# Confused With Syslog Message Format

If you're confused about the syslog message format and how `rsyslog` handles it, here’s a quick overview to help clarify:

### Syslog Message Format

Syslog messages have a standard format which typically looks like this:

```
<PRI>TIMESTAMP HOSTNAME TAG: MESSAGE
```

- **PRI**: Priority value (a combination of facility and severity).
- **TIMESTAMP**: Date and time of the log entry.
- **HOSTNAME**: The name of the machine that generated the log.
- **TAG**: A short string identifying the source of the log message.
- **MESSAGE**: The actual log message content.

### Rsyslog Configuration

In `rsyslog`, you often deal with parsing, filtering, and routing syslog messages. Here’s a basic rundown of the configuration elements:

1. **Modules**:
Modules extend `rsyslog` functionality. Common modules include `imudp` for UDP input, `imtcp` for TCP input, and `omfile` for outputting logs to files.
2. **Inputs**:
Define sources of log messages. For example:
    
    ```
    module(load="imudp") # Load UDP module
    input(type="imudp" port="514") # Listen on port 514
    ```
    
3. **Templates**:
Define how log messages are formatted. Example:
    
    ```
    template(name="MyTemplate" type="string" string="%TIMESTAMP% %HOSTNAME% %syslogtag% %msg%\n")
    ```
    
4. **Rules**:
Rules specify how to handle incoming log messages. Example:
    
    ```
    if $programname == 'myapp' then /var/log/myapp.log
    & stop
    ```
    
    This rule routes messages from `myapp` to `/var/log/myapp.log` and then discards the original message, so no later rule logs it again.
    
5. **Actions**:
Actions define what happens to log messages after they are processed by rules. Actions can include writing to files, forwarding to remote servers, or executing commands.

### Example Configuration

Here’s a simple example configuration for `rsyslog` to handle syslog messages:

```
# Load modules
module(load="imudp") # UDP input
module(load="builtin:omfile") # File output (built in, so it is loaded with the builtin: prefix)

# Define template
template(name="CustomFormat" type="string" string="%TIMESTAMP% %HOSTNAME% %syslogtag% %msg%\n")

# Define input
input(type="imudp" port="514")

# Define rules
if $programname == 'myapp' then {
    action(type="omfile" file="/var/log/myapp.log" template="CustomFormat")
    # Stop processing myapp messages so later rules do not log them again
    stop
}
```

### Common Issues

- **Incorrect PRI Value**: If `rsyslog` isn't handling messages as expected, check if the PRI value is correctly formatted. An incorrect PRI value can cause parsing issues.
- **Log Rotation**: Ensure that log rotation tools (like `logrotate`) are correctly configured to handle `rsyslog` log files.
- **Permissions**: Verify that `rsyslog` has the necessary permissions to read/write the log files.
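
The PRI field described under "Syslog Message Format" and the malformed-PRI problem listed above can be checked before a message ever reaches `rsyslog`. The following Python sketch is an added example, not code from the original page and not `rsyslog`'s own parser. It assumes the RFC 3164 layout (no space after `>`, a `Mmm dd hh:mm:ss` timestamp), and the sample lines are constructed.

```python
import re

# RFC 3164 style line: <PRI>TIMESTAMP HOSTNAME TAG: MESSAGE (assumed layout)
LINE_RE = re.compile(
    r"^<(?P<pri>[^>]*)>"
    r"(?P<timestamp>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<hostname>\S+) "
    r"(?P<tag>[^:\s]+): ?"
    r"(?P<message>.*)$"
)
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]


def decode_pri(pri_text):
    """Split PRI into (facility, severity); raise ValueError if malformed."""
    # PRI is 1-3 decimal digits with no leading zero (except "0" itself).
    if not re.fullmatch(r"0|[1-9]\d{0,2}", pri_text):
        raise ValueError(f"PRI is not a 1-3 digit number: {pri_text!r}")
    pri = int(pri_text)
    # PRI = facility * 8 + severity; facility 0-23 and severity 0-7 cap it at 191.
    if pri > 191:
        raise ValueError(f"PRI out of range 0-191: {pri}")
    return divmod(pri, 8)


def parse_line(line):
    """Return a dict of fields, or raise ValueError naming what is wrong."""
    m = LINE_RE.match(line)
    if m is None:
        raise ValueError("line does not match <PRI>TIMESTAMP HOSTNAME TAG: MESSAGE")
    facility, severity = decode_pri(m.group("pri"))
    fields = m.groupdict()
    fields.update(facility=facility, severity=severity, severity_name=SEVERITIES[severity])
    return fields


# Constructed sample lines (not captured from a real system).
SAMPLES = [
    "<134>Oct 11 22:14:15 web01 myapp[412]: user login ok",  # facility 16, info
    "<999>Oct 11 22:14:15 web01 myapp[412]: bad priority",   # PRI above 191
    "<13 4>Oct 11 22:14:15 web01 myapp: space inside PRI",   # not a number
]

if __name__ == "__main__":
    for s in SAMPLES:
        try:
            print(parse_line(s))
        except ValueError as e:
            print("rejected:", e)
```
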