How to exclude facility?

[alkisg]

Hello, I've been googling / reading docs for a while but I didn't find what I needed, so I thought I'd ask here.
How can I express the following in the legacy format, or if not possible, in the new format?

"if the message priority is less than warning, stop processing, except if the facility is auth or authpriv"
So e.g. processing would stop for mail.info, but it would continue for auth.info.

I started with *.debug;*.!warning stop and tried to exclude auth,authpriv.*, but I couldn't make it. I tried with !=auth but I guess != can't be used for facilities; I tried with multiple semicolons but they didn't work as I thought...

[alkisg]

I think I got it, is this correct?

*.debug;*.!warning;auth,authpriv.none stop

The docs say The keyword none stands for no priority of the given facility; I'm not sure why I should match "no priority", but it appears to work...
So if we wanted to phrase that selector in English, we'd say the following?

• Match all messages with priority >= debug
• Exclude all messages with priority < warning
• Exclude all messages with facility=(auth or authpriv) and priority="no priority"? Why does that match auth.info then?

[alkisg]

And finally, the opposite/positive/inclusion way to write the same rule, would be this one?

*.err;auth,authpriv.none  @10.0.0.1
auth,authpriv.*  @10.0.0.1

(the inclusion way is needed on the sender, the exclusion on the receiver).
I can't write that ^ in a single line, can I?

[davidelang]

for something this complicated, just use the new if..then capabilities, if you have trouble writing it, in a few years you will have trouble understanding it. David Lang

…

On Sun, 12 May 2024, Alkis Georgopoulos wrote: Date: Sun, 12 May 2024 00:21:07 -0700 From: Alkis Georgopoulos ***@***.***> Reply-To: rsyslog/rsyslog ***@***.***> To: rsyslog/rsyslog ***@***.***> Cc: Subscribed ***@***.***> Subject: Re: [rsyslog/rsyslog] How to exclude facility? (Issue #5378) I think I got it, is this correct? *.debug;*.!warning;auth,authpriv.none

[alkisg]

Understanding the "multiple semicolons" and the "none" intricacies will also help me read the existing configuration files, e.g. here's a part from Ubuntu's /etc/rsyslog.d/50-default.conf:

#*.=debug;\
#       auth,authpriv.none;\
#       news.none;mail.none     -/var/log/debug

After reading the documentation, I still can't grasp why auth,authpriv.none is required in this case, instead of auth,authpriv.*.

For future re-reading of my configuration files, I'll just use comments like always, that part isn't a problem. Thank you!