3

I need to take several actions for some log messages. For example I want to log them to different files according to severity.

Everything is ok if I use this:

    if $programname == 'myprog' then -/var/log/myprog.log
    if $programname == 'myprog' and $syslogseverity-text >= 'warning' then -/var/log/myprog-alert.log
    if $programname == 'myprog' ~

This logs every message emitted by 'myprog' to /var/log/myprog.log
This logs only warning and error messages emitted by 'myprog' to -/var/log/myprog-alert.log
And the processing is then stopped (thanks to '~')

I'd like to have something sexier:

    if $programname == 'myprog' then {
    *.* -/var/log/myprog.log
    *.warning -/var/log/myprog-alert.log
    ~
    }

But this latter construction, albeit accepted by rsyslog, does not filter against programname.
For example, every message is written to /var/log/myprog.log, even when originating from whatever process.

Can anyone explain where my mistake or misunderstanding is?

Final method, from answers below:

use a "modern" rsyslogd. Version > 7.x.y
use this syntax:

    if $programname == 'myprog' then {
        *.warning -/var/log/myprog-alert.log
        *.* -/var/log/myprog.log
        *.* stop
    }

or this one:

    if $programname == 'myprog' then {
        *.warning -/var/log/myprog-alert.log
        -/var/log/myprog.log
        stop
    }

2 Answers

3

Your line containing only '~' is wrong. It should be "*.* ~".

I know you mostly use Debian stable. Your rsyslog version is 5.x.y and doesn't accept RainerScript.
You can update to the backports version (7.6.3 currently), then your second example should work.

1
  • 2
    Tested and approved. Note the '~' is now deprecated with modern versions (replaced by 'stop'). And now we can omit '*.*', so the wrong line is (unintentionally) good. Commented Oct 9, 2014 at 10:17
2

Per the rsyslog docs for filters and RainerScript, the multi-line { .. } syntax isn't supported. Rsyslog's parser doesn't often give errors, preferring to just ignore problems or interpret them in a way you didn't intend. Your "sexier" example is probably executing the { action for events matching "myprog" (and I can't find such an action, so I suspect that means "do nothing"). The second and third lines are being treated as legacy-style syslog configuration, and the fourth and fifth are invalid (so again, probably "do nothing").

1
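The same routing written only with RainerScript `action()` objects and a numeric severity test, as an added example that is not part of the original posts. It assumes rsyslog 7 or later and that the snippet is loaded before the distribution's default rules; the drop-in file name in the comment is hypothetical.

```rsyslog
# Hypothetical drop-in: /etc/rsyslog.d/30-myprog.conf (added example).
# Check the syntax before restarting the daemon:
#   rsyslogd -N1 -f /etc/rsyslog.conf

if $programname == 'myprog' then {
    # Every message emitted by myprog.
    action(type="omfile" file="/var/log/myprog.log")

    # $syslogseverity is the numeric severity:
    # 0 = emerg, 3 = err, 4 = warning, 7 = debug.
    # "warning or more severe" is therefore a value of 4 or less.
    if $syslogseverity <= 4 then {
        action(type="omfile" file="/var/log/myprog-alert.log")
    }

    # Rules that come after this block never see myprog's messages.
    stop
}
```

Because no legacy selector lines appear inside the braces, a version that cannot parse the block fails the `-N1` check instead of falling back to unfiltered legacy rules.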
