In other articles, I discussed how to config rsyslog and how to syslog your program output, but what about you have a system that is old, you know there are lots of programs/daemons using syslog, now you want to identify it before upgrade the hardware, how?

There is one rule I mentioned it in rsyslog rules examples, but get mixed with other examples.

Below just some examples added in rule section of the /etc/rsyslog.conf

1. By selector

:programname, isequal, "sshd"      /var/log/sshd.log

Or

:programname, startswith, "ssh"   /var/log/ssh.log

2. By filter

if $programname == 'popa3d' and $syslogseverity <= '6' then /var/log/popa3d.log

3. Using templates

$template TmplAuth, "/var/log/%PROGRAMNAME%.log" 

authpriv.*   ?TmplAuth
*.info,mail.none,authpriv.none,cron.none   ?TmplMsg

4. By message filter

To be exact, this way usualy not to be used to seperate message by program, but under some circumstance, for example, the message generated by a driver seating in kernel, then you can't use the ways listed above to separate them.

Regular expression is mostly used in message filter, here are two examples:

:msg, regex, "mhvtl"	 /var/log/mhvtl.log
:msg, contains "vtllibrary" /var/log/mhvtl.log

In the examples above, when matched, they will be separated to /var/log/mhvtl.log