Facility and priority filters are useful when daemon, auth, kernel, mail, or local application messages need their own file or forwarding action without catching unrelated traffic. A selector such as local0.warning matches local0 messages at warning severity and higher, so the proof needs both a matching message and nearby messages that should miss the rule.
rsyslog supports classic selectors for facility and severity, and those selectors are clearer for this job than property filters against message text. The example below writes matching local0 warning-or-higher messages to a proof file, then uses stop so those messages do not continue into later default rules.
These steps assume a systemd Linux host where rsyslog is already installed and reads drop-in files from /etc/rsyslog.d/. Use a temporary proof destination first; after validation, replace the file action with the production file or forwarding target and keep the same inclusion and exclusion tests.
Facility: local0
Priority threshold: warning
Matches: local0.warning, local0.err, local0.crit, local0.alert, local0.emerg
Does not match: local0.info, local1.error
Destination: /var/log/rsyslog-local0-warning.log
A selector priority is a threshold. Use local0.=warning only when the rule must match exactly warning and exclude err, crit, alert, and emerg.
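The threshold and exact-match behaviour described above can be checked offline with a small model of selector matching. This is an added example, not rsyslog's own code and not part of the original page; the function names sev_num, selector_matches and matched_list are hypothetical, and the model covers only the plain threshold, the = form and the * wildcard.

```shell
#!/bin/sh
# Added illustration: models classic selector matching; it does not call rsyslog.

# sev_num NAME -> prints the numeric severity (0 = emerg ... 7 = debug)
sev_num() {
    case "$1" in
        emerg|panic)  echo 0 ;;
        alert)        echo 1 ;;
        crit)         echo 2 ;;
        err|error)    echo 3 ;;
        warning|warn) echo 4 ;;
        notice)       echo 5 ;;
        info)         echo 6 ;;
        debug)        echo 7 ;;
        *)            return 1 ;;
    esac
}

# selector_matches SELECTOR MESSAGE_PRI
# Both arguments have the form facility.priority; returns 0 on a match.
selector_matches() {
    sel_fac=${1%%.*}; sel_pri=${1#*.}
    msg_fac=${2%%.*}; msg_pri=${2#*.}
    # The facility must be equal unless the selector uses the wildcard.
    [ "$sel_fac" = "*" ] || [ "$sel_fac" = "$msg_fac" ] || return 1
    msg_n=$(sev_num "$msg_pri") || return 2
    case "$sel_pri" in
        "*") return 0 ;;
        =*)  sel_n=$(sev_num "${sel_pri#=}") || return 2
             [ "$msg_n" -eq "$sel_n" ] ;;   # exact severity only
        *)   sel_n=$(sev_num "$sel_pri") || return 2
             [ "$msg_n" -le "$sel_n" ] ;;   # threshold: this severity and higher
    esac
}

# matched_list SELECTOR PRI... -> prints the priorities the selector catches
matched_list() {
    sel=$1; shift; out=""
    for p in "$@"; do
        if selector_matches "$sel" "$p"; then out="$out $p"; fi
    done
    echo "${out# }"
}

# Constructed sample priorities, taken from the match and miss lists above.
matched_list local0.warning local0.emerg local0.err local0.warning local0.info local1.error
matched_list local0.=warning local0.err local0.warning local0.notice
```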
$ sudoedit /etc/rsyslog.d/40-local0-warning.conf
template(name="FacilityPriorityFormat" type="string"
string="%syslogfacility-text%.%syslogseverity-text% %syslogtag%%msg%\n")
local0.warning /var/log/rsyslog-local0-warning.log;FacilityPriorityFormat
& stop
The & stop line applies to the previous selector. Keep it when matching messages should leave the remaining default rule flow; remove it when the same messages should also continue to later rules.
For TCP forwarding after testing, replace the file destination with a forwarding action such as @@syslog.example.net:514 and validate the receiver path separately.
$ sudo rsyslogd -N1
rsyslogd: version 8.2512.0, config validation run (level 1), master config /etc/rsyslog.conf
rsyslogd: End of config validation run. Bye.
Run validation through the master configuration so rsyslog reads /etc/rsyslog.conf and the included drop-in files in service order.
$ sudo systemctl restart rsyslog
Restart is the portable systemd apply step for the Ubuntu package used in validation.
$ sudo install -o syslog -g adm -m 0640 /dev/null /var/log/rsyslog-local0-warning.log
If your distribution uses a different owner or group for rsyslog log files, match the ownership used by the existing system log files.
$ logger --priority local0.warning --tag facility-priority "facility priority match"
$ logger --priority local0.info --tag facility-priority "priority too low"
$ logger --priority local1.error --tag facility-priority "facility mismatch"
$ sudo cat /var/log/rsyslog-local0-warning.log
local0.warning facility-priority: facility priority match
If this was a test-only rule, delete /etc/rsyslog.d/40-local0-warning.conf, run sudo rsyslogd -N1, and restart rsyslog again. If it is the production rule, keep the selector but replace the test file path with the intended destination.