I'd like to understand the XML filtering mechanism a little better. The basic examples provided in SK122313 and in the community don't get too deep into its capabilities and limitations.
Log Exporter seems designed to identify logs to be forwarded to a remote server; filterGroups are defined in SK122323 as "a group of fields that determine what to export."
Is it possible to invert that approach? For example, to forward everything by default and then granularly define multiple independent set of criteria to not forward?
A very simple use case like just applying a "neq" comparison to a single value seems pretty straightforward, but how do you go about defining multiple independent exclusionary criteria? For example:
- exclude by rule_uid
- exclude HTTPS traffic to a set of destinations IPs
- exclude echo_requests to a different set of destination IPs
A few questions about how the filtering mechanism works:
What is the intended way to define multiple independent sets of filtering criteria? Defining multiple <filterGroup> or <filters> sections does not seem to work, and defining separate <dynamicFilter> sections in the targetConfiguration.xml (pointing to different XML files) does not seem to work.
Can multiple set of criteria be defined at all, and if so how do they interact in cases of a conflict, like where one set of criteria would define a log to be forwarded and another set would define the same log to not be forwarded?
Is there significance in many examples of the XML filtering having field definitions with no value comparisons, like so:
<field name="action" operator="and">