Confused With Syslog Message Format

Better Stack Team
Updated on November 18, 2024

If you're confused about the syslog message format and how rsyslog handles it, here’s a quick overview to help clarify:

Syslog Message Format

Syslog messages in the classic ("BSD", RFC 3164) format look like this:

 
<PRI>TIMESTAMP HOSTNAME TAG[PID]: MESSAGE
  • PRI: Priority value, a decimal number in angle brackets with no space after the closing bracket. It packs the facility and severity into one number: PRI = facility * 8 + severity. For example, <34> is facility 4 (auth) and severity 2 (crit); a valid PRI is between 0 and 191.
  • TIMESTAMP: Date and time of the log entry, written like "Oct 11 22:14:15" (month, space-padded day, time). The classic format carries no year and no time zone.
  • HOSTNAME: The name of the machine that generated the log.
  • TAG: A short string identifying the source of the log message, usually the program name, often followed by the process ID in square brackets (for example su[1234]). rsyslog's $programname property is this tag with the [PID] part removed.
  • MESSAGE: The actual log message content.

The newer RFC 5424 format adds a version number after PRI, an RFC 3339 timestamp, and separate APP-NAME, PROCID, MSGID and STRUCTURED-DATA fields. rsyslog's default parser chain accepts both formats on the same input and exposes the fields through the same property names.

Rsyslog Configuration

In rsyslog, you often deal with parsing, filtering, and routing syslog messages. Here’s a basic rundown of the configuration elements:

  1. Modules: Modules extend rsyslog functionality. Common loadable modules include imudp for UDP input and imtcp for TCP input. omfile (file output) is built in and needs no module() line; you only write module(load="builtin:omfile" ...) when you want to set module-level parameters for it.
  2. Inputs: Define sources of log messages. For example:

     
    module(load="imudp") # Load UDP module
    input(type="imudp" port="514") # Listen on port 514 on all interfaces
    
     Syslog over UDP is unauthenticated and trivially spoofed, so an input like this should be bound to a specific address (add address="..." to the input) and reachable only from the hosts that are meant to send to it. For remote senders prefer imtcp, with TLS if the network is not trusted.
  3. Templates: Define how log messages are formatted. Example:

     
    template(name="MyTemplate" type="string" string="%TIMESTAMP% %HOSTNAME% %syslogtag% %msg%\n")
    
     In a string template each %property% expands to the named message property, and the trailing \n is the line terminator; without it every record is appended to the same line.
  4. Rules: Rules specify how to handle incoming log messages. Example (legacy syntax):

     
    if $programname == 'myapp' then /var/log/myapp.log
    & ~
    

    This rule writes messages whose program name is myapp to /var/log/myapp.log. The & on the next line means "same filter as the previous line", and ~ is the legacy discard action, so a matching message is not processed by any later rule (otherwise it would also land in the default log file). ~ is deprecated in current rsyslog; in RainerScript you write stop instead.

  5. Actions: Actions define what happens to log messages after they are processed by rules. Actions can include writing to files, forwarding to remote servers, or executing commands.

Example Configuration

Here’s a simple example configuration for rsyslog to handle syslog messages:

 
# Load modules
module(load="imudp") # UDP input (omfile is built in and needs no module() line)

# Define template
template(name="CustomFormat" type="string" string="%TIMESTAMP% %HOSTNAME% %syslogtag% %msg%\n")

# Define input
input(type="imudp" port="514") # add address="..." to bind to one interface instead of all

# Define rules
if $programname == 'myapp' then {
    action(type="omfile" file="/var/log/myapp.log" template="CustomFormat")
    stop # do not let later rules (e.g. the distribution's default catch-all) write this message again
}

# Messages that do not match the rule above have no action in this file, so they
# are discarded unless other rules (for example those in /etc/rsyslog.d) follow.
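As an added example (not part of the original article and not rsyslog's own code), the following Python script ties the two halves of this page together: it parses lines in the classic format from the "Syslog Message Format" section, decodes PRI into facility and severity, derives $programname from the tag the way rsyslog does, and then applies the routing rule from the example configuration above, including the stop. The sample lines are constructed, the /var/log/syslog fallback destination is an assumption of this example, and an out-of-range PRI is treated like a missing one (the RFC 3164 default of 13, user.notice).

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Facility (0-23) and severity (0-7) names; PRI = facility * 8 + severity.
FACILITIES = (
    "kern user mail daemon auth syslog lpr news uucp cron authpriv ftp "
    "ntp security console solaris-cron local0 local1 local2 local3 "
    "local4 local5 local6 local7"
).split()
SEVERITIES = "emerg alert crit err warning notice info debug".split()
DEFAULT_PRI = 13  # user.notice: what RFC 3164 tells a relay to assume when PRI is missing

# <PRI> is optional in the regex so that a message without it is still parsed, but flagged.
SYSLOG_RE = re.compile(
    r"^(?:<(?P<pri>\d{1,3})>)?"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "   # e.g. "Oct 11 22:14:15" / "Oct  5 ..."
    r"(?P<host>\S+) "
    r"(?P<prog>[^\s:\[]+)(?:\[(?P<pid>\d+)\])?:?"      # TAG = prog[pid]:
    r" ?(?P<msg>.*)$"
)


@dataclass
class SyslogMessage:
    pri: int
    facility: str
    severity: str
    timestamp: str
    hostname: str
    syslogtag: str       # what rsyslog exposes as %syslogtag%, e.g. "su[1234]:"
    programname: str     # rsyslog's $programname: the tag without [pid] and ':'
    pid: Optional[int]
    msg: str
    pri_defaulted: bool  # True if PRI was missing or out of range and DEFAULT_PRI was used


def parse_syslog(line: str) -> Optional[SyslogMessage]:
    """Return the parsed message, or None if the line is not BSD syslog at all."""
    m = SYSLOG_RE.match(line.rstrip("\r\n"))
    if not m:
        return None
    pri_text = m.group("pri")
    pri = int(pri_text) if pri_text is not None else -1
    defaulted = not (0 <= pri <= 191)   # 191 = local7.debug, the largest legal PRI
    if defaulted:
        pri = DEFAULT_PRI
    prog, pid = m.group("prog"), m.group("pid")
    tag = prog + (f"[{pid}]" if pid else "") + ":"
    return SyslogMessage(
        pri=pri,
        facility=FACILITIES[pri // 8],
        severity=SEVERITIES[pri % 8],
        timestamp=m.group("ts"),
        hostname=m.group("host"),
        syslogtag=tag,
        programname=prog,
        pid=int(pid) if pid else None,
        msg=m.group("msg"),
        pri_defaulted=defaulted,
    )


def custom_format(msg: SyslogMessage) -> str:
    """Equivalent of the template "%TIMESTAMP% %HOSTNAME% %syslogtag% %msg%\\n"."""
    return f"{msg.timestamp} {msg.hostname} {msg.syslogtag} {msg.msg}\n"


def route(lines: List[str]) -> Dict[str, List[str]]:
    """Apply the example rule: $programname == 'myapp' -> /var/log/myapp.log, then stop.
    Everything else goes to an assumed default file; unparseable lines are kept under 'dropped'."""
    out: Dict[str, List[str]] = {"/var/log/myapp.log": [], "/var/log/syslog": [], "dropped": []}
    for line in lines:
        msg = parse_syslog(line)
        if msg is None:
            out["dropped"].append(line)
            continue
        if msg.programname == "myapp":
            out["/var/log/myapp.log"].append(custom_format(msg))
            continue  # the 'stop' inside the rule block
        out["/var/log/syslog"].append(custom_format(msg))
    return out


# Constructed sample input for this example (not captured traffic).
SAMPLE_LINES = [
    "<34>Oct 11 22:14:15 mymachine su[1234]: 'su root' failed for lonvick on /dev/pts/8",
    "<13>Oct 11 22:14:16 web01 myapp[4242]: user login ok",
    "Oct 11 22:14:17 web01 myapp: line sent without a PRI header",
    "<999>Oct 11 22:14:18 web01 cron[7]: PRI out of range",
    "this is not a syslog line",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(parse_syslog(line))
    for dest, entries in route(SAMPLE_LINES).items():
        print(dest, entries)
```

Note that the routing decision depends only on the tag inside the message, which is exactly what the sender wrote; the third sample line reaches /var/log/myapp.log with no PRI at all, and any host can produce a line that matches by putting myapp in the tag.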

Common Issues

  • Incorrect PRI Value: If rsyslog isn't handling messages as expected, check that each message starts with a well-formed <PRI> (no space before the timestamp, value 0-191). A message without a usable PRI is not rejected; it is parsed with the default priority user.notice (PRI 13), so it shows up under the wrong facility and is caught by the wrong rules.
  • Untrusted Fields: HOSTNAME and TAG are taken from the message as received. A filter such as $programname == 'myapp' therefore trusts whatever the sender put in the tag; for messages arriving over the network, combine it with connection information (for example $fromhost-ip) or give the network input its own ruleset if the distinction matters.
  • Log Rotation: Ensure that log rotation tools (like logrotate) are correctly configured to handle rsyslog log files, and that rsyslog is told to reopen its files after rotation (the usual postrotate step sends it SIGHUP).
  • Permissions: Verify that rsyslog has the necessary permissions to read/write the log files. Distributions that run rsyslog as an unprivileged user (for example the syslog user on Debian and Ubuntu) need the target directory writable by that user.
Licensed under CC-BY-NC-SA

This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
