How can I apply many control flows without interfering with each other?
For example, many network devices will send messages to that port. I want to create rulesets that will drop logs according to different parameters.
# The listener is not bound to a ruleset, so its messages go to the default
# ruleset, which is the top-level "call" sequence at the bottom.
input(type="imudp" port="514")

# Filter rulesets. "stop" discards the message, so once a called filter
# matches, nothing after that call runs for this message.
ruleset(name="drop_cisco") {
    if ($msg contains "cisco") then {
        stop
    }
}
ruleset(name="drop_juniper") {
    if ($msg contains "juniper") then {
        stop
    }
}
ruleset(name="drop_hp") {
    if ($msg contains "hp") then {
        stop
    }
}
ruleset(name="drop_SilverPeak") {
    if ($msg contains "SilverPeak") then {
        stop
    }
}

# Output rulesets, one log file per device group.
ruleset(name="action1") {
    action(type="omfile" file="/app/rsyslog/output/devices1.log")
}
ruleset(name="action2") {
    action(type="omfile" file="/app/rsyslog/output/devices2.log")
}
ruleset(name="action3") {
    action(type="omfile" file="/app/rsyslog/output/devices3.log")
}
# This was a second copy of "action3" (rsyslog rejects duplicate ruleset
# names); rule4 calls "action4", so that is what it is named here.
ruleset(name="action4") {
    action(type="omfile" file="/app/rsyslog/output/devices4.log")
}

# Chains: each rule applies its filters, then writes to its file.
ruleset(name="rule1") {
    call drop_cisco
    call action1
}
ruleset(name="rule2") {
    call drop_cisco
    # the "call" keyword was missing here
    call drop_SilverPeak
    call action2
}
ruleset(name="rule3") {
    call drop_juniper
    call drop_SilverPeak
    call drop_hp
    call action3
}
ruleset(name="rule4") {
    call drop_hp
    call drop_juniper
    call action4
}

# Default ruleset: every message goes through rule1, then rule2, and so on.
call rule1
call rule2
call rule3
call rule4
Each time I call a rule, the filter will apply to the call below. Can I bind port 514 to each rule individually? Like so:
input(type="imudp" port="514" ruleset="rule1")
input(type="imudp" port="514" ruleset="rule2")
input(type="imudp" port="514" ruleset="rule3")
input(type="imudp" port="514" ruleset="rule4")
Is there a better way to do that?
Thank you,
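The same routing without "stop" inside called rulesets, as an added rsyslog configuration example that is not from the original post: each output ruleset guards its own action with a condition, so the four chains run independently off one listener bound to a single dispatch ruleset (file paths and filter strings are the ones in the question; devices4.log for rule4 is an assumption).

```conf
# Added example: one listener, one dispatch ruleset, one ruleset per output.
# Filters are conditions around each action rather than "stop" in a called
# ruleset, because "stop" discards the message for all remaining processing,
# including whatever the caller would have done next.
module(load="imudp")
module(load="omfile")

# Rulesets are defined before anything calls or binds them.
ruleset(name="devices1") {
    if not ($msg contains "cisco") then {
        action(type="omfile" file="/app/rsyslog/output/devices1.log")
    }
}

ruleset(name="devices2") {
    if not ($msg contains "cisco" or $msg contains "SilverPeak") then {
        action(type="omfile" file="/app/rsyslog/output/devices2.log")
    }
}

ruleset(name="devices3") {
    # "contains" is a case-sensitive substring match, so "hp" also matches
    # "http" or "php"; keying on $fromhost-ip or $hostname is usually more
    # robust (left as in the question here).
    if not ($msg contains "juniper" or $msg contains "SilverPeak" or $msg contains "hp") then {
        action(type="omfile" file="/app/rsyslog/output/devices3.log")
    }
}

ruleset(name="devices4") {
    # devices4.log is assumed; the question never defines action4's file.
    if not ($msg contains "hp" or $msg contains "juniper") then {
        action(type="omfile" file="/app/rsyslog/output/devices4.log")
    }
}

# Every message runs through all four; no call can short-circuit the ones
# below it because none of them discards the message.
ruleset(name="dispatch") {
    call devices1
    call devices2
    call devices3
    call devices4
}

# The port is bound exactly once, to the dispatch ruleset.
input(type="imudp" port="514" ruleset="dispatch")
```

Binding the same UDP port to several input() statements would attempt several listeners on one socket; a single bound ruleset that calls the others is the supported way to fan one input out.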