Joe_Matthews
Participant

log exporter filterconfiguration

Hello. I am wondering if anyone has experience in working with the filterconfiguration.xml file. We are trying to filter so that we get all logs for certain blades and then only logs with certain severity for other blades. We would like all Identity Awareness, Content, Application Control and URL Filtering. Then severity 3 or 4 for Threat, AV, IPS, etc. Below is the config we are trying to use, but as soon as we put in the severity we get almost no logs for any blades. I suspect that is because it is applying severity to the other blades which do not have that field. Do we need to put the severity field under each blade that we want only those severity levels?


<filters>
        <filterGroup operator="and">
                <field name="action" operator="and">
                </field>
                <field name="origin" operator="and">
                </field>
                <field name="product" operator="or">
                        <value operation="eq">Identity Awareness</value>
                        <value operation="eq">Content Awareness</value>
                        <value operation="eq">Application Control</value>
                        <value operation="eq">URL Filtering</value>
                </field>
                <field name="product" operator="or">
                        <value operation="eq">Anti-Bot</value>
                        <value operation="eq">Anti Malware</value>
                        <value operation="eq">IPS</value>
                        <value operation="eq">IPS-1</value>
                        <value operation="eq">SmartDefense</value>
                        <value operation="eq">Anti-Virus</value>
                        <value operation="eq">New Anti Virus</value>
                        <value operation="eq">Anti Virus</value>
                        <value operation="eq">Threat Extraction</value>
                </field>
                <field name="severity" operator="and">
                        <value operation="eq">3</value>
                        <value operation="eq">4</value>
                </field>
        </filterGroup>
</filters>

1 Reply
PhoneBoy
Admin

Edited your original post for clarity.
I don't think this will match anything:

                <field name="severity" operator="and">
                        <value operation="eq">3</value>
                        <value operation="eq">4</value>
                </field>


It should be an operator="or" in this case, at least if I'm understanding sk122323 correctly.
Also, everything in the filterGroup must match (e.g. product = X AND severity = Y).

That basically means you'll need to create two different filterGroups (one with the blades you want to send based on priority and one with the blades you want to send irrespective of priority).
Whether you can put that in one filterConfiguration.xml or you'll need to configure a second export to the same server with the other filterConfiguration, I'm not sure.

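To make the two points in the reply concrete, here is an added toy evaluator (not part of the thread and not Check Point's Log Exporter code) that applies a filterConfiguration-style document to a few constructed log records. It models the semantics exactly as the reply reads sk122323: a field's values are folded with the field's operator, a filterGroup's fields are folded with the group's operator, and a record is exported if any filterGroup matches. The "any group" rule, the empty-field-means-no-constraint rule and the eq/neq operation set are assumptions made for this example, not documented exporter behaviour; the product names and severity values are taken from the original post, and the log records are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the poster's layout, reduced to the fields that matter.
# Both "product" fields and the severity "and" sit in one "and" filterGroup.
ORIGINAL_FILTER = """
<filters>
  <filterGroup operator="and">
    <field name="product" operator="or">
      <value operation="eq">Identity Awareness</value>
      <value operation="eq">URL Filtering</value>
    </field>
    <field name="product" operator="or">
      <value operation="eq">Anti-Bot</value>
      <value operation="eq">IPS</value>
    </field>
    <field name="severity" operator="and">
      <value operation="eq">3</value>
      <value operation="eq">4</value>
    </field>
  </filterGroup>
</filters>
"""

# Constructed sample: only the severity operator flipped to "or", still one group.
SEVERITY_OR_ONLY = ORIGINAL_FILTER.replace(
    'name="severity" operator="and"', 'name="severity" operator="or"')

# Constructed sample: the two-filterGroup layout the reply suggests.
FIXED_FILTER = """
<filters>
  <filterGroup operator="and">
    <field name="product" operator="or">
      <value operation="eq">Identity Awareness</value>
      <value operation="eq">URL Filtering</value>
    </field>
  </filterGroup>
  <filterGroup operator="and">
    <field name="product" operator="or">
      <value operation="eq">Anti-Bot</value>
      <value operation="eq">IPS</value>
    </field>
    <field name="severity" operator="or">
      <value operation="eq">3</value>
      <value operation="eq">4</value>
    </field>
  </filterGroup>
</filters>
"""

# Assumption: only eq/neq are modelled; the real exporter has its own set.
OPERATIONS = {
    "eq": lambda actual, wanted: actual == wanted,
    "neq": lambda actual, wanted: actual != wanted,
}


def combine(operator, results):
    """Fold a list of booleans with an element's operator ("and" / "or")."""
    if not results:
        return True  # assumption: nothing to check means no constraint
    return all(results) if operator == "and" else any(results)


def field_matches(field, record):
    """A field compares the record's value (None if absent) against each <value>."""
    actual = record.get(field.get("name"))
    results = [OPERATIONS[v.get("operation")](actual, (v.text or "").strip())
               for v in field.findall("value")]
    return combine(field.get("operator", "or"), results)


def group_matches(group, record):
    """With operator="and", every field in the group has to match."""
    results = [field_matches(f, record) for f in group.findall("field")]
    return combine(group.get("operator", "and"), results)


def record_passes(filter_xml, record):
    """Assumption: a record is exported if any filterGroup matches it."""
    root = ET.fromstring(filter_xml)
    return any(group_matches(g, record) for g in root.findall("filterGroup"))


def filter_logs(filter_xml, records):
    return [r for r in records if record_passes(filter_xml, r)]


# Constructed log records; the first one has no severity field at all.
SAMPLE_LOGS = [
    {"product": "Identity Awareness"},
    {"product": "URL Filtering", "severity": "1"},
    {"product": "IPS", "severity": "3"},
    {"product": "IPS", "severity": "1"},
    {"product": "Anti-Bot", "severity": "4"},
]

if __name__ == "__main__":
    for name, xml_text in (("original", ORIGINAL_FILTER),
                           ("severity or only", SEVERITY_OR_ONLY),
                           ("two groups", FIXED_FILTER)):
        kept = filter_logs(xml_text, SAMPLE_LOGS)
        print(f"{name}: {len(kept)} of {len(SAMPLE_LOGS)} records pass")
        for r in kept:
            print("   ", r)
```

Under this model the original document passes nothing for two independent reasons: severity can never equal 3 and 4 at once, and a single product value can never satisfy both product fields of an "and" group. Flipping only the severity operator to "or" still passes nothing because of the second problem; splitting the blades into two filterGroups lets the Identity Awareness record through even though it carries no severity field, which is the behaviour the original post was after.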