Understanding rsyslog Actions

Actions specify what to do with the messages filtered out by a selector. The following are some of the available actions.

Saving rsyslog Messages to Log Files

To save an rsyslog message to a log file, specify the absolute path to the log file after the selector. The following example selects all cron messages and the action saves them to the /var/log/cron.log log file:

cron.* /var/log/cron.log

You can specify an existing tty or /dev/console device to send rsyslog messages to standard output.

Sending rsyslog Messages over the Network

Use the following syntax to forward rsyslog messages to a remote machine:

@[zNUMBER]HOST:[PORT]

– Use a single at sign (@) to specify UDP as the transport protocol.
– Use a double at sign (@@) to specify TCP.
– The optional zNUMBER field enables a level of zlib compression from 1 to 9.
– The HOST field specifies the receiving host.
– The optional PORT field specifies the port number on the receiving host.

For example, to forward messages to 192.168.10.101 using the UDP protocol:

*.* @192.0.2.101

To forward messages to port 18 on “host02.example.com” using the TCP protocol:

*.* @@host02example.com:18

Sending rsyslog Messages to Specific Users

Specify the username to send rsyslog messages to. Separate usernames with a comma (,) to specify more than one user. Use an asterisk (*) to send messages to every user that is currently logged on. The following example sends all kernel messages to user joe:

kern.* joe

Executing a Program

You can execute a program for selected rsyslog messages. To specify a program to be executed, prefix it with a caret character (^). Specify a template that formats the received message and passes it to the specified executable as a one-line parameter. The following example processes all kernel messages by the template knl and passes them on to the knlprog program.

kern.* ^knl-prog;knl

Write rsyslog Messages into a Database

You can use the database writer action to write selected rsyslog messages directly into a database table. The database writer uses the following syntax:

:PLUGIN:DB_HOST,DB_NAME,DB_USER,DB_PASSWORD;[TEMPLATE]

– The PLUGIN field specifies the plug-in that performs the database writing.
– rsyslog provides support for MySQL and PostgreSQL databases.
– MySQL integration requires the rsyslogmysql software package.
– PostgreSQL requires the rsyslog-pgsql package. You also need to load the ommysql module for MySQL and the ompgsql module for PostgreSQL.

Discarding rsyslog Messages

Use the tilde character (~) to discard selected messages. The following rule discards any news messages:

news.* ~

You can specify multiple actions for a selector by specifying subsequent actions on a new line and preceding the actions with an ampersand character (&). Specify the selector on the first action line. The following is an example of a rule with multiple actions:

kern.* joe
& ^knl-prog;knl
& @192.0.2.101

In the preceding example, all kernel messages are:
– Sent to user joe
– Processed by the template knl and passed on to the knl-prog executable
– Forwarded to 192.0.2.101 by using the UDP protocol