...
The next step is to create a file, with the same name as the Token you wish to use as an FToken, appended with ".php" - eg: USERFLOOR.php. The file can be stored in /data/SnareUI/Global/FTokens, if this FToken should apply to ANY field called 'USERFLOOR', regardless of the log data source - or, it can be stored in /data/SnareUI/Global/FTokens/DATASOURCENAME - where DATASOURCENAME is the name of the data source (eg: CISCORouterLog, WinSecurity, Tru64Audit)
| Info |
|---|
|
This file will utilise a function called 'GetData' to attempt to retrieve the floor that the user is a member of. The GetData function will replace the username, with the floor/level number, BEFORE the modular objective match query runs.
...
Using this information, we can now construct a query in our modular objective something along the following lines:
| Info |
|---|
|
| Info |
|---|
Note that Snare Central version 7.5.1 and above include the updated 'SnareStore' datastore query engine. SnareStore provides significantly increased speed and flexibility for queries, but does not currently support FTOKEN capabilities. If the Snare Server detects that your objective uses an FTOKEN, the query will be delgated back to the legacy "IPDB" environment, which may result in slower query response. |