
Retention Rules & Purge logs from Archiver

Question asked by Omar Garcia Gilio on Oct 4, 2019
Latest reply on Nov 12, 2019 by Sravan Kumar Koneti

Hello,


I need to filter the logs to be stored on Archiver. I need to discard any log from device IP 1.1.1.1 and any log from device type 'winevent_nic'; from device type 'winevent_snare' I just need to keep any log that starts with the word 'security'; and finally I need to keep all the rest of the logs.

So far I have these rules (in that order):


1 device.ip != 1.1.1.1
2 device.type != 'winevent_nic'
3 device.type = 'winevent_snare' && msg.id begins 'security'
default *


I wonder if that set of rules is going to work the way I want. Also, I need to purge logs older than 3 years from Archiver (from a specific IP device or device type).
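As an added example (not part of the original thread and not NetWitness code), this Python simulation applies the four rules above, in the order listed, to a few constructed log records. It assumes rules are evaluated top to bottom with the first match winning and `default *` as the catch-all; the field and rule names are taken from the post, the sample values are made up.

```python
"""Simulate ordered, first-match retention rules over constructed sample logs.

Assumption (not confirmed by the thread): rules are evaluated top to bottom,
the first rule whose condition is true claims the log, and 'default *' is the
catch-all for anything no earlier rule matched.
"""

# The four rules from the post, as (label, predicate) pairs.
RULES = [
    ("1 device.ip != 1.1.1.1",
     lambda e: e["device.ip"] != "1.1.1.1"),
    ("2 device.type != 'winevent_nic'",
     lambda e: e["device.type"] != "winevent_nic"),
    ("3 device.type = 'winevent_snare' && msg.id begins 'security'",
     lambda e: e["device.type"] == "winevent_snare"
               and e["msg.id"].startswith("security")),
    ("default *", lambda e: True),
]

# Constructed sample logs covering each case the post cares about.
SAMPLE_LOGS = [
    {"device.ip": "1.1.1.1",  "device.type": "rhlinux",        "msg.id": "sshd_login"},
    {"device.ip": "10.0.0.5", "device.type": "winevent_nic",   "msg.id": "application_1000"},
    {"device.ip": "10.0.0.6", "device.type": "winevent_snare", "msg.id": "security_4624"},
    {"device.ip": "10.0.0.6", "device.type": "winevent_snare", "msg.id": "system_7036"},
    {"device.ip": "10.0.0.7", "device.type": "ciscoasa",       "msg.id": "asa_106023"},
]


def first_match(event, rules=RULES):
    """Return the label of the first rule whose predicate accepts the event."""
    for label, predicate in rules:
        if predicate(event):
            return label
    return None  # unreachable while 'default *' is the last rule


def route_all(logs=SAMPLE_LOGS):
    """Pair every sample log with the rule that claims it under first-match."""
    return [(log["device.ip"], log["device.type"], log["msg.id"], first_match(log))
            for log in logs]


if __name__ == "__main__":
    for ip, dtype, mid, rule in route_all():
        print(f"{ip:9} {dtype:15} {mid:18} -> {rule}")
```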
