7

I have found examples of how to filter based on the contents of a log entry with rsyslog. But is there a way to do this so it is only filtering on the contents of a certain facility? For example something like:

if local0.* msg contains "foo"

But with a real syntax instead of what I just made up.

Kyle Brandt

1 Answer

5

You'll need to do two sequential filters rather than both on one line.

:msg, contains, "some-text"
if $syslogfacility-text == "facility" then /var/log/somelog.log
~

Edit:

I take that back. I have seen it done both ways now. I just found this example in the rsyslog Wiki that should be able to be adapted.

if $programname == 'popa3d' and $syslogseverity <= '6' then /var/log/popa3d.log

You of course will substitute your conditions into the example.

if $syslogfacility-text == 'local0' and $msg contains 'some-text' then /var/log/somelog.log
& ~

Rsyslog Wiki
Rsyslog Docs

Aaron Copley
  • Can you show me an example of how the sequential filters work? I thought in general the previous line doesn't affect following lines unless you have `& ~` – Kyle Brandt Nov 02 '10 at 15:30
  • I just edited my post to give some additional information. When a message is received by rsyslog it is processed top down. It will continue being processed by rules until it is discarded or no longer matched. – Aaron Copley Nov 02 '10 at 15:35
  • @AaronCopley: I thought the manual was incomplete. In the docs you link to, the headings are the same font/style as links to other sections. So I thought those were headings that were yet to be completed ... :-P – Kyle Brandt Nov 02 '10 at 17:05
  • Yes, the documentation for rsyslog is sad. Not just at their site but across the web. The formatting, the completeness, consistency... etc. It seems rsyslog has gone through three iterations of redevelopment, and the release and compatibility mode you are running can drastically change syntax as well. – Aaron Copley Nov 02 '10 at 17:29
  • @AaronCopley: Nonetheless, its flexibility seems to be helpful for me at the moment. Thanks for the help, I got this working. The only change was that instead of `somelog.log ~` at the end I dropped the ~ and made a new `& ~` line. When I didn't do that I had a file called `somelog.log ~` ;-) – Kyle Brandt Nov 02 '10 at 17:37
  • Oh, whoops! The hazards of typing this stuff without testing. Sorry about that. :) – Aaron Copley Nov 02 '10 at 17:54
  • You should replace `& ~` (deprecated) with `& stop`. Use `rsyslogd -N1` for configuration validation. Note that you could also use the $syslogfacility property using the numeric ID of syslog facilities (a list of which might be found on Wikipedia: https://en.wikipedia.org/wiki/Syslog#Facility). – Bernard Rosset Dec 05 '15 at 14:10
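The answer and the comments above describe how rsyslog evaluates rules top-down and why the `& stop` (formerly `& ~`) line matters: without it, a message that matched the facility-plus-content rule keeps falling through to later rules such as a `*.*` catch-all. The following is an added worked example, not code from the answer or from the rsyslog project: a small Python simulator that parses the `if $prop op 'value' and ... then /path` form from the answer (plus `& stop`, `& ~` and a `*.* /path` catch-all), extracts facility, severity, program name and message text from constructed syslog lines, and routes them the way the answer's ruleset would. The facility-number-to-name table is a simplified mapping (the numeric `$syslogfacility` property from the last comment is also supported), the config and log lines are constructed samples, and the syntax subset is an assumption, not the full rsyslog grammar.

```python
"""Simulate rsyslog's top-down rule evaluation for a subset of its filter syntax.

Added illustration of the answer above; not rsyslog's own code. Supports:
  if $prop OP 'value' [and $prop OP 'value' ...] then /path/to/file
  & stop        (or the deprecated "& ~")  -> discard after the previous rule matched
  *.* /path     -> legacy catch-all selector
"""
import re
from collections import defaultdict

# Simplified facility code -> name table (assumption: only the common names; rsyslog
# knows a few more). local0..local7 are codes 16..23.
FACILITY_NAMES = {0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog",
                  6: "lpr", 7: "news", 8: "uucp", 9: "cron", 10: "authpriv", 11: "ftp"}
FACILITY_NAMES.update({16 + i: f"local{i}" for i in range(8)})

# <PRI>TIMESTAMP HOST PROG[PID]: MSG   (BSD-style line, constructed for this example)
MSG_RE = re.compile(r"<(\d{1,3})>(\w{3}\s+\d+ \d\d:\d\d:\d\d) (\S+) ([^\s:\[]+)(?:\[\d+\])?:\s?(.*)$")
IF_RE = re.compile(r"^if\s+(.+?)\s+then\s+(\S+)$")
COND_RE = re.compile(r"\$([\w-]+)\s+(==|!=|<=|>=|<|>|contains|startswith)\s+(['\"])(.*?)\3")


def parse_message(line):
    """Return the rsyslog-style properties the rules can reference."""
    m = MSG_RE.match(line)
    if not m:
        raise ValueError(f"unrecognised syslog line: {line!r}")
    facility, severity = divmod(int(m.group(1)), 8)  # PRI = facility * 8 + severity
    return {"syslogfacility": facility,
            "syslogfacility-text": FACILITY_NAMES.get(facility, f"facility{facility}"),
            "syslogseverity": severity,
            "programname": m.group(4),
            "msg": m.group(5)}


def parse_config(text):
    """Turn config lines into an ordered list of {conds, action, stop} rules."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line in ("& stop", "& ~"):      # applies to the rule immediately above
            if not rules:
                raise ValueError("'& stop' with no preceding rule")
            rules[-1]["stop"] = True
        elif line.startswith("*.* "):
            rules.append({"conds": [], "action": line.split(None, 1)[1], "stop": False})
        elif (m := IF_RE.match(line)):
            conds = []
            for part in re.split(r"\s+and\s+", m.group(1)):
                c = COND_RE.fullmatch(part.strip())
                if not c:
                    raise ValueError(f"cannot parse condition: {part!r}")
                conds.append((c.group(1), c.group(2), c.group(4)))
            rules.append({"conds": conds, "action": m.group(2), "stop": False})
        else:
            raise ValueError(f"unsupported config line: {line!r}")
    return rules


def cond_matches(props, prop, op, value):
    actual = props[prop]
    if op == "contains":
        return value in str(actual)
    if op == "startswith":
        return str(actual).startswith(value)
    if isinstance(actual, int):             # numeric properties compare as numbers
        value = int(value)
    else:
        actual = str(actual)
    return {"==": actual == value, "!=": actual != value, "<=": actual <= value,
            ">=": actual >= value, "<": actual < value, ">": actual > value}[op]


def route(rules, lines):
    """Evaluate rules top-down per message; 'stop' ends processing of that message."""
    outputs = defaultdict(list)
    for line in lines:
        props = parse_message(line)
        for rule in rules:
            if all(cond_matches(props, *c) for c in rule["conds"]):
                outputs[rule["action"]].append(props["msg"])
                if rule["stop"]:
                    break
    return dict(outputs)


# Constructed ruleset modelled on the answer: facility + content filter with stop,
# the wiki's popa3d example without stop, then a catch-all.
SAMPLE_CONFIG = """
if $syslogfacility-text == 'local0' and $msg contains 'some-text' then /var/log/somelog.log
& stop
if $programname == 'popa3d' and $syslogseverity <= '6' then /var/log/popa3d.log
*.* /var/log/syslog
"""

# Constructed log lines: <134> = local0.info, <14> = user.info, <22> = mail.info, <23> = mail.debug
SAMPLE_LINES = [
    "<134>Nov  2 15:30:00 web1 myapp[100]: some-text happened",
    "<134>Nov  2 15:30:01 web1 myapp[100]: nothing to see",
    "<14>Nov  2 15:30:02 web1 myapp: some-text from user facility",
    "<22>Nov  2 15:30:03 mail1 popa3d[55]: login ok",
    "<23>Nov  2 15:30:04 mail1 popa3d[55]: debug chatter",
]


def demo():
    return route(parse_config(SAMPLE_CONFIG), SAMPLE_LINES)


if __name__ == "__main__":
    for path, msgs in demo().items():
        print(f"{path}: {msgs}")
```

Running it shows the effect the comments discuss: the `local0` message containing `some-text` lands only in `/var/log/somelog.log` because of `& stop`, while the `popa3d` rule has no stop, so its match is written to both `/var/log/popa3d.log` and the catch-all `/var/log/syslog`. Messages in other facilities or without the substring fall through to the catch-all alone.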