Actions specify what to do with the messages that a selector matches. The following are some of the available actions.
Saving rsyslog Messages to Log Files
To save an rsyslog message to a log file, specify the absolute path to the log file after the selector. The following example selects all cron messages and the action saves them to the /var/log/cron.log log file:
cron.* /var/log/cron.log
You can specify an existing tty or /dev/console device to send rsyslog messages to standard output.
Sending rsyslog Messages over the Network
Use the following syntax to forward rsyslog messages to a remote machine:
@[(zNUMBER)]HOST:[PORT]
– Use a single at sign (@) to specify UDP as the transport protocol.
– Use a double at sign (@@) to specify TCP.
– The optional zNUMBER field enables a level of zlib compression from 1 to 9.
– The HOST field specifies the receiving host.
– The optional PORT field specifies the port number on the receiving host.
For example, to forward messages to 192.0.2.101 using the UDP protocol:
*.* @192.0.2.101
To forward messages to port 18 on “host02.example.com” using the TCP protocol:
*.* @@host02.example.com:18
Sending rsyslog Messages to Specific Users
Specify the username to send rsyslog messages to. Separate usernames with a comma (,) to specify more than one user. Use an asterisk (*) to send messages to every user that is currently logged on. The following example sends all kernel messages to user joe:
kern.* joe
Executing a Program
You can execute a program for selected rsyslog messages. To specify a program to be executed, prefix it with a caret character (^). Specify a template that formats the received message and passes it to the specified executable as a one-line parameter. The following example processes all kernel messages by the template knl and passes them on to the knl-prog program:
kern.* ^knl-prog;knl
Writing rsyslog Messages into a Database
You can use the database writer action to write selected rsyslog messages directly into a database table. The database writer uses the following syntax:
:PLUGIN:DB_HOST,DB_NAME,DB_USER,DB_PASSWORD;[TEMPLATE]
– The PLUGIN field specifies the plug-in that performs the database writing.
– rsyslog provides support for MySQL and PostgreSQL databases.
– MySQL integration requires the rsyslog-mysql software package.
– PostgreSQL requires the rsyslog-pgsql package.
– You also need to load the ommysql module for MySQL and the ompgsql module for PostgreSQL.
Discarding rsyslog Messages
Use the tilde character (~) to discard selected messages. The following rule discards any news messages:
news.* ~
You can specify multiple actions for a selector by specifying subsequent actions on a new line and preceding the actions with an ampersand character (&). Specify the selector on the first action line. The following is an example of a rule with multiple actions:
kern.* joe
& ^knl-prog;knl
& @192.0.2.101
In the preceding example, all kernel messages are:
– Sent to user joe
– Processed by the template knl and passed on to the knl-prog executable
– Forwarded to 192.0.2.101 by using the UDP protocol
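The action forms described above can be recognised mechanically when reviewing a configuration. The following Python sketch is an added example, not part of the original article or of rsyslog itself: it parses legacy-format rules, carries the selector across & continuation lines, and lists the actions worth a second look. The function names, the wording in NOTES and the sample rules (including the database host, user and placeholder password) are assumptions constructed for illustration; compression is written in rsyslog's parenthesised form, (z9), and IPv6 literals are not handled.

```python
import re

# @ = UDP, @@ = TCP, optional (zNUMBER) compression, HOST, optional :PORT
FORWARD = re.compile(r"^(@{1,2})(?:\(z([1-9])\))?([^:\s]+)(?::(\d+))?$")
# First character of any other action decides its type; the rest are user lists
PREFIX = {"/": "file", "^": "exec", ":": "database", "~": "discard"}
NOTES = {"udp": "UDP forward: no delivery guarantee",
         "exec": "message text is handed to an external program",
         "discard": "matching messages are dropped",
         "database": "database password is stored in the rule"}

def classify_action(action):
    """Map one legacy-format action string to (kind, details)."""
    m = FORWARD.match(action)
    if m:
        return "forward", {"proto": "tcp" if m[1] == "@@" else "udp",
                           "zlib": m[2], "host": m[3], "port": m[4]}
    return PREFIX.get(action[:1], "users"), {"raw": action}

def parse_rules(text):
    """Return (selector, kind, details) tuples; '&' lines reuse the last selector."""
    rules, selector = [], None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("&"):
            action = line[1:].strip()
        else:
            parts = line.split(None, 1)
            if len(parts) < 2 or line[0] in "#$":   # blank, comment or directive
                continue
            selector, action = parts
        rules.append((selector, *classify_action(action)))
    return rules

def review(rules):
    """Return (selector, note) pairs for the actions worth a second look."""
    keyed = [(s, i["proto"] if k == "forward" else k) for s, k, i in rules]
    return [(s, NOTES[key]) for s, key in keyed if key in NOTES]

# Constructed sample built from the rule forms shown on this page
SAMPLE = """cron.* /var/log/cron.log
kern.* joe
& ^knl-prog;knl
& @192.0.2.101
*.* @@(z9)host02.example.com:18
news.* ~
*.* :ommysql:db.example.com,Syslog,rsyslog,PLACEHOLDER_PASSWORD"""
```

Calling review(parse_rules(SAMPLE)) reports the program execution and UDP forward under kern.*, the discard under news.*, and the database rule under *.*; the file, user and TCP actions pass without a note.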