8

I have an application which logs to syslog facility local1. I would like to configure syslog to send all local1 messages to a log file separate from /var/log/messages -- that turned out to be easy. But the messages are also going to /var/log/messages. Is there some way to tell syslog to send *.info to /var/log/messages but exclude local1.info? (Something like *^local1.info ?)

syslog.conf:

#kern.* /dev/console
*.info;mail.none;authpriv.none;cron.none /var/log/messages
authpriv.* /var/log/secure
local0.notice;local0.debug;mail.*;mail.none;mail.info;local0.info /var/log/maillog
cron.* /var/log/cron
*.emerg *
uucp,news.crit /var/log/spooler
local7.* /var/log/boot.log
#My Custom App Logging
local1.* /var/log/application.log

3 Answers

10

Try replacing

*.info;mail.none;authpriv.none;cron.none /var/log/messages 

by

*.info;mail.none;authpriv.none;cron.none;local1.!=info /var/log/messages 

This will log messages that match: any facility with level info AND facility not mail AND facility not authpriv AND facility local1 except when level is info.

3
  • Ah ha -- thanks to your edited post I now see what I want is local1.none, not local1.!=info. I didn't realize what the behavior of .none was. Commented Jul 24, 2009 at 22:23
  • 1
    @Radius: Shouldn't that be 'local1.none', not 'local1.!=info'? Also, I believe that 'local1.!=info' doesn't work with all Syslog daemons. 'local1.none' is more universal. Commented Apr 30, 2010 at 17:14
  • 2
    @Stefan, the original request was to exclude local1.info, not all local1 messages. So local1.!=info is the right syntax. But in fact Josh's need was to exclude all local1 messages (from his comment), so in this case local1.none is the right syntax. Commented Apr 30, 2010 at 23:24
2

You should use either

#My Custom App Logging
local1.* /var/log/application.log
& ~

for syslog or

#My Custom App Logging
local1.* /var/log/application.log
& stop

for rsyslog 7+ to prevent the log message from being processed further. Make sure this comes before the default rules which log *.* to /var/log/syslog.

0

Just a complement to @radius's answer.

Based on the rsyslog documentation: https://www.rsyslog.com/doc/v8-stable/configuration/filters.html

You can specify multiple facilities with the same priority pattern in one statement using the comma (",") operator

I prefer to use the below line

*.info;mail,authpriv,cron.none;local1.!=info /var/log/messages

BTW, this will log messages that match: any facility with level info and higher. To limit it to only info you can use

You may precede every priority with an equals sign ("=") to specify only this single priority and not any of the above

*.=info;mail,authpriv,cron.none;local1.!=info /var/log/messages
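
The selector rules discussed in the answers and comments above, as an added example that is not part of any answer on this page: a simplified Python model of traditional syslog.conf selector matching (parts applied left to right, with `none`, `!` and `=` as described). The sample messages and the names `compile_selector`, `matches` and `routing_table` are constructed for illustration.

```python
# Added example: simplified model of syslog.conf selector matching.
# Severities are ordered from most severe (emerg) to least severe (debug).
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp"] + [f"local{i}" for i in range(8)]

def compile_selector(selector):
    """Return {facility: set of severities} accepted by one selector field."""
    mask = {f: set() for f in FACILITIES}
    for part in selector.split(";"):           # later parts override earlier ones
        facs, _, pri = part.rpartition(".")
        targets = FACILITIES if facs == "*" else facs.split(",")
        negate = pri.startswith("!")           # "!" removes instead of adds
        pri = pri.lstrip("!")
        exact = pri.startswith("=")            # "=" means this severity only
        pri = pri.lstrip("=")
        if pri == "none":                      # drop everything for the facility
            chosen, negate = set(SEVERITIES), True
        elif pri == "*":
            chosen = set(SEVERITIES)
        elif exact:
            chosen = {pri}
        else:                                  # this severity and more severe
            chosen = set(SEVERITIES[:SEVERITIES.index(pri) + 1])
        for fac in targets:
            mask[fac] = mask[fac] - chosen if negate else mask[fac] | chosen
    return mask

def matches(selector, facility, severity):
    return severity in compile_selector(selector)[facility]

BASE = "*.info;mail.none;authpriv.none;cron.none"
RULES = {                                      # candidate /var/log/messages rules
    "original": BASE,
    "local1.!=info": BASE + ";local1.!=info",
    "local1.none": BASE + ";local1.none",
}
# Constructed sample messages as (facility, severity) pairs.
SAMPLES = [("local1", "info"), ("local1", "err"), ("local1", "debug"),
           ("daemon", "info"), ("mail", "err")]

def routing_table():
    """For each rule, list the sample messages that reach /var/log/messages."""
    return {name: [m for m in SAMPLES if matches(sel, *m)]
            for name, sel in RULES.items()}

if __name__ == "__main__":
    for name, hits in routing_table().items():
        print(f"{name:15} -> {hits}")
```

In this model `local1.!=info` still lets `local1.err` reach /var/log/messages, while `local1.none` keeps every local1 message out of it.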
