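# Dynamic output paths for the UDP (514) feed: one file per sending host.
template(name="trendmicro" type="string" string="/PROD/trendmicro/%fromhost-ip%/trendmicro.log")
template(name="asa" type="string" string="/PROD/asa/%fromhost-ip%/asa.log")

# Route UDP syslog by source network prefix.
# NOTE: '==' is an exact string comparison, so a prefix such as '10.100.' never
# equals a full address; with the original operator every message fell through
# to the trailing 'stop' and was silently discarded. 'startswith' performs the
# prefix match the trailing dots were clearly meant to express.
# NOTE: on an imudp input, $fromhost-ip is taken from the datagram's source
# address and is not authenticated; the routing below is only as reliable as
# the network controls on the path that delivers these datagrams.
ruleset(name="remote-udp") {
    if $fromhost-ip startswith '10.100.' then {
        action(type="omfile" dynafile="trendmicro")
    }
    if $fromhost-ip startswith '10.0.4' then {
        action(type="omfile" dynafile="trendmicro")
    }
    # '10.0.' also covers 10.0.4.x, so those hosts are written to both the
    # trendmicro and the asa file; TODO confirm whether that duplication is intended.
    if $fromhost-ip startswith '10.135.' or $fromhost-ip startswith '10.0.' then {
        action(type="omfile" dynafile="asa")
    }
    # The original repeated the identical test '10.19' twice; a second, different
    # prefix may have been intended — TODO confirm. Without a trailing dot, '10.19'
    # also matches 10.190.x.x through 10.199.x.x.
    # The 'fireeye' dynafile template is not defined on this page; rsyslog is
    # expected to reject the action unless it is defined elsewhere in the config.
    if $fromhost-ip startswith '10.19' then {
        action(type="omfile" dynafile="fireeye")
    }
    stop
}

# Bind the ruleset to the UDP listener and activate it.
input(type="imudp" port="514" ruleset="remote-udp")

# Output line format: timestamp, host, tag, message (a separating space is added
# only when the message does not start with one; the message's own trailing LF
# is dropped and a single newline appended).
template(name="rsyslog-fmt" type="string"
         string="%TIMESTAMP% %HOSTNAME% %syslogtag%%msg:::sp-if-no-1st-sp%%msg:::drop-last-lf%\n")

# Per-product dynamic paths for the TCP feed. None of these three templates is
# referenced by an action on this page.
template(name="Checkpoint" type="string" string="/var/log/splunk/Checkpoint/%HOSTNAME%/checkpoint.log")
template(name="Checkpoint_sys" type="string" string="/var/log/splunk/Checkpoint_sys/%HOSTNAME%/checkpoint.log")
template(name="F5" type="string" string="/var/log/splunk/F5/%HOSTNAME%/f5_waf.log")

# Catch-all ruleset for the TCP listener (the listener itself is commented out below,
# so this ruleset is currently unreachable).
ruleset(name="network-logs") {
    #if $HOSTNAME startswith "SCMD-SPL-DEPS" then { action (type="omfile" dynafile="test" template="rsyslog-fmt") stop }
    #if $fromhost-ip=="10.40.71" then { action (type="omfile" dynafile="test" template="rsyslog-fmt") stop }
    # NOTE: template "rsyslog-fmt-unc" is not defined on this page; only "rsyslog-fmt" is.
    # If it is not defined elsewhere in the configuration this action will fail to load.
    action(type="omfile" file="/var/log/splunk/uncategorised.log" template="rsyslog-fmt-unc")
    stop
}
#input(type="imtcp" port="514" ruleset="network-logs")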