Let's say that I have a syslog record like this:
Nov 20 16:59:36 Server100 service111: "url:http://www.badlink.com, attributes:[Malware, Bad Location, No SSL]"
And I have parser rules for each of the attributes (malware, bad location, no ssl). How can I create three different events, one for each match on the log? As it stands now it is only creating an event for the first attribute it sees and then moves on to the next syslog entry.
The Event Message is just one, as the syslog message is just one; if you want more, then just put alarms to monitor for specific field matches.
Also create a parser that will parse the entire message, not just fragments.
Hope that helps.
Sorry for the short reply
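To illustrate the answer's two points (parse the whole message, then match alarms on specific fields), here is an added Python example that is not code from either poster or from any particular SIEM product. It parses the sample record from the question into one event with a list-valued `attributes` field, fans that one event out into one derived event per attribute, and evaluates a small set of per-attribute alarm rules against the parsed record. The regexes, field names and rule names are assumptions made for this example; the second sample line with an empty attribute list is constructed to show the edge case.

```python
import re

# Constructed sample records: the first is the line from the question,
# the second is a constructed variant with no attributes at all.
SAMPLE_LINE = ('Nov 20 16:59:36 Server100 service111: '
               '"url:http://www.badlink.com, attributes:[Malware, Bad Location, No SSL]"')
EMPTY_ATTR_LINE = ('Nov 20 16:59:40 Server100 service111: '
                   '"url:http://www.example.com, attributes:[]"')

# Assumed layout: BSD-style syslog header, program name, then a double-quoted body.
SYSLOG_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) '
    r'(?P<host>\S+) (?P<prog>[^:\s]+): "(?P<body>.*)"$')
# Assumed body layout: url:<value>, attributes:[a, b, c]
BODY_RE = re.compile(r'url:(?P<url>[^,\s]+),\s*attributes:\[(?P<attrs>[^\]]*)\]')

# Assumed alarm rules: rule name -> attribute value it fires on (case-insensitive).
ALARM_RULES = {
    'malware': 'malware',
    'bad_location': 'bad location',
    'no_ssl': 'no ssl',
}


def parse_record(line):
    """Parse the entire syslog line into one event dict.

    The attribute list is kept whole as a list-valued field rather than
    stopping at the first attribute, which is the behaviour the question
    describes.
    """
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError('not a recognised syslog line: %r' % line)
    b = BODY_RE.search(m['body'])
    if not b:
        raise ValueError('body does not match expected layout: %r' % m['body'])
    attributes = [a.strip() for a in b['attrs'].split(',') if a.strip()]
    return {
        'timestamp': m['ts'],
        'host': m['host'],
        'program': m['prog'],
        'url': b['url'],
        'attributes': attributes,
    }


def expand_events(record):
    """Fan one parsed record out into one derived event per attribute.

    A record with no attributes yields the base event alone, so nothing
    is silently dropped.
    """
    base = {k: v for k, v in record.items() if k != 'attributes'}
    if not record['attributes']:
        return [base]
    return [dict(base, attribute=attr) for attr in record['attributes']]


def match_alarms(record):
    """Return the sorted names of alarm rules whose attribute appears in the record."""
    present = {a.lower() for a in record['attributes']}
    return sorted(name for name, value in ALARM_RULES.items() if value in present)


if __name__ == '__main__':
    rec = parse_record(SAMPLE_LINE)
    print('parsed:', rec)
    for ev in expand_events(rec):
        print('event:', ev)
    print('alarms:', match_alarms(rec))
```

The parsed record stays a single event, as the answer says; whether you then fan it out with `expand_events` or only raise alarms with `match_alarms` depends on whether downstream reporting needs one row per attribute or one row per message.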