[rsyslog-notify] Forum Thread: Re: Filtering on Multiple Network Device Types Does Not Work - (Mode 'reply')

noreply at adiscon.com
Thu Dec 31 05:00:39 CET 2015


User: miles 
Forumlink: http://kb.monitorware.com/viewtopic.php?p=26258#p26258

Message: 
----------
Thanks for the reply, dlang. I did notice some differences in nesting, which
I've adjusted my config to match.

rsyslogd -N1 still says everything is fine, even with the new nesting; however,
it still is not working as expected.

I've updated my configuration to check for more values, hoping to get some
more hits / logs, but the filtering still only goes into the 1st and last
log definition; none of the intermediaries are working. When I grep
uncategorised.log, all the values are found, so I know they exist.

[code]
ruleset(name="network-logs") {
    if ($msg contains "%ASA-") then {
        action(type="omfile" file="/var/log/splunk/cisco-firewall.log")
        stop
    } else {
        if ($msg contains "SFIMS") then {
            action(type="omfile" file="/var/log/splunk/cisco-sourcefire.log")
            stop
        } else {
            if ($msg contains "CEF") then {
                action(type="omfile" file="/var/log/splunk/checkpoint-firewall.log")
                stop
            } else {
                if ($msg contains "SourceFire") then {
                    action(type="omfile" file="/var/log/splunk/SourceFire-firewall.log")
                    stop
                } else {
                    if ($msg contains "eu-der-kv-frwll") then {
                        action(type="omfile" file="/var/log/splunk/eu-der-kv-frwll.log")
                        stop
                    } else {
                        action(type="omfile" file="/var/log/splunk/uncategorised.log")
                        stop
                    }
                }
            }
        }
    }
}
[/code]
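A dry run of the post's first-match chain in Python, added here as an example (not code from the forum post or from rsyslog): it applies the same ordered substring tests to constructed sample messages and also lists every rule a message matches, so overlapping or case-mismatched patterns show up before the ruleset is reloaded. Sample lines and the lower-case "cef:" variant are constructed, not captured device output.

```python
# Added example: simulate the post's ruleset order with `in`, which, like
# rsyslog's `contains`, is a case-sensitive substring test.
RULES = [  # (substring tested with `$msg contains`, destination file), in the post's order
    ("%ASA-", "/var/log/splunk/cisco-firewall.log"),
    ("SFIMS", "/var/log/splunk/cisco-sourcefire.log"),
    ("CEF", "/var/log/splunk/checkpoint-firewall.log"),
    ("SourceFire", "/var/log/splunk/SourceFire-firewall.log"),
    ("eu-der-kv-frwll", "/var/log/splunk/eu-der-kv-frwll.log"),
]
DEFAULT = "/var/log/splunk/uncategorised.log"  # the final else branch


def route(msg):
    """Destination the if/else chain picks for msg: first match wins, then `stop`."""
    for needle, dest in RULES:
        if needle in msg:
            return dest
    return DEFAULT


def explain(msg):
    """Every rule that would match msg, in chain order.

    A message listed under more than one destination is only ever written to
    the first; a message with an empty list falls through to uncategorised.log.
    """
    return [dest for needle, dest in RULES if needle in msg]


# Constructed sample messages (not real device output).
SAMPLES = [
    "%ASA-6-302013: Built outbound TCP connection 12345",
    "SFIMS: intrusion event reported by a SourceFire sensor",  # matches two rules
    "cef:0|Vendor|Product|1.0|100|event|5|",                  # lower-case: no match
    "eu-der-kv-frwll kernel: DROP IN=eth0 OUT= SRC=10.0.0.5",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(f"{route(line):50} <- {line!r}")
        print(f"    all matches: {explain(line)}")
```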


More information about the rsyslog-notify mailing list