Combining multiple Property-Based Filters for Rsyslog

Question

I was trying to set up a specific Rsyslog configuration file to catch all incoming kernel messages of a few types. For example, I want to dump all logs containing "example message 1" and "example message 2" into a custom log.

For example, this rule in rsyslog.conf works.

:msg, contains, "example message 1" /var/log/custom-log
:msg, contains, "example message 2" /var/log/custom-log

However, is there a way to make it any cleaner? For example, using "example message 1"|"example message 2" as a value instead, or something equivalent. The rsyslog documentation is a tad cryptic about this.

Thanks!

Clarification: you want to dump all logs containing either "example message 1" **OR** "example message 2" into a custom log, right? — Daniel Griscom, Jul 28 '23 at 20:36

score 0 · Answer 1 · answered Oct 03 '22 at 09:06

0

This should work as well:

if $msg contains ['string 1', 'string 2'] then /var/log/somelog

Or maybe some other inspiration: https://www.rsyslog.com/doc/master/configuration/filters.html

answered Oct 03 '22 at 09:06

JozefSK

36
2

Combining multiple Property-Based Filters for Rsyslog

1 Answers1