I have a config that I thought would work, but it does not.  I would like to have the syslog service only send specific messages it finds in the log file and ignore all other and not send them to the syslog server.  Her is the config I currently have, but it seems to be sending everything.  Any help would be great.

<Input watchfile_m_LOGFILENAME>

  Module im_file
  File 'C:\\logs\\log.log'
  Exec $Message = $raw_event;
  Exec if $raw_event =~ /has failed/ $SyslogSeverityValue = 3;
  Exec if $raw_event =~ /Rx error in packet/ $SyslogSeverityValue = 3;
  Exec if $raw_event =~ /LossCounter non zero in packet/ $SyslogSeverityValue = 3;
  Exec $SyslogSeverityValue = 6;
  Exec if file_name() =~ /.*\\(.*)/ $SourceName = $1; 

Thank You,



AskedFebruary 23, 2016 - 6:03pm

Answer (1)

If you want to filter out log messages you should be using drop().

Also the following overrides everything else before this:

Exec $SyslogSeverityValue = 6;

Comments (1)

  • yman182's picture


    What line do I have to add to filter out everything but the specific lines that I already have. I do want those to be sent to our syslog server. I will also remove the line you mentioned.

    Thank you.