8

I have an application which logs to syslog facility local1. I would like to configure syslog to send all local1 messages to a log file separate from /var/log/messages -- that turned out to be easy. But the messages are also going to /var/log/messages. is there some way to tell syslog to send *.info to /var/log/messages but exclude local1.info? (Something like *^loacl1.info ?)

syslog.conf:

#kern.*                                                 /dev/console

*.info;mail.none;authpriv.none;cron.none                /var/log/messages

authpriv.*                                              /var/log/secure

local0.notice;local0.debug;mail.*;mail.none;mail.info;local0.info /var/log/maillog

cron.*                                                  /var/log/cron

*.emerg                                                 *

uucp,news.crit                                          /var/log/spooler

local7.*                                                /var/log/boot.log

#My Custom App Logging
local1.*                                             /var/log/application.log
Josh
  • 9,190
  • 28
  • 80
  • 128

2 Answers2

9

Try replacing

*.info;mail.none;authpriv.none;cron.none                /var/log/messages

by

*.info;mail.none;authpriv.none;cron.none;local1.!=info                /var/log/messages

This will log message that match : any facility with level info AND facility not mail AND facility not authpriv AND facility local1 execpt when level is info.

radius
  • 9,633
  • 25
  • 45
  • Ah ha -- thanks to your edited post I now see what I want is local1.none, not local1.!=info. I didn't realize what the behavior of .none was. – Josh Jul 24 '09 at 22:23
  • 1
    @Radius: Shouldn't that be 'local1.none', not 'local1.!=info'? Also, I believe that 'local1.!=info' doesn't work with all Syslog daemons. 'local1.none' is more universal. – Stefan Lasiewski Apr 30 '10 at 17:14
  • 2
    @Stefan, the original request was to exclude local1.info not all local1 message. So local1.!=info is the right syntax. But in fact Josh need was to exclude all local1 messages (from his comment), so in this case local1.none is the right syntax – radius Apr 30 '10 at 23:24
2

You should use either

#My Custom App Logging
local1.*                                             /var/log/application.log
& ~

for syslog or

#My Custom App Logging
local1.*                                             /var/log/application.log
& stop

for rsyslog 7+ to prevent the log message from being processed further. Make sure this comes before the default rules which log *.* to /var/log/syslog.

ColinM
  • 701
  • 8
  • 19