Pipeline rules to drop unnecessary messages


(Evgeny) #1

Hi all,
Could you help me write a rule to drop unnecessary messages before they are written into indexes?
I have messages like the following:

full_message

<164>Feb 09 2018 14:48:02 fwmain: %ASA: Deny tcp src inside:xxx.xxx.xxx.xx/9372 dst outside:xxx.xxx.xxx.xxx/445 by access-group "acl_in" [0x0, 0x0]

message

Feb 09 2018 14:48:02  fwmain: %ASA: Deny tcp src inside:xxx.xxx.xxx.xxx/9372 dst outside:xxx.xxx.xxx.xxx/445 by access-group "acl_in" [0x0, 0x0]
source

How can I drop messages by matching the phrase "Deny tcp src inside"?
I tried to use the following rule, but it doesn't work.

rule "Drop unnecessary messages"
when
    $message.message == "Deny tcp src inside"
then
    drop_message();
end

(Jochen) #2

Take a look at the contains() function.
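
A working version of the rule from post #1, written with contains(), as an added example rather than code from the thread. It assumes the standard Graylog pipeline functions has_field(), to_string() and contains() with their documented signatures, and it narrows the match to denies toward port 445 seen in the sample line instead of dropping every deny the firewall reports.

```graylog
// Added example, not from the thread: drop Cisco ASA deny lines with contains().
// Assumes the standard Graylog pipeline functions has_field(), to_string() and contains().
rule "Drop unnecessary messages"
when
    // Skip messages that carry no "message" field at all.
    has_field("message") &&
    // Case-insensitive substring match. The original rule used ==, which tests the
    // whole field for equality and can never match a longer log line.
    contains(to_string($message.message), "Deny tcp src inside", true) &&
    // Narrow the match to denies toward port 445 so other deny events are kept.
    contains(to_string($message.message), "/445 by access-group", true)
then
    drop_message();
end
```

Attach the rule to a stage of a pipeline that is connected to the stream carrying the ASA logs, and check it with the rule simulator against the sample line before enabling it. Firewall deny events are often exactly what a detection team needs (blocked SMB connections are a common sign of scanning or lateral movement), so keep the match as narrow as possible, or route these messages to a stream with a short-retention index set rather than discarding them outright.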


(Evgeny) #3

Thank you. Indeed, the contains() function is exactly what I need.


(system) #4

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.