# save syslog and auth.log from remote machines
# and stop processing them to not send them to another
# log aggregator
ruleset(name="from-remote"){
  if prifilt("auth.*") or prifilt("authpriv.*") then {
    -/var/log/aggregator-auth.log
    stop
  }
  -/var/log/aggregator-syslog
  stop
}