The rsyslogd daemon offers three different ways to filter rsyslog messages:
1. Facility/Priority-Based Filters
2. Property-Based Filters
3. Expression-Based Filters
Facility/Priority-Based Filters
Facility/priority-based filters filter rsyslog messages based on two conditions:
1. facility
2. priority
Facility specifies the subsystem that produces the message. Examples of facilities include mail, kernel, and cron. Priority represents the priority of the message. Examples of priorities include debug (7), warning (4), and alert (1).
A facility-priority pair is called a selector. To create a selector, use the syntax:
Facility.Priority
Facility
Facility specifies the subsystem that produces a specific rsyslog message and can be represented by one of the following keywords:
| Facility | Sub-system |
|---|---|
| auth/authpriv | Security/authorization messages |
| cron | crond messages |
| daemon | Other system daemons |
| kern | Kernel messages |
| lpr | Line printer subsystem |
| Mail system | |
| news | Network news subsystem |
| syslog | Messages generated internally by rsyslogd |
| user | User-level messages |
| uucp | UUCP subsystem |
| local0 through local7 | Local use |
Priority
Priority can be represented by one of these keywords (listed in an ascending order). All messages of the specified priority and higher are logged according to the given action.
| Priority | Type of Message |
|---|---|
| debug | Debug-level messages |
| info | Informational messages |
| notice | Normal bug significant condition |
| warning | Warning conditions |
| err | Error conditions |
| crit | Critical conditions |
| alert | Action must be taken immediately. |
| emerg | System is unstable. |
Examples of facility/priority based selectors
The following are examples of facility/priority-based selectors.
1. To select all mail messages with priority err and higher:
mail.err
2. Special characters can be used. Use an asterisk (*) to specify all facilities or priorities. For example, to select all auth messages with any priority:
auth.*
3. Use a comma (,) to specify multiple facilities and priorities. For example, to select both the uucp and news facilities with priority of warning or higher:
uucp,news.warning
4. Use a semicolon (;) to define multiple selectors on one line. Example:
*.info;mail.none;auth.none;cron.none
5. Use an equal sign (=) to specify a single priority. All other priorities are ignored. For example, to select cron messages of only emerg priority:
cron.=emerg
6. Precede a priority with an exclamation mark (!) to select all rsyslog messages except those with the defined priority. The following example selects all user messages, except those with the info or debug priority:
user.!info,!debug
Property-Based Filters
Filter rsyslog messages by any property, such as timegenerated or msg. You can compare a property to a value by using one of several property-based compare operations. Compare operations include contains, isequal, and startswith. The following example filters for messages that contain the string “error” in the message text (msg):
:msg, contains, “error”
Expression-Based Filters
Select rsyslog messages according to arithmetic, Boolean, or string operations by using an rsyslog scripting language. The following shows the basic syntax of expression-based filters:
if EXPRESSION then ACTION else ACTION