I noticed that the syslog parser for User-ID allows you to enter multiple filters for each server... does anyone know how adding multiple filters of the same type (login for example) will work? I see there is a way to move the filters up and down in the list so I'd assume there is an order of operation but if it is able to match the regex in one does it stop or does it still proceed to the next filter? If it goes through the entire list, I'm assuming it keeps whatever user-ID it was able to last grab?
As there is the option to move the parsing profiles up and down, I am pretty sure that only the first one will match and if there is a match the profiles below in that list will not be checked - but it looks like this works to add multiple possibilities for login events.
Another possibility for parsing very different syslog messages is if you create your own regex with which the firewall theoretically is able to combine multiple of the predefined strings into one. But the complexity of the regex string probably has - at least a small - impact on the mgmt cpu.
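Added example, not part of the thread and not PAN-OS code: a Python sketch that models the two evaluation orders discussed above (stop at the first matching filter versus keep the last match) and the single combined regex the reply suggests. The filter names, patterns and log lines are constructed assumptions; a probe line that two filters match with different usernames, sent to a lab firewall, shows from the resulting mapping which order the device actually uses.

```python
import re

IP = r"\d{1,3}(?:\.\d{1,3}){3}"

# Hypothetical login filters in list order; names and patterns are illustrative.
FILTERS = [
    ("vpn-login", re.compile(rf"Login succeeded user=(?P<user>\S+) src=(?P<ip>{IP})")),
    ("nac-login", re.compile(rf"Accepted User-Name (?P<user>\S+) Framed-IP (?P<ip>{IP})")),
    ("acct-login", re.compile(rf"src=(?P<ip>{IP}) acct=(?P<user>\S+)")),
]

# Constructed sample lines (not captured from a real device).
VPN = "Mar  3 10:01:12 vpn01 auth: Login succeeded user=alice src=10.1.1.5"
NAC = "Mar  3 10:02:40 nac01 radiusd: Accepted User-Name bob Framed-IP 10.1.2.9"
FAIL = "Mar  3 10:03:02 vpn01 auth: Login failed user=mallory src=10.9.9.9"
# Probe line that two filters match, each extracting a different username.
PROBE = "Mar  3 10:04:00 vpn01 auth: Login succeeded user=alice src=10.1.1.5 acct=svc_vpn"


def matches(line, filters=FILTERS):
    """All (filter_name, user, ip) hits for a line, in list order."""
    return [(n, m["user"], m["ip"]) for n, rx in filters if (m := rx.search(line))]


def first_match(line, filters=FILTERS):
    """Stop at the first filter that matches (the behaviour the reply assumes)."""
    hits = matches(line, filters)
    return hits[0] if hits else None


def last_match(line, filters=FILTERS):
    """Evaluate every filter and keep the last hit (the alternative the question raises)."""
    hits = matches(line, filters)
    return hits[-1] if hits else None


# One combined pattern, as the reply suggests; Python needs distinct group names per branch.
COMBINED = re.compile(
    rf"Login succeeded user=(?P<u1>\S+) src=(?P<i1>{IP})"
    rf"|Accepted User-Name (?P<u2>\S+) Framed-IP (?P<i2>{IP})"
)


def combined_match(line):
    """Return (user, ip) from whichever branch of the combined regex matched."""
    m = COMBINED.search(line)
    return (m["u1"] or m["u2"], m["i1"] or m["i2"]) if m else None


if __name__ == "__main__":
    for line in (VPN, NAC, FAIL, PROBE):
        print(first_match(line), last_match(line), combined_match(line))
```

The failed-login line matches nothing in either model, which is the check to repeat on the firewall so that rejected authentications never create a mapping.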