rsyslog: How do I split the events in a log file into separate files if it contains a keyword?

timestamp logging rsyslog

Solution 1:

The rsyslog documentation on filters says that $msg can help here:

Probably, “msg” is the most prominent use case of property based
filters. It is the actual message text. If you would like to filter
based on some message content (e.g. the presence of a specific code),
this can be done easily by:

    :msg, contains, "ID-4711"

This filter will match when the message contains the string “ID-4711”.

and

*.* /var/log/file1 # the traditional way
if $msg contains 'error' then /var/log/errlog # the expression-based way

If I understand your question correctly, you can do what you intend by editing your configuration file to check $msg for timestamp= If you find that value, write to a separate file.

This is the documentation for rsyslog version 8. I'd recommend checking the version of rsyslog you are using against any examples you find (in the documentation or on the Internet).

Related

It is enough secure enabling WireCrypt when connecting over internet
How do I setup an Ookla server for speed test?
What is the overhead of ZFS RAIDz1/2 in HPC SSD Environment?
Postfix not receiving bounce mails
App engine Instances placement
Ansible PHP Update with zypper (with vendor change)
iPhone stuck on Connect to iTunes [duplicate]
Why I'm getting "macOS can't repair the disk" [duplicate]
Cannot unmount external HDD. Only "force unmount" works
Can I make all viewable windows active (responsive to mouse clicks)? [duplicate]
Can't download or update apps [duplicate]
What game is being played in this Crash Course: Computer Science video?