Home / server / Questions / 522405
Accepted
Jeff
Asked: 2013-07-11 16:49:28 +0800 CST

How can you filter mail.info from syslog?

  • 772

How do I filter mail.info from /var/log/syslog (rsyslog.conf/Debian) while keeping messages greater than or equal to mail.warn?

I've tried just about every different variation of appending and prepending different combinations of mail, mail.info, mail.!info, mail.*, mail.warn, mail.!warn, but apparently the docs are smarter than me.

Currently I'm at this, but alas, she's a no-go:

*.*;auth,authpriv.none;mail.warn,mail.!info -/var/log/syslog

Edit: I'm having a really hard time understanding the semicolon delimeter and how it "restricts" previous entries.

syslog

2 Answers

  1. Best Answer

    From the man rsyslog.conf page:

    Rsyslogd has a syntax extension to the original BSD source, that makes its use more intuitively. You may precede every priority with an equals sign (=) to specify only this single priority and not any of the above. You may also (both is valid, too) precede the priority with an exclamation mark (!) to ignore all that priorities, either exact this one or this and any higher priority. If you use both extensions than the exclamation mark must occur before the equals sign, just use it intuitively.

    So mail.!info means that you are ignoring info priority and any higher priority. Try this:

    *.*;auth,authpriv.none;mail.warn,mail.!=info -/var/log/syslog
    • 5

  2. I found a couple of other variations to quanta's answer that also seem to work. I have an idea of why they work, but I'm not confident enough with rsyslog.conf's delimeters and operators to be able to say for sure. Hopefully they help someone else.

    One.

    *.*;\
    auth,authpriv.none;\
    mail.!info,mail.warn     -/var/log/syslog

    Two.

    *.*;\
    mail.none;\
    mail.error;\
    auth,authpriv.none       -/var/log/syslog

    Any comments on these from someone who knows better would be welcome.

    • 2