if  ($syslogfacility-text == 'kern') and \\
($msg contains ' netfilter ') \\
then    -/var/log/netfilter/all.log
#    &   ~

if  ($syslogfacility-text == 'kern') and \\
($msg contains ' netfilter dropped') \\
then    -/var/log/netfilter/drop.log
#    &   ~

if  ($syslogfacility-text == 'kern') and \\
($msg contains ' netfilter rejected') \\
then    -/var/log/netfilter/reject.log
#    &   ~

if  ($syslogfacility-text == 'kern') and \\
($msg contains ' netfilter ' and $msg contains ' DHCP') \\
then    -/var/log/netfilter/dhcp.log
#    &   ~

iptables allowed DHCP
if  ($syslogfacility-text == 'kern') and \\
($msg contains ' netfilter dropped' or $msg contains ' netfilter rejected') \\
then    -/var/log/netfilter/troubleshooot.log
#    &   ~

if  ($syslogfacility-text == 'kern') and \\
($msg contains ' netfilter clutter') \\
then    -/var/log/netfilter/clutter.log
#    &   ~