This is what I want, but I can't make it work.
I want to receive all error messages if it's an error or higher.
But I receive some error messages that I want to suppress because they are more informational than a real error message.
I have a configured alert which sends an email on all events of the type error and higher. (Last rule)
I have a configured alert where I use the "discard syslog message" action for a specific pattern. (Topmost rule)
I would have thought that because I used this specific sequence (1st the more specific rule, followed by the general rule) these messages would be suppressed.
The error is removed from the syslog view (as it is configured) but the mail is still sent.
How do I solve this?
Bu