
I need to take several actions for some log messages. For example I want to log them to different files according to severity.

Everything is ok if I use this:

if $programname == 'myprog'                                       then -/var/log/myprog.log
if $programname == 'myprog' and $syslogseverity-text >= 'warning' then -/var/log/myprog-alert.log
if $programname == 'myprog' ~

This logs every message emitted by 'myprog' to /var/log/myprog.log
This logs only warning and error messages emitted by 'myprog' to -/var/log/myprog-alert.log
And the processing is then stopped (thanks to '~')


I'd like to have something sexier:

if $programname == 'myprog' then {
    *.*         -/var/log/myprog.log
    *.warning   -/var/log/myprog-alert.log
    ~
}

But this latter construction, albeit accepted by rsyslog, does not filter against programname.
For example, every message is written to /var/log/myprog.log, even when originating from any other process.


Can anyone explain where my mistake or misunderstanding is?


Final method, from answers below:

Use a "modern" rsyslogd (version > 7.x.y).
Use this syntax:

if $programname == 'myprog' then {
    *.warning   -/var/log/myprog-alert.log
    *.*         -/var/log/myprog.log
    *.*         stop
}

or this one:

if $programname == 'myprog' then {
    *.warning   -/var/log/myprog-alert.log
                -/var/log/myprog.log
                stop
}
Gregory MOUSSAT

2 Answers


Per the rsyslog docs for filters and RainerScript, the multi-line { .. } syntax isn't supported. Rsyslog's parser doesn't often give errors, preferring to just ignore problems or interpret them in a way you didn't intend. Your "sexier" example is probably executing the { action for events matching "myprog" (and I can't find such an action, so I suspect that means "do nothing"). The second and third lines are being treated as legacy-style syslog configuration, and the fourth and fifth are invalid (so again, probably "do nothing").

djmitche
    Some official examples are very clear about the fact that multiline syntax is supported: http://www.rsyslog.com/doc/rsyslog_conf_filter.html – Gregory MOUSSAT Oct 06 '14 at 08:04

Your line containing only '~' is wrong. It should be "*.* ~".

I know you mostly use Debian stable. Your rsyslog version is 5.x.y and doesn't accept RainerScript.
You can update to the backports version (7.6.3 currently), then your second example should work.

Bertrand SCHITS
    Tested and approved. Note the '~' is now deprecated with modern versions (replaced by 'stop'). And now we can omit '*.*', so the wrong line is (unintentionally) good. – Gregory MOUSSAT Oct 09 '14 at 10:17
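
Added example, not code from any poster or from the rsyslog project: a small Python lint for the two pitfalls this thread identifies, block syntax on an rsyslog too old to honour it (so the block's selector lines match every program) and the deprecated '~' action. The major-version threshold of 7 is taken from the answers above; the function names, the regexes, the assumed `rsyslogd -v` first-line format and the sample config are constructed for illustration.

```python
import re

# Constructed sample: the question's block-style rule, not a real host's config.
SAMPLE_CONF = """\
if $programname == 'myprog' then {
    *.*         -/var/log/myprog.log
    *.warning   -/var/log/myprog-alert.log
    ~
}
"""

SELECTOR = re.compile(r"^\s*[\w*,;!=]+\.[\w*,;!=.]+\s+\S")  # e.g. "*.warning  -/path"
DISCARD = re.compile(r"(^|\s)~\s*$")                         # legacy discard action


def parse_major(version_output):
    """Return the major version from `rsyslogd -v` output (assumed 'rsyslogd X.Y...')."""
    m = re.search(r"rsyslogd\s+(\d+)\.", version_output)
    if not m:
        raise ValueError("no rsyslogd version found")
    return int(m.group(1))


def lint(conf_text, major, block_min_major=7):
    """Return (line_no, message) findings; heuristic, based on this thread only."""
    findings, depth = [], 0
    for no, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.split("#", 1)[0].rstrip()          # drop comments
        if not line.strip():
            continue
        if line.endswith("{") and major < block_min_major:
            findings.append((no, "'{' block needs a newer rsyslog; filter will not apply"))
        elif depth and major < block_min_major and SELECTOR.match(line):
            findings.append((no, "selector runs as a top-level rule for every program"))
        if DISCARD.search(line) and major >= block_min_major:
            findings.append((no, "'~' is deprecated; use 'stop'"))
        depth += line.count("{") - line.count("}")    # track block nesting
    return findings


if __name__ == "__main__":
    # Constructed version string for a 5.x daemon, as in the second answer.
    for no, msg in lint(SAMPLE_CONF, parse_major("rsyslogd 5.8.11, compiled with:")):
        print(f"line {no}: {msg}")
```

The lint only recognises the patterns discussed here; `rsyslogd -N1 -f <file>` runs rsyslog's own configuration check against the installed version.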