I tried searching for documentation on how to implement filters for directories (in fschange).
Could someone let me know where I could find documentation on this? The documentation page has an example to blacklist all the contents within a directory, but how about a particular directory?
Here is my Windows fschange implementation:
[filter:blacklist:pamping]
regex1=\*\ignore\* (tried c:\pamping\ignore\* didn't work)
[fschange:c:\pamping]
index = _audit
sourcetype = fschange
signedaudit = false
sendEventMaxSize = -1
recurse = true
disabled = false
pollPeriod = 60
filesPerDelay = 10
delayInMills = 100
followLinks = false
fullEvent = false
filters=pamping
The above filter which was set wasn't filtering events within the ignore directory. Am I applying the filter incorrectly?
Looks like your regex is incorrect. Try using the filter:
[filter:blacklist:pamping]
regex1 = .*ignore.*
Or, for your original path:
[filter:blacklist:pamping]
regex1 = c:\\pamping\\ignore\\.*
Keep in mind that when you are writing a regex, you have to use "\\" to match a single "\". And you have to use ".*" to mean match any character 0 or more times.
Your original regex of "\*\ignore\*" is literally interpreted as match a literal "*" followed by an "i" (I don't think that "\i" means anything in regex speak, so this is my best guess) followed by "gnore" followed by a literal "*"; which isn't at all what you want. For a general regex introduction and other helpful resources, check out: http://www.regular-expressions.info/
Yeah. You can use either a literal forward slash like "/", or if you are writing rules that can be used on either location, then I use [/\\], which will match a single forward slash for Unix, or a backslash for Windows. As far as the delete-parent stuff, I don't fully get how that works myself. If you keep getting them after your initial filter change, then I would suggest posting another question about it.
Thank you so much. Is this format specifically for Windows, or would it apply to Linux as well? For Linux I generally use the /Folder/Subfolder/* format, and it generally filters the data, but does a strange delete-parent, delete etc...
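To see why the original pattern drops nothing while the corrected ones work, and what the cross-platform [/\\] form from the second answer buys you, here is an added Python emulation of a blacklist filter run over constructed Windows and Linux paths. It is not code from the thread or from Splunk; it assumes (as an approximation) that the blacklist regex is applied with an unanchored search against the full path, and it also shows the caveat that a loose ".*ignore.*" drops any path merely containing that substring.

```python
import re

# Constructed sample paths, as fschange might report them; not from the original thread.
SAMPLE_PATHS = [
    r"c:\pamping\ignore\scratch.tmp",
    r"c:\pamping\ignore\sub\deeper.log",
    r"c:\pamping\keep\config.ini",
    r"c:\pamping\ignored_not.txt",      # contains "ignore" only as a substring
    "/pamping/ignore/scratch.tmp",
    "/pamping/keep/config.ini",
]

BROKEN = r"\*\ignore\*"                           # the poster's original regex1
LOOSE = r".*ignore.*"                             # first suggestion: matches any path with "ignore"
WINDOWS_ONLY = r"c:\\pamping\\ignore\\.*"         # second suggestion: one specific directory
CROSS_PLATFORM = r".*[/\\]pamping[/\\]ignore[/\\].*"  # [/\\] matches "/" or "\"


def compile_filter(regex):
    """Compile a blacklist regex; return None if it is not a valid pattern at all."""
    try:
        return re.compile(regex)
    except re.error:
        return None


def blacklisted(regex, path):
    """Assumed semantics: an event is dropped when the regex matches anywhere in the path."""
    pattern = compile_filter(regex)
    if pattern is None:
        return False            # an unusable filter drops nothing, which is what the poster saw
    return pattern.search(path) is not None


def apply_blacklist(regex, paths):
    """Return (kept, dropped): paths still indexed vs. paths the filter suppresses."""
    kept, dropped = [], []
    for p in paths:
        (dropped if blacklisted(regex, p) else kept).append(p)
    return kept, dropped


if __name__ == "__main__":
    for name, rx in [("BROKEN", BROKEN), ("LOOSE", LOOSE),
                     ("WINDOWS_ONLY", WINDOWS_ONLY), ("CROSS_PLATFORM", CROSS_PLATFORM)]:
        kept, dropped = apply_blacklist(rx, SAMPLE_PATHS)
        print(f"{name:15} drops {len(dropped)} of {len(SAMPLE_PATHS)}: {dropped}")
```

Note that the loose pattern also silently suppresses the "ignored_not.txt" audit event, so the path-specific or cross-platform form is the safer choice when the index is meant to be an audit trail.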