<pre name="code" class="html">Using negation can be useful if you would like to do some generic processing but exclude some specific events. You can use the discard action in conjunction with that. A sample would be:

*.* /var/log/allmsgs-including-informational.log
:msg, contains, "informational" ~
*.* /var/log/allmsgs-but-informational.log

Do not overlook the tilde in line 2! In this sample, all messages are written to the file allmsgs-including-informational.log. Then, all messages containing the string “informational” are discarded. That means the config file lines below the “discard line” (number 2 in our sample) will not be applied to these messages. Then, all remaining messages are also written to the file allmsgs-but-informational.log.
:msg, contains, "error" ~ # ignore log messages containing "error"
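
An added example (not rsyslog code and not from the original page): a small Python model of the rule ordering described above, useful when reviewing a config to see which messages a discard line keeps away from later destinations. It models only the `*.*` selector and `:msg, [!]contains` filters; the function names and sample messages are constructed, and `stop`, the spelling newer rsyslog releases use for the discard action, is accepted alongside `~`.

```python
import re

# One legacy-format rule is "<filter> <action>". The filter is either a
# selector (*.*) or a property filter (:msg, contains, "text").
PROP = re.compile(r'^:(\w+),\s*(!?)(\w+),\s*"([^"]*)"\s+(\S+)')

def parse(config):
    """Turn config text into (predicate, action) pairs, in file order."""
    rules = []
    for line in config.splitlines():
        line = re.sub(r'(^|\s)#.*', '', line).strip()  # simplified comment strip
        if not line:
            continue
        m = PROP.match(line)
        if m:
            prop, neg, op, value, action = m.groups()
            if prop != "msg" or op != "contains":
                raise ValueError("only ':msg, [!]contains' is modelled: " + line)
            # "!" in front of the compare operation negates the match.
            pred = lambda msg, v=value, n=bool(neg): (v in msg) != n
        else:
            selector, action = line.split(None, 1)
            if selector != "*.*":
                raise ValueError("only the *.* selector is modelled: " + line)
            pred = lambda msg: True
        rules.append((pred, action.strip()))
    return rules

def route(config, messages):
    """Return ({file: [messages]}, [discarded messages])."""
    rules, files, discarded = parse(config), {}, []
    for msg in messages:
        for pred, action in rules:
            if not pred(msg):
                continue
            if action in ("~", "stop"):  # discard: no later rule sees msg
                discarded.append(msg)
                break
            files.setdefault(action, []).append(msg)
    return files, discarded

# The config is the sample from the text; the messages are constructed.
SAMPLE_CONFIG = '''*.* /var/log/allmsgs-including-informational.log
:msg, contains, "informational" ~
*.* /var/log/allmsgs-but-informational.log'''
SAMPLE_MESSAGES = ["disk check informational", "login failed for root", "link up"]

if __name__ == "__main__":
    print(route(SAMPLE_CONFIG, SAMPLE_MESSAGES))
```

Moving the discard line to the top of the sample config makes the first file lose the “informational” messages as well, which is the ordering effect to check for in a review.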