A Basic Introduction to Rsyslog Filters

Hello folks, welcome to our tutorial on a basic introduction to rsyslog filters. In this tutorial, we are going to learn different ways of filtering log messages on a system using rsyslog.

Rsyslog is the default logging utility on most Linux systems. Its main configuration file is /etc/rsyslog.conf where global directives, modules, and rules that consist of filter and action parts can be specified.

A filter can be used to specify a rule applied on syslog messages while action specifies what to do with the selected messages.

Rsyslog offers different methods for filtering syslog messages;

• Facility/Priority-based filter method
• Property-based filter method
• Expression-based filter method

Facility/Priority-based method

This is the most common method of filtering messages on rsyslog. It filters messages based on facility and priority conditions. The facility priority condition is separated by a dot with the syntax:

FACILITY.PRIORITY ACTION

where:

• facility specifies type of program or tool that generated the message to be logged.
• priority is the parameter for the importance of this message.
• action is a file, remote computer, or other location that’s to accept the message.

The facility and priority are often referred to collectively as the selector.

Valid parameters for the facility and their numerical codes are as follows:

• kern (0) – Kernel messages
• user (1) – User-level messages
• mail (2) – Mail system messages
• daemon (3) – Various system daemon messages
• auth (4) – Security and authorization messages
• syslog (5) – Internally generated syslog messages
• lpr (6) – Printing system messages
• news (7) – News daemon messages
• uucp (8) – Unix-to-Unix copy program (uucp) daemon messages
• cron (9) – cron daemon messages
• authpriv (10) -Security and authorization messages
• ftp(11) – FTP daemon messages
• ntp (12) – NTP messages
• security (13) – log audit
• console (14) – log alert
• solaris-cron (15) – scheduling daemon
• local0 – local7 – Locally defined application messages

Note that the mapping between facility code and keyword is not uniform in different operating systems and syslog implementations.

Valid parameters for priority, their key words and numerical codes are as follows:

• Emergency (emerg, 0) – Panic messages indicating system is unusable (most important)
• Alert (alert,1) – Indicates that action must be taken immediately
• Critical (crit , 2) – Critical conditions
• Error (err, 3) – Non-urgent failure and error messages
• Warning (warning, 4) – Warning conditions
• Notice (notice, 5) – Normal but significant conditions
• Informational (info,6) – Informational messages
• Debug (debug, 7) -Debug level messages

Points to note:

• Preceding any priority keyword with an equal sign (=), selects syslog messages with the specified priority only. All other priorities will be ignored.
• Preceding a priority keyword with an exclamation mark (!) selects all syslog messages
  except those with the defined priority.
• An asterisk (*) can be used to define all facilities or priorities.
• Specifying the priority keyword none serves for facilities with no given priorities.
• Both facility and priority conditions are case-insensitive.
• Multiple facilities and priorities can be defined by separating them with a comma (,).
• multiple selectors can be defined on one line by separating them with a semi-colon (;).
• Note that each selector in the selector field is capable of overwriting the preceding ones, which can exclude some priorities from the pattern
• Rsyslog logs messages with the defined or higher priority e.g if you define alert level, the system will log messages that are classified as alert or emerg but not messages of crit or below.
• In most cases, the action parameter is a filename, typically in the /var/log directory tree e.g messages, syslog, and secure files.
• Remote logging location can be specified by preceding the remote machine with an at sign (@).

Examples of Facility/Priority-based Filters

The following examples can be defined in /etc/rsyslog.conf

Send critical kernel messages to remote.example.com

kern.crit @remote.example.com

Send mail related messages of all security level to /var/log/mail

mail.* /var/log/mail

Send all emergency-level messages to all users who are logged into the computer using text-mode tools.

*.emerg   *

Send all kernel related messaged to /var/log/kernel

kern.* /var/log/kernel

Log kernel messages of emerg, alert, crtitical, warning, informational level but not error level.

kern.info;kern.!err /var/log/kernel-info

To select all cron syslog messages except those with the info or debug priority, set the
configuration in the following form:

cron.!info,!debug