I’m looking for a quick pointer (struggling to find an example) of a pipeline rule which will keep any received message which contains the string “NAT Mapping” and drop everything else.
I have used extractors to sort messages (example below) and have the field "msg":
id=firewall sn=C0EAEXXXXXX time="2019-10-22 11:52:53" fw=XXX.XXX.XXX.X pri=5 c=0 m=1197 msg="NAT Mapping" n=6546585 src=192.168.XXX.41:44460:X4-V130 dst=XX;XXX:XXX:X:8736:X1 proto=udp/1813 note="Source: XX:XXX:XXX:XXX, 31733, Destination: XXX:XX:XX:XX, 1813, Protocol: 17" rule="286 (Managed->WAN)" fw_action="NA"
Not sure if I'm anywhere near on the right track here, but I think I want the inverse of the rule below…
rule "Drop NAT Mapping"
when
  // match the extracted msg field, ignoring case
  contains(to_string($message.msg), "NAT Mapping", true)
then
  drop_message();
end
Any help would be greatly appreciated.
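The inverse rule described above, written out as an added example (not code from the original post). It assumes the extractor has already populated `msg` on the message, and that the rule is attached to a pipeline stage connected to the stream the firewall logs arrive on.

```graylog
rule "Keep only NAT Mapping"
when
  // to_string() yields "" when msg is absent, so messages without the
  // field also fail the contains() check and are dropped, which is the
  // intended "drop everything else" behaviour.
  ! contains(to_string($message.msg), "NAT Mapping", true)
then
  drop_message();
end
```

Test it against a stream that also carries non-firewall messages before relying on it, since anything without a matching `msg` field will be dropped as well.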