28-Aug-2023 12:40
Hi guys,
I need to send only audit syslogs to remote servers, but without the pollution described in ID 880565.
Will the config below do the job as expected? Thanks in advance.
include "
filter f_audit {
    match(AUDIT);
};
filter f_audit_pollution {
    not (facility(local0) and message(\"AUDIT\") and match(\"cmd_data=list cm device recursive|cmd_data=cd /\"));
};
destination d_syslog_server {
    tcp(\"IP1\" port (514));
    tcp(\"IP2\" port (514));
};
log {
    source(s_syslog_pipe);
    filter(f_audit);
    filter(f_audit_pollution);
    destination(d_syslog_server);
};"
20-Sep-2023 03:10
Refer to:
https://my.f5.com/manage/s/article/K56602501
https://my.f5.com/manage/s/article/K13080
20-Sep-2023 04:08
In reality, messages like "01420002:5: AUDIT - pid=20740 user=root folder=/ module=(tmos)# status=[Command OK] cmd_data=list cm device recursive" were polluting the audit logs even with the recommended configuration.
So I introduced the above config and it worked for me.
Thanks
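An added example, not part of the original posts: a small Python model of the two filters from the first post, run over sample lines to check what the log path would forward before deploying it. It assumes `match()` and `message()` behave as unanchored, case-sensitive regex searches over the message text. All sample lines except the one quoted in the thread are constructed.

```python
import re

# Patterns copied from the posted filters. Assumption: syslog-ng applies
# them as unanchored, case-sensitive regex searches on the message text.
AUDIT_RE = re.compile(r"AUDIT")
NOISE_RE = re.compile(r"cmd_data=list cm device recursive|cmd_data=cd /")

def forwarded(facility: str, message: str) -> bool:
    """True if the posted log path would send this message to d_syslog_server."""
    # filter(f_audit): match(AUDIT)
    if not AUDIT_RE.search(message):
        return False
    # filter(f_audit_pollution):
    #   not (facility(local0) and message("AUDIT") and match(<noise>))
    is_noise = (
        facility == "local0"
        and AUDIT_RE.search(message) is not None
        and NOISE_RE.search(message) is not None
    )
    return not is_noise

PREFIX = "01420002:5: AUDIT - pid=20740 user=root folder=/ module=(tmos)# status=[Command OK] "

SAMPLES = [
    # Line quoted in the thread: the noise the filter is meant to drop.
    ("local0", PREFIX + "cmd_data=list cm device recursive"),
    # Constructed: the second noise pattern.
    ("local0", PREFIX + "cmd_data=cd /"),
    # Constructed: also dropped, because "cmd_data=cd /" is an unanchored prefix match.
    ("local0", PREFIX + "cmd_data=cd /Common"),
    # Constructed: a real configuration command, which must still be forwarded.
    ("local0", PREFIX + "cmd_data=save sys config"),
    # Constructed: a non-audit message, stopped by f_audit.
    ("local0", "mcpd[1234]: constructed non-audit message"),
]

def run_samples():
    """Evaluate every sample and return the forward/drop decisions in order."""
    return [forwarded(fac, msg) for fac, msg in SAMPLES]

if __name__ == "__main__":
    for (fac, msg), keep in zip(SAMPLES, run_samples()):
        print("FORWARD" if keep else "DROP   ", fac, msg)
```

The third sample shows that the pattern drops every `cd` to an absolute path, not only `cd /`; if that is too broad for your audit requirements, anchor the pattern with `$`.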