Thank you very much for all your help Rick! Unfortunately the original host is a syslog server that has a few different input files - however the file that holds all the Forti events is a single input as it's aggregated by our FortiAnalyzer device. Plan B I think will have to be a fairly lengthy regexp that has both the policy ID and device ID. Our Heavy Forwarders have reasonable processing power, however they are already sitting around 50% util - hopefully this extra pattern matching will not create too much of an overhead.