Rsyslog offers three different types of "filter conditions":
* "traditional" severity and facility based selectors
* property-based filters
* expression-based filters
Selectors
Selectors are the traditional way of filtering syslog messages.
They have been kept in rsyslog with their original syntax,
because it is well-known, highly effective and also needed for
compatibility with stock syslogd configuration files. If you just
need to filter based on priority and facility, you should do this
with selector lines. They are not second-class citizens in
rsyslog and offer the best performance for this job.
Property-Based Filters
Property-based filters are unique to rsyslogd. They allow filtering
on any property, like HOSTNAME, syslogtag and msg.
A property-based filter must start with a colon in column 0. This
tells rsyslogd that it is the new filter type. The colon must be
followed by the property name, a comma, the name of the compare
operation to carry out, another comma and then the value to
compare against. This value must be quoted. There can be spaces
and tabs between the commas. Property names and compare
operations are case-sensitive, so "msg" works, while "MSG" is an
invalid property name. In brief, the syntax is as follows:
:property, [!]compare-operation, "value"
The following compare-operations are currently supported:
contains
    Checks if the string provided in value is contained
    in the property.
isequal
    Compares the "value" string provided and the
    property contents. These two values must be exactly
    equal to match.
startswith
    Checks if the value is found exactly at the
    beginning of the property value.
regex
    Compares the property against the provided regular
    expression.
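The syntax rules and compare-operations above can be checked offline before a filter is deployed. The following is an added example, not rsyslog code: a small Python parser and evaluator for property-based filter lines. It assumes that an action follows the quoted value on the same line, that the value contains no escaped quotes, and that Python's re module is an acceptable stand-in for rsyslog's regex dialect; the sample message and log path are constructed.

```python
import re

# Compare-operations listed on this page, mapped to Python equivalents.
# "regex" uses Python's re as a stand-in; rsyslog's regex dialect may differ.
OPS = {
    "contains":   lambda prop, val: val in prop,
    "isequal":    lambda prop, val: prop == val,
    "startswith": lambda prop, val: prop.startswith(val),
    "regex":      lambda prop, val: re.search(val, prop) is not None,
}

# :property, [!]compare-operation, "value"  (spaces/tabs allowed around commas)
# Assumption: whatever follows the quoted value is the action; no escaped quotes.
FILTER_RE = re.compile(
    r'^:(?P<prop>[^,\s]+)[ \t]*,[ \t]*(?P<neg>!?)(?P<op>[A-Za-z]+)[ \t]*,[ \t]*'
    r'"(?P<val>[^"]*)"[ \t]*(?P<action>.*)$'
)

def parse_filter(line):
    """Parse one property-based filter line; raise ValueError on syntax errors."""
    if not line.startswith(":"):
        raise ValueError("filter must start with a colon in column 0")
    m = FILTER_RE.match(line)
    if m is None:
        raise ValueError('expected :property, [!]compare-operation, "value"')
    if m["op"] not in OPS:  # case-sensitive lookup: "Contains" is rejected
        raise ValueError(f"unknown compare-operation: {m['op']}")
    return {"prop": m["prop"], "negate": m["neg"] == "!", "op": m["op"],
            "value": m["val"], "action": m["action"]}

def matches(flt, message):
    """Evaluate a parsed filter against a dict of message properties."""
    if flt["prop"] not in message:  # e.g. "MSG" when only "msg" exists
        raise ValueError(f"invalid property name: {flt['prop']}")
    result = OPS[flt["op"]](message[flt["prop"]], flt["value"])
    return result != flt["negate"]  # a leading "!" inverts the comparison

# Constructed sample message; property names spelled as on this page.
SAMPLE = {
    "HOSTNAME": "web01",
    "syslogtag": "sshd[1234]:",
    "msg": "Failed password for root from 192.0.2.10 port 2222 ssh2",
}
```
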
Expression-Based Filters
See the HTML documentation for this feature.