Split input to multiple outputs based on content

#1 Preston.Taylor

How can I select some messages from a single source for one output and some for another based on the syslog content? I'm using the community edition. I have RTFMed but haven't found anything describing how to do this. I've tried using the Route block to send to multiple outputs and then using the drop() option in the output inside some <Exec> tags, but it doesn't seem to work and I end up with the same stuff in both outputs.

#2 Preston.Taylor

I was able to resolve this but it still doesn't make sense.

I changed

<Output out2>
    Module  om_file
    File    'C:\syslog\server1.log'

    <Exec>
        if $Message !~ /192.168.1.62/ {
            drop();
        }
    </Exec>
</Output>

to

<Output out2>
    Module  om_file
    File    'C:\syslog\server1.log'

    <Exec>
        if not ($raw_event =~ /192.168.1.62/) drop();
    </Exec>
</Output>

In the above output I was getting ALL messages (wat?) and the bottom was working as expected.
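A complete config for the same kind of content-based split, added here as an example rather than the poster's own configuration. It assumes a UDP syslog input on port 514 and uses the parsed $Hostname field as the split key; the file names and the hostname value are assumed. The likely reason the $Message version passed everything is that $Message only exists after parse_syslog() has run; a regex against an undefined field is undefined, so the if never fires.

```nxlog
# Added example, not the poster's config. Assumes im_udp on port 514
# and that the split key is the parsed syslog hostname field.
<Extension syslog>
    Module  xm_syslog
</Extension>

<Input in>
    Module  im_udp
    Host    0.0.0.0
    Port    514
    # parse_syslog() populates $Message, $Hostname, $SyslogSeverity, ...
    # Without it only $raw_event is set; a regex against an undefined
    # $Message evaluates to undefined and the drop() never runs.
    Exec    parse_syslog();
</Input>

<Output out_server1>
    Module  om_file
    File    'C:\syslog\server1.log'
    # Keep only events whose parsed hostname is server1 (assumed value).
    Exec    if $Hostname != 'server1' drop();
</Output>

<Output out_other>
    Module  om_file
    File    'C:\syslog\other.log'
    # Everything not from server1 lands here.
    Exec    if $Hostname == 'server1' drop();
</Output>

# drop() inside an Output's Exec only discards that output's copy of
# the event, so one route feeding both outputs yields disjoint files.
<Route r1>
    Path    in => out_server1, out_other
</Route>
```

Filtering on $raw_event, as in the working version above, avoids the parse step but matches the whole line, so an IP that appears inside a message body will also match.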