Hello,

How can I make the normalization rule stop on the first match?

I'm trying to normalize the audit logs, and I have a rule at the end that catches everything. Example of rule.rb:

    prefix= node=%hostname:word% type=%audit_type:word% msg=audit(%unix_time:number%.%milisec:number%:%audittag:number%):
    rule=SYSCALL: arch=%arch:word% syscall=%syscall:number% success=%success:word% exit=%exit:word% %rest_msg:rest%
    rule=NO_NORMALIZATION: %rest_msg:rest%

I would like, for example, the lines that match the rule=SYSCALL rule to return immediately. Currently all messages return with event.tags="NO_NORMALIZATION".

Best regards,
Cristian Falcas

_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog

