I need to filter out some events on the heavy forwarder. I know how to do this but I need some help with the regex.
If dstip=123.123.123.123 and dstport=514 and rule_name not ="this is my rule"
drop the events.
These are the events I want to see:
Jan 31 04:09:39 gwz auditd: date="2012-01-31 09:09:39 +0000",fac=f_kernel_ipfilter,area=z_general_area,type=t_nettraffic,pri=p_major,hostname=abc.cbs.com,event="session end",app_risk=low,app_categories=infrastructure,netsessid=54c044f265c90,srcip=123.15.3.19,srcport=41868,srczone=internal,protocol=17,dstip=123.123.123.123,dstport=514,dstzone=dmz,bytes_written_to_client=0,bytes_written_to_server=136491133,rule_name="this is my rule",cache_hit=0,start_time="2012-01-30 09:02:08 +0000",application=Syslog
I did something similar for someone else on here today, and for you I think something like this would work:
props.conf
[yoursourcetype]
TRANSFORMS-null = setnull
transforms.conf
[setnull]
# Escape the dots in the IP (an unescaped "." matches any character) and use a
# negative lookahead so only events whose rule_name is NOT "this is my rule"
# match; matched events are routed to nullQueue and discarded.
REGEX = dstip=123\.123\.123\.123,dstport=514,.+,rule_name="(?!this is my rule")
DEST_KEY = queue
FORMAT = nullQueue
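As an added example (not part of the answer above and not Splunk code), here is a small Python harness that applies the same regex to constructed auditd-style events so the pattern can be checked before it goes onto the heavy forwarder. It also shows why the dots in the IP need escaping; `make_event` and the sample values are assumptions built from the event in the question.

```python
import re

# Same pattern as the [setnull] stanza: escaped dots, and a negative lookahead so
# that only events whose rule_name is NOT "this is my rule" match. In Splunk a
# match means DEST_KEY=queue / FORMAT=nullQueue, i.e. the event is dropped.
SETNULL_REGEX = re.compile(
    r'dstip=123\.123\.123\.123,dstport=514,.+,rule_name="(?!this is my rule")'
)

# Same pattern with unescaped dots, kept only to show the difference: "." matches
# any character, so other strings shaped like the IP would also be dropped.
UNESCAPED_REGEX = re.compile(
    r'dstip=123.123.123.123,dstport=514,.+,rule_name="(?!this is my rule")'
)


def make_event(dstip: str, dstport: int, rule_name: str) -> str:
    """Build a constructed event in the layout of the question's sample."""
    return (
        'Jan 31 04:09:39 gwz auditd: date="2012-01-31 09:09:39 +0000",'
        'fac=f_kernel_ipfilter,type=t_nettraffic,srcip=123.15.3.19,'
        f'srcport=41868,protocol=17,dstip={dstip},dstport={dstport},'
        f'dstzone=dmz,bytes_written_to_client=0,rule_name="{rule_name}",'
        'cache_hit=0'
    )


def route_event(event: str, regex: re.Pattern = SETNULL_REGEX) -> str:
    """Return the queue the transform would send the event to.

    A regex match routes the event to nullQueue (discarded); otherwise it
    continues to indexQueue, the default destination.
    """
    return "nullQueue" if regex.search(event) else "indexQueue"


if __name__ == "__main__":
    samples = [
        ("keep: wanted rule", make_event("123.123.123.123", 514, "this is my rule")),
        ("drop: other rule", make_event("123.123.123.123", 514, "other rule")),
        ("keep: other port", make_event("123.123.123.123", 22, "other rule")),
        ("keep: not the IP", make_event("123x123x123x123", 514, "other rule")),
    ]
    for label, ev in samples:
        print(f"{label:18} escaped={route_event(ev):10} "
              f"unescaped={route_event(ev, UNESCAPED_REGEX)}")
```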
Well, what does the event you're trying to filter look like? The example you provided seems to refer just to field names, not to actual event text.