Rsyslog – How to Exclude Logs – Valuable Tech Notes

i have a custom daemon that gives logs to rsyslog facility "local1" with two security levels – "info" and "debug". I need to write "info" logs to /var/log/info and "debug" logs to /var/log/debug.

I edited rsyslog.conf

local1.*;local1.debug       /var/log/info.log

local1.debug                /var/log/debug.log

When daemon gives "info" logs it works well, it writes to info.log and debug.log is empty.
But when i get "debug" logs it writes to both files.

Help me to exclude debug logs from info.log.

;local1.=debug not working.
I also tried to write

local1.!debug /var/log/info.log

But still not working (in this config info logs is empty)

rsyslog 8.24.0-12

Centos 7.4

UPDATE

local1.info                     /var/log/info.log
local1.debug;local1.info        /var/log/debug.log

Not working too, info goes to info.log, it's ok. But in debug.log there is info+debug, and i can't exclude info from it. ;local1.info not working

Best Answer

The key is in the man page:

The behavior of the original BSD syslogd is that all messages of the specified priority and higher are logged according to the given action. Rsyslogd behaves the same, but has some extensions.

So if you want to exclude debug, just state the next highest priority, which is info:

local1.info       /var/log/info.log

This will mean that all messages of priority info and higher will go to /var/log/info.log.

For the debug log, the solution is also in the man page:

You may precede every priority with an equals sign ('=') to specify only this single priority and not any of the above.

So that line should read

local1.=debug       /var/log/debug.log

to get only debug messages.

Best Answer

Related Solutions

Iptables – Remove Iptables log from kern.log syslog messages

Sending logs to remote server with rsyslog

Related Topic