rsyslog

The rsyslog daemon is a log entry management facility whose main configuration file is /etc/rsyslog.conf. Each rule in this file consists of three parts: facility, priority and action.

 
Facilities    Priorities    Actions
kern          emerg         /path/filename        → dumps messages onto the file
user          alert         @ip_address           → sends messages to IP:514 over udp
mail          crit          @ip_address:port      → sends messages to IP:port over udp
daemon        err           @@ip_address          → sends messages to IP over tcp
auth          warning       @@[2001:db8::1]       → sends messages to IP over tcp
syslog        notice        /dev/console          → sends messages to the local consoles
lpr           info          marc                  → sends messages to the terminals of user marc
news          debug         *                     → sends messages to the terminals of all users
uucp                        ^/home/jan/check.sh   → execute shell script
cron                        insert record in database (MySQL / PostgreSQL)
authpriv                    ~                     → discards message
ftp
ntp
logaudit
logalert
clock
local[0-7]

 

Let’s look at some examples first to make sense of it all. The example below dumps all messages sent by the kernel facility onto the kernel.log file regardless of the priority.

kern.*                       /var/log/kernel.log

The next example dumps messages sent by the mail facility onto the mail.log file as long as they have a critical priority or higher.

mail.crit                    /var/log/mail.log

The following one dumps messages sent by the cron facility onto the cron.log file as long as they do not have info or debug priorities (so notice or higher priority).

cron.*;cron.!=info;cron.!=debug  /var/log/cron.log

The next one dumps messages sent by lpr of critical or higher priority as well as those sent by ftp with priority set to alert (not higher or lower) onto messages.log.

lpr.crit;ftp.=alert          /var/log/messages.log

The next example sends all messages from the kern facility of crit or higher priority to the terminals of user marc, to the file kernel.log and also to the given host over udp on the default port 514. Each additional action goes on its own line beginning with &.

kern.crit                    marc
&                            /var/log/kernel.log
&                            @192.168.0.5
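
The selector rules used in the examples above, modelled in Python as an added example; this is not rsyslog's code and not code from the original page. The function name selector_matches and the sample messages are constructed for illustration, and only the eight priority names from the table are recognised.

```python
# Added example (not from the original page): models how a traditional
# facility.priority selector decides whether a message is logged.
PRIORITIES = ["debug", "info", "notice", "warning",
              "err", "crit", "alert", "emerg"]   # least to most severe


def selector_matches(selector, facility, priority):
    """Return True if `selector` selects a message with this facility/priority.

    Handles '*', 'none', facility lists (a,b), the '=' and '!' priority
    prefixes, and ';'-separated parts, which are applied left to right.
    """
    level = PRIORITIES.index(priority)
    selected = False
    for part in selector.split(";"):
        facilities, _, prio = part.strip().partition(".")
        if facilities != "*" and facility not in facilities.split(","):
            continue                      # this part is about another facility
        if prio == "none":                # 'none' drops the facility entirely
            selected = False
            continue
        negate = prio.startswith("!")
        prio = prio[1:] if negate else prio
        exact = prio.startswith("=")
        prio = prio[1:] if exact else prio
        if prio == "*":
            hit = True
        elif exact:
            hit = level == PRIORITIES.index(prio)   # only this priority
        else:
            hit = level >= PRIORITIES.index(prio)   # this priority or higher
        if hit:
            selected = not negate         # '!' removes, anything else adds
    return selected


if __name__ == "__main__":
    # Constructed sample messages: (facility, priority)
    samples = [("kern", "debug"), ("mail", "err"), ("mail", "alert"),
               ("lpr", "emerg"), ("ftp", "alert"), ("ftp", "emerg"),
               ("kern", "warning"), ("kern", "crit")]
    for sel in ["kern.*", "mail.crit", "lpr.crit;ftp.=alert", "kern.info;kern.!err"]:
        logged = [f"{f}.{p}" for f, p in samples if selector_matches(sel, f, p)]
        print(f"{sel:22} -> {logged}")
```

Note that a bare "!" prefix excludes the named priority and everything above it, which is why kern.info;kern.!err keeps only info, notice and warning.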

The rsyslogd daemon offers more complex configuration options than the ones covered above. If your needs cannot be met with the examples above, check man rsyslog.conf.

If we want to examine log files and we are using a graphical interface (graphical.target) it might be best to use the GUI gnome-system-log.

We can also use journalctl as we shall see in the next section.
