
SR Linux implements logging via the standard Linux rsyslogd package. With dynamic configuration, log filters can be defined and passed to remote servers or other specified destinations.

SR Linux log_mgr application supports the standard RFC5424 message format when relaying syslog messages to remote servers.

RFC 5424 introduces a more structured and extensible syslog message format designed to overcome the limitations of the earlier syslog formats, such as RFC 3164. RFC 5424 includes features like high-precision time-stamping with timezone information and support for embedding structured log data.

The main configuration file for rsyslogd is /etc/rsyslog.conf. SR Linux installs a minimal version of the /etc/rsyslog.conf file and maintains an SR Linux-specific configuration under the /etc/rsyslog.d/ directory.

You can configure SR Linux logging using the CLI or a northbound API. Although you can add *.conf files manually in the /etc/rsyslog.d directory, it is not recommended.

SR Linux .conf files under /etc/rsyslog.d use standard rsyslog syntax for configuring filters and actions within rules.

SR Linux supports configuration of Linux facilities and SR Linux subsystems as sources for log messages to filter. See the SR Linux Log Events Guide for properties and descriptions of the log messages that can be generated by SR Linux subsystems.

Logging configuration consists of specifying a source for input log messages, possibly filtering messages by some pattern, and specifying an output destination.

Templates are easy-to-reuse message formats. rsyslog contains pre-defined templates identified by the RSYSLOG_ prefix. For information about the supported rsyslog templates, see sections Rsyslog templates for local buffer, file, or console output and Rsyslog templates for forwarding messages to remote servers.

Input sources for log messages

SR Linux supports using messages logged to Linux syslog facilities and messages generated by SR Linux subsystems as input sources for log messages.

Linux syslog facilities describes the Linux syslog facilities that can be used as input sources for log messages.

Table 1. Linux syslog facilities




All supported Linux syslog facilities


Audit messages


Security/authorization messages that do not contain secret information


Security/authorization messages that may contain secret information


Alert messages


Messages generated by cron


Messages generated by system daemons without their own facility


Messages generated by an FTP daemon


Messages generated by the kernel


Local use 0


Local use 1


Local use 2


Local use 3


Local use 4


Local use 5


Local use 6


Local use 7


Messages generated by the line printer subsystem


Messages generated by a mail client or server


Messages generated by the network news subsystem


Messages generated by NTP subsystem


Messages generated internally by syslog


Messages generated by a user


Messages generated by the UUCP (UNIX-to-UNIX copy) subsystem

SR Linux logging subsystem names lists the SR Linux subsystems that produce messages that can serve as input sources for log messages. By default, SR Linux subsystem messages are logged to Linux syslog facility local6.

Table 2. SR Linux logging subsystem names




Messages generated by the aaa_mgr application (not including accounting messages)


Accounting messages generated by the aaa_mgr application


Messages generated through an ACL log action


Messages generated by the app_mgr application


Messages generated by the arp_nd_mgr application


Messages generated by the bfd_mgr application


Messages generated by the bgp_mgr application


Messages generated by the chassis_mgr application


Messages generated by the fib_mgr application


Messages generated by the grpc_server application


Messages generated by the json_rpc_server application


Messages generated by the linux_mgr application


Messages generated by the lldp_mgr application


Messages generated by the mgmt_svr application


Messages generated by the mpls_mgr application


Messages generated by the net_inst_mgr application


Messages generated by the policy_mgr application


Messages generated by the sdk_mgr application


Messages generated by the static_route_mgr application


Messages generated by the xdp_mgr application

Filters for log messages

You can configure filters to target specific messages or groups of log messages captured within the input message source.

A filter can specify the set of messages generated by a Linux facility at a specified priority. For example, messages generated by the kernel that have a priority of warning or higher, or mail facility messages that have a priority of critical.

Filtering can be performed for messages generated by a specific SR Linux subsystem. For example, messages generated by the aaa_mgr application or messages generated by the chassis_mgr application. SR Linux subsystem messages go to a specified Linux facility (by default it is local6), and you can create filters for subsystem-specific messages from this facility.

Logging priorities describes the logging priorities in order of severity.

Table 3. Logging priorities


Priority name




System is unusable



Action must be taken immediately



Critical conditions



Error conditions



Warning conditions



Normal but significant conditions



Informational messages



Debug-level messages

Output destinations for log messages

You can set the action that the SR Linux takes for input messages that meet the criteria specified in a filter. This action can include sending the messages to a destination such as a log file, the console, or a remote host.

For example, you can configure the SR Linux to send messages generated by the kernel that have priority warning to a file called /var/log/srlinux/file/kernel-warning.

Messages generated by an SR Linux subsystem, such as the bgp_mgr or grpc_server application, can be sent to specified destinations.

Actions for messages matching a filter can include the following:

  • Send the messages to a specified file in the /var/log/srlinux/file/ directory.

  • Send the messages to a buffer. A buffer is similar to a file, but uses memory as storage and is not persistent across system reboots. Messages sent to a buffer are stored in the /var/log/srlinux/buffer/ directory.

  • Send the messages to the console; that is, the Linux device /dev/console, which may be assigned to a serial device in hardware.

  • Send the messages to one or more remote servers. You can specify a network-instance where rsyslogd is run and which serves as the source for the messages.

Defining filters

Filters target specific messages or groups of log messages in the input message source. You can define the following filter criteria for log messages:

  • specific text in a message

  • prefix text at the beginning of a message

  • Linux facility that generated the message

  • regular expression matching text in the message

  • syslog tag of the message

Match kernel messages with warning or higher priority

The following example shows a configuration that creates a filter that matches messages from the Linux facility kernel that have a priority of warning or higher. See Logging priorities for a list of logging priorities.

--{ * candidate shared default }--[  ]--
# info system logging
    system {
        logging {
            filter fl {
                facility kern {
                    priority {
                        match-above warning

Match informational or higher accounting messages

The following example creates a filter that matches messages from the Linux facility local6 (where SR Linux subsystem messages are logged by default) that have a priority of informational or higher and contain the text accounting. This filter can be used to match messages from the SR Linux accounting subsystem.

--{ * candidate shared default }--[  ]--
# info system logging
    system {
        logging {
            filter f2 {
                contains accounting
                facility local6 {
                    priority {
                        match-above informational

Logging destination configuration

You can configure the SR Linux to send logging information to the following destinations:

  • log file
  • memory buffer storage
  • console (/dev/console)
  • one or more remote servers

Specifying a log file destination

The SR Linux can send log messages to a specified log file. By default, the log file resides in the /var/log/srlinux/file directory. You can specify the retention policy for the file, including the maximum size (default 10 Mb), as well as the number of files to keep in the rotation (default four files).

Send critical cron messages to a file

The following example uses messages from Linux facility cron as input, filters the messages for those that have critical priority, and sends the filtered messages to the file /var/log/srlinux/file/cron-critical:

--{ * candidate shared default }--[  ]--
# info system logging
    system {
        logging {
            file cron-critical {
                facility cron {
                    priority {
                        match-exact [

Send messages matching a filter to a file

The following example sends messages matching criteria specified in filter f1 to the file /var/log/srlinux/file/f1-match:

--{ * candidate shared default }--[  ]--
# info system logging
    system {
        logging {
            file fl-match {
                filter [

Send specific message types to a file

The following example uses messages generated by the SR Linux AAA subsystem (that is, messages generated by the aaa_mgr application, but not including accounting messages) as input. The messages are filtered for those that have warning or informational priority, and the filtered messages are sent to the file /var/log/srlinux/file/aaa-warn-info.

--{ * candidate shared default }--[  ]--
# info system logging
    system {
        logging {
            file aaa-warn-info {
                subsystem aaa {
                    priority {
                        match-exact [

Specifying a buffer destination

You can configure SR Linux to send log messages to a buffer. A buffer is similar to a file, except that a buffer uses memory as storage and is not persistent across system reboots.

When the SR Linux device boots, it creates a non-swappable tmpfs virtual filesystem at /var/log/srlinux/buffer. This tmpfs filesystem has a fixed size of 512 Mb, which is reserved for buffer usage.

When a buffer is created through a commit transaction, the SR Linux verifies that there is enough buffer space available to contain all configured buffers based on their retention policies. If sufficient space is not available, the commit transaction fails.

The following example sends messages matching criteria specified in filter f1 to the buffer /var/log/srlinux/buffer/f1-match. A retention policy is specified so that when the buffer reaches 5,000,000 bytes, messages are written to a new buffer. After five buffers are filled, the oldest one is overwritten.

--{ * candidate shared default }--[  ]--
# info system logging
    system {
        logging {
            buffer f1-match {
                rotate 5
                size 5000000
                filter [

Specifying the console as destination

You can specify the console as a destination for log messages. The console refers to Linux device /dev/console, The console may be assigned to a serial device in hardware.

The following example uses messages generated by the SR Linux accounting subsystem as input, filters the messages for those that have informational priority or higher, and sends the filtered messages to /dev/console:

--{ * candidate shared default }--[  ]--
# info system logging
    system {
        logging {
            console {
                subsystem accounting {
                    priority {
                        match-above informational

Specifying a remote server destination

The SR Linux can send log messages to one or more remote servers. You can specify the network-instance that the SR Linux uses to contact the remote servers. The rsyslogd process is run within the specified network-instance.

The following example uses messages generated by the SR Linux BGP subsystem (that is, messages generated by the bgp_mgr application) as input, filters the messages for those that have alert priority or higher, and sends the filtered messages to a remote server. The messages are sourced from the mgmt network-instance.

--{ * candidate shared default }--[  ]--
# info system logging
    system {
        logging {
            network-instance mgmt
            remote-server {
                   subsystem bgp {
                       priority {
                           match-above alert

Specifying a Linux syslog facility for SR Linux subsystem messages

All of the messages generated by SR Linux subsystems (see SR Linux logging subsystem names) are logged to the same Linux syslog facility. This behavior allows you to filter messages from all SR Linux subsystems by capturing logs from this facility.

By default, SR Linux subsystem messages are logged to the Linux syslog facility local6. You can optionally specify a different syslog facility. See Linux syslog facilities for the syslog facilities.

The following example changes the Linux syslog facility where messages generated by SR Linux subsystems are logged from the default of local6 to local7:

--{ * candidate shared default }--[  ]--
# info system logging
    system {
        logging {
            subsystem-facility local7

Specifying FQDN for logging hostnames

SR Linux allows you to configure the logging system to use either the system hostname or the system FQDN in the hostname field of the message

The following example configures SR Linux to use the system FQDN for logging messages.

--{ * candidate shared default }--[  ]--
# info system logging
    system {
        logging {
            use-fqdn true

When the use-fqdn option is set to true, the system FQDN is used in the syslog server hostname field. The default is false. This ensures backward compatibility with previous releases that only supported using the system hostname for logging messages. The domain name must be configured for the FQDN to take effect. See Configuring a domain name.

Rsyslog templates for local buffer, file, or console output

SR Linux log_mgr application supports the following rsyslog templates for local buffer, file, or console output.
  • RSYSLOG_DebugFormat
  • RSYSLOG_TraditionalFileFormat
  • RSYSLOG_FileFormat

Using RSYSLOG_DebugFormat

The RSYSLOG_DebugFormat template is mainly meant for debugging and diagnostic purposes and must not be used for remote forwarding or production environment.

--{ * candidate shared default }--[  ]--
# info system logging file messages
    system {
        logging {
            file messages {
                format RSYSLOG_DebugFormat
                rotate 3
                size 10000000
                facility local6 {
                    priority {
                        match-above warning

Using RSYSLOG_TraditionalFileFormat

The message formatRSYSLOG_TraditionalFileFormat has low-precision timestamps.

--{ * candidate shared default }--[  ]--
# info system logging file messages
    system {
        logging {
            file messages {
                format RSYSLOG_TraditionalFileFormat
                rotate 3
                size 10000000
                facility local6 {
                    priority {
                        match-above warning

Using RSYSLOG_FileFormat

The default message format RSYSLOG_FileFormat supports high-precision timestamps and timezone information, as described in RFC 3339.

--{ * candidate shared default }--[  ]--
# info system logging file messages
    system {
        logging {
            file messages {
                format RSYSLOG_FileFormat
                rotate 3
                size 10000000
                facility local6 {
                    priority {
                        match-above warning

Rsyslog templates for forwarding messages to remote servers

SR Linux log_mgr application supports the following rsyslog templates for forwarding messages to remote servers.
  • RSYSLOG_ForwardFormat
  • RSYSLOG_SyslogProtocol23Format
  • RSYSLOG_TraditionalForwardFormat

Using RSYSLOG_ForwardFormat

The message format RSYSLOG_ForwardFormat forwards logs with high-precision timestamps.
--{ * candidate shared default }--[  ]--
# info system logging remote-server format
    system {
        logging {
            remote-server {
                format RSYSLOG_ForwardFormat

Using RSYSLOG_SyslogProtocol23Format

The message format RSYSLOG_SyslogProtocol23Format guarantees reliable and efficient logging of important system events. This default message format is defined in IETF internet-draft ietf-syslog-protocol-23 and closely adheres to the syslog standard RFC5424.

--{ * candidate shared default }--[  ]--
# info system logging remote-server format
    system {
        logging {
            remote-server {
                format RSYSLOG_SyslogProtocol23Format

Using RSYSLOG_TraditionalForwardFormat

The message format RSYSLOG_TraditionalForwardFormat forwards logs with low-precision timestamps.

--{ * candidate shared default }--[  ]--
# info system logging remote-server format    system {
        logging {
            remote-server {
                format RSYSLOG_TraditionalForwardFormat