On Tue Oct 27 04:03 PM, [email protected] wrote: > On Tue, 27 Oct 2009, Jonathan Bond-Caron wrote: > > > Date: Tue, 27 Oct 2009 15:40:42 -0400 > > From: Jonathan Bond-Caron <[email protected]> > > Reply-To: rsyslog-users <[email protected]> > > To: [email protected] > > Subject: [rsyslog] Property-Based Filters, not working? > > > > I tried adding the following to my config file: > > > > > > :msg,contains,"MSWinEventLog" > > > > *.* /var/log/windows.log > > > > :msg, !contains, "MSWinEventLog" > > > > *.notice;authpriv.none;kern.debug;lpr.info;mail.crit;news.err > > /var/log/messages > > this is not how the property based filters work. > > I made the same mistake > > instead of > > :msg,contains,"MSWinEventLog" *.* /var/log/windows.log > > it should be > > :msg,contains,"MSWinEventLog" /var/log/windows.log > > when you do filter rules those filters are everything, you don't also > do facility/priority filters as well (or if you need to do so, you > need to make a compound if (() and ()) type rule) >
Thanks a lot, that works well. The docs are bit misleading: http://www.rsyslog.com/doc-rsyslog_conf_filter.html It could show something like this: :msg, contains, "error" /var/log/error.log :msg, !contains, "error" ~ All messages that contain the word "error" are logged to /var/log/error.log All messages that do not contain the word "error" are thrown away. _______________________________________________ rsyslog mailing list http://lists.adiscon.net/mailman/listinfo/rsyslog http://www.rsyslog.com
