fransmoonen
Explorer

LogExporter Regex based filtering

Hi,

I checked various sources of information regarding LogExporter, like sk122323.

The customer is running R80.40 and sends logs to a SIEM.

We want to limit the amount of logs sent to the SIEM by using LogExporter filtering.

I want to exclude, via filters, all DHCP and DNS logs from internal 10.x.x.x hosts and networks to internal servers that are also in 10.x.x.x.

Can regex be used?

For DNS I am thinking of a filter like:

<filterGroup operator="and">
<field name="src" operator="and">
<value operation="neq">10."\d{3}\.\d{3}\.\d{3}"</value>
</field>
<field name="dst" operator="and">
<value operation="neq">10."\d{3}\.\d{3}\.\d{3}"</value>
</field>
<field name="port" operator="and">
<value operation="neq">53</value>
</field>
</filterGroup>

For DHCP:

<filterGroup operator="or">
<field name="port" operator="or">
<value operation="neq">67</value>
</field>
<field name="port" operator="or">
<value operation="neq">68</value>
</field>
</filterGroup>

Any help is welcome.

Thanks,

Frans

PhoneBoy
Admin

Pretty sure regex cannot be used and this is an RFE.
Recommend reaching out to your local office with this requirement.

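To see what the filterGroup/field/value structure from the question actually selects when values are compared as plain strings (no regex, as the reply states), here is a small evaluator for that XML shape. This is an added example, not code from the thread or from Check Point; the and/or combination rules and the assumption that matching records are the ones exported are my reading of the structure as posted, and the log records are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed log records standing in for exported fields; not real customer logs.
SAMPLE_LOGS = [
    {"src": "10.1.2.3", "dst": "10.1.0.10", "port": "53"},    # internal DNS
    {"src": "10.1.2.3", "dst": "8.8.8.8", "port": "53"},      # external DNS
    {"src": "10.1.2.3", "dst": "192.0.2.80", "port": "443"},  # HTTPS
]

def _combine(operator, results):
    return any(results) if operator == "or" else all(results)

def _eval_value(value, actual):
    # Literal string comparison only; no regex, as PhoneBoy's reply states
    expected, op = (value.text or "").strip(), value.get("operation", "eq")
    return actual != expected if op == "neq" else actual == expected

def _eval_field(field, record):
    actual = str(record.get(field.get("name"), ""))
    results = [_eval_value(v, actual) for v in field.findall("value")]
    return _combine(field.get("operator", "and"), results)

def _eval_group(group, record):
    results = []
    for child in group:
        if child.tag == "filterGroup":
            results.append(_eval_group(child, record))
        elif child.tag == "field":
            results.append(_eval_field(child, record))
    return _combine(group.get("operator", "and"), results)

def exported(filter_xml, records):
    # Assumed: records matching the filter are the ones sent to the SIEM.
    root = ET.fromstring(filter_xml)  # rejects unbalanced tags such as a missing </field>
    return [r for r in records if _eval_group(root, r)]

# DNS filter as posted: the regex text is compared literally, so both neq tests are
# always true for a real address and only the port test has any effect.
DNS_AS_POSTED = r"""<filterGroup operator="and">
<field name="src" operator="and"><value operation="neq">10."\d{3}\.\d{3}\.\d{3}"</value></field>
<field name="dst" operator="and"><value operation="neq">10."\d{3}\.\d{3}\.\d{3}"</value></field>
<field name="port" operator="and"><value operation="neq">53</value></field>
</filterGroup>"""

# Dropping one specific src/dst/port triple needs "or" around the neq tests (De Morgan).
DNS_LITERAL = """<filterGroup operator="or">
<field name="src" operator="and"><value operation="neq">10.1.2.3</value></field>
<field name="dst" operator="and"><value operation="neq">10.1.0.10</value></field>
<field name="port" operator="and"><value operation="neq">53</value></field>
</filterGroup>"""
```

Run against SAMPLE_LOGS, the posted filter drops every port-53 record (internal and external DNS alike), while DNS_LITERAL drops only the internal DNS record.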