Hi,

There is a syslog message that triggers rule 1002 for syslog, which is about alerting on certain keywords. The message happens when we try to set up an ssh tunnel when the port has already been used by someone else, and it has the keyword "error" generated by sshd. I don't want to remove the keyword from rule 1002 or even less ignore the rule completely, but I was wondering if there was a way to whitelist certain specific syslog messages? I could not find the information in the wiki, so I hope I didn't just overlook it :-)

Thanks,
Steve Johnson
