I've been setting up a bunch of compliance reporting as of late and, while I now have a rule that looks for the correct logging servers, I would also like to have one that looks for any other logging servers that might be setup.
I've been banging away at it for a while now, but I just don't seem to have found a filter that doesn't either fail everything or pass everything...
Here's what I've got at the moment:
------------------------------------
Match if String is Found
Must NOT Contain String: logging host x.x.x.x
Must NOT Contain String: logging host y.y.y.y
Must NOT Contain String: logging host z.z.z.z
Must Contain String: logging host
All four are "AND" with no use of parenthesis.
------------------------------------
This ALWAYS comes through as a "Pass," even if there is a fourth logging host that is NOT one of those other three. I have tried a variety of regex variations, but it seems to invariably pass or fail 100% of the devices. It is totally possible that I got close with the regex, but just didn't know enough.
In the case of the current, simplified string-only attempt, is is possible that it is excluding the first three strings, then going right back and matching the fourth filter against those same three lines? In my head, it should only cause a match if a logging host is in the config and does NOT match one of the three known IPs.
Thanks for any advice!