[rsyslog-notify] Forum Thread: Re: Rsyslog Message duplicates - (Mode 'reply')
noreply at adiscon.com
noreply at adiscon.com
Wed Mar 5 07:07:04 CET 2014
User: dlang
Forumlink: http://kb.monitorware.com/viewtopic.php?p=24305#p24305
Message:
----------
In that case you will need to add entries to write the logs to the files
you want them to go to, and at the same time you can then throw away the
logs so that they won't be evaluated by any other filters.
If you are not using the LOCAL# facilities for anything else, you can
modify the imfile portions of your config to include
$InputFileFacility=local4 (pick a number 0-7 instead of 4 if you want)
then you can add lines ahead of the /var/log/messages line that does
something like
local4.=info /var/log/apache_access.log
& ~
local4.=error /var/log/apache_error.log
& ~
the local4.=severity filters will match only that severity with the
facility of local4 (what you have assigned the imfile input to use). If you
did local4.info that would include everything more severe than info
Then the next line, & says to use the same filter as the line above, and ~
says throw away this log message, don't evaluate any filters further in
this file.
If you were using a more current version (v7 or v8) you could do
if $syslogtag == 'apache-access' then {
/var/log/apache_access.log
stop
}
and a similar statement for the error logs, but the if is very inefficient
in v5
More information about the rsyslog-notify
mailing list