Rsyslog Properties

2 min read Uncategorized

Here's the full list of rsyslog message properties that can be configured in /etc/rsyslog.conf:

Message Properties

Property	Description
`$msg`	The message body (content after the header)
`$rawmsg`	The entire raw message as received
`$rawmsg-after-pri`	Raw message after the PRI part
`$hostname`	Hostname from the message
`$source`	Alias for hostname
`$fromhost`	Hostname of the system the message was received from
`$fromhost-ip`	IP address of the system the message was received from
`$syslogtag`	Tag from the message (e.g., "sshd[1234]:")
`$programname`	Program name (tag without the PID portion)
`$pri`	PRI value (numeric)
`$pri-text`	PRI as text (e.g., "local0.err")
`$syslogfacility`	Facility as numeric value (0-23)
`$syslogfacility-text`	Facility as text (e.g., "local0", "auth", "kern")
`$syslogseverity`	Severity as numeric value (0-7)
`$syslogseverity-text`	Severity as text (e.g., "err", "info", "debug")
`$timegenerated`	Timestamp when message was received by rsyslog
`$timereported`	Timestamp from the message itself
`$timestamp`	Alias for timereported
`$protocol-version`	Syslog protocol version (0 = legacy, 1 = RFC5424)
`$structured-data`	Structured data from RFC5424 messages
`$app-name`	APP-NAME from RFC5424
`$procid`	PROCID from RFC5424 (or extracted PID)
`$msgid`	MSGID from RFC5424
`$inputname`	Name of the input module that received the message


Property	Description
`$year`	4-digit year
`$month`	2-digit month (01-12)
`$day`	2-digit day (01-31)
`$hour`	2-digit hour (00-23)
`$minute`	2-digit minute (00-59)
`$second`	2-digit second (00-59)
`$now`	Current date in YYYY-MM-DD format
`$now-unixtimestamp`	Current time as Unix timestamp


Property	Description
`$myhostname`	Hostname of the rsyslog server itself
`$bom`	Byte Order Mark (UTF-8)
`$uptime`	System uptime in seconds