Filter log messages by program name and log level at the same time in rsyslogd

Question

I want to save log messages from program foobar with log level err into file /var/log/foobar.log in rsyslogd. How can I do that?

This is how I can filter messages by program name:

:programname,contains,"foobar" /var/log/foobar.log

This is how I can filter messages by log level:

*.err /var/log/foobar.log

But I don't understand how to filter by both these filters at the same time.

coredump · Accepted Answer · 2011-02-02T14:18:55.493

7

This example on the rsyslogd wiki suggests a way to do something like you want. It's the Filtering by program name using the expression-based syntax part.

Using the example provided on the wiki:

if $programname == 'foobar' and $syslogseverity-text == 'error' then /var/log/foobar.log

Put that on rsyslogd.conf or as a snippet inside rsyslog.d

edited Feb 02 '11 at 14:18

answered Feb 02 '11 at 13:22

coredump

12,713
2
36
56

Please add a summary to your answer. – Dennis Williamson Feb 02 '11 at 13:28
Thank you! Where can I find list of all variables like $programname and $syslogseverity-text? – Marko Kevac Feb 02 '11 at 14:34
1

I found it on this list: http://www.rsyslog.com/doc/property_replacer.html – coredump Feb 03 '11 at 02:02

score 3 · Answer 2 · answered Feb 02 '11 at 13:38

3

a simple way to do that is ... if ( $program contains "foobar" ) and ( $severity contains "err" ) then /var/log/foobar.log

Of course there are many other ways, but i think that the above is quite straight forward.

answered Feb 02 '11 at 13:38

Nikolaidis Fotis

2,032
11
13

I like this syntax, but it doesn't work in version 8 (Debian 10). – Bill McGonigle Jul 12 '20 at 00:02

Filter log messages by program name and log level at the same time in rsyslogd

2 Answers2