Stream Rule Creation

I have a simple case here. I want a specific log event to be added to my Stream. The messages exist and I can use search query in All Messages and it pulls up fine. I’m having a difficult time getting it to pipe into my new stream.

when logdesc == “Compromised host detected”, add to stream

My questions:
Can I use logdesc → matches exactly → for a string that has white spaces?
If so, Do I need quotes around the string?
Do I have to use regular expression even though the sentence will never change?
If so, What would that look like?

These events do occur several times per day. I realize a stream will not show you data before the stream was created, but it should have picked up a few and it isn’t.

Thanks for your help.

We have Fortigate firewalls also. What I did was create an extractor using Regular expression.
Here is an example:

[Screenshot: View from INPUT]

[Screenshot: View message from Global search]

Then I created a stream (or you can add that field to an existing stream).

[Screenshot: Global Search]

Hope that helps


As for using a pipeline to send that message to a stream, maybe something like this, using my example from above. Either way should work.

[Screenshot: Rule "Route to stream"]
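For readers who cannot see the screenshot, a pipeline rule of that shape would look like the following. This is an added illustration, not the poster's own rule; the stream name "Compromised hosts" is an assumption, and the `logdesc` field value is the one from the original question.

```text
rule "Route to stream"
when
    // guard first: messages without the field should not match
    has_field("logdesc") &&
    // plain string comparison is exact, so the spaces in the value
    // do not need a regular expression
    to_string($message.logdesc) == "Compromised host detected"
then
    // stream name is assumed; it must already exist in Graylog
    route_to_stream(name: "Compromised hosts");
end
```

The rule only runs if it is added to a stage of a pipeline that is connected to the stream the messages arrive in (for example the default "All messages" stream). The `==` comparison is an exact match, including white space, so a regex is only needed if the text varies; in that case the same condition can be written as `regex("^Compromised host detected$", to_string($message.logdesc)).matches`.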

Thanks for trying to help. I’m not even sure where I’d write that code. I’m just trying to get a simple string rule setup in a Stream using the rule interface.

This should work and it doesn't. If I remove this rule and just leave the rule that asks if this is Fortigate, this stream gets populated. I don't know if it's the quotes, or if this cannot match exactly with white space.

Thanks for the help.

Hey thanks for your help. Please disregard my previous reply. I discovered it’s working with the quotes in the string. I got confused because clicking on the stream showed 0 messages per second, which would be correct as we only get about 100 in 24 hours. The stream populated with valid data.

I will definitely try to work with your first example and practice making extractors.

