How to tell what is in CONTENT Field
I have read the correlation rules document and it says:
Note: The value of the [CONTENT] variable in the Set Statement Filter Window is the same as the value of payload.
I am looking at Windows messages and almost none of the messages in the XML have a !payload variable used. Does this mean that the entire "content=" part of the message goes into [CONTENT]?
Is there a way to see what is actually in [CONTENT] so that I can write an appropriate regex?
The <!payload> marker is only found in the content parameter of the HEADER tags, so you will never see it in a MESSAGE tag.
The [CONTENT] option in the filter drop-downs represents the remaining payload of the log event, i.e. the point where the <!payload> marker defined the MESSAGE tag to begin.
I found that overall, the absolute best way to get some transparency into what goes into each field (as it shows in the XML) is to use the ESI tool. Select the XML for the device you are writing an alert for, use some of your test data, and it will show you exactly how it will parse and what goes into each field.
The overall confusion for me seems to be the way that the variables in the XML don't always seem to clearly correspond to column names in a report and field names in an alert.
You are right, and that is because the variable name can be different from the "Display Name".
You can check the manage variables under System Configuration or you can check the table files in:
The second field is the Display Name for the field in the table.
Hopefully, this helps.