Learn to route, drop, and rewrite messages with rsyslog filters for clearer log management.

16.11.2025 | reading time: 3 min

Logs flood fast. Filters let you decide which lines matter and where they go, and rsyslog is the tool that enforces those decisions. This short guide shows how to write filters that route, store, or drop messages so log files stay useful instead of noisy.

## Route app warnings and drop debug

Create a small RainerScript rule that sends warnings and above from a program called "app1" to a separate file while discarding debug lines. Syslog severities count down as urgency rises, so `$syslogseverity <= 4` matches warning (4) and anything more severe, and `== 7` matches debug only; notice and info lines from app1 match neither rule and continue to the default destinations. Create "/etc/rsyslog.d/10-app1.conf", add the rules shown below, then restart rsyslog and test with `logger`:

```
if ($programname == "app1" and $syslogseverity <= 4) then {
    action(type="omfile" file="/var/log/app1-warning.log")
    stop
}
if ($programname == "app1" and $syslogseverity == 7) then {
    stop
}
```

Commands to deploy and test:

```
sudo tee /etc/rsyslog.d/10-app1.conf > /dev/null <<'EOF'
if ($programname == "app1" and $syslogseverity <= 4) then {
    action(type="omfile" file="/var/log/app1-warning.log")
    stop
}
if ($programname == "app1" and $syslogseverity == 7) then {
    stop
}
EOF
sudo systemctl restart rsyslog
logger -t app1 -p user.warning "Test warning from app1"
logger -t app1 -p user.debug "Test debug from app1"
tail -n 5 /var/log/app1-warning.log || echo "no file"
```

Expected result: the warning line appears in "/var/log/app1-warning.log" and the debug line does not.

## Filters, templates and performance

Use property-based filters for simple checks and RainerScript for complex logic. Prefer `action(type="omfile" file="...")` followed by `stop`, so a matched message is not processed again by the catch-all rules later in the configuration. Apply rate-limiting modules when high-volume sources threaten I/O, and use templates to control the output format or to forward with TLS. Test with `logger` and check rsyslog's diagnostics in the journal so you can iterate safely.
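The template, TLS-forwarding and rate-limiting points above, worked through as one configuration for the app1 stream. This is an added example, not part of the original post; the collector hostname `logs.example.com`, port 6514 and the certificate paths are assumptions to replace with your own.

```rsyslog
# Added example (not from the original post). Hostname, port and
# certificate paths are placeholders; adjust them for your site.

# Rate-limit the local /dev/log socket so one chatty process cannot starve
# the pipeline: at most 500 messages per 5 s per sender, the excess is dropped
# and rsyslog logs a summary line. Only one module(load="imuxsock") may exist,
# so edit the existing load line in rsyslog.conf rather than adding a second.
module(load="imuxsock"
       SysSock.RateLimit.Interval="5"
       SysSock.RateLimit.Burst="500")

# Output format: RFC 3339 timestamp, host, tag and message.
template(name="app1-fmt" type="string"
         string="%timereported:::date-rfc3339% %HOSTNAME% %syslogtag%%msg%\n")

# Client-side TLS material for the forwarder (placeholder paths). The server
# certificate is checked against this CA and the permitted peer name below.
global(DefaultNetstreamDriver="gtls"
       DefaultNetstreamDriverCAFile="/etc/rsyslog.d/tls/ca.pem"
       DefaultNetstreamDriverCertFile="/etc/rsyslog.d/tls/client-cert.pem"
       DefaultNetstreamDriverKeyFile="/etc/rsyslog.d/tls/client-key.pem")

if ($programname == "app1" and $syslogseverity <= 4) then {
    # Keep the local copy in the same format as the forwarded one.
    action(type="omfile" file="/var/log/app1-warning.log" template="app1-fmt")

    # Forward over TLS with certificate and peer-name verification so the
    # lines cannot be read or spoofed in transit. The disk-assisted queue
    # buffers locally while the collector is unreachable and retries forever
    # instead of silently discarding (queue files land in the global
    # workDirectory, /var/spool/rsyslog on most distributions).
    action(type="omfwd" target="logs.example.com" port="6514" protocol="tcp"
           template="app1-fmt"
           StreamDriver="gtls" StreamDriverMode="1"
           StreamDriverAuthMode="x509/name"
           StreamDriverPermittedPeers="logs.example.com"
           queue.type="LinkedList" queue.filename="app1-fwd"
           queue.saveOnShutdown="on" action.resumeRetryCount="-1")
    stop
}
if ($programname == "app1" and $syslogseverity == 7) then {
    stop
}
```

Run `sudo rsyslogd -N1` to syntax-check the configuration before restarting, and watch `journalctl -u rsyslog` for TLS handshake or peer-name errors after the first forwarded message.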
## Where rsyslog sits in your stack

Rsyslog plays nicely with systemd-journald and with external collectors: it can read files, accept network syslog, forward to log shippers, or write into files managed by log rotation. Choose modules such as `imfile`, `omfwd` or `omprog` depending on whether you ingest files, forward to remote servers, or pipe to processors.

## Next steps

Start by isolating one noisy service, write a small rsyslog rule, and iterate until the logs carry signal rather than noise. Deepen that skill into broader Linux administration, and consider formalizing your knowledge with certificates such as CompTIA Linux+ or LPIC-1; bitsandbytes.academy offers intensive exam preparation to help you pass.