The Log Pipeline

Introduces the rsyslog log pipeline — the flow of events from input to output through rulesets and queues. This overview shows how logs move through rsyslog’s architecture.

rsyslog processes logs through a log pipeline — internally called the message pipeline. Each log message moves through three conceptual stages:

  1. Input: collects data from sources (sockets, files, journal).

  2. Ruleset: filters, parses, or transforms the message.

  3. Action: outputs the processed log to its destination.

flowchart LR
  subgraph "Input stage"
    I1["imkafka"]:::input
    I2["imjournal"]:::input
    I3["imfile"]:::input
    I4["..."]:::input
    I5["imtcp / imudp"]:::input
  end
  subgraph "Ruleset (logic)"
    F1["Filters<br>(if/then)"]:::ruleset
    P1["mmjsonparse"]:::ruleset
    T1["mmjsontransform"]:::ruleset
  end
  subgraph "Actions (outputs)"
    A1["omkafka"]:::action
    A2["omfwd / omrelp"]:::action
    A3["omhttp"]:::action
    A4["..."]:::action
    A5["omelasticsearch"]:::action
  end
  I1 --> F1
  I2 --> F1
  I3 --> F1
  I4 --> F1
  I5 --> F1
  F1 --> A1
  F1 --> A2
  F1 --> A3
  F1 --> A4
  F1 --> A5
  classDef input fill:#d5e8d4,stroke:#82b366;
  classDef ruleset fill:#dae8fc,stroke:#6c8ebf;
  classDef action fill:#ffe6cc,stroke:#d79b00;

Why this matters

Understanding the log pipeline helps you reason about reliability, performance, and transformations. Every input, rule, and action is a building block that you can compose into advanced pipelines with branching, staging, and queuing.
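
The three stages composed into one configuration with branching and queuing, as an added example (not taken from the rsyslog project's documentation). The port, ruleset name, collector host, queue file name, and file paths are constructed placeholders.

```rsyslog
# Spool directory used by disk-assisted queues (placeholder path).
global(workDirectory="/var/spool/rsyslog")

module(load="imtcp")
module(load="mmjsonparse")

# Stage 1 - Input: receive messages over TCP and bind them to a ruleset.
input(type="imtcp" port="10514" ruleset="remote_in")

# Stage 2 - Ruleset: its own queue decouples the input from slow actions.
ruleset(name="remote_in" queue.type="LinkedList" queue.size="10000") {

    # Parse the message body as JSON; cookie="" accepts JSON without
    # the default "@cee:" prefix.
    action(type="mmjsonparse" cookie="")

    # Branch 1: authentication events go to the central collector.
    # The action queue spills to disk and retries indefinitely, so an
    # unreachable collector does not cause these events to be dropped.
    if $syslogfacility-text == "auth" or $syslogfacility-text == "authpriv" then {
        action(type="omfwd"
               target="collector.example.net" port="10514" protocol="tcp"
               queue.type="LinkedList"
               queue.filename="fwd_auth"
               queue.maxDiskSpace="1g"
               queue.saveOnShutdown="on"
               action.resumeRetryCount="-1")
    }

    # Branch 2: keep messages that failed JSON parsing for inspection.
    if $parsesuccess != "OK" then {
        action(type="omfile" file="/var/log/remote/unparsed.log")
    }

    # Stage 3 - Action: every message is also written to a local file.
    action(type="omfile" file="/var/log/remote/all.log")
}
```

Running `rsyslogd -N1` against the file checks the configuration syntax without starting the daemon.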


© 2008–2025 Rainer Gerhards and others. Licensed under the Apache License 2.0.