Hi Fabien, On Thursday, April 17, 2014 8:47 AM, you wrote:
On Thu, Apr 17, 2014 at 02:57:32PM +0000, David Hauck wrote:
I would expect only the rules defined in each 'program pattern' block would be inspected for a match given a particular 'program pattern' match against $PROGRAM. For example, incoming messages from 'sshd' would be compared against rules in the first ruleset (and not the second) and incoming messages from 'login' would be compared against rules in the second ruleset (and not the first).
Do I have this right?
Yes, you do. In my example, where many programs have the same logs, you could implement it the following way:
<ruleset ...>
  <patterns>
    <pattern>login</pattern>
    <pattern>sshd</pattern>
    <pattern>pam_afs</pattern>
    <pattern>vsftpd</pattern>
    ...
  </patterns>
  <rules>
    ... insert common rules but with specific examples here ...
  </rules>
</ruleset>
Great, thanks for clarifying this. I'd asked this originally because I thought that I'd seen that this wasn't happening (I must have mistaken the result for something else). By extension then I guess that rulesets without 'program pattern' elements provide default rules for *any* incoming message with a non-zero $PROGRAM value (right?). Cheers, -David
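As an added illustration (not part of this thread and not syslog-ng code), the Python below models the dispatch Fabien describes: a message is checked only against the rules of the ruleset(s) whose program pattern equals its $PROGRAM. The patterndb document is constructed for the example, and only the @STRING@ and @NUMBER@ parser tokens are modelled, with simplified matching semantics.

```python
import re
import xml.etree.ElementTree as ET

# Constructed patterndb-style document (illustration only, not a real ruleset).
DB = """<patterndb version="4">
 <ruleset name="ssh"><patterns><pattern>sshd</pattern></patterns>
  <rules><rule id="ssh-accept" class="auth"><patterns>
   <pattern>Accepted @STRING:method@ for @STRING:user@ from @STRING:src@ port @NUMBER:port@</pattern>
  </patterns></rule></rules></ruleset>
 <ruleset name="login"><patterns><pattern>login</pattern></patterns>
  <rules><rule id="login-fail" class="auth"><patterns>
   <pattern>FAILED LOGIN @NUMBER:tries@ FROM @STRING:src@ FOR @STRING:user@</pattern>
  </patterns></rule></rules></ruleset>
</patterndb>"""

# Simplified model of two patterndb parsers: @STRING:name@ and @NUMBER:name@.
TOKEN = re.compile(r"@(STRING|NUMBER):(\w+)@")
SUBPAT = {"STRING": r"\S+", "NUMBER": r"\d+"}

def compile_pattern(pat):
    """Translate the modelled parser tokens into a regex with named groups."""
    out, pos = "", 0
    for m in TOKEN.finditer(pat):
        out += re.escape(pat[pos:m.start()])
        out += "(?P<%s>%s)" % (m.group(2), SUBPAT[m.group(1)])
        pos = m.end()
    return re.compile("^" + out + re.escape(pat[pos:]) + "$")

def load_rulesets(xml_text):
    """Build {program: [(rule_id, class, regex), ...]} from the ruleset
    program patterns; a ruleset listing several programs serves all of them."""
    table = {}
    for rs in ET.fromstring(xml_text).iter("ruleset"):
        programs = [p.text for p in rs.findall("patterns/pattern")]
        rules = [(r.get("id"), r.get("class"), compile_pattern(p.text))
                 for r in rs.findall("rules/rule")
                 for p in r.findall("patterns/pattern")]
        for prog in programs:
            table.setdefault(prog, []).extend(rules)
    return table

def classify(table, program, message):
    """Consult only rules from rulesets whose program pattern equals $PROGRAM."""
    for rule_id, cls, rx in table.get(program, []):
        m = rx.match(message)
        if m:
            return {"rule_id": rule_id, "class": cls, **m.groupdict()}
    return None  # no ruleset for this program, or no rule matched
```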