7.1.4. Filters

To fine-tune which log entries are kept and how they are forwarded to different destinations, syslog-ng configurations can use filters. Their usage is optional, but they are highly recommended because they provide the real flexibility of syslog-ng: a filter decides which messages reach which destination, so a filter that is too narrow silently drops security-relevant events, while one that is too broad floods the destination with noise.

Filtering can be defined to use seven different criteria that are summarized in the following list.

facility()

It filters on the syslog facility of the message, that is, the subsystem the log entry originates from, for example auth, cron, daemon, kern or mail.

priority()

It filters on the priority (severity) level assigned to the log message.

The syslog-ng priority levels, from least to most severe, are: debug, info, notice, warning, err, crit, alert, emerg. The none keyword of classic syslog.conf is not a severity level; to exclude messages in syslog-ng, negate a filter with not.

level()

It is a synonym for priority(); the two can be used interchangeably.

program()

It filters on the name of the software component (program) that generated the log entry.

host()

It filters on the name of the host that the log message arrived from.

match()

It is a regular expression that is matched against the contents of the log message.

filter()

It references another filter statement by name, so that previously defined filters can be reused and combined into new ones.

By combining these elements you can manually configure a fairly complex logging environment in a couple of lines of “code”, with basic knowledge of the syntax of syslog-ng rules. If you use ZMC, ZMC takes care of the correct syntax and allows you to focus on the actual rule creation process.
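The following configuration fragment is an added example and is not taken from ZMC or from the syslog-ng documentation. It shows all seven filter criteria described above in hand-written syslog-ng syntax. It assumes syslog-ng 3.2 or later (for the system() source and the value() option of match()); the source names, the host name pattern fw[0-9]+, the collector address 10.0.0.5 and the destination file paths are invented for illustration.

```conf
# Added example, not part of the ZMC documentation. Assumes syslog-ng >= 3.2.
@version: 3.2

# Sources: the local system log and syslog-ng's own messages, plus messages
# received over the network from other hosts (e.g. firewalls) on UDP/514.
source s_local { system(); internal(); };
source s_net   { udp(ip(0.0.0.0) port(514)); };

# facility(): authentication-related messages only.
filter f_auth      { facility(auth, authpriv); };

# level() (same as priority()): a range from warning up to emerg.
filter f_important { level(warning..emerg); };

# program(): the PROGRAM field is matched as a regular expression,
# so anchor it to avoid matching e.g. "sshd-helper".
filter f_sshd      { program("^sshd$"); };

# host(): only messages that arrived from hosts named fw1, fw2, ... (assumed naming).
filter f_fw        { host("^fw[0-9]+$"); };

# match(): regular expression against the message text; value("MESSAGE")
# restricts the match to the message body rather than the whole line.
filter f_failed    { match("Failed password" value("MESSAGE")); };

# filter(): reuse named filters and combine them with and / or / not.
filter f_sec_alert { filter(f_auth) and filter(f_important); };
filter f_not_debug { not level(debug); };

# Destinations (paths and collector address are assumed).
destination d_auth   { file("/var/log/auth.log"); };
destination d_fail   { file("/var/log/sshd-failed.log"); };
destination d_secops { tcp("10.0.0.5" port(514)); };

# Log paths. Several filter() references in one path are ANDed together.
log { source(s_local); filter(f_auth); destination(d_auth); };
log { source(s_local); filter(f_sshd); filter(f_failed); destination(d_fail); };
log { source(s_local); source(s_net); filter(f_sec_alert); destination(d_secops); };
log { source(s_net); filter(f_fw); filter(f_not_debug); destination(d_secops); };
```

Two points worth checking before deploying such a configuration: a message that matches none of the log paths is discarded, so verify that everything security-relevant is covered by at least one path; and a syntax error stops syslog-ng from starting, so run syslog-ng --syntax-only against the file before restarting the daemon.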

For more detailed information on syslog-ng, see Appendix C, Further readings.