On 3/13/2018 11:57 AM, LuKreme wrote:
I would like to log warnings for a service to a separate file, but not warning 
or higher, just warnings.

So, for example if I wanted all the ftp info to go to ftp.log, but all the 
warnings to go to ftp-warn.log and everything with a higher level to go to 
ftp-error.log how would I set that up in rsyslog.conf?

ftp.info;ftp.warn;ftp.crit;ftp.err      /var/log/ftp.log
ftp.warn;ftp.crit;ftp.err                       /var/log/ftp-warn.log


I suspect I am missing something here, but I am just reading through he 
documentation for the first time.

You can probably pull it off using the older format, but I'm personally a fan of the newer format. It's a bit verbose, but IMO it makes the intention a lot clearer.

Here is an untested solution using the "advanced" format:

# /etc/rsyslog.d/20-ftp.conf

# Goals from mailing list post:
# all the ftp info to go to ftp.log
# all the warnings to ftp-warn.log
# everything higher to ftp-error.log

# References:
# http://lists.adiscon.net/pipermail/rsyslog/2018-March/045208.html
# https://wiki.gentoo.org/wiki/Rsyslog#Severity
# https://wiki.gentoo.org/wiki/Rsyslog#Facility
# http://www.rsyslog.com/doc/v8-stable/configuration/properties.html

# Proposed (untested) configuration fragment

if ($syslogfacility-text == 'ftp') then {

    action(type="omfile" file="/var/log/ftp.log")

    # 'warning' = numerical code of 4
    if syslogseverity-text == 'warning' then {
        action(type="omfile" file="/var/log/ftp-warn.log")

    # 4 is warning
    # 3 is error
    # 2 is crit
    # 1 is alert
    # 0 is emerg
    else if syslogseverity < 4 then {
        action(type="omfile" file="/var/log/ftp-error.log")

    # Drop all 'ftp' facility messages. By this point those messages
    # should have already been logged in one of the previously
    # specified files.


Link to file on GitHub:


More info on config formats:

rsyslog mailing list
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of 
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE 

Reply via email to