I'm pretty new to Kiwi. Here is what I have. I have a number of different device groups, so I first created a new rule for these devices, grouping them by hostname/IP, and have the syslog events going to different files, one file for each device group.
Now, within each device group I have a number of different events that I'd like to send email notifications out on, but I'd like to customize the email subject and content based on the match string. So for example:
1. I have a filter on one device group for "Failure", "user unknown", "max retries", etc., which all point to authentication issues. I would like this to trigger an email stating something like "Authentication issue with device group" in the subject line.
2. I have a filter on the same device group for "config change" events, which I would like to trigger an email stating something like "Configuration change made to device group" in the subject line.
The only way I've been able to figure out how to accomplish this so far has been to completely duplicate the rule with the list of the equipment hostnames/IPs and then have each rule use a different message trap and email contents, which means I have to maintain the IP/hostname list for each of these different emails I want to send out.
It would be really nice if I could have multiple filters under a rule based on the event message trap and then launch an action for each specific filter/trap without having to duplicate everything. Am I missing something? There must be a better way....
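The structure the post is asking for (one shared host list per device group, several match-string filters under it, and a different email subject per filter) can be sketched in plain Python, independent of how Kiwi itself stores rules. The script below is an added illustration, not Kiwi configuration or code from the original post; the device groups, host addresses, filter names and the syslog lines it parses are all constructed for the example. Hostname matching is exact and match-string matching is a case-insensitive substring test, which are assumptions, not a description of Kiwi's filter behaviour.

```python
import re

# Constructed device groups: each group's host list is defined exactly once,
# so adding or retiring a device is a single edit regardless of filter count.
DEVICE_GROUPS = {
    "core-switches": {"10.0.1.1", "10.0.1.2", "sw-core-01"},
    "edge-firewalls": {"10.0.2.1", "fw-edge-01"},
}

# Constructed filters (hypothetical names): each one pairs its match strings
# with the subject line it should produce. Order matters: first match wins,
# so put the more specific filters first if two could overlap.
MATCH_FILTERS = [
    ("auth-issue",
     ("Failure", "user unknown", "max retries"),
     "Authentication issue with device group {group}"),
    ("config-change",
     ("config change",),
     "Configuration change made to device group {group}"),
]

# Minimal BSD-style syslog line: "Mon DD HH:MM:SS host message..."
SYSLOG_RE = re.compile(
    r"^\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}\s+(?P<host>\S+)\s+(?P<msg>.*)$"
)


def group_for_host(host):
    """Return the device group that lists this host, or None (assumed exact match)."""
    for group, hosts in DEVICE_GROUPS.items():
        if host in hosts:
            return group
    return None


def matching_filter(msg):
    """Return (filter_name, subject_template) for the first filter whose
    match strings appear in the message (case-insensitive substring), or None."""
    lowered = msg.lower()
    for name, needles, subject in MATCH_FILTERS:
        if any(needle.lower() in lowered for needle in needles):
            return name, subject
    return None


def classify(line):
    """Return (group, filter_name, subject) for a syslog line, or None when the
    host is in no device group or the message hits no filter."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    group = group_for_host(m.group("host"))
    if group is None:
        return None
    hit = matching_filter(m.group("msg"))
    if hit is None:
        return None
    name, subject = hit
    return group, name, subject.format(group=group)


def route(lines):
    """Build one notification record per matching line; unmatched lines are dropped."""
    out = []
    for line in lines:
        result = classify(line)
        if result is not None:
            group, name, subject = result
            out.append({"group": group, "filter": name,
                        "subject": subject, "body": line})
    return out


# Constructed sample input, not captured from a real device.
SAMPLE_LINES = [
    "Jan 10 12:00:01 10.0.1.1 sshd: max retries exceeded for user admin",
    "Jan 10 12:00:02 fw-edge-01 cfgd: config change committed by admin",
    "Jan 10 12:00:03 192.0.2.50 sshd: Failure: user unknown",  # host in no group
    "Jan 10 12:00:04 10.0.1.2 kern: link up on Gi0/1",         # no filter hit
]

if __name__ == "__main__":
    for note in route(SAMPLE_LINES):
        print(f"[{note['group']}/{note['filter']}] {note['subject']}")
```

Running it on the sample lines yields two notifications (one per filter) and silently drops the line from an unlisted host and the line that matches no filter, which is the behaviour the post wants from a single rule with several filters.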