Question about multiple filters in a User-ID Syslog Parser

Showing results for 
Show  only  | Search instead for 
Did you mean: 
Please sign in to see details of an important advisory in our Customer Advisories area.

Question about multiple filters in a User-ID Syslog Parser

L4 Transporter

Greetings all,


I noticed that the syslog parser for User-ID allows you to enter multiple filters for each server... does anyone know how adding multiple filters of the same type (login for example) will work?  I see there is a way to move the filters up and down in the list so I'd assume there is an order of operation but if it is able to match the regex in one does it stop or does it still proceed to the next filter?  If it goes through the entire list, I'm assuming it keeps whatever user-ID it was able to last grab?




L7 Applicator

Hi @jsalmans 

As there is the option to move the parsing profiles up and down, I am pretty sure that only the first one will match and if there is a match the profiles below in that list will not be checked - but it looks like this works to add multiple possibilities for login events.

Anothe rpossibility for parsing very different syslog messages is if you create your own regex whith which the firewall theoretically is able to combine multiple of the predefined strings into one. But the complexity of the regex string probably has - at least a small - impact on the mgmt cpu.

  • 1 replies
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!