On your default rule you can add a complex filter and exclude device names. If it's more than 7-8 you may want to make the default logging rule the second rule.
In this case, create a new rule. Have it match on the devices you want and take the action(s) needed. As the last action in the rule add 'Stop Processing'. This will keep any subsequent rules from seeing the messages. Then your default rule will only see the messages that did not match your first, explicit, rule.
kstone is correct. Put your most specific rule at the top of the list and have it filter to do the action desired and stop processing the messages. If you do not need that syslog entry handled in another way after that rule is applied then add the Stop Processing action to it. I generally suggest that the first rule(s) in an environment be built to eliminate all noisy/unwanted syslog data with a stop processing action so that the syslog server doesn't waste cycles on that data. Then it goes from most specific to least specific where a stop processing needs to be added.
Thanks guys. I tried using the stop processing after my action to write the log to file and the rules are the first ones to process but it still didn't work. The Default action is still processing and writing those specific IP logs to its folder. BTW, I did exclude the IPs from displaying in the default screen, which works but it still writes the logs to file.
Are the rules before the default rule working? Are they creating the logs as you configured it? If you have 'Stop Processing' as the last action in the first rule and the default rule still sees the messages I would think that the first, specific, rule isn't matching.
Yes, all the rules before the default are working and creating the logs as configured. BUT the default still includes the IPs of the above rules even with the exclude IPs and Stop Processing after each rule.
Above is my setup: the info is being logged to file twice, both in the Test and Default locations.
The settings are:
Filter: Filter the desired IP, ex: 192.168.1.1; Exclude Range: "blank"
Action 1: Display the IP (Display 3)
Action 2: Log IP to file (c:\.....)
Action 3: Stop processing message
Then comes the Default:
Filter: Include Ranges is "blank"; Exclude Range: 192.168.1.1
Action 1: Display the IPs (Display 0)
Action 2: Log all IPs to file (c:\....)
Are you using the IP Address filter and selecting IPV4 Range filter type?
I would use the IP Address filter and the 'Simple' filter type unless you truly have a large range of contiguous addresses.
You can have one rule per IP address or something like this:
The Include would look like this: "192.168.1.1","192.168.1.2", "192.168.3"
Then I would have a Log to File action. The path and file name would be something like C:\logs\%Hostname.txt. %Hostname is an Auto-split variable that will use the hostname (or IP address if there is no hostname) to generate the file name. I prefer this over the IP Address Auto-split because it handles both hostname and IP address.
Any other actions (displays, etc.)
The last action would be 'Stop Processing'.
This will generate 1 file for each IP Address.
The default rule does not need any filters/excludes for these IP addresses. The Stop processing command in the prior rule(s) will prevent them from hitting the next rule.
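As an added example (not from this thread or from the syslog product being discussed), a small Python model of ordered rule evaluation with a 'Stop Processing' action and a %Hostname-style auto-split path. It shows why a specific rule that ends in Stop Processing keeps the default rule from logging the same message, and what happens when that action is left off. The rule and message fields, the 'Simple' exact-match filter semantics and the sample addresses are assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class Rule:
    name: str
    include: set = field(default_factory=set)    # empty include = match every message
    exclude: set = field(default_factory=set)
    actions: list = field(default_factory=list)  # ("display", n), ("log", path), ("stop",)

    def matches(self, msg):
        # Assumed 'Simple' filter semantics: exact address membership, excludes win
        if msg["ip"] in self.exclude:
            return False
        return not self.include or msg["ip"] in self.include

def expand_path(path, msg):
    # %Hostname auto-split: use the hostname, or the IP when none was resolved
    return path.replace("%Hostname", msg.get("hostname") or msg["ip"])

def process(rules, msg):
    """Walk rules top to bottom; a 'stop' action ends processing for this message."""
    fired = []
    for rule in rules:
        if not rule.matches(msg):
            continue
        for action in rule.actions:
            if action[0] == "stop":
                fired.append((rule.name, "stop"))
                return fired          # later rules never see the message
            if action[0] == "log":
                fired.append((rule.name, "log:" + expand_path(action[1], msg)))
            elif action[0] == "display":
                fired.append((rule.name, f"display:{action[1]}"))
    return fired

def log_writers(rules, msg):
    """Names of rules that wrote the message to a file; two names = duplicate log."""
    return [name for name, r in process(rules, msg) if r.startswith("log:")]

# Recommended layout: specific rule ending in Stop Processing first, unfiltered default last.
GOOD = [
    Rule("Test", include={"192.168.1.1", "192.168.1.2"},
         actions=[("display", 3), ("log", r"C:\logs\%Hostname.txt"), ("stop",)]),
    Rule("Default", actions=[("display", 0), ("log", r"C:\logs\all.txt")]),
]
# Failure mode: same rules but the Test rule has no Stop Processing action,
# so the message is also handed to Default and logged a second time.
NO_STOP = [Rule("Test", include=GOOD[0].include, actions=GOOD[0].actions[:2]), GOOD[1]]

MSG_A = {"ip": "192.168.1.1", "hostname": "fw01"}  # constructed sample messages
MSG_B = {"ip": "10.0.0.5", "hostname": None}
```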