[rsyslog-notify] Forum Thread: Re: Property-Based Filters - where do they end? - (Mode 'edit_last_post')

[noreply at adiscon.com]

User: ScottRochford 
Forumlink: http://kb.monitorware.com/viewtopic.php?p=26636#p26636

Message: 
----------
Thanks for the reply.

Apparently expressions are supported in v5 as well, and I'm trying to use
those too, but I
[url=http://kb.monitorware.com/where-has-the-expression-documentation-gone-t12826.html?uid=22368:2p2g1ao7]can't
find the documentation[/url:2p2g1ao7].  

Basically I have an existing selector line, and I want to exclude messages
containing a certain string from it.  Do I surround it with expression
syntax something like this?

[code:2p2g1ao7]
if msg not contains "unwanted spam"
auth.info;authpriv.* /var/log/auth
endif
[/code:2p2g1ao7]

(I have tried that by the way and it doesn't work)

Or do I have to replace the selector line with a single line of pure
expression filter syntax?

Regards,
Scott


ETA:
Assuming it does have to be a line of pure expression filter syntax, and
also inferring from the examples on the Filters page that properties need
to be prefixed by "$", I tried this too:

[code:2p2g1ao7]if ( ($syslogfacility-text == "auth" and $syslogseverity <=
6) or $syslogfacility-text == "authpriv") and not ($msg contains "unwanted
spam") then /var/log/auth[/code:2p2g1ao7]

But in that case I get nothing at all being logged to the file.