I have a Ruby application on my server, let's call it "alpha". The application emits syslog messages with the program name "alpha". I want to separate my log messages into separate files based on what type of message it is, for instance "auth" messages (logins) or system resource warnings.
I don't have any way of specifying "message type" to syslog other than my program name, so I'm just adding "AUTH:", "SYSTEM:" etc. at the start of my message.
Using Google and man pages, I've come up with these conditions:
:programname,isequal,"alpha" /var/log/alpha.log
This logs all messages from the "alpha" application to the correct log file.
:msg,startswith," AUTH:" /var/log/alpha-auth.log
This logs all messages starting with "AUTH:" to the correct log file.
Now obviously, the last condition doesn't just apply to "alpha", but to all messages. I would like to combine these conditions to one that says "all messages from alpha that starts with AUTH: ...". Is it possible to combine filters with "and" like that?
"BSD-style blocks" seem perfect, as I can define a block for my application and all conditions apply only to messages from that application. Unfortunately, according to the docs the feature is no longer supported (deprecated?), and I don't want to rely on a deprecated feature. Does rsyslog v7+ introduce an alternative to such blocks?
Using an expression-based filter I've managed to get my desired outcome, but I feel like I'm using a bazooka to kill a fly:
if $programname == "alpha" and $msg startswith " AUTH:" then \
/var/log/alpha-auth.log
What would be the "correct" (i.e. simplest and least error prone) way to do this?
I'm using Debian Jessie, which currently means rsyslog 8.4.2.
First, make a config file in /etc/rsyslog.d, such as 01-alpha.conf, to keep things organized. This way, your 01-alpha.conf will be read before 50-default.conf. 50-default.conf has a rule to log everything to /var/log/syslog, so in this example we will be discarding the message after writing it to alpha's logs.
In 01-alpha.conf:
The message only enters this filter if the program name is alpha; then it will be logged to /var/log/alpha.log. If it's an auth log, log it to /var/log/alpha-auth.log as well. In the end, discard the message so it won't be written elsewhere.
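The file the answer describes, written out in RainerScript as an added example (not the answer's own file). It assumes $msg carries rsyslog's usual leading space, as in the question's " AUTH:" match, and a root:adm ownership for the auth log, which is the Debian convention; both are assumptions, not something stated in the thread.

```rsyslog
# /etc/rsyslog.d/01-alpha.conf (example, not from the original answer)
# Nested blocks replace the deprecated BSD-style "!alpha" program blocks:
# everything inside applies only to messages whose program name is "alpha".
if $programname == "alpha" then {
    # Every alpha message goes to the general application log.
    action(type="omfile" file="/var/log/alpha.log")

    # Messages tagged "AUTH:" by the application are additionally written to
    # a separate, more restrictively permissioned file. The leading space is
    # an assumption based on how rsyslog populates $msg (see the question).
    if $msg startswith " AUTH:" then {
        action(type="omfile" file="/var/log/alpha-auth.log"
               fileOwner="root" fileGroup="adm" fileCreateMode="0640")
    }

    # "stop" is the v7+ replacement for the legacy "& ~" discard: the message
    # is not processed by later files such as 50-default.conf, so it does not
    # also land in /var/log/syslog.
    stop
}
```

Validate the file before restarting the daemon with `rsyslogd -N1`, which parses the configuration and reports errors without starting to log.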