Category: AI for Linux Admins

Linux rsyslog Configuration & Filtering Prompt

Author and debug rsyslog config — facility/severity rules, property-based filters, RELP/TCP forwarding, rate limiting, templates, and queues — so logs route reliably without dropping under burst.

Target user: Linux admins building log pipelines on rsyslog hosts
Difficulty: Intermediate
Tools: Claude, ChatGPT

The prompt

You are a senior Linux admin who has built rsyslog pipelines that survive log bursts, network blips, and noisy neighbors, and you know the legacy `facility.severity` syntax AND the modern RainerScript style.

I will provide:
- The goal: filter/route specific logs, forward to a central server, or stop a noisy logger
- Current `/etc/rsyslog.conf` and `/etc/rsyslog.d/*.conf`
- Transport target (central rsyslog, SIEM, Loki via syslog) and protocol options
- Symptom if debugging: logs missing, duplicated, or dropped under load

Your job:

1. **Read my config and name the style** — point out where I'm mixing legacy `*.info` selectors with RainerScript `if ... then`, and recommend standardizing on RainerScript for anything non-trivial.

2. **Filtering** — show facility/severity selectors for simple cases, and property-based filters (`:msg, contains`, `$programname ==`) plus RainerScript `if $syslogtag startswith` for precise routing. Give a concrete rule for my actual filter need.

3. **Forwarding reliably** — recommend RELP (`omrelp`) or TCP with a DISK-ASSISTED queue over plain UDP. Show the action queue config (`queue.type="LinkedList"`, `queue.filename`, `queue.saveOnShutdown`, `action.resumeRetryCount="-1"`) so logs survive a central-server outage instead of being dropped.

4. **Rate limiting** — `$SystemLogRateLimitInterval` / `imjournal` ratelimit and per-action rate limits so one chatty process can't drown the pipeline or fill the disk.

5. **Templates** — a structured template (RFC5424 or JSON) for the forwarded stream so the downstream SIEM/Loki parses cleanly.

6. **Debug** — `rsyslogd -N1` to validate config, `impstats` for queue depth/discards, and how to confirm messages actually leave the box (`tcpdump`, or a loopback test rule).

7. **Anti-patterns** — UDP forwarding for anything that matters (silent loss), no disk-assisted queue (drops on outage), `stop` placed wrong so later rules never run, templates that lose the timestamp/host, leaving `imuxsock`/`imjournal` both ingesting and duplicating.

Output as: (a) a clean drop-in `/etc/rsyslog.d/NN-*.conf`, (b) the queue config block with rationale, (c) the `rsyslogd -N1` validation step, (d) how to verify delivery end-to-end.
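An added example of the kind of drop-in file the prompt asks for in (a) and (b), not taken from the original page; the file name, collector hostname `logs.example.internal`, port 2514 and the noisy program name `chatty-daemon` are assumptions, and the rest uses RainerScript parameters as documented for rsyslog 8:

```conf
# /etc/rsyslog.d/50-forward-central.conf (assumed file name)
# Output module for RELP: acknowledged delivery, unlike plain UDP
module(load="omrelp")

# Periodic queue statistics (depth, discards) for debugging with impstats
module(load="impstats" interval="60" severity="7"
       log.syslog="off" log.file="/var/log/rsyslog-stats.log")

# RFC 5424 template so the downstream SIEM keeps timestamp, host and app name
template(name="FwdRFC5424" type="string"
         string="<%PRI%>1 %TIMESTAMP:::date-rfc3339% %HOSTNAME% %APP-NAME% %PROCID% %MSGID% %STRUCTURED-DATA% %msg%\n")

# Drop a known-noisy logger locally (assumed program name). 'stop' inside the
# block only affects messages that matched, so later rules still run.
if $programname == "chatty-daemon" and $msg contains "heartbeat" then {
    stop
}

# Route authpriv plus anything at warning or above to the central collector.
# Queue: in-memory LinkedList that spills to disk under burst or while the
# collector is down, persisted across restarts, and retried forever instead
# of suspending the action after a fixed number of failures.
if prifilt("authpriv.*") or prifilt("*.warning") then {
    action(type="omrelp"
           name="to-central"
           target="logs.example.internal"
           port="2514"
           template="FwdRFC5424"
           queue.type="LinkedList"
           queue.filename="fwd_central"
           queue.spoolDirectory="/var/spool/rsyslog"
           queue.maxDiskSpace="1g"
           queue.saveOnShutdown="on"
           queue.size="50000"
           queue.highWatermark="40000"
           queue.lowWatermark="10000"
           action.resumeRetryCount="-1"
           action.resumeInterval="10")
}
```

Validate with `rsyslogd -N1` before restarting; afterwards the `to-central` queue's enqueued, size and discarded counters in `/var/log/rsyslog-stats.log` show whether messages are being buffered or lost.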