A dedicated rsyslog file route keeps one class of messages visible without forcing an operator to search through the default system log. The route needs a match condition, a writable destination, and a clear decision about whether matching messages should continue into later rules.
rsyslog writes local files through the omfile output module. A RainerScript rule can test a message property, run an omfile action for matching records, and then use stop when the matching records should leave the remaining default rule flow.
The example uses a temporary route-demo program tag and /var/log/route-demo.log as the proof destination on a systemd Linux host where rsyslog is already installed. Keep the proof file small, validate the full master configuration before restarting the service, and add log rotation before leaving a high-volume route in production.
Match condition: $programname == "route-demo"
Destination file: /var/log/route-demo.log
File mode: 0640
Stop behavior: matching messages do not continue to later rules
Use a program-name match for the first proof because logger --tag route-demo can generate matching and non-matching messages without changing any application.
$ sudo install -o syslog -g adm -m 0640 /dev/null /var/log/route-demo.log
If the host uses different ownership for local log files, match the owner and group used by existing files under /var/log.
$ sudoedit /etc/rsyslog.d/30-route-demo.conf
On Debian and Ubuntu packages, /etc/rsyslog.d/50-default.conf contains common local file rules. A lower-numbered drop-in lets stop prevent matching messages from reaching those later defaults.
if ($programname == "route-demo") then {
    action(type="omfile" file="/var/log/route-demo.log" fileCreateMode="0640")
    stop
}
Remove stop when the same matching messages should also continue to later local files or forwarding rules.
Use the facility and priority filter workflow when a selector should drive the route instead of $programname. Related: How to filter syslog messages by facility and priority in rsyslog
$ sudo rsyslogd -N1
rsyslogd: version 8.x, config validation run (level 1), master config /etc/rsyslog.conf
rsyslogd: End of config validation run. Bye.
Run validation through /etc/rsyslog.conf so the master file and included drop-ins are checked in service order. Related: How to test rsyslog configuration syntax
$ sudo systemctl restart rsyslog
Related: How to manage the syslog service
$ logger -t route-demo -- "routed message for file rule"
Related: How to send a test syslog message
$ logger -t other-demo -- "message that should stay out"
$ sudo grep "routed message for file rule" /var/log/route-demo.log
2026-06-05T09:00:00+00:00 loghost route-demo: routed message for file rule
$ sudo grep "message that should stay out" /var/log/route-demo.log
No output confirms that the other-demo message did not enter the dedicated file route.
$ sudo stat -c "%a %n" /var/log/route-demo.log
640 /var/log/route-demo.log
If rsyslog reports suspended omfile actions or the file stays empty after matching tests, check path ownership, directory permissions, and service logs. Related: How to fix rsyslog output file permission errors
Add a matching logrotate rule for any dedicated file that can grow beyond a short proof test. Related: How to rotate syslog log files with logrotate
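The manual checks above (matching message present, non-matching message absent, file mode 640) can be bundled into one repeatable test. The script below is an added example, not part of the original guide; the function names and the route-check.sh file name are hypothetical, and it assumes GNU stat and the "HOST TAG: message" line format shown in the grep output above.

```shell
#!/bin/sh
# Added example, not from the original page. Assumes GNU stat and the
# "HOST TAG: message" file format shown in the guide's grep output.

# route_has FILE TAG TEXT: true if FILE has a line from program TAG containing TEXT.
route_has() {
    awk -v tag="$2" -v text="$3" '
        (index($0, " " tag ": ") || index($0, " " tag "[")) && index($0, text) { found = 1 }
        END { exit !found }' "$1"
}

# check_route FILE TAG HIT MISS MODE: 0 only if HIT was routed into FILE,
# MISS stayed out, and FILE has exactly the octal MODE.
check_route() {
    log=$1; tag=$2; hit=$3; miss=$4; mode=$5; rc=0
    [ -r "$log" ] || { echo "FAIL: cannot read $log" >&2; return 1; }
    route_has "$log" "$tag" "$hit" || { echo "FAIL: routed message missing" >&2; rc=1; }
    if grep -qF -- "$miss" "$log"; then
        echo "FAIL: non-matching message reached $log" >&2; rc=1
    fi
    actual=$(stat -c %a "$log")
    [ "$actual" = "$mode" ] || { echo "FAIL: mode $actual, expected $mode" >&2; rc=1; }
    return "$rc"
}

# live_check: send one matching and one non-matching message with a marker
# unique to this run, so lines left by earlier tests cannot satisfy the check.
live_check() {
    id="$(date +%s)-$$"
    logger -t route-demo -- "route-check hit $id"
    logger -t other-demo -- "route-check miss $id"
    sleep 1   # give rsyslog time to write the record
    check_route /var/log/route-demo.log route-demo \
        "route-check hit $id" "route-check miss $id" 640
}

# Run against the live service only when asked: sudo sh route-check.sh --live
if [ "${1:-}" = "--live" ]; then live_check; fi
```

Run it as root so the 0640 file is readable; a non-zero exit status means at least one of the three checks failed.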