On 2015-10-02 15:54, Knurpht - Gertjan Lettink wrote:
> Your filters should be entirely one line each.

No, that's not so. I have this working filter on 13.1:

if ($programname startswith 'org.gtk.' and $msg contains '### debug:') or ($programname startswith 'org.gtk.vfs.Daemon') or ($programname startswith 'org.freedesktop.Tracker1') \
    or ($programname startswith 'org.gnome.evince.Daemon' and ($msg contains 'egisterDocument' or $msg contains 'Watch name')) \
    or ($programname startswith 'org.gnome.zeitgeist.Engine') \
    or ($programname startswith 'org.xfce.FileManager' and ($msg contains 'fixme:' )) \
    or ($programname == 'systemd' and ($msg contains 'Failed to open private bus connection: Failed to connect to socket' )) \
then    -/var/log/pruned
& stop

Notice the "\" symbol at the end of each line: it signifies it continues on the next.

Or this other rule, in the original LEAP file:

#
# firewall messages into separate file and stop their further processing
#
if ($syslogfacility-text == 'kern') and \
   ($msg contains 'IN=' and $msg contains 'OUT=') \
then {
    -/var/log/firewall
    stop
}

-- 
Cheers / Saludos,

Carlos E. R.
(from 13.1 x86_64 "Bottle" at Telcontar)