I need to filter logs to be stored on Archiver. I need to discard any log from device IP 220.127.116.11 and any log from device type 'winevent_nic'; from the device type 'winevent_snare' I just need to keep any log that starts with the word 'security', and finally keep all the rest of the logs.
So far I have these rules (in this order):
1. device.ip != 18.104.22.168
2. device.type != 'winevent_nic'
3. device.type = 'winevent_snare' && msg.id begins 'security'
I wonder if that set of rules is going to work the way I want. Also, I need to purge logs older than 3 years from Archiver (from a specific device IP or device type).
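A dry-run evaluator for the intended policy described in the question, added here as an illustration and not Archiver's own rule engine: it encodes the discard/keep decisions in the stated order plus the 3-year retention check, and runs them over constructed sample events so the outcome of each rule can be verified before the rules are committed. The device IP is taken from the first sentence of the question; the case-insensitive 'security' prefix match, the 365-day year and the sample events are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
@dataclass(frozen=True)
class LogEvent:
    device_ip: str
    device_type: str
    msg_id: str
    timestamp: datetime

DISCARD_IP = "220.127.116.11"        # device IP named in the question
RETENTION = timedelta(days=3 * 365)  # "older than 3 years" (assumed 365-day years)
def should_archive(ev):
    """Intended archive policy, checked in the order the question states it."""
    if ev.device_ip == DISCARD_IP:
        return False
    if ev.device_type == "winevent_nic":
        return False
    if ev.device_type == "winevent_snare":
        # Only Snare events whose message id begins with 'security' survive.
        # Case-insensitive match is an assumption (Windows labels the log "Security").
        return ev.msg_id.lower().startswith("security")
    return True  # everything else is archived
def is_purge_candidate(ev, now, purge_ips=(), purge_types=()):
    """Older than the retention window AND from a selected IP or device type."""
    expired = (now - ev.timestamp) > RETENTION
    selected = ev.device_ip in purge_ips or ev.device_type in purge_types
    return expired and selected
def apply_policy(events, now, purge_ips=(), purge_types=()):
    """Dry run: split a batch into (archived, discarded, purged) lists for review."""
    archived, discarded, purged = [], [], []
    for ev in events:
        if not should_archive(ev):
            discarded.append(ev)
        elif is_purge_candidate(ev, now, purge_ips, purge_types):
            purged.append(ev)
        else:
            archived.append(ev)
    return archived, discarded, purged

# Constructed sample events for the dry run (not real log data).
NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)
SAMPLE = [
    LogEvent("220.127.116.11", "rhlinux", "sshd:session", NOW),     # discarded: IP
    LogEvent("10.0.0.5", "winevent_nic", "4624", NOW),             # discarded: type
    LogEvent("10.0.0.6", "winevent_snare", "Security:4625", NOW),  # archived
    LogEvent("10.0.0.6", "winevent_snare", "System:7036", NOW),    # discarded
    LogEvent("10.0.0.7", "ciscoasa", "106023", NOW),               # archived
    LogEvent("10.0.0.7", "ciscoasa", "106023", NOW - timedelta(days=1200)),  # purged
]
```

Running `apply_policy(SAMPLE, NOW, purge_types=("ciscoasa",))` shows which sample events each rule catches; the fourth event is the one to watch, since whether Archiver drops non-security Snare events by default depends on how its rule engine treats events that match no keep rule.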