When working with syslog (rsyslog/syslog-ng), messages matching multiple rules will be processed by all matching rules. This explains why your local1 messages appear in both /var/log/application.log and /var/log/messages.
Modern syslog implementations support negative filtering using != or !.* syntax. Here's how to modify your configuration:
# Original messages rule with local1 exclusion
*.info;mail.none;authpriv.none;cron.none;local1.none /var/log/messages
# Dedicated local1 logging
local1.* /var/log/application.log
For systems without negative filter support, use priority-based filtering:
# Log everything info and above except local1 (*.err covers err, crit, alert and emerg, which the =selectors alone would drop)
*.=info;*.=notice;*.=warn;*.err;mail.none;authpriv.none;cron.none;local1.!* /var/log/messages
After modifying /etc/rsyslog.conf (or equivalent), test with:
# Reload configuration
sudo systemctl restart rsyslog
# Test logging
logger -p local1.info "Test message should only appear in application.log"
logger -p local2.info "Test message should appear only in messages"
For more complex filtering in rsyslog:
# Using property-based filters
if $syslogfacility-text != 'local1' and $syslogseverity <= 6 then /var/log/messages
When dealing with high-volume logging:
- Negative filters add minimal overhead
- Consider using rsyslog's rate limiting for busy systems
- For very high throughput, investigate syslog-ng's filter performance
When dealing with syslog configurations, many administrators encounter a common scenario where custom application logs (using facility local1) appear both in their dedicated log file and in the general /var/log/messages. This happens because of the catch-all nature of the *.info rule.
In a typical rsyslog.conf or syslog.conf, you'll find these relevant lines:
*.info;mail.none;authpriv.none;cron.none /var/log/messages
local1.* /var/log/application.log
The *.info directive captures all info-level messages regardless of facility, unless explicitly excluded.
Modern syslog implementations (like rsyslog) support negative filtering using the ! operator:
*.info;mail.none;authpriv.none;cron.none;local1.none /var/log/messages
local1.* /var/log/application.log
For legacy syslogd systems, use this syntax:
*.info;mail.none;authpriv.none;cron.none;local1.none /var/log/messages
If you need to exclude multiple facilities from messages:
*.info;mail.none;authpriv.none;cron.none;local1.none;local2.none /var/log/messages
After modifying your configuration:
- Restart syslog:
systemctl restart rsyslog   (or: service syslog restart)
- Test with logger:
logger -p local1.info "Test message"
- Check both files:
grep "Test message" /var/log/{messages,application.log}
For high-volume logging scenarios, consider these optimizations:
$ModLoad imuxsock
# 0 disables imuxsock's rate limiting (interval and burst)
$SystemLogRateLimitInterval 0
$SystemLogRateLimitBurst 0
If logs still appear in both files:
- Check for duplicate rules in included config files (/etc/rsyslog.d/*.conf)
- Verify the syslog daemon actually reloaded the configuration
- Ensure no legacy syslog rules exist (like in /etc/syslog.conf on older systems)
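Added illustration, not part of either answer above: a small Python model of the classic selector semantics (sysklogd's syslog.conf rules, which rsyslog's legacy selectors follow) that shows why *.info catches local1.info, why every matching rule fires, and how local1.none or local1.!* removes the duplicate. The two config strings are constructed samples, and the model assumes only the selector forms used on this page (pri, =pri, !pri, none, *).

```python
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
ALIASES = {"warn": "warning", "error": "err", "panic": "emerg"}

def parse_rules(conf):
    """Parse classic 'selector;selector  target' lines into (selectors, target) tuples."""
    rules = []
    for line in conf.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        selectors, target = line.rsplit(None, 1)
        rules.append(([tuple(s.split(".", 1)) for s in selectors.split(";")], target))
    return rules

def rule_matches(selectors, facility, severity):
    """sysklogd/rsyslog selector semantics for one facility, applied left to right:
    'pri' adds pri and above, '=pri' adds exactly pri, a leading '!' removes instead
    of adding, '*' means every severity, and 'none' clears everything selected so far."""
    selected = set()
    for fac_pat, pri_pat in selectors:
        facs = fac_pat.split(",")
        if "*" not in facs and facility not in facs:
            continue
        remove = pri_pat.startswith("!")
        pri = pri_pat.lstrip("!")
        if pri == "none":
            selected = set()
            continue
        exact = pri.startswith("=")
        pri = ALIASES.get(pri.lstrip("="), pri.lstrip("="))
        if exact:
            chosen = {pri}
        else:
            chosen = set(SEVERITIES if pri == "*" else SEVERITIES[: SEVERITIES.index(pri) + 1])
        selected = selected - chosen if remove else selected | chosen
    return severity in selected

def route(conf, facility, severity):
    """Return every target whose rule fires: all matching rules act, not just the first."""
    return [t for sels, t in parse_rules(conf) if rule_matches(sels, facility, severity)]

# Constructed samples: the catch-all rule from the question, then the fixed version.
ORIGINAL_CONF = """\
*.info;mail.none;authpriv.none;cron.none /var/log/messages
local1.* /var/log/application.log
"""
FIXED_CONF = """\
*.info;mail.none;authpriv.none;cron.none;local1.none /var/log/messages
local1.* /var/log/application.log
"""
```

Calling route(ORIGINAL_CONF, "local1", "info") returns both files, while the same call against FIXED_CONF returns only /var/log/application.log.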