The rocket-fast system for log processing

Writing specific messages to a file and discarding them

Messages with the text "error" inside the text part of the message shall be written to a specific file. They shall not be written to any other file or be processed in any other way.

Things to think about

The configuration given here should be placed on top of the rsyslog.conf file.

Config Statements

:msg, contains, "error" /var/log/error.log
& ~
# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none /var/log/messages
# The authpriv file has restricted access.
authpriv.* /var/log/secure
# Log all the mail messages in one place.
mail.* /var/log/maillog
# Log cron stuff
cron.* /var/log/cron
# Everybody gets emergency messages
*.emerg *
# Save news errors of level crit and higher in a special file.
uucp,news.crit /var/log/spooler
# Save boot messages also to boot.log
local7.* /var/log/boot.log

How it works

The configuration uses a property-based filter to see if the string "error is contained" inside the MSG part of the syslog message. If so, the message is written to /var/log/error.log. The next line then discards all messages that have been written. Thus, no additional rules will be applied to the message. As such, it will not be written to /var/log/other.log.

Note the difference to this invalid sequence:

*.* /var/log/other.log
:msg, contains, "error" /var/log/error.log
& ~

Here everything is first written to /var/log/other.log and only then the message content is checked. In the later case, the message with "error" in them will be written to both files.


Sequence of configuration statements is very important. Invalid sequence of otherwise perfectly legal configuration statements can lead to totally wrong results.