All kernel and system messages on Linux are passed to the rsyslog daemon, whose behavior is defined in the rsyslog.conf file. Every message received is checked against the rule statements in that file to decide how it is handled. If no rule matches the incoming message, it is discarded.
This guide helps users understand the /etc/rsyslog.conf file used to configure logging on the system.
- What is rsyslog.conf File?
- Global Directives
What is rsyslog.conf File?
Rsyslog is an open-source logging utility that can also run as a central logging server to which clients forward their logs. Its primary purpose is to capture messages and route them to the appropriate log files.
The file is located at /etc/rsyslog.conf and can be viewed using any editor (we use the cat command):
$ cat /etc/rsyslog.conf
The output above is a snippet of the contents of rsyslog.conf, and it should not be tampered with.
Let’s discuss the sections in it.
What are Global Directives in the /etc/rsyslog.conf File?
The Global Directives are the configuration options used to configure the rsyslog daemon. They start with a dollar ($) sign and set the daemon's behavior through a predefined set of variables. Only one global directive can be defined per line. Here is an example of defining a global directive to specify the maximum size of the Syslog message:
Add the above line to the rsyslog.conf file directly below the existing Global Directives. Open the file with the nano command:
$ sudo nano /etc/rsyslog.conf
The default value of “$MainMsgQueueSize” is 10000; the line above raises it to 40000.
What are Modules in the /etc/rsyslog.conf File?
Rsyslog uses a modular design to add functionality and features. Modules can also come from third parties, and once loaded they run inside the daemon and can access the data it processes, so load modules from a trusted source only. A module is added with this syntax:
Here, “$ModLoad” is a Global Directive that loads the named module. Here is a list of trusted modules that can be loaded from the rsyslog file.
What are Rules in the /etc/rsyslog.conf File?
At the bottom of the /etc/rsyslog.conf file there is an unlabeled section known as the “Rules Section.” Each rule in it consists of a selector, made up of the facility (the type of message) and its priority, followed by the action to take:
The above rule loads all the additional rule files from “/etc/rsyslog.d”.
What are Selectors in the /etc/rsyslog.conf File?
A selector is made up of two parts, the facility and the priority, separated by a dot (‘.’). More on facilities and priorities can be found in the official documentation.
The priority defines the message’s severity and can be keywords such as emerg, err, alert, warning, info, notice, and debug.
The facility specifies the sub-system that produced the message and can be keywords such as uucp, kern, daemon, cron, auth, authpriv, mail, mark, and local0 – local7.
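As an added example (not part of the original guide), the following Python script applies the selector rules described in the Rules and Selectors sections above to a constructed rules section and reports which actions a message of a given facility and priority would reach; the names route, selector_matches and SAMPLE_CONF are chosen here, and the sample rules are constructed, modelled on a common default layout.

```python
# Added example (not from the page): resolve a legacy-syntax rsyslog rules
# section to the actions a message of a given facility.priority would reach.
import re

PRIORITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
ALIASES = {"panic": "emerg", "error": "err", "warn": "warning"}
# selector (facility[,facility].priority[;...]) then whitespace then the action
RULE_RE = re.compile(r"^([\w*,]+\.[^\s;]+(?:;[\w*,]+\.[^\s;]+)*)\s+(\S.*)$")

def level(name):
    return PRIORITIES.index(ALIASES.get(name, name))

def selector_matches(selector, facility, priority):
    """sysklogd/rsyslog semantics: a bare priority means that level and anything
    more severe, '=' is exact, '!' removes matches, 'none' clears the facility,
    and later parts override earlier ones ('*.info;mail.none' drops mail)."""
    pri_i, matched = level(priority), False
    for part in selector.split(";"):
        facs, pri = part.rsplit(".", 1)
        if not (facs == "*" or facility in facs.split(",")):
            continue                        # this part is about other facilities
        negate, pri = pri.startswith("!"), pri.lstrip("!")
        if pri in ("*", "none"):
            matched = (pri == "*") != negate
        else:
            hit = pri_i == level(pri[1:]) if pri.startswith("=") else pri_i <= level(pri)
            matched = (matched and not hit) if negate else (matched or hit)
    return matched

def route(conf, facility, priority):
    """Actions (files, remote hosts, :omusrmsg:, ...) that fire for the message.
    Comments, $directives and other non-rule lines do not match RULE_RE."""
    actions = []
    for line in conf.splitlines():
        m = RULE_RE.match(line.strip())
        if m and selector_matches(m.group(1), facility, priority):
            actions.append(m.group(2).strip())
    return actions

# Constructed sample, modelled on a common default rules section.
SAMPLE_CONF = """$MainMsgQueueSize 40000
$IncludeConfig /etc/rsyslog.d/*.conf
kern.*                                    /dev/console
*.info;mail.none;authpriv.none;cron.none  /var/log/messages
authpriv.*                                /var/log/secure
mail.*                                    -/var/log/maillog
*.emerg                                   :omusrmsg:*
uucp,news.crit                            /var/log/spooler
"""
```

Calling route(SAMPLE_CONF, "authpriv", "info") shows that an authentication message lands only in /var/log/secure, because the authpriv.none part removes it from /var/log/messages.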
The /etc/rsyslog.conf file is one of the most important configuration files on Linux, as every log message is judged against its configuration. This file contains the Global Directives, Modules, Rules, Selectors, and Actions that control these different functions.
This guide explained the /etc/rsyslog.conf file used to configure logging on a Linux system.