hey folks - it's been a while, but I have a quick one, I hope.
I need to write a syslog rule to alert us when we see syslog messages containing "/9100" but NOT containing "10.253.1.63".
We have an IPS that scans port 9100 (network printers) and from time to time, these hit our firewall, which causes an alert to trigger. Most times, it's because someone moved to a new office and didn't update their printers.
I have a VERY basic rule now - Is what I need possible?
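The "contains /9100 but not 10.253.1.63" condition from the question, worked through as an added example that is not part of the original post. The post does not say which syslog daemon is in use, so the match logic is shown in Python run over a handful of constructed firewall deny lines (not real logs); it also shows the two places where plain substring matching misfires, which a rule written as two bare `contains` tests will inherit:

```python
import re

# Constructed sample syslog lines (not from the original post), shaped like a
# firewall deny message that writes source and destination as address/port.
SAMPLE_LINES = [
    "<134>Mar  3 10:15:01 fw1 kernel: DENY TCP 10.253.1.63/52110 -> 10.20.5.14/9100",   # the IPS scanner: suppress
    "<134>Mar  3 10:15:07 fw1 kernel: DENY TCP 10.20.7.88/49322 -> 10.20.5.14/9100",    # some other host: alert
    "<134>Mar  3 10:15:09 fw1 kernel: DENY TCP 10.20.7.88/49323 -> 10.20.5.14/9101",    # different port: ignore
    "<134>Mar  3 10:15:12 fw1 kernel: DENY TCP 110.253.1.63/40000 -> 10.20.5.14/9100",  # looks like the scanner to a substring test
    "<134>Mar  3 10:15:15 fw1 kernel: DENY TCP 10.20.7.90/49400 -> 10.20.5.14/91001",   # looks like port 9100 to a substring test
]

SCANNER_IP = "10.253.1.63"   # the IPS address from the question
PORT = 9100                  # raw printing / JetDirect port being scanned

# Match "/9100" only when no further digit follows, so "/91001" is not port 9100.
PORT_RE = re.compile(rf"/{PORT}(?!\d)")
# Match the scanner address only as a whole dotted quad, so "110.253.1.63" or
# "10.253.1.630" are not mistaken for the scanner.
IP_RE = re.compile(rf"(?<![\d.]){re.escape(SCANNER_IP)}(?![\d.])")


def naive_should_alert(line):
    """The rule exactly as phrased in the question: two plain substring tests."""
    return "/9100" in line and "10.253.1.63" not in line


def should_alert(line):
    """Same intent, with both tokens anchored so neighbouring digits cannot
    widen or shadow the match."""
    return PORT_RE.search(line) is not None and IP_RE.search(line) is None


def filter_lines(lines, predicate=should_alert):
    """Return the lines that should raise an alert under the given predicate."""
    return [line for line in lines if predicate(line)]


if __name__ == "__main__":
    print("naive rule alerts on:")
    for line in filter_lines(SAMPLE_LINES, naive_should_alert):
        print("  ", line)
    print("anchored rule alerts on:")
    for line in filter_lines(SAMPLE_LINES):
        print("  ", line)
```

On the sample set the naive rule alerts on the second and fifth lines (it wrongly swallows the 110.253.1.63 host as the scanner and wrongly fires on port 91001), while the anchored rule alerts on the second and fourth. Whether anchoring is available depends on the daemon: if this is rsyslog (an assumption, the post does not say), the plain version is a RainerScript filter along the lines of `if $msg contains '/9100' and not ($msg contains '10.253.1.63') then { ... }`, and the anchored version swaps `contains` for a regex test; in syslog-ng the same split is a filter combining `match()` on the port with `not match()` on the address. In either case, suppressing on the scanner's source address only is deliberate: a 9100 hit from any other host is exactly the "moved office, didn't update the printer" signal the alert exists for.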