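# This is used with redundant loghosts. When the
# filter_MYHOST.example.com context is set, filter out all lines that
# do not match the hostname. This way we report only on local events,
# not events passed in from other hosts. This should be one of the
# first rules files evaluated.

# Replace MYHOST.example.com with the local host's name. echo the
# string "MYHOST.example.com_filter_enable" or
# "MYHOST.example.com_filter_disable" to the messages file or other
# input file to enable/disable the filtering.
#
# NOTE(review): the enable/disable strings are matched anywhere in any
# input line, so the filter state is controlled by whoever can get a line
# into a monitored input, including lines forwarded from other hosts.
# The mail sent on every toggle is the only record of a change; treat an
# unexpected "filtering enabled/disabled" mail as something to investigate.
# If the input format allows it, tighten the two toggle patterns to the
# fields a legitimate toggle line would carry -- TODO confirm against the
# actual log format.

# If the string MYHOST.example.com doesn't exist in the event line,
# and filtering is enabled, then force other rules to skip this event
# by setting the handled context.
#
# continue=dontcont: once this rule matches, the remaining rules in this
# file (including the final "delete EVENT_PROCESSED") do not see the event,
# so EVENT_PROCESSED stays set for the rules files evaluated after this one.
#
# NOTE(review): Nsubstr is a negated substring test over the whole line,
# not only the hostname field. A forwarded event whose message text happens
# to mention MYHOST.example.com is therefore NOT filtered out.
type=single
continue=dontcont
ptype=Nsubstr
pattern=MYHOST.example.com
desc=filter out non-MYHOST events
context=filter_MYHOST.example.com
action=create EVENT_PROCESSED

#these rules must always fire. So don't suppress on handled.
# (The guard rule below is intentionally left disabled for that reason.)
#type=single
#continue=dontcont
#ptype=RegExp
#pattern=.
#desc=guard for already handled
#action=logonly
#context = [EVENT_PROCESSED]

# Enable filtering: create the filter context, mark the toggle line itself
# as handled, and mail a notice to admin.
# ptype=SubStr: the toggle is a fixed string, so it is matched literally;
# as a RegExp the dots in the hostname would match any character.
# The shellcmd line is fixed text with no match variables from the event
# in it; keep it that way so log content never reaches the shell.
type=single
continue=dontcont
ptype=SubStr
pattern=MYHOST.example.com_filter_enable
desc=enable MYHOST only filtering
action=create filter_MYHOST.example.com; create EVENT_PROCESSED; \
       shellcmd /bin/mailx -s \
       "MYHOST.example.com only filtering enabled" admin

# Disable filtering: delete the filter context, mark the toggle line itself
# as handled, and mail a notice to admin. Same literal match and same
# fixed-text shellcmd as the enable rule above.
type=single
continue=dontcont
ptype=SubStr
pattern=MYHOST.example.com_filter_disable
desc=disable MYHOST.example.com only filtering
action=delete filter_MYHOST.example.com; create EVENT_PROCESSED; \
       shellcmd /bin/mailx -s \
       "MYHOST.example.com only filtering disabled" admin

# Remove the handled context by default since this is a pure filter ruleset.
# hence we do want other rulesets to apply and analyze the
# events.
# This rule is only reached when none of the rules above matched, i.e. for
# events that were not filtered and are not toggle lines.
type=single
continue=dontcont
ptype=RegExp
pattern=.
desc=delete EVENT_PROCESSED
action=delete EVENT_PROCESSED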