On Thu, Apr 17, 2014 at 02:57:32PM +0000, David Hauck wrote:
> I would expect only the rules defined in each 'program pattern' block would be inspected for a match given a particular 'program pattern' match against $PROGRAM. For example, incoming messages from 'sshd' would be compared against rules in the first ruleset (and not the second) and incoming messages from 'login' would be compared against rules in the second ruleset (and not the first).
> Do I have this right?
Yes, you do. In my example, where many programs have the same logs, you could implement it the following way:

    <ruleset ...>
      <patterns>
        <pattern>login</pattern>
        <pattern>sshd</pattern>
        <pattern>pam_afs</pattern>
        <pattern>vsftpd</pattern>
        ...
      </patterns>
      <rules>
        ... insert common rules but with specific examples here ...
      </rules>
    </ruleset>
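The dispatch behaviour confirmed in this exchange, as an added example that is not part of either message in the thread and is not syslog-ng's own code: a small Python model of a patterndb file with two rulesets, one shared by 'login' and 'sshd' and one for 'vsftpd'. Only the ruleset whose program patterns contain $PROGRAM is consulted, so a message whose text would match an sshd rule is still left unclassified when it arrives from vsftpd. The XML and the log lines are constructed, and the @STRING@ / @NUMBER@ parsers are modelled as simple regular expressions, which is an assumption of this model rather than a description of syslog-ng's parser semantics.

```python
import re
import xml.etree.ElementTree as ET

# Constructed pattern database in the layout discussed above (two rulesets,
# the first shared by several programs). Not a real syslog-ng shipped file.
PATTERNDB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<patterndb version="4" pub_date="2014-04-17">
  <ruleset name="auth-common" id="ruleset-auth">
    <patterns>
      <pattern>login</pattern>
      <pattern>sshd</pattern>
    </patterns>
    <rules>
      <rule id="auth-fail" class="violation">
        <patterns>
          <pattern>Failed password for @STRING:user@ from @STRING:src_ip@ port @NUMBER:src_port@</pattern>
        </patterns>
      </rule>
    </rules>
  </ruleset>
  <ruleset name="ftp" id="ruleset-ftp">
    <patterns>
      <pattern>vsftpd</pattern>
    </patterns>
    <rules>
      <rule id="ftp-fail" class="violation">
        <patterns>
          <pattern>FAIL LOGIN: Client "@STRING:src_ip@"</pattern>
        </patterns>
      </rule>
    </rules>
  </ruleset>
</patterndb>
"""

# Assumption of this model: @STRING@ matches one non-whitespace token and
# @NUMBER@ a run of digits. Other patterndb parsers are not modelled.
PARSER_RE = re.compile(r"@(STRING|NUMBER):(\w+)@")
PARSER_REGEX = {"STRING": r"\S+", "NUMBER": r"\d+"}


def compile_pattern(text):
    """Turn a rule pattern with @PARSER:name@ tokens into a full-match regex."""
    parts, pos = [], 0
    for m in PARSER_RE.finditer(text):
        parts.append(re.escape(text[pos:m.start()]))          # literal text
        parts.append("(?P<%s>%s)" % (m.group(2), PARSER_REGEX[m.group(1)]))
        pos = m.end()
    parts.append(re.escape(text[pos:]))
    return re.compile("".join(parts) + r"\Z")


def load_rulesets(xml_text):
    """Return [(ruleset_id, set_of_program_names, [(rule_id, class, regex)])]."""
    rulesets = []
    for rs in ET.fromstring(xml_text).findall("ruleset"):
        programs = {p.text for p in rs.find("patterns").findall("pattern")}
        rules = []
        for rule in rs.find("rules").findall("rule"):
            for pat in rule.find("patterns").findall("pattern"):
                rules.append((rule.get("id"), rule.get("class"), compile_pattern(pat.text)))
        rulesets.append((rs.get("id"), programs, rules))
    return rulesets


RULESETS = load_rulesets(PATTERNDB_XML)


def classify(rulesets, program, message):
    """Match MESSAGE only against rules of rulesets whose program patterns
    include PROGRAM; rulesets for other programs are skipped entirely."""
    for rs_id, programs, rules in rulesets:
        if program not in programs:
            continue
        for rule_id, rule_class, regex in rules:
            m = regex.match(message)
            if m:
                return {"ruleset": rs_id, "rule": rule_id,
                        "class": rule_class, "fields": m.groupdict()}
    return None  # no ruleset for this program, or no rule in it matched


# Constructed sample log lines (program, message). The last one has text that
# the auth-fail rule would accept, but vsftpd is not in that ruleset.
SAMPLE_LOGS = [
    ("sshd", "Failed password for root from 203.0.113.7 port 51022"),
    ("login", "Failed password for alice from 198.51.100.9 port 0"),
    ("vsftpd", 'FAIL LOGIN: Client "203.0.113.7"'),
    ("vsftpd", "Failed password for root from 203.0.113.7 port 51022"),
]


def classify_all(logs=SAMPLE_LOGS, rulesets=RULESETS):
    return [classify(rulesets, prog, msg) for prog, msg in logs]


if __name__ == "__main__":
    for (prog, msg), result in zip(SAMPLE_LOGS, classify_all()):
        print("%-7s %-55s -> %s" % (prog, msg, result and result["rule"]))
```

Running the block prints one line per sample message; the fourth message is reported as unmatched even though its text is identical to the first, because the vsftpd ruleset is the only one consulted for that program.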