Tags: linux, filter, redhat, rsyslog

How to filter Remote Syslog messages on Red Hat?


I'm using a unified log on a server running Red Hat 6, receiving directed log messages from other servers and managing them with RSyslog. Until now, the /etc/rsyslog.conf has this rule:

if $fromhost-ip startswith '172.20.' then /var/log/mylog.log

But I don't want to log messages that contain "kernel" and "dnat", so I want to filter all messages, enhancing the rule.

How can I do that?


Solution

  • This looks like a question better suited to Unix & Linux. Having appropriately noted that this is not the right place, I'll go and break the rules by answering it anyway.

    Depending a bit on the version of Red Hat you're using, you can use rsyslogd's conditional filters or RainerScript in various ways to express a combination of several logical rules. On Red Hat 6 you could say something like this to accomplish what you want using a conditional filter:

    # rsyslog v5 expression-based filter: the property is spelled
    # $syslogfacility-text (no hyphen after "syslog")
    if ( $fromhost-ip startswith '172.20.' and \
         $syslogfacility-text != 'kern' ) then /var/log/mylog.log

    You can find more examples from the Rsyslog v5 manual.
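As an added example that is not part of the question or the answer above, here is a fuller /etc/rsyslog.conf fragment for the original requirement: keep remote messages from 172.20.x.x in the unified log, but do not log kernel messages whose text mentions "dnat". It is shown both in the legacy expression syntax that rsyslog v5 on Red Hat 6 accepts and in the RainerScript form of rsyslog v7 and later. The file path, the network prefix and the "dnat" substring come from the question; the assumption that the unwanted messages are netfilter NAT log lines arriving with the kern facility, and the use of case-insensitive matching, are mine.

```rsyslog
# ---- Red Hat 6 / rsyslog v5: legacy expression-based filters ----
# Rule order matters: the discard rule must come before the logging rule.
#
# 1. Drop kernel-facility messages from 172.20.x.x whose text contains
#    "dnat" (contains_i is case-insensitive, so "DNAT" in an iptables LOG
#    prefix is caught too). '~' is the discard action, so these messages
#    do not fall through to the default /var/log/messages rule either.
if $fromhost-ip startswith '172.20.' and \
   $syslogfacility-text == 'kern' and $msg contains_i 'dnat' then ~

# 2. Everything else from 172.20.x.x goes to the unified log. The trailing
#    dot in '172.20.' keeps a sender such as 172.200.1.1 from matching.
if $fromhost-ip startswith '172.20.' then /var/log/mylog.log


# ---- rsyslog v7 and later (e.g. Red Hat 7): the same logic in RainerScript ----
if $fromhost-ip startswith "172.20." then {
    # Silently discard the unwanted kernel NAT messages for this message only.
    if $syslogfacility-text == "kern" and $msg contains_i "dnat" then {
        stop
    }
    action(type="omfile" file="/var/log/mylog.log")
    # Optional: "stop" here keeps these messages out of /var/log/messages
    # as well; omit it if the default rules should still see them.
    stop
}
```

Two caveats worth keeping in mind: $fromhost-ip is the address of the host the message was received from, so if the senders forward through a relay the relay's address is what gets matched, and a substring drop rule loses those events everywhere, so writing them to a separate file instead of discarding is a reasonable alternative if they may be needed later. On rsyslog versions that support it, rsyslogd -N1 validates the configuration before the service is restarted.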