I have Windows Log Forwarder set up on my DC to forward all Logon Account failures to the NPM syslog. This seems to be working fine; however, I have had to set up a SYSLOG filter rule to look for '*0x19*' in the syslog message, with the action being to discard the message from the syslog viewer.
Again, this seems to work fine. However, I want to send an email notification for all other messages that fall into the captured syslog. Unfortunately, this doesn't seem to work very well.
1. I set up the email action on the rule I set up above, but this just sends an email every time there is a syslog entry with '*0x19*' in it. This makes sense, so I deleted that.
2. I created an additional rule with a lower priority than the original rule and set up the email action for that. However, it is still sending an email for all syslog entries with '*0x19*' in them. Shouldn't these be excluded because of the original rule?
3. The only way I got this working was to create an additional rule that filtered the syslog message for '*0x18*' and then sent an email. Unfortunately, some syslog entries may be missed, because I want everything except '*0x19*' and I'm not sure if there are others.
Am I doing something wrong?
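The three configurations described in the post, as an added example that is not part of the original post and is not SolarWinds code: a small Python rule evaluator that shows why the outcome depends on whether a discard rule stops further processing of a message or whether every matching rule fires independently, and how a single negated-match rule ("e-mail everything that does not contain 0x19") avoids having to enumerate every other failure code. Both evaluation modes, the `Rule`/`apply_rules`/`emailed` names, and the sample syslog lines are assumptions constructed for illustration; they say nothing about how NPM itself orders rules.

```python
import fnmatch
from dataclasses import dataclass
from typing import List


@dataclass
class Rule:
    """One syslog filter rule: a glob pattern, an action, and an optional negation."""
    name: str
    pattern: str           # glob matched against the whole message, e.g. '*0x19*'
    action: str            # 'discard' or 'email'
    negate: bool = False   # True: the rule fires when the pattern is NOT found

    def matches(self, message: str) -> bool:
        hit = fnmatch.fnmatchcase(message, self.pattern)
        return not hit if self.negate else hit


# Constructed sample messages (not real forwarder output). Failure codes:
# 0x19 = KDC_ERR_PREAUTH_REQUIRED (normal Kerberos negotiation noise),
# 0x18 = KDC_ERR_PREAUTH_FAILED (wrong password), 0x12 = KDC_ERR_CLIENT_REVOKED
# (disabled or locked account); the last line is a 4625 logon failure.
SAMPLE_SYSLOG: List[str] = [
    "Jan 01 00:00:01 DC01 4771 Kerberos pre-authentication failed ... Failure Code: 0x19",
    "Jan 01 00:00:02 DC01 4771 Kerberos pre-authentication failed ... Failure Code: 0x18",
    "Jan 01 00:00:03 DC01 4771 Kerberos pre-authentication failed ... Failure Code: 0x12",
    "Jan 01 00:00:04 DC01 4625 An account failed to log on ... Status: 0xC000006D",
]


def apply_rules(rules: List[Rule], message: str, stop_on_discard: bool) -> List[str]:
    """Evaluate rules in priority order and return the actions that fire.

    stop_on_discard=True models an engine where a discard ends processing of
    that message; False models one where every matching rule fires regardless.
    (Assumed semantics for illustration, not a statement about any product.)
    """
    fired = []
    for rule in rules:
        if not rule.matches(message):
            continue
        fired.append(rule.action)
        if rule.action == "discard" and stop_on_discard:
            break
    return fired


def emailed(rules: List[Rule], messages: List[str], stop_on_discard: bool) -> List[str]:
    """Return the messages that would produce an e-mail under the given rules."""
    return [m for m in messages if "email" in apply_rules(rules, m, stop_on_discard)]


# The configurations from the post, expressed as ordered (priority) rule lists.
SETUP_2 = [Rule("drop-0x19", "*0x19*", "discard"),
           Rule("email-rest", "*", "email")]          # lower-priority catch-all
SETUP_3 = [Rule("drop-0x19", "*0x19*", "discard"),
           Rule("email-0x18", "*0x18*", "email")]     # only catches one code
# A single negated-match rule: e-mail everything that does not contain 0x19,
# so no other failure code has to be enumerated.
NOT_0X19 = [Rule("email-not-0x19", "*0x19*", "email", negate=True)]


if __name__ == "__main__":
    cases = [("setup 2, rules evaluated independently", SETUP_2, False),
             ("setup 2, discard stops processing", SETUP_2, True),
             ("setup 3 (only *0x18*)", SETUP_3, True),
             ("single 'not 0x19' rule", NOT_0X19, True)]
    for label, rules, stop in cases:
        hits = emailed(rules, SAMPLE_SYSLOG, stop)
        print(f"{label}: {len(hits)} e-mail(s)")
        for m in hits:
            print("   ", m[-24:])
```

Running it shows the symptom from step 2 only in the "evaluated independently" mode (the 0x19 line is both discarded and e-mailed), the missed 0x12 and 0xC000006D lines in step 3, and the negated rule catching every non-0x19 line under either mode. If the product offers a "does not contain" or negated match on a rule, that is the setting to look for; if it does not, the discard rule has to be the one that halts processing.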