions: Actions define what happens to log messages after they are processed by rules. Actions can include writing to files, forwarding to remote servers, or executing commands.

Example Configuration

Here’s a simple example configuration for rsyslog to handle syslog messages:

# Load modules
module(load="imudp") # UDP input
module(load="omfile") # File output

# Define template
template(name="CustomFormat" type="string" string="%TIMESTAMP% %HOSTNAME% %syslogtag% %msg%\n")

# Define input
input(type="imudp" port="514")

# Define rules
if $programname == 'myapp' then {
    action(type="omfile" file="/var/log/myapp.log" template="CustomFormat")
} else {
    # Discard messages not handled by the above rule
    stop
}

Common Issues

  • Incorrect PRI Value: If rsyslog isn't handling messages as expected, check that the PRI value is correctly formatted: an integer from 0 to 191 in angle brackets, immediately followed by the timestamp. An incorrect PRI value can cause parsing issues.
  • Log Rotation: Ensure that log rotation tools (like logrotate) are correctly configured to handle rsyslog log files.
  • Permissions: Verify that rsyslog has the necessary permissions to read/write the log files.
Licensed under CC-BY-NC-SA

This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.