Hi all,
Could you help me write a rule to drop unnecessary messages before they are written into indexes?
I have messages like the following:
full_message: <164>Feb 09 2018 14:48:02 fwmain: %ASA: Deny tcp src inside:xxx.xxx.xxx.xx/9372 dst outside:xxx.xxx.xxx.xxx/445 by access-group "acl_in" [0x0, 0x0]
message: Feb 09 2018 14:48:02 fwmain: %ASA: Deny tcp src inside:xxx.xxx.xxx.xxx/9372 dst outside:xxx.xxx.xxx.xxx/445 by access-group "acl_in" [0x0, 0x0]
source:
How can I drop messages that match the phrase "Deny tcp src inside"?
I tried to use the following rule, but it doesn't work:
rule "Drop unnecessary messages"
when
    $message.message == "Deny tcp src inside"
then
    drop_message();
end
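An added example (not from the original post) of how such a rule is usually written in the Graylog pipeline rule language: `==` only fires on an exact, whole-field match, so a substring test with `contains()` is needed for a phrase that sits in the middle of the message. The rule name and the narrowed phrase (including the `%ASA` and `outside:` parts, so that only inside-to-outside TCP denies from this ASA are dropped) are assumptions; since ACL denies are a common detection signal for scanning, keep the match as narrow as the use case allows.

```graylog
// Added example: drop only ASA inside-to-outside TCP denies before they reach an index.
rule "Drop ASA inside-to-outside TCP denies"
when
    // has_field guards against messages where the field is missing;
    // to_string makes the comparison safe if the field is not already a string.
    has_field("message") &&
    contains(to_string($message.message), "%ASA: Deny tcp src inside") &&
    contains(to_string($message.message), "dst outside:")
then
    drop_message();
end
```

The rule must be attached to a pipeline stage that is connected to the stream the ASA messages arrive on, otherwise it is never evaluated.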