I'm setting up rsyslog on a Red Hat 8 system. I have the first part working, which filters based on source IP and writes logs to a specific file, like this:
if $fromhost-ip startswith '10.1.2.45' then /var/log/test_all.log
& ~
What I'd like to do, but cannot figure out the correct syntax for, is to check for the host IP and the authpriv facility and write it to a file.
I know that I need that statement before the one I listed above, but I can't get it to work. I've also tried local7 (boot logs), and that didn't work either. The next two examples are syntaxes I tried which didn't work:
Example 1:
if $fromhost-ip startswith '10.1.2.45' and $syslogfacility-text == 'local7' then /var/log/test_boot.log
& stop
if $fromhost-ip startswith '10.1.2.45' and $syslogfacility-text == 'local10' then /var/log/test_secure.log
& stop
if $fromhost-ip startswith '10.1.2.45' then /var/log/test_all.log
& stop
Example 2:
if $fromhost-ip startswith '10.1.2.45' and $syslogfacility-text == 'authpriv.*' then /var/log/test_secure.log
& stop
if $fromhost-ip startswith '10.1.2.45' then /var/log/test_all.log
& stop
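
An added example, not part of the original post: one way to write these rules in RainerScript, with the file paths and IP taken from the post. `$syslogfacility-text` holds only the bare facility name (`authpriv`, `local0` through `local7`, and so on), so a comparison against `'authpriv.*'` or `'local10'` never matches. The debug template name `FacDebug` and the file `/var/log/test_debug.log` are hypothetical, and the rules assume the sender really tags its messages authpriv and local7.

```rsyslog
# Added example, not from the original post.
# Assumes a RainerScript-capable rsyslog (v7 or later).

# Temporary debug rule (hypothetical names): record the facility and severity
# that actually arrive from the host, to confirm what the filters must match.
template(name="FacDebug" type="string"
         string="%fromhost-ip% %syslogfacility-text%.%syslogseverity-text% %msg%\n")
if $fromhost-ip == '10.1.2.45' then {
    action(type="omfile" file="/var/log/test_debug.log" template="FacDebug")
}

# Most specific rules first. "stop" ends processing of the message and
# replaces the deprecated "& ~". "==" matches the one host exactly.
if $fromhost-ip == '10.1.2.45' and $syslogfacility-text == 'authpriv' then {
    action(type="omfile" file="/var/log/test_secure.log")
    stop
}

if $fromhost-ip == '10.1.2.45' and $syslogfacility-text == 'local7' then {
    action(type="omfile" file="/var/log/test_boot.log")
    stop
}

# Catch-all for everything else from the host.
if $fromhost-ip == '10.1.2.45' then {
    action(type="omfile" file="/var/log/test_all.log")
    stop
}

# Selector syntax is available through prifilt(), for example:
#   if $fromhost-ip == '10.1.2.45' and prifilt("authpriv.*") then { ... }
```

The configuration can be syntax-checked with `rsyslogd -N1` before restarting the service.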