[CentOS] rsyslog.conf

Thu Jul 23 17:19:44 UTC 2015
m.roth at 5-cent.us

Physically dragging the thread back on topic...

I really am going crazy, trying to deal with the hourly logs from the
loghost. We've got 170+ servers and workstations... but a *very* large
percentage of what's showing up is from his bloody new fedora 22, with its
idiot systemd logging of *every* selinux message to /var/log/messages.

I tried creating a rule, /etc/rsyslog.d/audit.conf, that reads:

if $msg contains "audit" and $msg,contains,'res=success' then -

but that seemed to send *everything* to /dev/null. That was my best guess,
based on googling (yahooing?) and man pages. Can anyone tell me what's
wrong with that syntax?
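A corrected version of that filter in rsyslog's RainerScript, added here as an illustration and not taken from the thread. It assumes rsyslog 7 or later (as shipped with CentOS 7), that /etc/rsyslog.d/*.conf is included before the rule that writes /var/log/messages, and that the noisy successful-audit lines are better diverted to their own file than discarded, because an audit trail that has been thrown away cannot be recovered during an investigation.

```rsyslog
# /etc/rsyslog.d/audit.conf  (added example, not the original poster's file)
#
# Two things go wrong in the rule quoted above:
#   1. "$msg,contains,'res=success'" is property-based filter syntax
#      (":msg, contains, ..."); it cannot be joined with "and" inside an
#      "if ... then" expression, which is RainerScript.
#   2. "then -" is not a discard action. In legacy syntax the discard
#      action is "~"; in RainerScript it is "stop".
#
# Both conditions are written as RainerScript comparisons, the matching
# messages are written to a separate file, and "stop" prevents the later
# /var/log/messages rule from seeing them.

if ($msg contains "audit") and ($msg contains "res=success") then {
    # Keep the lines for later review instead of dropping them.
    action(type="omfile" file="/var/log/audit-success.log")
    stop
}

# To narrow the match to the one chatty host instead of every message
# that happens to contain "audit", add a hostname test (placeholder value):
#
# if ($hostname == "FEDORA_HOST_PLACEHOLDER") and ($msg contains "audit")
#    and ($msg contains "res=success") then {
#     action(type="omfile" file="/var/log/audit-success.log")
#     stop
# }
```

Run `rsyslogd -N1` to check that the configuration parses before restarting the service.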