[rsyslog-notify] Forum Thread: Re: Filtering on Multiple Network Device Types Does Not Work - (Mode 'reply')
noreply at adiscon.com
Thu Dec 31 03:45:45 CET 2015
User: dlang
Forumlink: http://kb.monitorware.com/viewtopic.php?p=26257#p26257
Message:
----------
I would make the nesting much more explicit (additional braces and changing
the format to make the nesting clearer). Check that rsyslogd -N1 doesn't
complain about any errors. I'll bet it's not going to be happy about
something.
Also, check that the values you are looking for actually appear in $msg. I
would expect %ASA to appear in $programname instead (log with
RSYSLOG_DebugFormat to see exactly what ends up in each field).
Try:
ruleset(name="network-logs") {
    # Cisco ASA: match on the "%ASA-" tag in the message text
    if ($msg contains "%ASA-") then {
        action(type="omfile" file="/var/log/splunk/cisco-firewall.log"
               template="rsyslog-fmt")
        stop
    } else {
        # Cisco Sourcefire
        if ($msg contains "SFIMS") then {
            action(type="omfile" file="/var/log/splunk/cisco-sourcefire.log"
                   template="rsyslog-fmt")
            stop
        } else {
            # Check Point (CEF-formatted)
            if ($msg contains "CEF") then {
                action(type="omfile" file="/var/log/splunk/checkpoint-firewall"
                       template="rsyslog-fmt")
                stop
            } else {
                # Anything else goes to the catch-all file
                action(type="omfile" file="/var/log/splunk/uncategorised.log"
                       template="rsyslog-fmt")
                stop
            }
        }
    }
}   # closes the ruleset (this brace was missing in the original snippet)
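As an added illustration (not part of dlang's post), the configuration below puts the diagnostic step and the corrected filter together: every message arriving on the network ruleset is first dumped with the built-in RSYSLOG_DebugFormat template so you can see which property actually carries the "%ASA-" tag, and the ASA branch then tests $programname as well as $msg. The template name "rsyslog-fmt" is taken from the thread; its definition, the debug file path, the listener port, and the assumption that the ASA tag lands in $programname are all constructed for this example.

```rsyslog
# Added example; assumes rsyslog v7+ RainerScript syntax.
module(load="imudp")

# Assumed definition of the output template the thread refers to.
template(name="rsyslog-fmt" type="string"
         string="%TIMESTAMP% %HOSTNAME% %syslogtag%%msg%\n")

ruleset(name="network-logs") {
    # Diagnostic step: RSYSLOG_DebugFormat is a built-in template that prints
    # every parsed property (msg, programname, syslogtag, ...) on its own line.
    # Remove this action once you know which field holds the device tag.
    action(type="omfile" file="/var/log/rsyslog-debug.log"
           template="RSYSLOG_DebugFormat")

    # Cisco ASA: the "%ASA-<sev>-<id>:" token is expected in $programname
    # (assumption from the thread); also test $msg in case the parser put
    # it there.
    if ($programname startswith "%ASA-") or ($msg contains "%ASA-") then {
        action(type="omfile" file="/var/log/splunk/cisco-firewall.log"
               template="rsyslog-fmt")
        stop
    } else {
        if ($msg contains "SFIMS") then {
            action(type="omfile" file="/var/log/splunk/cisco-sourcefire.log"
                   template="rsyslog-fmt")
            stop
        } else {
            if ($msg contains "CEF") then {
                action(type="omfile" file="/var/log/splunk/checkpoint-firewall"
                       template="rsyslog-fmt")
                stop
            } else {
                action(type="omfile" file="/var/log/splunk/uncategorised.log"
                       template="rsyslog-fmt")
                stop
            }
        }
    }
}

# Bind the ruleset to the listener so only network-device traffic goes
# through it (port is a constructed value).
input(type="imudp" port="5140" ruleset="network-logs")
```

Validate the file before reloading with `rsyslogd -N1 -f /path/to/this.conf`; a missing brace or a misplaced `then` is reported there rather than silently misrouting messages into the catch-all file.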