Rsyslog
Rsyslog is an open-source, high-performance syslog daemon designed for Unix-like operating systems, serving as a modular engine to collect, parse, buffer, transform, and route log messages reliably across networks.[1]
Initiated in 2004 by Rainer Gerhards as a fork of the sysklogd codebase, it was developed to provide a feature-rich drop-in replacement for traditional syslog implementations, addressing shortcomings in reliability (such as UDP-only transmission) and configurability while supporting advanced protocols like TCP and RFC 3195.[2]
Maintained by Adiscon GmbH under GPLv3 licensing since 2008, rsyslog has evolved over two decades into a versatile tool with a modular architecture featuring over 100 input and output plugins for integrations with systems like Elasticsearch, Kafka, databases, and files.[3][2]
Its key capabilities include the RainerScript scripting language for complex filtering and parsing, disk-assisted queuing to prevent message loss during high loads, and multithreading for processing over 1 million messages per second, making it suitable for both legacy syslog workloads and modern observability pipelines in bare-metal, virtual, or containerized environments.[1][2]
As the default logging daemon in several major Linux distributions, including Red Hat Enterprise Linux and Fedora, rsyslog enables centralized log aggregation, secure transmission, and compliance with standards like syslog over TLS.[4][1]
Introduction
Overview
Rsyslog is an open-source, high-performance logging subsystem for Unix-like systems, designed to handle traditional syslog tasks as well as modern log processing pipelines.[5] Its primary purpose is to collect, process, filter, and forward log messages from diverse sources, such as system events and applications, to various destinations including files, databases, or remote servers.[1]
Rsyslog operates in modes such as local logging for on-system message storage, remote logging for sending messages across networks, and central aggregation to consolidate logs from multiple hosts into a single repository.[6] It serves as a drop-in replacement for predecessors like sysklogd, offering enhanced performance and additional features while maintaining compatibility with standard syslog configurations.[7]
As of 2025, Rsyslog remains the default logging daemon in major Linux distributions including Fedora and Red Hat Enterprise Linux, and is commonly used or available in Ubuntu, capable of processing up to millions of messages per second under optimized conditions.[4][8][9] Its modular design allows for extensibility, and it supports standards like RFC 5424 for structured syslog messaging.[10][11]
Key Features
Rsyslog distinguishes itself from traditional syslog daemons through its high-performance queuing system, which employs on-disk spooling to handle high-volume log streams without data loss, ensuring reliability during peak loads or system resource constraints.[12] This feature, introduced in version 3.11.0 in January 2008, allows for on-demand disk-assisted queues that buffer messages persistently when processing cannot keep pace.[12]
Advanced filtering capabilities enable precise content-based routing using RainerScript, a domain-specific language that supports complex boolean, string, and arithmetic expressions, as well as regular expressions on any part of a syslog message.[12] This allows administrators to route, discard, or transform messages based on detailed criteria, far beyond basic facility and severity-based filtering in legacy implementations.[12]
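For instance, a minimal RainerScript filter might isolate error messages from one program (the program name and file path are illustrative):

if $programname == "myapp" and $msg contains "error" then {
    action(type="omfile" file="/var/log/myapp-errors.log")
    stop
}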
Rsyslog leverages multi-threading with dynamic work thread pools to process inputs and outputs in parallel, optimizing performance on multi-core hardware for high-throughput environments.[12] Template-based message formatting provides customizable output structures, including dynamic log target generation and support for standards like CSV (RFC 4180) via property replacers, facilitating integration with diverse storage and analysis tools.[12]
Security is enhanced through TLS/SSL encryption for secure transport (native support added in version 3.19.0 in May 2008), access control lists (ACLs) to restrict network senders, and privilege drop mechanisms to minimize operational risks.[12] Extensibility is achieved via dynamic loading of input and output modules at runtime, allowing seamless integration with databases like MySQL or PostgreSQL without recompilation.[12]
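A condensed sketch of these hardening options, in legacy directive form (the network ranges and account name are illustrative):

# ACL: accept UDP traffic only from these senders
$AllowedSender UDP, 127.0.0.1, 192.168.0.0/24
# drop root privileges once sockets are bound
$PrivDropToUser syslog
$PrivDropToGroup syslog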
In terms of performance, Rsyslog can process over one million messages per second on modern hardware with minimal processing to local destinations, as demonstrated in 2014 benchmarks that remain relevant today.[13] Historically, support for integrations like Elasticsearch and Kafka was added in 2014 to enhance observability workflows.[13]
Architecture
Core Components
Rsyslog operates through its central daemon, rsyslogd, which serves as the main process responsible for receiving, processing, and forwarding log messages in a high-performance, modular environment.[14] This daemon manages the overall log pipeline, ensuring efficient handling of syslog workloads by decoupling message producers and consumers via internal mechanisms.[15]
Input interfaces in Rsyslog collect log messages from diverse sources, including network protocols via UDP or TCP listeners (such as the imudp and imtcp modules) and local file monitoring for tailing log files.[16] These interfaces bind messages to specific processing paths, enabling isolated handling of incoming data streams.[17]
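A minimal file-tailing input in RainerScript form (the path and tag are illustrative):

module(load="imfile")
input(type="imfile"
      file="/var/log/myapp/app.log"
      tag="myapp:"
      severity="info"
      facility="local0")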
The processing engine forms the core of Rsyslog's message handling, where incoming logs undergo parsing to extract structured data, filtering to match criteria, and rewriting for transformation using configurable rulesets.[16] Rulesets act as hierarchical blocks that sequence filters and actions, evaluating messages top-to-bottom until a match triggers processing or the end is reached, with options to discard non-matching entries.[17]
Output interfaces deliver processed messages to various destinations, such as local files via the omfile module or remote syslog relays using omfwd, ensuring logs reach intended storage or forwarding points.[16]
Queue management enhances reliability by buffering messages between pipeline stages, with types including in-memory queues (fixed-array or linked-list for speed), disk-assisted queues (spilling to disk when memory fills to handle backpressure), and full disk queues for persistence during high loads or shutdowns.[18] These queues throttle inputs when full—such as slowing TCP receivers—and support configurable watermarks to balance performance and durability, preventing message loss under overload.[18]
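For illustration, the main message queue can be made disk-assisted with explicit watermarks (the sizes are arbitrary; naming a queue file is what activates disk assistance):

main_queue(
    queue.type="LinkedList"
    queue.filename="mainq"            # presence of a file name enables disk assistance
    queue.highwatermark="80000"       # begin spilling to disk above this many messages
    queue.lowwatermark="20000"        # resume pure in-memory operation below this
    queue.saveonshutdown="on"         # persist in-memory messages at shutdown
)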
The overall data flow in Rsyslog follows a pipeline: messages enter via inputs, pass through an initial queue for buffering, enter the ruleset for parsing, filtering, and rewriting, proceed to action-specific queues, and finally reach outputs for delivery, providing a structured yet flexible path for log processing.[16]
Modules and Extensibility
Rsyslog employs a plugin-based architecture that allows for modular extension of its logging capabilities without requiring recompilation of the core system. This design categorizes modules into distinct types, including input modules (prefixed with "im"), which receive log messages from various sources; output modules (prefixed with "om"), which forward or store messages to destinations; library modules (prefixed with "lm"), which provide reusable functions like encryption or compression; and parser modules (prefixed with "pm"), which process and structure incoming message content.[10][19]
Key examples of built-in modules illustrate this extensibility in practice. The imjournal module integrates with the systemd journal to ingest structured logs directly from modern Linux systems. The omkafka module enables output to Apache Kafka for distributed streaming and real-time processing pipelines. Similarly, the imtcp module supports TCP-based input with optional TLS encryption for secure remote logging over networks.
Modules are loaded dynamically at runtime using the $ModLoad directive in legacy configuration syntax or the equivalent module(load=) statement in RainerScript, allowing administrators to enable specific functionality on demand without rebuilding the binary.[20]
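For example, the two syntaxes load the UDP input module equivalently (the port is the conventional syslog default):

# legacy syntax
$ModLoad imudp
$UDPServerRun 514

# equivalent RainerScript
module(load="imudp")
input(type="imudp" port="514")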
For custom extensions, Rsyslog provides a C-based application programming interface (API) that facilitates the development of new plugins. Developers can implement hooks for message parsing, filtering, and integration with the core queuing subsystem to handle high-volume or custom workflows.[21]
This extensibility supports integration with non-standard protocols and third-party systems through community-contributed modules, such as the ommongodb output module, which stores logs directly in MongoDB databases for flexible querying and analysis.[22]
The plugin system was introduced as part of the modular redesign that replaced the rigid sysklogd architecture.[13] In 2025 developments, AI-assisted tools have accelerated module enhancements by aiding in code generation, documentation, and testing, ensuring ongoing innovation while maintaining human oversight.[23]
Configuration
Rsyslog supports a legacy configuration format derived from traditional BSD syslogd implementations, which uses simple directive-based syntax to specify logging rules in the form facility.priority action. For instance, a basic rule might direct mail-related debug messages to a specific file, such as mail.debug /var/log/maillog.[24] This format provides compatibility for migrations from older systems like Solaris or AIX but is considered obsolete for new configurations due to its limitations in handling complex logic.[25]
In contrast, RainerScript serves as the modern scripting language in Rsyslog, enabling advanced configurations with expressions, variables, control structures, and functions tailored for event processing. It supports constructs like conditional statements for filtering, such as if $syslogfacility-text == 'mail' then { action(...) }, allowing dynamic routing based on message properties without relying on rigid directives.[26] Variables can store computed values, and built-in functions handle tasks like string manipulation or arithmetic, making it suitable for sophisticated log processing pipelines.[27]
The primary configuration file is /etc/rsyslog.conf, which organizes settings into global directives at the top, followed by module loads, and then action blocks containing rules and outputs.[25] Additional files in /etc/rsyslog.d/*.conf are automatically included for modular extensions, such as site-specific rules, ensuring a hierarchical structure that separates core settings from customizations.[14]
Property replacers form a core mechanism for dynamic message formatting, using placeholders like %property% to insert values from log messages into templates. For example, %timestamp:::date-rfc3339% emits the timestamp in RFC 3339 format, with the field after the final colon selecting formatting options applied during replacement.[28] Templates are defined via $template name directives in legacy syntax (or template() objects in RainerScript), combining fixed text with replacers to generate custom outputs, such as structured log lines for remote forwarding.
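For example, a template combining literal text with property replacers can be written in either syntax (the template name is illustrative):

# legacy definition
$template PreciseFormat,"%timestamp:::date-rfc3339% %HOSTNAME% %syslogtag%%msg%\n"

# RainerScript equivalent
template(name="PreciseFormat" type="string"
         string="%timestamp:::date-rfc3339% %HOSTNAME% %syslogtag%%msg%\n")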
Beginning with version 6 and refined through versions 7 and 8, Rsyslog introduced object-based configuration using RainerScript blocks of name="value" parameters to define advanced setups, enhancing readability and modularity over flat directives. Examples include main_queue(queue.type="LinkedList" queue.size="10000") for tuning the main message queue, or per-action queue parameters for failover handling, where parameters are set within parenthesized objects.[29] This approach supports nested parameters and remains backward-compatible with legacy syntax, so both styles can be mixed during migration.[30]
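A brief contrast of the two styles expressing the same rule (the file path is illustrative):

# legacy selector style
mail.info /var/log/mail.log

# object-based equivalent
if prifilt("mail.info") then {
    action(type="omfile" file="/var/log/mail.log")
}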
Rsyslog parses configuration files line by line, interpreting directives that begin with a dollar sign ($) as legacy global settings, while RainerScript elements use keyword-based syntax.[31] Includes are handled via $IncludeConfig for recursive loading of external files, and legacy compatibility modes ensure older syslogd-style rules are processed without errors during upgrades.[14] The parser enforces a top-down evaluation, applying global directives first before processing rulesets, with support for multi-ruleset isolation via $Ruleset in legacy mode.[32]
Rules and Directives
In rsyslog, rules define how incoming log messages are filtered and processed through actions, while directives provide global or local configuration options that influence this processing. Rules typically consist of a filter condition followed by one or more actions, allowing administrators to route, store, or discard messages based on criteria such as severity, source, or content.[33] These elements are specified in the main configuration file /etc/rsyslog.conf or included files in /etc/rsyslog.d/, enabling flexible logging setups for single or multi-host environments.[14]
Filter types in rsyslog enable precise selection of messages for processing. Facility/priority filters, the traditional selector method, match messages by syslog facility (e.g., auth, mail, local0-local7) and priority level (e.g., info, err, crit), using syntax like facility.priority. For instance, auth.info selects authentication-related informational messages, while *.err captures errors from all facilities; wildcards (*), exact matches (=), exclusions (!), and separators (;) support complex combinations.[33] Expression-based filters leverage RainerScript for advanced conditions, such as if $msg contains "error" then ..., allowing logical operators (e.g., and, not) to evaluate message content or metadata.[33] Hostname and programname matching further refines filters, often via property-based selectors like :hostname, isequal, "example.com" or :programname, contains, "sshd", which compare against message properties for source-specific routing.[33]
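Taken together, the three filter families might appear in a configuration as follows (hostnames, program names, and paths are illustrative):

# facility/priority selectors
auth.info  /var/log/auth-info.log
*.err      /var/log/errors.log

# expression-based filter (RainerScript)
if $msg contains "error" and not ($programname == "healthcheck") then {
    action(type="omfile" file="/var/log/app-errors.log")
}

# property-based filters
:hostname, isequal, "example.com"  /var/log/example-host.log
:programname, contains, "sshd"     /var/log/sshd.log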
Actions specify what happens to filtered messages, including storage, forwarding, or formatting. File writing actions direct output to local files, as in mail.* /var/log/maillog, where a leading dash (e.g., -/var/log/maillog) disables synchronous writes for performance; dynamic filenames can use templates, such as /var/log/%HOSTNAME%/%programname%.log.[27] Forwarding actions send messages to remote hosts, using UDP (*.* @remotehost:514) or TCP (*.* @@remotehost:514), with options such as zlib compression levels ((z1) through (z9), written as, e.g., @@(z9)remotehost:514) or IPv6 addressing ([2001::1]:515).[27] Template application customizes output in actions, defined via template(name="MyTemplate" type="string" string="%msg%\n") and applied as /var/log/maillog;MyTemplate, supporting structured formats like JSON for integration with tools such as Elasticsearch.[34]
Global directives set overarching behaviors affecting all rules. The $PreserveFQDN on directive ensures fully qualified domain names are retained in hostnames, preventing stripping for intra-domain messages and enabling accurate source identification; it caches reverse DNS lookups for efficiency.[32] Similarly, $WorkDirectory /var/spool/rsyslog designates the storage path for queues, spool files, and temporary data, crucial for disk-based queuing in high-volume setups.[32]
Ruleset processing organizes rules into named groups, with the main queue handling default sequential evaluation from the configuration file's top until a discard or all rules are exhausted. Custom rulesets, introduced in rsyslog v4.5.0, allow binding inputs to specific sets, for example ruleset(name="remote") { action(type="omfile" file="/var/log/remote.log") } bound via input(type="imtcp" port="514" ruleset="remote"), supporting multi-tenant isolation or prioritization via dedicated queues such as ruleset(name="priority" queue.type="fixedArray") for asynchronous handling of critical traffic.[17]
Error handling in rules ensures robustness against failures. Discard actions, via the stop statement (or the legacy ~ selector), halt processing and drop messages immediately, useful for filtering noise.[27] For failover without discarding, rules can chain actions with action.execOnlyWhenPreviousIsSuspended="on", which activates backups if the primary fails (e.g., due to network issues).[27] Failed actions can log problem messages to a dedicated file with the action.errorfile="/var/log/action_errors.json" parameter (JSON format, available since v8.32.0), aiding diagnostics.[27]
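A minimal failover chain in RainerScript form (hostnames are illustrative; the second action runs only while the first is suspended):

action(type="omfwd" target="primary.example.com" port="514" protocol="tcp"
       action.resumeRetryCount="-1"
       action.errorfile="/var/log/action_errors.json")
action(type="omfwd" target="backup.example.com" port="514" protocol="tcp"
       action.execOnlyWhenPreviousIsSuspended="on")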
Best practices for rules and directives emphasize reliability and maintainability. Avoid infinite loops in expression-based filters by using bounded conditions and testing complex RainerScript logic iteratively to prevent recursive evaluations.[35] Employ templates consistently for structured output, such as JSON schemas (template(name="JsonOut" type="list" option.jsonf="on")), to facilitate parsing in downstream systems and reduce ad-hoc formatting.[34] For multi-ruleset setups, bind inputs explicitly to avoid unintended main queue processing, and monitor queue parameters to balance performance in prioritized environments.[17]
Protocols and Standards
Rsyslog supports two primary syslog message formats: the legacy BSD syslog format defined in RFC 3164 and the structured syslog protocol in RFC 5424.[36] These formats dictate how log messages are encoded, parsed, and processed, enabling compatibility with traditional systems while accommodating modern structured logging needs.[36]
The legacy format from RFC 3164 consists of a PRI part, a HEADER, and a MSG part.[37] The PRI is a numeric value enclosed in angle brackets (e.g., <34>), combining the facility (0-23, indicating the message source like kernel or user) and severity (0-7, from emergency to debug) as facility * 8 + severity.[38] The HEADER includes a TIMESTAMP in the format "Mmm dd hh:mm:ss" (e.g., "Oct 11 22:14:15"), using local time without year or timezone information, followed by the HOSTNAME (up to 255 characters).[39] The MSG comprises a TAG (up to 32 characters for the process name, ended by a colon or similar) and free-form CONTENT.[40] Limitations include non-ISO timestamps, potential ambiguity in parsing due to variable-length fields, and a maximum message size of 1024 octets, all using 7-bit ASCII.[41]
In contrast, RFC 5424 introduces a more robust structure with VERSION "1" in the HEADER, enhancing extensibility.[42] The full message follows the ABNF: SYSLOG-MSG = HEADER SP STRUCTURED-DATA [SP MSG], where HEADER includes PRI, VERSION, TIMESTAMP (ISO 8601 format like "1985-04-12T23:20:50.52Z" with optional subseconds and timezone), HOSTNAME, APP-NAME, PROCID, and MSGID.[43] STRUCTURED-DATA provides a framework for key-value parameters in the form [SD-ID *(SP SD-PARAM)] (e.g., [exampleSDID@32473 iut="3"]), using SD-IDs for identification and UTF-8 for values.[44] MSG contains the free-form message, and the format relies on well-defined field boundaries for reliable parsing, with spaces as delimiters and no embedded NUL characters.[42] Key improvements over RFC 3164 include precise timestamps, structured extensibility, and support for international characters via UTF-8.[45]
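Side by side, the same event in both encodings, adapted from the examples in the RFCs themselves:

RFC 3164: <34>Oct 11 22:14:15 mymachine su: 'su root' failed for lonvick on /dev/pts/8
RFC 5424: <34>1 2003-10-11T22:14:15.003Z mymachine.example.com su - ID47 [exampleSDID@32473 iut="3"] 'su root' failed for lonvick on /dev/pts/8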
Rsyslog parses these formats to extract core fields for routing and storage. From PRI, it derives the facility (0-23) and severity (0-7) values.[46][47] In RFC 5424 messages, it pulls APP-NAME (from the application generating the log), PROCID (process ID), and MSGID (message identifier), emulating missing fields like TAG from legacy formats for consistency.[36] The pmrfc3164 module handles legacy parsing, while the default chain supports RFC 5424, with configurable maximum sizes (e.g., 4KB) to prevent truncation.[48]
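A sketch of a per-ruleset parser chain with a raised message-size limit (the port, path, and ruleset name are illustrative; rsyslog.rfc5424 and rsyslog.rfc3164 name the built-in parsers):

global(maxMessageSize="4k")            # guard against truncation of larger messages
module(load="imtcp")
ruleset(name="mixedIn" parser=["rsyslog.rfc5424", "rsyslog.rfc3164"]) {
    action(type="omfile" file="/var/log/mixed.log")
}
input(type="imtcp" port="514" ruleset="mixedIn")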
Rsyslog extends standard formats with non-standard output options, such as JSON formatting via templates. For example, a template like template(name="JsonOut" type="string" string="{\"msg\":\"%msg%\"}") enables structured JSON export for integration with tools like Elasticsearch, preserving fields like severity and app-name in key-value pairs.[34][49]
Rsyslog offers flexible handling modes: legacy mode for backward compatibility parses RFC 3164 messages and can relay them as RFC 5424, while strict mode enforces RFC 5424 parsing over transports like UDP or TCP, rejecting non-conforming inputs.[36] This dual approach ensures seamless operation in mixed environments without altering message integrity.[36]
Transport and Reliability Protocols
Rsyslog supports multiple transport protocols for transmitting syslog messages, ranging from the lightweight but unreliable User Datagram Protocol (UDP) to more robust options like Transmission Control Protocol (TCP) and the Reliable Event Logging Protocol (RELP), which incorporate mechanisms for enhanced reliability and security. These protocols enable Rsyslog to forward logs across networks while addressing challenges such as packet loss, connection failures, and data confidentiality.[50][51][52]
The default transport in Rsyslog is UDP, as defined in RFC 3164, which operates on port 514 and provides a connectionless, lightweight method for sending syslog messages without acknowledgments or retransmissions. This makes UDP suitable for high-volume, low-latency environments where occasional message loss is acceptable, but it risks data loss due to network congestion or failures, as there is no built-in reliability.[50]
For improved reliability, Rsyslog utilizes TCP transport via the imtcp input module, commonly on port 514 or a site-chosen port, with message framing per RFC 6587 for syslog transmission over TCP. TCP ensures ordered delivery and retransmission of lost packets through its connection-oriented nature, with framing options like octet counting to delineate message boundaries and prevent parsing errors. Additional features, such as keep-alive probes and flow control, further mitigate disruptions by detecting dead connections and throttling senders during overload.[51]
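A minimal TCP sketch for both directions (host and port are illustrative):

# server: TCP listener accepting octet-counted framing
module(load="imtcp")
input(type="imtcp" port="514" supportOctetCountedFraming="on")

# client: @@ selects TCP forwarding
*.* @@central.example.com:514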
RELP extends TCP's reliability by implementing application-level acknowledgments and sequencing, supported through the imrelp and omrelp modules in Rsyslog, which require the librelp library. This protocol guarantees message delivery under normal conditions by retransmitting unacknowledged frames within configurable windows (default size of 128), though minor duplications may occur in edge cases like abrupt connection drops before acknowledgments. RELP operates over TCP ports and is particularly valued for preventing loss in unreliable networks without the overhead of full TLS setup.[52][53][54]
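A corresponding RELP sketch (the port is illustrative; both modules require librelp):

# receiving side
module(load="imrelp")
input(type="imrelp" port="2514")

# sending side
module(load="omrelp")
*.* action(type="omrelp" target="central.example.com" port="2514")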
Rsyslog also provides legacy support for RFC 3195, a reliable syslog transmission method over TCP using the im3195 module on port 601, featuring RAW (stream-oriented) and experimental COOKED (framed) profiles for guaranteed delivery. This standard maps syslog to TCP with explicit reliability layers but has been largely superseded by modern alternatives like RELP and RFC 6587 due to its complexity and limited adoption.[55][56]
To secure transmissions, Rsyslog integrates Transport Layer Security (TLS/SSL) encryption with TCP and RELP via network stream drivers such as GnuTLS (gtls), configured through directives like $DefaultNetstreamDriverCAFile for the certificate authority, $DefaultNetstreamDriverCertFile for the machine certificate, and $DefaultNetstreamDriverKeyFile for the private key. This setup, often on port 6514, protects against eavesdropping and tampering while maintaining reliability, with anonymous or certificate-based authentication modes available.[57]
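A client-side TLS forwarding sketch using the RainerScript equivalents of these directives (certificate paths and the peer name are illustrative):

global(
    DefaultNetstreamDriver="gtls"
    DefaultNetstreamDriverCAFile="/etc/rsyslog.d/ca.pem"
    DefaultNetstreamDriverCertFile="/etc/rsyslog.d/cert.pem"
    DefaultNetstreamDriverKeyFile="/etc/rsyslog.d/key.pem"
)
*.* action(type="omfwd" target="central.example.com" port="6514" protocol="tcp"
           StreamDriver="gtls" StreamDriverMode="1"          # 1 = TLS-only mode
           StreamDriverAuthMode="x509/name"
           StreamDriverPermittedPeers="central.example.com")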
Complementing these protocols, Rsyslog employs queueing mechanisms to enhance overall reliability, particularly during transport failures. Disk-assisted queues buffer messages in memory for speed and spill to on-disk storage (in configurable chunks up to 10 MB) when high watermarks are reached or during shutdowns, preventing loss by persisting data until delivery succeeds; parameters such as ActionQueueType="LinkedList" combined with ActionQueueFileName (whose presence enables disk assistance) and ActionQueueSaveOnShutdown enable this persistence.[18]
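A legacy-directive sketch of such a disk-assisted action queue feeding a TCP forwarding action (host and sizes are illustrative):

$WorkDirectory /var/spool/rsyslog        # location for queue spool files
$ActionQueueType LinkedList              # in-memory queue...
$ActionQueueFileName fwdq                # ...made disk-assisted by naming a spool file
$ActionQueueMaxDiskSpace 1g
$ActionQueueSaveOnShutdown on
$ActionResumeRetryCount -1               # retry forever instead of discarding
*.* @@central.example.com:514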
History and Development
Origins
Rsyslog traces its roots to the original syslogd developed by Eric Allman in the early 1980s as part of the Berkeley Software Distribution (BSD) for Unix systems, which established the foundational syslog protocol for logging messages across networks.[13] In the 1990s, sysklogd emerged as an enhanced implementation for Linux, extending BSD syslogd with minor improvements but retaining its core single-threaded design and limited configurability, which proved inadequate for emerging high-volume logging needs in enterprise settings.[2]
In 2004, Rainer Gerhards, founder of Adiscon GmbH, initiated the Rsyslog project by forking sysklogd to address these shortcomings, particularly its inability to handle high-load scenarios such as those in web servers due to the lack of multithreading, queuing mechanisms, and reliable transport options like TCP.[2][58] The primary motivations included enhancing performance and reliability for enterprise environments, adding features such as TCP support for syslog transmission and advanced filtering, while maintaining compatibility with existing syslog standards to facilitate adoption.[59] Gerhards aimed to create a more extensible alternative to both sysklogd and proprietary extensions in tools like syslog-ng, promoting open-source innovation without restrictive licensing models.[58]
The initial version of Rsyslog was released in 2005, marking its debut as version 1.0 with the fork incorporating early enhancements like TCP syslog reception and basic database output support.[60] Early integration occurred within Adiscon's logging products, such as MonitorWare, leveraging Rsyslog's capabilities for centralized Windows and Unix logging solutions. By November 2007, Rsyslog became the default syslog daemon in Fedora 8, signaling broader Linux distribution adoption and community interest.[2]
From its inception, Rsyslog was released under the GNU General Public License (GPL), with version 3 (GPLv3) adopted starting with v2.0.0 in 2008, emphasizing free software principles and encouraging community contributions, which began accumulating shortly after the initial release to further its modular design.[3][61]
Major Milestones
The stable release of Rsyslog v2.0.0 in January 2008 marked a significant milestone, providing a reliable foundation with major bug fixes and enhanced compatibility with traditional syslogd implementations.[2] This version addressed early stability issues from prior development releases and facilitated broader adoption, including as the default syslog daemon in Fedora 8 shortly before its release.[2] By establishing a robust core, v2.0 enabled Rsyslog to gain traction in enterprise environments seeking a drop-in replacement for legacy tools.[62]
Subsequent versions from v3 to v5, spanning 2009 to 2011, introduced transformative capabilities focused on scalability and flexibility, including disk-assisted queues for reliable message handling during high loads, multi-threading to improve concurrent processing, and the debut of RainerScript as a powerful scripting language for message processing and filtering.[62] These releases also added essential modules like imfile for reading log files as input and initial TLS support for encrypted transport, enhancing security in distributed logging setups.[62] Performance optimizations, such as reduced memory usage and faster queue operations, laid the groundwork for handling larger volumes of logs, while integrations with databases via libdbi and early systemd support broadened its applicability in modern Linux distributions.[62]
In 2012 and 2013, v6 and v7 releases advanced Rsyslog's enterprise readiness with a redesigned configuration system, native JSON support for structured logging, and further security enhancements including improved TLS implementation compliant with emerging standards like RFC 5424 from the IETF syslog working group.[62][13] Key additions encompassed omelasticsearch for direct output to Elasticsearch, ruleset-specific queues for fine-grained control, and persistent queue modes to prevent message loss, all contributing to more resilient and observable systems.[62] These versions solidified Rsyslog's role in high-availability environments, with contributions from the growing open-source community via platforms like GitHub and sponsorship from Adiscon, the primary development firm.[13]
The v8 series, beginning in 2014, ushered in a high-performance era, featuring a rewritten core engine that achieved benchmarks exceeding 1 million messages per second in optimized configurations with disk-assisted queues and multi-threading.[13] Native integrations for outputs to Elasticsearch and Apache Kafka were introduced, enabling seamless incorporation into modern log analytics pipelines without external dependencies.[62] This period also saw Rsyslog become the default logging daemon in Red Hat Enterprise Linux 7 and later releases, as well as Ubuntu 16.04 and subsequent versions, reflecting its maturity and widespread trust in production systems.[63]
From 2020 to 2025, Rsyslog continued evolving with enhancements to the imjournal module for deeper integration with systemd-journald, allowing efficient ingestion of journal logs into traditional syslog workflows.[62] In 2025, the project announced an "AI-first" strategy, leveraging AI for automating development tasks, documentation generation, and support processes while maintaining human oversight for code reviews and testing to ensure reliability.[23] This approach culminated in the stable release of v8.2510.0, incorporating cloud-native optimizations and further community-driven contributions influenced by IETF standards for syslog protocols.[13][62]
Applications and Integrations
Common Use Cases
Rsyslog is commonly deployed for local system logging, where it captures messages from the kernel, system services, and applications, directing them to standard files such as those in the /var/log directory for persistent storage and analysis.[35] This setup enables administrators to maintain detailed records of system events, facilitating troubleshooting and performance monitoring on individual hosts.[6]
In remote logging scenarios, Rsyslog forwards log messages from client systems to centralized servers, aggregating data in data centers for unified management across distributed environments.[6] This approach supports protocols like TCP on port 514 for reliable transmission, allowing logs from multiple sources to be consolidated into directories such as /var/log/remote/ on the server.[35]
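A minimal client/server sketch of this pattern (hostnames and paths are illustrative):

# client: forward everything to the aggregation server over TCP
*.* @@logserver.example.com:514

# server: receive on TCP and split files per sending host
module(load="imtcp")
input(type="imtcp" port="514" ruleset="remote")
template(name="RemoteFile" type="string" string="/var/log/remote/%HOSTNAME%.log")
ruleset(name="remote") {
    action(type="omfile" dynaFile="RemoteFile")
}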
For high-availability setups, Rsyslog employs disk or in-memory queues to buffer messages during server outages, ensuring no data loss, while the RELP protocol provides reliable delivery with failover capabilities in clustered systems.[64] Queues decouple message production from consumption, enabling asynchronous processing that resumes forwarding once connectivity is restored.[18] This is particularly useful in environments requiring continuous operation, such as enterprise networks.[6]
Rsyslog supports compliance logging by generating structured outputs suitable for audit trails, meeting requirements in regulated sectors like finance and healthcare through secure, tamper-evident log formats.[65] Features like TLS-encrypted transmission and precise templating ensure logs adhere to standards such as HIPAA by providing verifiable records of system activities.[65]
In real-time monitoring applications, Rsyslog filters log messages based on priorities or content, triggering alerts for critical events including security breaches, such as unauthorized access attempts.[35] For instance, emergency-level messages can be routed to all logged-in users or external systems for immediate notification.[35]
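A pair of classic alerting rules in legacy selector form (the monitoring host is illustrative):

# send emergency messages to all logged-in users
*.emerg :omusrmsg:*

# relay authentication warnings and above to a monitoring host
auth.warning @@siem.example.com:514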
Rsyslog demonstrates scalability in handling logs from thousands of IoT devices or cloud instances, supporting high-performance ingestion in enterprise deployments with throughput up to one million messages per second.[5] Its modular architecture allows it to process large volumes from distributed sources without overwhelming resources.[5]
However, Rsyslog may not be optimal for ultra-low-latency requirements, where its traditional syslog-oriented design can introduce delays compared to specialized tools like Fluentd, which offer more advanced streaming capabilities.[66] UDP-based forwarding, in particular, lacks acknowledgments and retransmission, potentially leading to message drops in high-speed scenarios.[6]
Integration Examples
Rsyslog enhances logging pipelines by integrating with the ELK Stack (Elasticsearch, Logstash, Kibana) through its omelasticsearch output module, which directly indexes structured log messages into Elasticsearch indices for efficient search, analysis, and visualization. This module supports bulk operations, dynamic index naming based on timestamps or templates, and automatic detection of Elasticsearch or OpenSearch versions starting from rsyslog 8.2510.0, reducing the need for intermediate processing via Logstash in many scenarios. Configuration typically involves loading the module and defining actions that specify the Elasticsearch server, port, and output template, such as the RFC 5424 format for compatibility with Kibana dashboards. For instance, a basic setup might route all logs to a daily index:
module(load="omelasticsearch")
*.* action(
type="omelasticsearch"
server="elasticsearch.example.com"
serverport="9200"
dynSearchIndexes="on"
searchIndex="rsyslog-%$year%-%$month%-%$day%"
template="RSYSLOG_SyslogProtocol23Format"
)
module(load="omelasticsearch")
*.* action(
type="omelasticsearch"
server="elasticsearch.example.com"
serverport="9200"
dynSearchIndexes="on"
searchIndex="rsyslog-%$year%-%$month%-%$day%"
template="RSYSLOG_SyslogProtocol23Format"
)
This integration allows organizations to leverage Elasticsearch's full-text search capabilities while maintaining rsyslog's high-throughput processing, with reported performance of up to 20 million logs per hour in tuned environments.[67][68]
For streaming and decoupling log flows, rsyslog employs the omkafka output module to produce messages to Apache Kafka topics, enabling reliable, scalable distribution to downstream consumers without direct coupling to storage systems. As a Kafka producer, omkafka supports keyed partitioning (e.g., by hostname), payload formatting through rsyslog templates (commonly JSON), and fault-tolerant delivery with broker acknowledgments, backed by rsyslog's queueing for backpressure management. Essential configuration parameters include the broker address and topic name, with optional TLS for secure transmission; a simple example forwards all messages to a central topic:
module(load="omkafka")
*.* action(
type="omkafka"
topic="syslog-events"
broker="kafka-cluster:9092"
partition="0"
key="$hostname"
template="RSYSLOG_TraditionalFileFormat"
)
module(load="omkafka")
*.* action(
type="omkafka"
topic="syslog-events"
broker="kafka-cluster:9092"
partition="0"
key="$hostname"
template="RSYSLOG_TraditionalFileFormat"
)
This setup is particularly useful in microservices architectures, where Kafka acts as a buffer for variable load, allowing tools like Kafka Streams or Connect to further process logs before storage.[69]
Bridging legacy syslog workflows with modern init systems, rsyslog's imjournal input module reads structured entries from the systemd journal (journald), importing them as syslog-compatible messages for unified processing and forwarding. The module uses the journal API to access binary logs, preserving metadata like priority, timestamp, and unit name, while supporting cursor-based state files to resume after restarts and avoid duplicates. It is loaded implicitly in many distributions like Ubuntu, but explicit configuration can set the state file used to track the journal read position:
module(load="imjournal" StateFile="imjournal.state")
module(load="imjournal" StateFile="imjournal.state" allowSystemDefinitionUpdates="on")
This integration facilitates migration from pure journald environments to rsyslog-centric pipelines, enabling features like remote relaying or parsing that journald lacks natively.[70]
Rsyslog stores logs in relational databases using dedicated output modules like ommysql for MySQL/MariaDB and ompgsql for PostgreSQL, providing native, high-performance insertion of structured data without relying on generic ODBC layers. These modules support parameterized SQL templates to map syslog properties (e.g., msg, hostname) to table columns, with options for asynchronous queuing and reconnection on failures to handle high-volume inserts. For MySQL, configuration specifies the database, credentials, and query template:
module(load="ommysql")
*.* action(
type="ommysql"
server="mysql-server"
serverport="3306"
db="syslog_db"
uid="rsyslog_user"
pwd="password"
mysqlserverport="3306"
template="INSERT into SystemEvents (Message, Facility, FromHost, Priority, DeviceReportedTime) values ('%msg%', %syslogfacility%, '%hostname%', %pri%, '%timestamp%');"
)
module(load="ommysql")
*.* action(
type="ommysql"
server="mysql-server"
serverport="3306"
db="syslog_db"
uid="rsyslog_user"
pwd="password"
mysqlserverport="3306"
template="INSERT into SystemEvents (Message, Facility, FromHost, Priority, DeviceReportedTime) values ('%msg%', %syslogfacility%, '%hostname%', %pri%, '%timestamp%');"
)
The ompgsql module follows a similar pattern but uses PostgreSQL-specific drivers for better performance in transactional workloads. These outputs are ideal for compliance-driven environments requiring queryable, ACID-compliant storage.[71][72][73]
In cloud environments, rsyslog integrates with AWS CloudWatch Logs via the AWS Marketplace application, which automates deployment on EC2 instances and enables forwarding of rsyslog performance statistics (pstats) to CloudWatch for monitoring queue depths and throughput. For general log forwarding to CloudWatch Logs, use dedicated integrations such as the omawslogs output module or the CloudWatch agent configured via the AWS Marketplace deployment, which handles authentication via IAM roles.[74] Similarly, for Azure Monitor, rsyslog configures the omfwd module to relay syslog messages over TCP to the Azure Monitor Agent (AMA) on port 28330, which then ingests them into Log Analytics workspaces for querying and retention. The AMA auto-generates rsyslog configs under /etc/rsyslog.d upon applying a Data Collection Rule (DCR), collecting all facilities and levels by default:
*.* @@127.0.0.1:28330
This setup supports SELinux and various syslog RFC formats, ensuring compatibility with Azure's structured analytics.[74][75]
For containerized deployments in Docker and Kubernetes, rsyslog operates as a logging agent in sidecar patterns, where a dedicated container tails application logs or journald and forwards them to central collectors, adding context like pod names via the mmkubernetes module. This message modification module enriches messages with Kubernetes metadata (e.g., namespace, labels) using the Kubernetes API; it is loaded once and then invoked as an action (the URL and token path shown are the in-cluster defaults):
module(load="mmkubernetes"
       kubernetesurl="https://kubernetes.default.svc.cluster.local:443"
       tokenfile="/var/run/secrets/kubernetes.io/serviceaccount/token")
action(type="mmkubernetes")
module(load="mmkubernetes" kubeconfig="/etc/kubernetes/kubeconfig" annotations=".")
Common implementations deploy rsyslog as a DaemonSet in Kubernetes clusters to aggregate node-level logs, with Docker volumes mounting /var/log for access, enabling unified observability across ephemeral workloads without native logging drivers.[76][77]
Rsyslog chains with analytics platforms by relaying logs via omfwd for traditional syslog or omhttp/omrelp for secure protocols, integrating with Splunk for machine learning-driven insights or Graylog for search-based alerting. To Splunk, logs forward to the HTTP Event Collector (HEC) endpoint in JSON, bypassing raw syslog for better parsing:
module(load="omhttp")
*.* action(
type="omhttp"
server="splunk-hec.example.com"
serverport="8088"
httpheader="Authorization: Splunk <token>"
template="SplunkHEC"
usehttps="on"
)
module(load="omhttp")
*.* action(
type="omhttp"
server="splunk-hec.example.com"
serverport="8088"
httpheader="Authorization: Splunk <token>"
template="SplunkHEC"
usehttps="on"
)
For Graylog, omfwd can target a syslog TCP input carrying the RFC 5424 template shown below (GELF inputs listen on a separate port, conventionally 12201), optionally over TLS for security:
*.* @@graylog.example.com:514;RSYSLOG_SyslogProtocol23Format
These relays support filtering and transformation in rsyslog before handover, optimizing for platform-specific strengths like Splunk's predictive analytics or Graylog's stream processing. As of rsyslog 8.2510.0 (October 2025), enhancements include better support for Windows event logs and AI-driven documentation for easier configuration of integrations.[78][79][80][81][82]