[rsyslog-notify] Forum Thread: Rule block issue - (Mode 'post')
noreply at adiscon.com
Tue Mar 14 21:45:49 CET 2017
User: wpope
Forumlink: http://kb.monitorware.com/viewtopic.php?p=27194#p27194
Message:
----------
Hello,
I'm new to the forum and Rsyslog. I'm on rsyslog 7.4.10 still.
I'm having an issue with getting Symantec 14 syslog into a SIEM via
Rsyslog.
On the rsyslog box, there are 2 NICs.
One NIC receives syslog over UDP 514, at which point the log gets processed
against our rule blocks in our config.
Then if the log is destined for a SIEM tool, it gets routed to the IP of a
2nd NIC over 5514 on the same rsyslog server which has the SIEM agent
collecting and forwarding logs.
The problem is in the rule block I created, I'm assuming.
if $rawmsg contains_i ["ABC-DEFGH01"]
then {
    action(
        name="Test123"
        type="omfwd"
        target="10.xxx.xxx.xxx"
        port="5514"
        protocol="tcp"
        template="raw"
    )
    stop
}
I'm trying to obfuscate the hostname and target IP for public sharing here
in the forum, of course.
It appears the block works where it lives because when I change the port
and target IP to a different location for testing, the logs come into that
other non-SIEM logging platform.
I also have other existing blocks that are working and able to route to the
2nd NIC, where the agent can send the logs to a SIEM tool.
I've also tried using "if $hostname contains_i", but no luck.
When I do a tcpdump on the second NIC, I should be seeing the
traffic/Symantec log, but I do not.
I know I'm on an older version, but would definitely appreciate some
assistance.
Thanks.
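As an added example, not part of the original post: a small POSIX shell script for checking the forwarding path described above. The point it encodes is that when the omfwd target is an address on the same host (the second NIC here), the Linux kernel delivers the packets internally and they appear on the loopback interface, so a tcpdump bound to the physical second NIC shows nothing even when the action fires; the capture has to run on lo (or any). The addresses, interface names and the matched hostname are constructed samples, and the injection command assumes the util-linux logger.

```shell
#!/bin/sh
# Added example (not from the original post): pick the right capture
# interface and build a test injection when verifying that an rsyslog
# omfwd action really emits traffic to a SIEM agent on the same host.
# Traffic between two addresses of one host never leaves the kernel,
# so it shows up on "lo" (or "any"), not on the second NIC.

# Constructed sample of `ip -4 -o addr show` output for a host with two
# NICs; a real run would substitute the live listing.
SAMPLE_ADDRS='1: lo    inet 127.0.0.1/8 scope host lo
2: eth0    inet 192.0.2.10/24 brd 192.0.2.255 scope global eth0
3: eth1    inet 192.0.2.20/24 brd 192.0.2.255 scope global eth1'

# is_local_addr IP LISTING -> exit 0 when IP is assigned to this host
is_local_addr() {
    printf '%s\n' "$2" | grep -qF "inet $1/"
}

# capture_iface IP LISTING -> "lo" when the target is local, else "any"
capture_iface() {
    if is_local_addr "$1" "$2"; then echo lo; else echo any; fi
}

# tcpdump_cmd IP PORT LISTING -> the capture command to run for the
# forwarded TCP stream (BPF filter on port and destination host)
tcpdump_cmd() {
    echo "tcpdump -ni $(capture_iface "$1" "$3") tcp port $2 and host $1"
}

# inject_cmd HOST SERVER -> a util-linux logger command that sends a
# constructed message containing HOST over UDP 514 to the rsyslog input
# (-n server, -P port, -d selects UDP), so a contains_i rule on $rawmsg
# will match it
inject_cmd() {
    echo "logger -n $2 -P 514 -d -t rulecheck \"$1 rule-check message\""
}

main() {
    target=192.0.2.20   # constructed stand-in for the 2nd-NIC address
    echo "# 1. capture on the interface that actually carries the traffic:"
    tcpdump_cmd "$target" 5514 "$SAMPLE_ADDRS"
    echo "# 2. in a second shell, inject a matching message at NIC 1:"
    inject_cmd ABC-DEFGH01 192.0.2.10
}

main "$@"
```

Run the printed tcpdump line first, then the logger line from another shell; if the message appears on lo but the SIEM agent still sees nothing, the agent is listening on the wrong address or port rather than the rule block failing to match.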