NETWAYS/ssh-logstash-pipeline

Use "if" to only run filters on filters that can match

Closed this issue · 0 comments

The current implementation is one pipeline for all logs within /var/log/secure on RedHat and derivatives. So we should have big `if` blocks to keep events from being checked for data that can never match.

Another option would be to split rules into different pipelines. This option is still valid after the change - but we shouldn't forget to remove the (then redundant) if clauses.

By changing this we can rename files to clarify that they work in parallel as well.
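
A sketch of the guarded layout described in this issue, added here as an example and not taken from the repository's own rules. The field names (`program`, `pid`, `syslog_message`, `user`, `source_ip`, `source_port`, `auth_method`), the custom failure tags and the sample log lines are assumptions made for illustration.

```logstash
filter {
  # Constructed sample lines from /var/log/secure:
  #   Jan 10 12:00:01 host1 sshd[1234]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
  #   Jan 10 12:00:07 host1 sshd[1240]: Accepted publickey for alice from 192.0.2.10 port 50022 ssh2
  #   Jan 10 12:00:09 host1 sudo: alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/ls

  # Split the syslog header once so the conditionals below can test the program name.
  grok {
    match => {
      "message" => "^%{SYSLOGTIMESTAMP:timestamp} %{SYSLOGHOST:logsource} %{PROG:program}(?:\[%{POSINT:pid}\])?: %{GREEDYDATA:syslog_message}"
    }
    tag_on_failure => ["_secure_header_parse_failure"]
  }

  # Only sshd events enter this block. The sudo line above never reaches the
  # sshd grok rules, so it costs no regex time and collects no failure tag.
  if [program] == "sshd" {
    # A cheap anchored prefix test picks the one rule that can match.
    if [syslog_message] =~ /^Failed password / {
      grok {
        match => {
          "syslog_message" => "^Failed password for (?:invalid user )?%{USERNAME:user} from %{IP:source_ip} port %{POSINT:source_port}"
        }
        # A distinct tag shows which rule failed on an unexpected format.
        tag_on_failure => ["_sshd_failed_password_parse_failure"]
      }
    } else if [syslog_message] =~ /^Accepted / {
      grok {
        match => {
          "syslog_message" => "^Accepted %{NOTSPACE:auth_method} for %{USERNAME:user} from %{IP:source_ip} port %{POSINT:source_port}"
        }
        tag_on_failure => ["_sshd_accepted_parse_failure"]
      }
    }
  }
}
```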