
Hi,
I've got an issue with suppressing syslog messages based on content. Even after stating the following rule in config.php:
$config['syslog']['filter'][] = 'action=pass';
I still see messages with the intended phrase inside:
id=firewall time="2018-07-25 12:36:32" fw="xxxxxxxxxx" tz=+0200 startime="2018-07-25 12:36:31" pri=4 confid=01 slotlevel=2 ruleid=53 srcif="Ethernet3" srcifname="prod" ipproto=tcp dstif="Ethernet0" dstifname="wan1" proto=ssl src=xxxxxxxxxxx srcport=32827 srcportname=ephemeral_fw_tcp srcname=xxxxxxxxxxxx srcmac=xxxxxxxxxxxxxx dst=xxxxxxxx dstport=443 dstportname=https dstname=xxxxxxxxxxxxxxxxxxxx dstcontinent="eu" dstcountry="ie" modsrc=xxxxxxxxxxxx modsrcport=32827 ipv=4 action=pass msg="Early ChangeCipherSpec" class=protocol classification=0 alarmid=312 target=dst logtype="alarm"
This doesn't apply to every message containing the specified string, only to a few of them. Perhaps a message length issue?
Best, Luca