Rsyslog Filtering
Hi,
I'm trying to configure rsyslog to filter logs being sent by a firewall. I am filtering according to the event id in the logs, which is a string of the form "m=x" where x is the event id number. The firewall has hundreds of such event ids and I only want a small subset of these to appear in my logs.
I am using property based filtering with regex. My problem is that I can successfully configure rsyslog to filter one event id only. When I try to configure more than one event id, it allows everything through without filtering. Below is my working config for one event id:
local0
:msg, regex, "m=14" -/var/log/firewall.log
& stop
If I add a second line for another event id, e.g.:
local0
:msg, regex, "m=14" -/var/log/firewall.log
:msg, regex, "m=15" -/var/log/firewall.log
& stop
then all event ids are processed, not just 14 and 15 as I would like.
Please advise where I am going wrong here.
Many thanks.
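
An added example, not part of the original post: a RainerScript rule set that keeps only an allowlist of event ids from local0 and discards the rest. In the legacy syntax above, `& stop` applies only to messages matched by the filter directly before it, so nothing discards the events that match neither line. The ids 14 and 15 and the file path come from the post; that message fields are separated by spaces is an assumption.

```conf
# Added example (not from the original post).
# Assumption: the firewall logs on facility local0 and the fields
# in the message are separated by spaces.
if $syslogfacility-text == 'local0' then {
    # One POSIX ERE with alternation instead of one filter line per id.
    # The trailing ( |$) keeps m=14 from also matching m=140 or m=1415;
    # the leading (^| ) keeps it from matching a longer key ending in "m=".
    if re_match($msg, '(^| )m=(14|15)( |$)') then {
        action(type="omfile" file="/var/log/firewall.log")
    }
    # Runs for every local0 message, matched or not, so event ids
    # outside the allowlist are never passed on to later rules.
    stop
}
```

Place the block before any catch-all rule such as `*.*`, since rules are evaluated in order and `stop` only prevents processing by the rules that follow it.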