I have a simple case here. I want a specific log event to be added to my Stream. The messages exist and I can use search query in All Messages and it pulls up fine. I’m having a difficult time getting it to pipe into my new stream.
when logdesc == “Compromised host detected”, add to stream
My question:
Can I use logdesc → matches exactly → for a string that has white spaces?
If so, do I need quotes around the string?
OR
Do I have to use a regular expression even though the sentence will never change?
If so, what would that look like?
These events do occur several times per day. I realize a stream will not show you data before the stream was created, but it should have picked up a few and it isn’t.
Thanks for trying to help. I’m not even sure where I’d write that code. I’m just trying to get a simple string rule set up in a Stream using the rule interface.
This should work and it doesn’t. If I remove this rule and just leave the rule that asks whether this is FortiGate, this stream gets populated. I don’t know if it’s the quotes, or if this cannot match exactly with white space.
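To make the "match exactly" versus "regular expression" question concrete, here is an added example (not code from the thread or from Graylog itself) that models stream-rule semantics in plain Python. It assumes FortiGate-style key=value log lines, constructed here as sample input, and that the rule engine compares the whole field value: an exact rule compares the full string including its spaces, while a regex rule only behaves the same way if the pattern is anchored and any special characters are escaped.

```python
import re

# Constructed FortiGate-style sample lines (not taken from the page's system).
SAMPLE_LOGS = [
    'date=2024-01-01 time=10:00:00 devname="fw1" logdesc="Compromised host detected" srcip=10.0.0.5',
    'date=2024-01-01 time=10:01:00 devname="fw1" logdesc="Admin login successful" user="admin"',
    'date=2024-01-01 time=10:02:00 devname="fw1" logdesc="Compromised host detected by IOC" srcip=10.0.0.9',
    'date=2024-01-01 time=10:03:00 devname="sw1" type=event subtype=system',
]

# key=value pairs; quoted values may contain spaces, unquoted values run to whitespace.
KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_kv(line):
    """Extract key=value fields from one log line into a dict."""
    fields = {}
    for m in KV_RE.finditer(line):
        key = m.group(1)
        # group 3 is the inside of a quoted value, group 4 an unquoted value
        fields[key] = m.group(3) if m.group(3) is not None else m.group(4)
    return fields


def rule_match_exactly(fields, field, value):
    """'match exactly' rule: whole-value comparison, whitespace included.
    The value is compared literally, so spaces need no quoting or escaping."""
    return fields.get(field) == value


def rule_match_regex(fields, field, pattern):
    """'match regular expression' rule, anchored to the whole value with
    re.fullmatch so a longer description that merely starts with the same
    words does not slip into the stream."""
    value = fields.get(field)
    return value is not None and re.fullmatch(pattern, value) is not None


def rule_search_regex(fields, field, pattern):
    """Unanchored variant, shown only to make the difference visible:
    re.search accepts any value that *contains* the pattern."""
    value = fields.get(field)
    return value is not None and re.search(pattern, value) is not None


def route_to_stream(lines, rules):
    """Return the parsed messages for which every rule holds (AND semantics,
    like a stream configured with several rules). A missing field simply
    fails the rule instead of raising."""
    routed = []
    for line in lines:
        fields = parse_kv(line)
        if all(rule(fields) for rule in rules):
            routed.append(fields)
    return routed


def compromised_host_exact(lines):
    return route_to_stream(
        lines, [lambda f: rule_match_exactly(f, "logdesc", "Compromised host detected")]
    )


def compromised_host_regex(lines):
    # re.escape turns the literal sentence into a safe pattern; fullmatch anchors it.
    pattern = re.escape("Compromised host detected")
    return route_to_stream(lines, [lambda f: rule_match_regex(f, "logdesc", pattern)])


def compromised_host_unanchored(lines):
    return route_to_stream(
        lines, [lambda f: rule_search_regex(f, "logdesc", "Compromised host detected")]
    )


def compromised_host_on_fw1(lines):
    # Two rules combined, mirroring a stream that first checks the device type.
    return route_to_stream(
        lines,
        [
            lambda f: rule_match_exactly(f, "devname", "fw1"),
            lambda f: rule_match_exactly(f, "logdesc", "Compromised host detected"),
        ],
    )


if __name__ == "__main__":
    for name, fn in [
        ("exact", compromised_host_exact),
        ("anchored regex", compromised_host_regex),
        ("unanchored regex", compromised_host_unanchored),
        ("fw1 + exact", compromised_host_on_fw1),
    ]:
        hits = fn(SAMPLE_LOGS)
        print(f"{name}: {len(hits)} message(s) -> {[h['logdesc'] for h in hits]}")
```

The exact rule and the anchored regex both route exactly one of the four sample lines; the unanchored regex also pulls in the "Compromised host detected by IOC" line, which is the kind of over-matching to watch for when a regex is used where an exact string would do.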
Hey thanks for your help. Please disregard my previous reply. I discovered it’s working with the quotes in the string. I got confused because clicking on the stream showed 0 messages per second, which would be correct as we only get about 100 in 24 hours. The stream populated with valid data.
I will definitely try to work with your first example and practice making extractors.