
Right now, the contents of /etc/rsyslog.conf which control disposition of the named log messages look like:

# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none;;kern.none     /var/log/messages

Putting the following in front of that section correctly writes out the "named" messages to /var/log/named/named.log.

# Write named/bind messages to their own log file
:programname, isequal, "named"                          /var/log/named/named.log

The problem is that those "named" messages are still being written out to the /var/log/messages file. How would I modify the line that generates /var/log/messages to not write out "named" messages?

Note: This is rsyslog v5 as ships with RHEL/CentOS 6.

Addendum: The accepted answer from below is

# Write named/bind messages to their own log file, then discard (tilde)
:programname, isequal, "named"                          /var/log/named/named.log
:programname, isequal, "named"                          ~
tgharold

1 Answer

Using negation can be useful if you would like to do some generic processing but exclude some specific events. You can use the discard action in conjunction with that. A sample would be:

*.* /var/log/allmsgs-including-informational.log

:msg, contains, "informational" ~

*.* /var/log/allmsgs-but-informational.log

Do not overlook the red tilde in line 2! In this sample, all messages are written to the file allmsgs-including-informational.log. Then, all messages containing the string "informational" are discarded. That means the config file lines below the "discard line" (number 2 in our sample) will not be applied to this message. Then, all remaining lines will also be written to the file allmsgs-but-informational.log.

http://www.rsyslog.com/doc/rsyslog_conf_filter.html
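
A lint check for the rule order discussed above, as an added example that is not part of the original question or answer: the hypothetical shell function `check_discard_order` reads a legacy-format rsyslog.conf and succeeds only when the discard (`~`) rule for a program comes before the first rule writing to the given file. The two sample configs are constructed, and the parser only handles the `:programname, isequal, "..."` filter form used on this page.

```shell
# check_discard_order CONF PROGRAM LOGFILE   (hypothetical helper, added example)
# Exit 0 if a discard rule (~) for PROGRAM precedes the first rule that
# writes to LOGFILE, exit 1 if the discard is missing or comes too late.
check_discard_order() {
    awk -v prog="$2" -v target="$3" '
        /^[ \t]*(#|$)/ { next }                 # skip comments and blank lines
        { action = $NF }                        # last field is the action
        # property filter:  :programname, isequal, "named"   ~
        $1 == ":programname," && $2 == "isequal," &&
        $3 == ("\"" prog "\"") && action == "~" {
            if (!target_line) discard_line = NR
        }
        # selector line writing to the target ("-" prefix disables sync)
        action == target || action == ("-" target) {
            if (!target_line) target_line = NR
        }
        END { exit (discard_line ? 0 : 1) }
    ' "$1"
}

# Constructed sample configs: correct order, then the discard placed too late.
good=$(mktemp)
bad=$(mktemp)
cat > "$good" <<'EOF'
# Write named/bind messages to their own log file, then discard
:programname, isequal, "named"    /var/log/named/named.log
:programname, isequal, "named"    ~
*.info;mail.none;authpriv.none;cron.none    /var/log/messages
EOF
cat > "$bad" <<'EOF'
:programname, isequal, "named"    /var/log/named/named.log
*.info;mail.none;authpriv.none;cron.none    /var/log/messages
:programname, isequal, "named"    ~
EOF

for conf in "$good" "$bad"; do
    if check_discard_order "$conf" named /var/log/messages; then
        echo "ok: named is discarded before /var/log/messages"
    else
        echo "problem: named still reaches /var/log/messages"
    fi
done
rm -f "$good" "$bad"
```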