Arun

Reputation: 20383

syslog: process specific priority

I have two user processes A and B. Both use syslog using facility LOG_USER.

I want to have different threshold levels for them:

I found that if I set up /etc/syslog.conf as

user.err    /var/log/messages

then messages of ERR and above are logged, but from both A and B.

How can I have different minimum threshold levels for different processes?

Note: I am exploring whether there is a config-file-based solution. Otherwise, there is another approach that works: in each process, we can use setlogmask() to install a process-specific priority mask.

EDIT (Nov 18): I want to use syslog and some portable solution.

Upvotes: 0

Views: 1911

Answers (2)

Arun

Reputation: 20383

This tutorial http://www.freebsd.org/cgi/man.cgi?query=syslog.conf&sektion=5 helped me. The following seems to work:

# process A: log only error and above
!A
*.err                /var/log/messages

# process B: log only critical and above
!B
*.crit               /var/log/messages

# all processes other than A and B: log only info and above
!-A,B
*.info               /var/log/messages

Upvotes: 0

user2845360

A config file based solution is available. I think CentOS by default ships with rsyslog and even if it does not, you can always install rsyslog with yum. This solution works only with rsyslog and nothing else.

There is a catch, though. You cannot separate log messages with rsyslog (or pretty much any syslog daemon implementation) between processes with the same name, i.e. the same executable path. However, rsyslog does allow you to filter messages based on program name. Here lies a possible solution: most programs call openlog(3) using argv[0], i.e. the executable name, as the first argument. Now since you don't reveal the actual program you're running, there is no way to determine this for you, but you can always read the sources of your own program, I guess.

In most cases the executable path is the program name, though some daemons do fiddle with argv[0] (notable examples are postfix and sendmail). Rsyslog, on the other hand, provides a filtering mechanism which allows one to filter messages based on the name of the sending program (you can now probably see how this is all connected to how openlog(3) is called). So, instead of trying to filter processes directly, we can filter on program names. And that we can affect by creating symbolic links.

So, this solution only works given the following conditions: a) the process you're running does not fiddle with argv[0] after beginning execution; b) you can create symlinks to the binary, thus creating two different names for the same program; c) your program is calling openlog(3) using argv[0] as the first parameter to the call.

Given those two conditions, you can simply filter messages in /etc/rsyslog.conf like this (example directly from rsyslog documentation):

if $programname == 'prog1' then {
   action(type="omfile" file="/var/log/prog1.log")
}
if $programname == 'prog2' then {
   action(type="omfile" file="/var/log/prog2.log")
}

E.g. if your program is called /usr/bin/foobar and you've created symbolic links /usr/bin/prog1 and /usr/bin/prog2 both pointing at /usr/bin/foobar, the above configuration file example will then direct messages from processes started as "prog1" and "prog2" to different log files respectively. This example will not fiddle with anything else, so all those messages are still going to general log files, unless you filter them out explicitly.

Upvotes: 1
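Added example, not code from either answer: a C sketch that combines the setlogmask() approach from the question with the argv[0]-as-ident convention the second answer relies on, so one binary started through the symlinks prog1 and prog2 logs under two program names with two thresholds. The threshold table and all function names are hypothetical.

```c
#include <string.h>
#include <syslog.h>

/* Hypothetical per-name thresholds; prog1/prog2 are the symlink names
 * used in the answer above, the levels are chosen for illustration. */
struct threshold { const char *ident; int min_priority; };
static const struct threshold thresholds[] = {
    { "prog1", LOG_ERR  },   /* started as prog1: err and above  */
    { "prog2", LOG_CRIT },   /* started as prog2: crit and above */
};
#define DEFAULT_PRIORITY LOG_INFO  /* any other name: info and above */

/* Program name as the syslog daemon will see it: argv[0] without
 * its directory part. */
const char *ident_from_argv0(const char *argv0)
{
    const char *slash = strrchr(argv0, '/');
    return slash ? slash + 1 : argv0;
}

int threshold_for(const char *ident)
{
    for (size_t i = 0; i < sizeof thresholds / sizeof thresholds[0]; i++)
        if (strcmp(thresholds[i].ident, ident) == 0)
            return thresholds[i].min_priority;
    return DEFAULT_PRIORITY;
}

/* Nonzero if a message at `priority` passes `mask`. */
int mask_allows(int mask, int priority)
{
    return (mask & LOG_MASK(priority)) != 0;
}

/* Open the log under the invoked name and install its mask; returns the
 * mask. openlog() keeps the ident pointer, so argv0 must stay valid. */
int init_logging(const char *argv0)
{
    const char *ident = ident_from_argv0(argv0);
    int mask = LOG_UPTO(threshold_for(ident));
    openlog(ident, LOG_PID, LOG_USER);
    setlogmask(mask);
    return mask;
}

int main(int argc, char *argv[])
{
    init_logging(argc > 0 ? argv[0] : "unknown");
    syslog(LOG_WARNING, "dropped in-process when started as prog1 or prog2");
    syslog(LOG_CRIT, "passes the mask under every name");
    return 0;
}
```

Messages below the mask are discarded inside the process and never reach the daemon, so a threshold set this way cannot be lowered later from syslog.conf or rsyslog.conf.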
