Modules contain configuration parameters for processing messages. The processed or transformed messages can then be transmitted to various targets as required. Modules are classified into different categories, such as output, input, parser, library, and so on. For a complete list of these module classes, see the appropriate section in https://www.rsyslog.com/doc/. For a list of the modules, see the rsyslog.conf(5) manual page.

Modules enable different rsyslog functionalities to become operative, so long as those modules are loaded. Modules are loaded through the module load directive as follows:

module(load="module-name")

Global directives specify configuration options that apply to the rsyslogd daemon. A directive might specify the location of auxiliary files. A directive can also be a module(load" ") statement that applies global settings, such as the timestamp format to use for all messages, as shown in the following example:

module(load="builtin:omfile" Template=RSYSLOG_TraditionalFileFormat")

Because the module applies to all messages, the directive is specified under the Global Directives section.

Rules or rule sets configure how logged messages are managed.

A rule consists of two fields: a selector field and an action field. The two fields are separated by one more spaces or tabs.

The selector field has two parts, separated by a period, which are a facility keyword and a priority keyword. Facility keywords include auth, authpriv, cron, daemon, kern, and so on. Priority keywords include debug, info, notice, warning, and so on. Therefore kern.* selects kernel messages of all priority levels, but kern.emerg selects emergency kernel messages only.

For a list of both facility and priority selectors, see the rsyslog.conf(5) manual page.

The action field typically indicates to which log file the message content is written. For example, the following rule indicates that cron messages are stored in log files in the /var/log/cron directory:

cron.*   /var/log/cron