To define multiple facilities and priorities, separate them with a comma (`,`). To define multiple selectors on one line, separate them with a semi-colon (`;`). Note that each selector in the selector field is capable of overwriting the preceding ones, which can exclude some priorities from the pattern.
Facility/Priority-based Filters
The following are a few examples of simple facility/priority-based filters that can be specified in `/etc/rsyslog.conf`. To select all kernel syslog messages with any priority, add the following text into the configuration file:
kern.*
To select all mail syslog messages with priority [command]#crit# and higher, use this form:
mail.crit
To select all cron syslog messages except those with the [command]#info# or [command]#debug# priority, set the configuration in the following form:
cron.!info,!debug
Property-based filters
Property-based filters let you filter syslog messages by any property, such as `timegenerated` or `syslogtag`. For more information on properties, see xref:Viewing_and_Managing_Log_Files.adoc#brid-properties[Properties]. You can compare each of the specified properties to a particular value using one of the compare-operations listed in xref:Viewing_and_Managing_Log_Files.adoc#table-compare-operations[Property-based compare-operations]. Both property names and compare operations are case-sensitive.
A property-based filter must start with a colon (`:`). To define the filter, use the following syntax:
:pass:quotes[_PROPERTY_], [!]pass:quotes[_COMPARE_OPERATION_], "pass:quotes[_STRING_]"
where:
The _PROPERTY_ attribute specifies the desired property.
The optional exclamation point (`!`) negates the output of the compare-operation. Other Boolean operators are currently not supported in property-based filters.
The _COMPARE_OPERATION_ attribute specifies one of the compare-operations listed in xref:Viewing_and_Managing_Log_Files.adoc#table-compare-operations[Property-based compare-operations].
The _STRING_ attribute specifies the value that the text provided by the property is compared to. This value must be enclosed in quotation marks. To escape certain characters inside the string (for example, a quotation mark (`"`)), use the backslash character (`\`).
Property-based compare-operations
|Compare-operation|Description
|`contains`|Checks whether the provided string matches any part of the text provided by the property. To perform case-insensitive comparisons, use `contains_i`.
|`isequal`|Compares the provided string against all of the text provided by the property. These two values must be exactly equal to match.
|`startswith`|Checks whether the provided string is found exactly at the beginning of the text provided by the property. To perform case-insensitive comparisons, use `startswith_i`.
|`regex`|Compares the provided POSIX BRE (Basic Regular Expression) against the text provided by the property.
|`ereregex`|Compares the provided POSIX ERE (Extended Regular Expression) against the text provided by the property.
|`isempty`|Checks if the property is empty. The value is discarded. This is especially useful when working with normalized data, where some fields may be populated based on the normalization result.
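
The filter syntax and the string compare-operations above, modelled as a small Python checker for trying a filter line against a sample message before it goes into `/etc/rsyslog.conf`. This is an added example, not rsyslog code or part of the original guide: `parse_filter`, `matches` and the `SAMPLE` message are hypothetical names and constructed data, and `regex`/`ereregex` are left out because Python's `re` module is not a POSIX regex engine.

```python
import re

# :PROPERTY, [!]COMPARE_OPERATION, "STRING"  (backslash escapes allowed in STRING)
FILTER_RE = re.compile(
    r'^:(?P<prop>[^,\s]+)\s*,\s*(?P<neg>!?)(?P<op>\w+)\s*,\s*'
    r'"(?P<val>(?:[^"\\]|\\.)*)"\s*$'
)

# String compare-operations from the table; keys are case-sensitive on purpose.
OPS = {
    "contains":     lambda text, s: s in text,
    "contains_i":   lambda text, s: s.lower() in text.lower(),
    "isequal":      lambda text, s: text == s,
    "startswith":   lambda text, s: text.startswith(s),
    "startswith_i": lambda text, s: text.lower().startswith(s.lower()),
    "isempty":      lambda text, s: text == "",  # the STRING value is discarded
}

def parse_filter(line):
    """Split a filter line into (property, negated, operation, string)."""
    m = FILTER_RE.match(line.strip())
    if m is None:
        raise ValueError(f"not a property-based filter: {line!r}")
    if m["op"] not in OPS:
        raise ValueError(f"unsupported compare-operation: {m['op']!r}")
    value = re.sub(r"\\(.)", r"\1", m["val"])  # \" -> "  and  \\ -> \
    return m["prop"], bool(m["neg"]), m["op"], value

def matches(line, message):
    """Evaluate a filter line against a dict of property name -> text."""
    prop, negated, op, value = parse_filter(line)
    if prop not in message:  # property names are case-sensitive too
        raise ValueError(f"property not in sample message: {prop!r}")
    return OPS[op](message[prop], value) != negated

# Constructed sample message (not real log data).
SAMPLE = {
    "hostname": "web01",
    "programname": "sshd",
    "syslogtag": "sshd[1042]:",
    "msg": 'Failed password for invalid user "admin" from 192.0.2.10 port 52211 ssh2',
}

if __name__ == "__main__":
    for rule in (':msg, contains, "failed password"',
                 ':msg, contains_i, "failed password"',
                 ':programname, !isequal, "sshd"'):
        print(f"{rule:45} -> {matches(rule, SAMPLE)}")
```

The first rule in the demo loop does not match the sample because `contains` is case-sensitive, which is the kind of silent miss worth catching before a filter is relied on for alerting or forwarding.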
Property-based Filters