
Each destination can be configured to forward only particular events. The default behaviour for each destination depends on the first filter.

...

Example: Match a particular hostname in an event sent by a Snare Agent

Snare agents transmit the hostname as the first element of the event, followed by a tab. Some options to capture 'myhostname' are shown below. Which option you use will depend on the format your log source uses to send through events.

^myhostname\t

^myhostname(\.mydomain)\t

^([Mm]y[Hh]ostname|MYHOSTNAME)


Match syslog events

How specific your regular expression matches are will depend on your requirements. The first two patterns match only the syslog priority field; the third also requires an RFC 3164-style timestamp (month, space-padded day, time) to follow it.

^<[0-9]+>
^<[0-9]{1,3}>

^<[0-9]+>(Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec) [1-9 ][0-9] [0-9][0-9]:[0-9][0-9]:[0-9][0-9] 


Search for events that contain a particular word (e.g. username)

Search for a whitespace character, followed by the text 'myword', followed by another whitespace character or an end-of-line marker. The surrounding whitespace is what stops 'myword' from matching inside a longer token such as 'mywords'.

\smyword(\s|$)
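The following is an added example, not part of the original page or the Snare product: it runs the hostname, syslog and word-match patterns quoted in the three sections above over a handful of constructed events so you can see which filter accepts which event before putting a pattern on a destination. It assumes the destination filter behaves like a Perl/Python-style regex search (the `^` and `$` anchors come from the patterns themselves); the event lines, filter names and the `forward_to_destination` helper are constructed for the example.

```python
import re

# Constructed sample events, not taken from the original page: three Snare
# agent events (hostname, tab, event body), two RFC 3164-style syslog lines
# and one near-miss ('mywords') that the word filter should reject.
SAMPLE_EVENTS = [
    "myhostname\tMSWinEventLog\t1\tSecurity\t4624\tLogon",
    "myhostname.mydomain\tMSWinEventLog\t1\tSecurity\t4624\tLogon",
    "otherhost\tMSWinEventLog\t1\tSecurity\t4624\tLogon",
    "<34>Oct 11 22:14:15 mymachine su: 'su root' failed for user1 on /dev/pts/8",
    "<13>Jan  5 03:07:09 host1 sshd[123]: Accepted password for myword from 10.0.0.1",
    "<13>Jan  5 03:07:09 host1 sshd[123]: Accepted password for mywords from 10.0.0.1",
]

# The regular expressions quoted on the page, keyed by a descriptive name
# (the names are ours, chosen for readability).
FILTERS = {
    "hostname_exact": r"^myhostname\t",
    "hostname_fqdn": r"^myhostname(\.mydomain)\t",
    "hostname_case": r"^([Mm]y[Hh]ostname|MYHOSTNAME)",
    "syslog_pri": r"^<[0-9]+>",
    "syslog_pri_3digit": r"^<[0-9]{1,3}>",
    "syslog_timestamp": r"^<[0-9]+>(Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)"
                        r" [1-9 ][0-9] [0-9][0-9]:[0-9][0-9]:[0-9][0-9] ",
    "word_myword": r"\smyword(\s|$)",
}


def compile_filters(filters):
    """Compile every pattern once; a malformed pattern fails here, not per event."""
    return {name: re.compile(pattern) for name, pattern in filters.items()}


def matching_filters(event, compiled):
    """Return the names of all filters whose pattern is found in the event.

    Search semantics are assumed: a pattern only anchors to the start or end
    of the event if it contains '^' or '$' itself, as the page's patterns do.
    """
    return [name for name, rx in compiled.items() if rx.search(event)]


def forward_to_destination(event, compiled, names):
    """True if any filter in the destination's list (names) matches the event."""
    hits = matching_filters(event, compiled)
    return any(name in hits for name in names)


if __name__ == "__main__":
    compiled = compile_filters(FILTERS)
    for ev in SAMPLE_EVENTS:
        print(f"{ev[:45]!r:50} -> {matching_filters(ev, compiled)}")
    # A destination that should only receive events from 'myhostname', with or
    # without its domain suffix, needs both hostname patterns.
    wanted = ["hostname_exact", "hostname_fqdn"]
    for ev in SAMPLE_EVENTS[:3]:
        print(f"forward {ev.split(chr(9))[0]!r}: {forward_to_destination(ev, compiled, wanted)}")
```

Running it shows the two points worth checking before deploying a filter: `^myhostname\t` does not accept the FQDN form and `^myhostname(\.mydomain)\t` does not accept the bare form, so a destination that must receive both needs both patterns (or an optional group); and `\smyword(\s|$)` matches the line containing `myword` but not the one containing `mywords`, while the plain `^<[0-9]+>` syslog filter accepts every syslog line regardless of content.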


...