Forum Discussion
MikeElliottUK
Oct 30, 2020 | Copper Contributor
Deploying a combined Syslog/CEF forwarder
Hi, I'm planning an on-prem syslog/CEF forwarder and the documentation is a little unclear to me. I need the forwarder to forward CEF messages from sources that support it, and raw syslog messages ...
MikeElliottUK
Oct 30, 2020 | Copper Contributor
Ah, I think the penny has dropped :-). So it looks as though rsyslog includes all config files contained within /etc/rsyslog.d/ and processes messages using these config files in order. So I'm adding an additional config file, as suggested by Ofer Shezaf, to be processed before 95-omsagent.conf, to include the statement mentioned earlier ('if $rawmsg contains "CEF:" ...'). Then messages identified as CEF messages will be processed and forwarded, and processing then stops to prevent the message from being handled by the general syslog 95-omsagent.conf file. Raw syslog messages will not match the CEF rule and will therefore be handled as syslog.
The documentation could be much clearer around this I think.
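The ordering trick described in the reply, written out as an added example rather than the poster's own file: the file name, the `10-` prefix and the collector address 127.0.0.1:25226 are assumptions, and the rule relies on rsyslog including /etc/rsyslog.d/*.conf in lexical order so that this file runs before 95-omsagent.conf.

```rsyslog
# /etc/rsyslog.d/10-cef-forward.conf   (assumed file name)
# rsyslog includes /etc/rsyslog.d/*.conf in lexical order, so a "10-" file
# is evaluated before "95-omsagent.conf". Rules below run first.

# Match the raw message text for a CEF header, forward it to the local CEF
# collector over TCP (127.0.0.1:25226 is an assumed address/port), then stop
# so the same message is not also handled as plain syslog by later files.
if $rawmsg contains "CEF:" then {
    action(type="omfwd" target="127.0.0.1" port="25226" protocol="tcp")
    stop
}

# Anything that did not match falls through to the remaining config files,
# i.e. ordinary syslog is still handled by 95-omsagent.conf.
```

Check the merged configuration with `rsyslogd -N1` before restarting the service so a syntax error in the new file does not silently take down all forwarding.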