000037698 - RSA NetWitness Logs & Network: Regex usage for Event Filters in Log Collector

Document created by RSA Customer Support Employee on Jul 16, 2019

Article Content

Article Number: 000037698
Applies To: RSA Product Set: NetWitness Logs & Network
RSA Product/Service Type: Core Appliance, Collector
RSA Version/Condition: 10.6.X, 11.X
Platform: CentOS
O/S Version: 6, 7
 
Issue
The document Log Collection: Configure Event Filters for Log Collector gives step-by-step instructions for setting up Event Filters in Log Collector. However, the regex usage samples below may help when applying this configuration to multiple values, such as a range of IP addresses, rather than a single one.
 
Tasks
Use the steps below for a basic Event Filter configuration without regex.
  1. Navigate to the Log Collector -> Config -> Event Sources page.
  2. From the drop-down, choose the Collection type and Filter.
  3. Click + under the Filters section to enter a Name and Description, as in the sample below.
    [screenshot: filter1]
  4. Click + under the Filter Rules section to enter a Rule Description and Rule Conditions, as in the sample below.
    [screenshot: filter2]
  5. Then apply this filter configuration to a specific collection type by switching from Filter to Config in the drop-down. In this sample, the Syslog UDP config uses this Event Filter.
    [screenshot: filter3]

    This configuration stops logging from the single IP address 10.1.1.1.
Resolution
These steps outline the use of a more complex regex to drop events from a range of IP addresses instead of a single address.

Sample regex:
[screenshot: filter4]
The above regex stops logs from the source IP range 10.1.1.100-10.1.1.199.
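The article's own regex is in the screenshot above. As an added illustration that is not taken from the article, the Python below builds an anchored regex for the stated 10.1.1.100-10.1.1.199 range (and, more generally, for any contiguous last-octet range), then shows why the anchors matter: an unanchored pattern also matches a host in a different /8 such as 110.1.1.150. The sample addresses and function names are constructed for this example.

```python
import re

def octet_range_regex(lo, hi):
    """Regex alternation matching the decimal integers lo..hi (0-255, no leading zeros)."""
    if not 0 <= lo <= hi <= 255:
        raise ValueError("octet range must satisfy 0 <= lo <= hi <= 255")
    parts = []
    n = lo
    while n <= hi:
        # Take the widest decimal block (hundreds, tens, units) that starts at n and fits the range.
        for step in (100, 10, 1):
            if n % step == 0 and n + step - 1 <= hi and (step == 1 or n >= step):
                break
        if step == 100:
            parts.append(f"{n // 100}\\d\\d")
        elif step == 10:
            parts.append(f"{n // 10}\\d")
        else:
            parts.append(str(n))
        n += step
    return "(?:" + "|".join(parts) + ")"

def ip_range_regex(prefix, lo, hi):
    """Anchored regex for prefix.lo .. prefix.hi, e.g. ("10.1.1", 100, 199)."""
    return "^" + re.escape(prefix) + r"\." + octet_range_regex(lo, hi) + "$"

def should_drop(source_ip, pattern):
    """True when the filter pattern matches the source IP (re.search, like a 'contains' rule)."""
    return re.search(pattern, source_ip) is not None

# Constructed sample source addresses (not from the article); 110.1.1.150 is in a different /8.
SAMPLE_IPS = ["10.1.1.99", "10.1.1.100", "10.1.1.150", "10.1.1.199", "10.1.1.200", "110.1.1.150"]

# Loose pattern without anchors: it matches anywhere inside the string.
UNANCHORED = r"10\.1\.1\.1\d\d"

def compare(anchored, unanchored):
    """Map each sample IP to (dropped by anchored pattern?, dropped by unanchored pattern?)."""
    return {ip: (should_drop(ip, anchored), should_drop(ip, unanchored)) for ip in SAMPLE_IPS}

if __name__ == "__main__":
    pattern = ip_range_regex("10.1.1", 100, 199)
    print("anchored pattern:", pattern)
    for ip, (a, u) in compare(pattern, UNANCHORED).items():
        print(f"{ip:>12}  anchored={a!s:5}  unanchored={u}")
    print("37-211 ->", octet_range_regex(37, 211))
```

Only the first-octet mismatch is shown here; the same anchoring check applies if the rule is matched against the raw message text rather than a parsed address field.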

More details on regex usage for IP ranges are given in Interpreting Regex for IP range.
