A dedicated rsyslog file route keeps one class of messages visible without forcing an operator to search through the default system log. The route needs a match condition, a writable destination, and a clear decision about whether matching messages should continue into later rules.
rsyslog writes local files through the omfile output module. A RainerScript rule can test a message property, run an omfile action for matching records, and then use stop when the matching records should leave the remaining default rule flow.
The example uses a temporary route-demo program tag and /var/log/route-demo.log as the proof destination on a systemd Linux host where rsyslog is already installed. Keep the proof file small, validate the full master configuration before restarting the service, and add log rotation before leaving a high-volume route in production.
Steps to route matching syslog messages to a local file:
- Choose the match condition, destination file, and stop behavior.
Match condition: $programname == "route-demo"
Destination file: /var/log/route-demo.log
File mode: 0640
Stop behavior: matching messages do not continue to later rules
Use a program-name match for the first proof because logger --tag route-demo can generate matching and non-matching messages without changing any application.
- Create or clear the destination file with the usual Ubuntu rsyslog log ownership.
$ sudo install -o syslog -g adm -m 0640 /dev/null /var/log/route-demo.log
If the host uses different ownership for local log files, match the owner and group used by existing files under /var/log.
- Create a dedicated rsyslog drop-in file before the packaged default file rules.
$ sudoedit /etc/rsyslog.d/30-route-demo.conf
On Debian and Ubuntu packages, /etc/rsyslog.d/50-default.conf contains common local file rules. A lower-numbered drop-in lets stop prevent matching messages from reaching those later defaults.
- Add the property filter and omfile action.
if ($programname == "route-demo") then {
    action(type="omfile" file="/var/log/route-demo.log" fileCreateMode="0640")
    stop
}
Remove stop when the same matching messages should also continue to later local files or forwarding rules.
Use the facility and priority filter workflow when a selector should drive the route instead of $programname.
- Validate the full rsyslog configuration before applying the route.
$ sudo rsyslogd -N1
rsyslogd: version 8.x, config validation run (level 1), master config /etc/rsyslog.conf
rsyslogd: End of config validation run. Bye.
Run validation through /etc/rsyslog.conf so the master file and included drop-ins are checked in service order.
- Restart rsyslog so the daemon reads the new drop-in file.
$ sudo systemctl restart rsyslog
- Send one matching test message with the configured tag.
$ logger -t route-demo -- "routed message for file rule"
- Send one non-matching test message with a different tag.
$ logger -t other-demo -- "message that should stay out"
- Confirm the matching message reached the route destination.
$ sudo grep "routed message for file rule" /var/log/route-demo.log
2026-06-05T09:00:00+00:00 loghost route-demo: routed message for file rule
- Confirm the non-matching message did not reach the route destination.
$ sudo grep "message that should stay out" /var/log/route-demo.log
No output confirms that the other-demo message did not enter the dedicated file route.
- Check the created file mode before using the route for production messages.
$ sudo stat -c "%a %n" /var/log/route-demo.log
640 /var/log/route-demo.log
If rsyslog reports suspended omfile actions or the file stays empty after matching tests, check path ownership, directory permissions, and service logs.
- Replace the temporary tag, path, and message text with the production match and destination.
Add a matching logrotate rule for any dedicated file that can grow beyond a short proof test.
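A pre-flight lint for the drop-in built in the steps above, as an added example that is not part of the original article: it checks that the route file sorts before 50-default.conf, uses an omfile action, and sets a fileCreateMode with no access for other, and it reports whether stop is present. The function names, the 60-route-late.conf sample, and the scratch directory are constructed for illustration, and the check assumes drop-ins load in sorted file-name order.

```sh
#!/bin/sh
# Added example: lint an rsyslog drop-in route before rsyslogd -N1 and restart.
# check_route DIR FILE returns 0 only when FILE sorts before 50-default.conf,
# has an omfile action, and sets fileCreateMode with no access for "other".
check_route() {
    dir=$1 file=$2 rc=0
    [ -f "$dir/$file" ] || { echo "missing: $dir/$file"; return 2; }
    # Assumption: drop-ins are included in sorted file-name order.
    first=$(printf '%s\n' "$file" 50-default.conf | LC_ALL=C sort | head -n 1)
    if [ "$first" != "$file" ] || [ "$file" = 50-default.conf ]; then
        echo "order: $file does not load before 50-default.conf"; rc=1
    fi
    body=$(grep -v '^[[:space:]]*#' "$dir/$file" || true)  # skip comment lines
    printf '%s\n' "$body" | grep -q 'type="omfile"' ||
        { echo "action: no omfile action found"; rc=1; }
    mode=$(printf '%s\n' "$body" |
        sed -n 's/.*fileCreateMode="\([0-7]*\)".*/\1/p' | head -n 1)
    case $mode in
        "") echo "mode: fileCreateMode not set"; rc=1 ;;
        *0) echo "mode: $mode" ;;
        *)  echo "mode: $mode grants access to other"; rc=1 ;;
    esac
    # stop is a routing choice, not an error: report it so it is explicit.
    if printf '%s\n' "$body" | grep -Eq '(^|[[:space:];{}])stop([[:space:];}]|$)'; then
        echo "stop: present, matches leave the rule flow here"
    else
        echo "stop: absent, matches continue to later rules"
    fi
    return $rc
}

# Constructed sample drop-ins in a scratch directory, not a live /etc/rsyslog.d.
make_samples() {
    d=$(mktemp -d)
    cat > "$d/30-route-demo.conf" <<'EOF'
if ($programname == "route-demo") then {
    action(type="omfile" file="/var/log/route-demo.log" fileCreateMode="0640")
    stop
}
EOF
    # Same rule, named to load late, with a world-readable mode and no stop.
    sed 's/0640/0644/; /stop/d' "$d/30-route-demo.conf" > "$d/60-route-late.conf"
    echo "$d"
}

samples=$(make_samples)
check_route "$samples" 30-route-demo.conf
check_route "$samples" 60-route-late.conf || echo "60-route-late.conf needs changes"
rm -rf "$samples"
```

Point check_route at /etc/rsyslog.d and the real drop-in name to use it on a host; rsyslogd -N1 is still needed to confirm the configuration parses.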
Mohd Shakir Zakaria is a cloud architect with deep roots in software development and open-source advocacy. Certified in AWS, Red Hat, VMware, ITIL, and Linux, he specializes in designing and managing robust cloud and on-premises infrastructures.