Log Files Filters
Filtering events is accomplished via the audit policy capability. Any number of audit policies may be specified; they are displayed within the Log Filter Configuration window [previously referred to as Objectives Configuration]. Each audit policy provides a high level of control over which events are selected and reported. Events are selected using specific log filters. A default log filter is defined to ensure that events are captured and then passed directly to the configured network destination.
Click Add to add a log filter, or Modify to edit an existing log filter.
The following parameters of the audit policy may be set:
- Select the Match Type. Entries matching the General Search Term may be included or excluded depending on the option selected. All entries are included by default.
- General Search Term. Used to perform a case-insensitive search against each log entry collected; the wildcards '*' (any run of characters) and '?' (a single character) are supported.
- Regular Expression. If this checkbox is selected, the search string is treated as a Perl Compatible Regular Expression. This allows more powerful and refined text matching and more targeted audit policies, supporting sophisticated forensic analysis and reporting, particularly when small details get lost in noisy log environments. Some common useful regular expressions include:
Event contains email address:
([a-z0-9_\.-]+)@([\da-z\.-]+)\.([a-z\.]{2,6})
Event contains URL:
(https?:\/\/)?([\da-z\.-]+)\.([a-z\.]{2,6})([\/\w \.-]*)*\/?
Event contains IP address:
(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)
Event contains hex-numbers:
#?([a-f0-9]{6}|[a-f0-9]{3})
- Select the Alert Level. A criticality level may be assigned so that the Snare user can designate audit events to their most pressing business security audit policies and quickly identify the level of importance via the criticality options in the drop-down list. The Latest Events page will highlight the event in the Snare criticality colour assigned to your audit policy. The user can choose the criticality level depending on the destination the event is being sent to. There are options to assign a criticality for each destination based on the format: Snare, Syslog, CEF or LEEF. Each of these criticalities is then assigned to the event. When sending to a destination, the criticality specific to that destination type (i.e. Snare, Syslog, CEF or LEEF) is assigned to the final event string.
- Snare - Critical, Priority, Warning, Information, Clear
- Syslog - Emergency, Alert, Critical, Error, Warning, Notice, Info, Debug
- CEF - 0 - 10, 0 is least severe and 10 is most severe.
- LEEF - 1 - 10, 1 is least severe and 10 is most severe.
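The following example, added here and not part of the Snare documentation or product code, models how the Match Type, General Search Term and Regular Expression options above combine into one policy and runs it over constructed sample log entries; it assumes the case-insensitive search also applies in regex mode, and adds a stricter IP pattern (IPV4_STRICT_RE, not from the page) to show that the unanchored IP expression also fires on a slice of a longer digit run.

```python
import re

# The four patterns listed above (the email one with its parentheses balanced).
EMAIL_RE = r"([a-z0-9_\.-]+)@([\da-z\.-]+)\.([a-z\.]{2,6})"
URL_RE = r"(https?:\/\/)?([\da-z\.-]+)\.([a-z\.]{2,6})([\/\w \.-]*)*\/?"
IPV4_RE = (r"(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}"
           r"(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)")
HEX_RE = r"#?([a-f0-9]{6}|[a-f0-9]{3})"
# Tighter variant (added here, not from the page): reject a dotted quad that is
# really a slice of a longer digit run such as 1234.5.6.789.
IPV4_STRICT_RE = r"(?<![\d.])" + IPV4_RE + r"(?![\d.])"

# Constructed sample entries standing in for collected log lines.
SAMPLE_LOG = [
    "Logon failure for user Alice.Smith@example.com from 10.0.0.23",
    "Service httpd started on 192.168.1.10",
    "Firewall drop from 1234.5.6.789 to port 443",
    "Scheduled task backup completed",
]


def wildcard_to_regex(term):
    """Translate a General Search Term: '*' = any run of characters, '?' = one character."""
    return re.escape(term).replace(r"\*", ".*").replace(r"\?", ".")


def make_filter(term, regex=False, include=True):
    """Predicate for one audit policy: search term, Regular Expression checkbox and
    Match Type (include = keep matching entries, exclude = keep non-matching ones).
    Assumption: the case-insensitive search applies in regex mode as well."""
    compiled = re.compile(term if regex else wildcard_to_regex(term), re.IGNORECASE)
    return lambda line: bool(compiled.search(line)) == include


def apply_policy(lines, term, regex=False, include=True):
    """Run one policy over a batch of log entries and return those that pass."""
    keep = make_filter(term, regex, include)
    return [line for line in lines if keep(line)]


if __name__ == "__main__":
    print(apply_policy(SAMPLE_LOG, "*logon*"))                  # wildcard, case-insensitive
    print(apply_policy(SAMPLE_LOG, EMAIL_RE, regex=True))       # regex policy
    print(apply_policy(SAMPLE_LOG, IPV4_RE, regex=True))        # also keeps the 1234.5.6.789 line
    print(apply_policy(SAMPLE_LOG, IPV4_STRICT_RE, regex=True))  # drops it
    print(apply_policy(SAMPLE_LOG, "*backup*", include=False))  # exclude policy
```

When a policy feeds an alert level, the strict variant keeps the loose pattern's false positive out of the criticality-coloured Latest Events view.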
To save the changes to the above settings and ensure the registry has received the new configuration, perform the following:
- Click on Change Configuration to save any changes to the registry.
- Click on the Apply Configuration & Restart Service menu item.
Alternatively, the service may be restarted via the Windows services control panel.
To discard unsaved changes and return the form to its previous state, click Reset Form.