I have an application which is writing to syslog. The messages written to the syslog are for various buckets which need to be filtered out. Every message starts with a bucket number, so the messages are written as:
1: Message for bucket 1
14: Message for bucket 14
123: Message for bucket 123
I want to filter these messages based on the bucket number, which I suppose can be done with a regex. These buckets are numeric and can be in the range 1-999. The output for these buckets should go to different files, one for each bucket. For the above example, it should be:
/var/log/myapp/1.log
/var/log/myapp/14.log
/var/log/myapp/123.log
Can someone help me with how this can be done with rsyslog?
I guess I am a bit late with this answer, but actually rsyslog lets you create log file names dynamically, so you could create a template that constructs the log file name based on the msg contents, using either field.number or regex.submatch properties to extract the bucket number - see http://www.rsyslog.com/doc/master/configuration/templates.html for details.
However, if you are happy with the 999 lines, it is certainly simpler, and the matter addressed by Ronaldo Nascimento can be taken care of by using contains_i instead of contains - contains_i is case insensitive.
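One way to write the dynamic-file approach described in the answer above, as an added example that is not part of the original answers. The names `BucketFile` and `$.bucket` and the program name `myapp` are assumptions; the file name is built only from a value that matched 1-999, so message text can never put slashes or dots into the path.

```conf
# Added example. Assumptions: the application logs with the tag "myapp",
# and its text arrives in $msg, possibly with one leading space.

# The file name comes from the validated local variable, never from raw $msg.
template(name="BucketFile" type="string"
         string="/var/log/myapp/%$.bucket%.log")

if $programname == 'myapp' then {
    # Capture a bucket number 1-999 (no leading zero) followed by a colon
    # at the start of the message; empty string when nothing matches.
    set $.bucket = re_extract($msg, '^ ?([1-9][0-9]{0,2}):', 0, 1, "");

    if $.bucket != "" then {
        action(type="omfile" dynaFile="BucketFile"
               dirCreateMode="0750" fileCreateMode="0640")
        # Do not also write the message to the default log files.
        stop
    }
}
```

Messages from `myapp` that do not start with a valid bucket number fall through to the remaining rules instead of creating a file.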
I do a simple filter in the rsyslog config.
In mine it would look like this:
This will search the msg property of incoming syslog messages for that string, and log it to the file I specify.
If you want to learn more about configuring rsyslog, here is an excellent place to start: http://www.rsyslog.com/doc/rsyslog_conf.html