rsyslog single filter conditional syntax

Question

I'm looking for a way to write a single rule with multiple match values, don't write those rows to logfile if the message contain first word or second word.

This works but isn't DRY:

if $msg contains "WARNING:" then { Action (type="omfile" File="/var/log/ignorethis") stop }
if $msg contains "IGNORE THIS MESSAGE:" then { Action (type="omfile" File="/var/log/ignorethis") stop }

this one doesn't work:

if $msg contains "WARNING: || IGNORE THIS MESSAGE:" then { Action (type="omfile" File="/var/log/ignorethis") stop }

score 0 · Accepted Answer · answered Jan 13 '21 at 18:29

0

Does this work?

if ($msg contains "WARNING:") or ($msg contains "IGNORE THIS MESSAGE:") then { Action (type="omfile" File="/var/log/ignorethis") stop }

The rsyslog expression documentation may help a little.

answered Jan 13 '21 at 18:29

Andrew Schulman

8,811
21
32
47

rsyslog single filter conditional syntax

1 Answers1