Laurent CARON <lcaron@apartia.fr> - Tue, Aug 31, 2004:
> filter f_syslog { not facility(auth, authpriv) and not facility(mail); };
This requests to keep only messages which aren't of facility auth or authpriv and which aren't of facility mail. A filter says which messages to keep. Matching messages are kept, the others are removed.
> filter f_syslog { not facility(auth, authpriv) or facility(mail) and level(warn .. emerg); };

This is ambiguous, because of the priority of and over or, I think it means to keep messages which aren't from facility auth or authpriv and also keep messages from facility mail with a level at least of warning. You should write it:

    filter f_syslog { not facility(auth, authpriv) or (facility(mail) and level(warn .. emerg)); };

> I'm trying to exclude certain messages from my syslog (facility mail which are inferior to warning)
I would write two filters to do this:

    filter f_mail { facility(mail); };
    filter f_less_than_warn { level(debug..notice); };

and your filter would look like:

    filter exclude_what_i_don_t_want { not( filter(f_mail) and filter(f_less_than_warn) ); };

Now if you've done some boolean logic, you probably know you can develop the not() like this:

    filter exclude_what_i_don_t_want { not(filter(f_mail)) or not(filter(f_less_than_warn)); };

(sorry for missing ";" if there are some)

And you could decide that this is even clearer (with the appropriate f_at_least_warn):

    filter exclude_what_i_don_t_want { not(filter(f_mail)) or filter(f_at_least_warn); };

Which basically means 'keep messages not coming from mail and also keep messages which are from level warn or above'.

Regards,
--
Loïc Minier <lool@dooz.org>
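
The filter expressions from this message, checked as an added example (not part of the original email): a Python model that evaluates each form over every facility/level pair and lists what each one drops. It assumes Python's not/and/or precedence matches the reading given in the reply; the facility list is a constructed sample, and the function names mirror the filter names in the message.

```python
from itertools import product

# Syslog severities from most to least severe; "warn" spelled as in the filters above.
LEVELS = ["emerg", "alert", "crit", "err", "warn", "notice", "info", "debug"]
# Constructed sample of facilities (not an exhaustive list).
FACILITIES = ["auth", "authpriv", "mail", "daemon", "kern"]

def level_in(level, first, last):
    """Model of level(first..last): inclusive severity range, either order."""
    i, a, b = (LEVELS.index(x) for x in (level, first, last))
    return min(a, b) <= i <= max(a, b)

def f_mail(fac, lvl):
    return fac == "mail"

def f_less_than_warn(fac, lvl):
    return level_in(lvl, "debug", "notice")

def f_at_least_warn(fac, lvl):
    return level_in(lvl, "warn", "emerg")

# The three spellings of exclude_what_i_don_t_want from the reply.
FORMS = {
    "not(A and B)": lambda f, l: not (f_mail(f, l) and f_less_than_warn(f, l)),
    "not A or not B": lambda f, l: not f_mail(f, l) or not f_less_than_warn(f, l),
    "not A or C": lambda f, l: not f_mail(f, l) or f_at_least_warn(f, l),
}

def quoted_filter(fac, lvl):
    """Second quoted f_syslog, assuming 'and' binds tighter than 'or'."""
    return fac not in ("auth", "authpriv") or fac == "mail" and level_in(lvl, "warn", "emerg")

def dropped(pred):
    """(facility, level) pairs the filter does NOT keep."""
    return sorted(m for m in product(FACILITIES, LEVELS) if not pred(*m))

def forms_agree():
    """True if all three spellings keep exactly the same messages."""
    return len({tuple(dropped(p)) for p in FORMS.values()}) == 1

if __name__ == "__main__":
    print("forms agree:", forms_agree())
    print("exclude_what_i_don_t_want drops:", dropped(FORMS["not(A and B)"]))
    print("quoted f_syslog drops:", dropped(quoted_filter))
```

In this model the quoted f_syslog drops only auth and authpriv messages and keeps all mail, while exclude_what_i_don_t_want drops only mail at debug, info and notice.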