Ambross
Explorer

log exporter fieldmapping.xml - how to exclusions?

Hello Everyone,

 

I would like to understand how to exclude certain log fields of certain blades.

As far as I understand and according to sk122323, you add a filterGroup to the fieldmapping.xml, so this is what I came up with so far:

<filterGroup operator="and">
	<!-- Firewall blade -->
	<product name="Firewall" operator="and">
		<field name="layer_name" operator="or"></field>
		<field name="layer_uuid" operator="or"></field>
		<field name="logid" operator="or"></field>
		<field name="nat_addtnl_rulenum" operator="or"></field>
		<field name="parent_rule" operator="or"></field>
		<required>false</required>
	</product>
	<!-- HTTPS Inspection blade -->
	<product name="HTTPS Inspection" operator="and">
		<field name="https_inspection_rule_id" operator="or"></field>
		<field name="service" operator="or"></field>
		<field name="proto" operator="or"></field>
		<field name="ifdir" operator="or"></field>
		<required>false</required>
	</product>
	<!-- Threat Emulation blade -->
	<product name="Threat Emulation" operator="and">
		<field name="file_sha1" operator="or"></field>
		<field name="file_sha256" operator="or"></field>
		<field name="layer_uuid" operator="or"></field>
		<required>false</required>
	</product>
</filterGroup>

Am I on the right track? I feel like this is not a difficult task, but I can't wrap my head around what the interpreter expects.

Has someone done this before and can give me some advice?

0 Kudos
1 Reply
Amir_Senn
Employee

AFAIK the filter configuration of log exporter is to exclude entire logs and not specific fields.

Kind regards, Amir Senn
0 Kudos
