5. Order Matters: Config and Include Files#

Learn how rsyslog processes configuration in order, why file ordering in /etc/rsyslog.d/ matters, and how earlier rules affect later ones.

5.1. Goal#

Understand that rsyslog executes rules sequentially. The order of actions and included files can change results.

5.2. Key principle#

Rules in the same file run top to bottom.
Files in /etc/rsyslog.d/ are processed in lexical order (e.g., 10-first.conf runs before 50-extra.conf).
An earlier rule can discard or modify messages, so later rules may never see them.

5.3. Hands-on example#

Create /etc/rsyslog.d/10-drop.conf:

if ($programname == "tut05") then {
    stop    # discard these messages, no further actions
}

Create /etc/rsyslog.d/20-log.conf:

if ($programname == "tut05") then {
    action(type="omfile" file="/var/log/tut05.log")
}

Restart rsyslog:

sudo systemctl restart rsyslog

Send a test message:

logger -t tut05 "hello from tutorial 05"

5.3.1. Expected result#

No file /var/log/tut05.log is created. The first snippet (10-drop.conf) discards the message before the logging rule runs.

5.4. Switch the order#

Rename the files to reverse order:

sudo mv /etc/rsyslog.d/10-drop.conf /etc/rsyslog.d/50-drop.conf
sudo systemctl restart rsyslog
logger -t tut05 "hello after reorder"

Now /var/log/tut05.log will contain the message, because the logging rule ran first.

5.5. If it’s not working…#

Still no log file
- Check snippet order with: ls -1 /etc/rsyslog.d/
- Ensure 20-log.conf comes before 50-drop.conf.
File exists but is empty
- Confirm you used the correct tag: logger -t tut05 "…"
Syntax errors
- Validate your config: sudo rsyslogd -N1

5.6. Verification checkpoint#

By the end of this tutorial you should be able to:

Explain that rsyslog rules run top to bottom, file by file.
Use file naming (10-…, 50-…) to control execution order.
Predict why a later action might never see a message.

5.7. See also / Next steps#

The Log Pipeline: Inputs → Rulesets → Actions – how messages flow through inputs, rulesets, and actions.
Basic Configuration – reference example of a simple config.
Forwarding Logs – adding network forwarding.

Tip

🎬 Video idea (3 min): show two snippet files, run logger -t tut05 …, then swap the file order and rerun. Visualize how rsyslog processes files in lexical order.

Support: rsyslog Assistant | GitHub Discussions | GitHub Issues: rsyslog source project

Contributing: Source & docs: rsyslog source project