[rsyslog-notify] Forum Thread: Re: Filtering on Multiple Network Device Types Does Not Work - (Mode 'reply')
noreply at adiscon.com
Thu Dec 31 13:56:22 CET 2015
User: miles
Forumlink: http://kb.monitorware.com/viewtopic.php?p=26262#p26262
Message:
----------
I rolled back to one of my previous configs; it is more programmatically
aligned with the newer configuration standards in the documentation.
It also addresses your point on having the {} enclose the two statements.
Thanks for the tips, David.
[code]
ruleset(name="network-logs") {
    if $msg contains "%ASA-" then {
        action(type="omfile" file="/var/log/splunk/cisco-firewall.log" template="rsyslog-fmt")
        stop
    }
    if $programname contains "SFIMS" then {
        action(type="omfile" file="/var/log/splunk/cisco-sourcefire.log" template="rsyslog-fmt")
        stop
    }
    if $msg contains "Check Point" then {
        action(type="omfile" file="/var/log/splunk/checkpoint-firewall" template="rsyslog-fmt")
        stop
    }
    # Catch the remaining log events which passed through our previous filters.
    action(type="omfile" file="/var/log/splunk/uncategorised.log" template="RSYSLOG_DebugFormat")
    stop
}
[/code]
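As an added example that is not part of miles' post or the rsyslog project, the script below replays the ruleset's first-match routing in Python over constructed ($programname, $msg) values, so you can check where each kind of event lands (and which ones fall through to the uncategorised catch-all) before deploying the config. The property values, sample events and function names are assumptions for the demonstration.

```python
"""Offline replay of the first-match routing in the 'network-logs' ruleset.

Constructed example: the three 'if ... contains' filters and the catch-all
are reimplemented so sample events can be routed without a running rsyslogd.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    prop: str    # rsyslog property the filter reads: "msg" or "programname"
    needle: str  # substring tested with 'contains' (case-sensitive in rsyslog)
    dest: str    # omfile target from the ruleset


# Same order as in the ruleset; the first match wins because every block ends in 'stop'.
RULES = [
    Rule("msg", "%ASA-", "/var/log/splunk/cisco-firewall.log"),
    Rule("programname", "SFIMS", "/var/log/splunk/cisco-sourcefire.log"),
    Rule("msg", "Check Point", "/var/log/splunk/checkpoint-firewall"),
]
CATCH_ALL = "/var/log/splunk/uncategorised.log"


def route(programname: str, msg: str) -> str:
    """Return the file an event with these property values would be written to."""
    props = {"msg": msg, "programname": programname}
    for rule in RULES:
        if rule.needle in props[rule.prop]:
            return rule.dest
    return CATCH_ALL


def summarize(events) -> dict:
    """Count how many of the given (programname, msg) events reach each destination."""
    return dict(Counter(route(p, m) for p, m in events))


# Constructed sample events as ($programname, $msg) pairs; not real device output.
SAMPLES = [
    ("fw01", "%ASA-6-302013: Built outbound TCP connection ..."),
    ("SFIMS", "[1:2019401:3] policy violation ..."),
    ("fw1", "Check Point drop rule 12 ..."),
    ("sshd", "Accepted publickey for ops ..."),   # matches nothing -> catch-all
    ("SFIMS", "Check Point event forwarded ..."),  # matches two rules; SFIMS wins
]

if __name__ == "__main__":
    for prog, msg in SAMPLES:
        print(f"{route(prog, msg):42} <- {prog}: {msg}")
```

Anything that shows up under the catch-all in this replay is exactly what the real config would write to uncategorised.log with RSYSLOG_DebugFormat.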