I need to receive only events with action=blocked from the forwarders.
My logs are:
Aug 18 12:56:13 192.168.X.X date=2018-08-18 time=12:50:36 devname="XXX" logid="0001000014" type="traffic" subtype="local" level="notice" vd="root" eventtime=1534580436 srcip=192.168.x.x srcname="SPLUNK" srcport=138 srcintf="internal" srcintfrole="lan" dstip=192.168.x.x dstport=138 dstintf=unknown-0 dstintfrole="undefined" sessionid=76899473 proto=17 action="deny" policyid=0 policytype="local-in-policy" service="udp/138" dstcountry="Reserved"
I configured my props.conf:
[host::192.168.X.X]
TRANSFORMS-null= setnull,setparsing
and transforms.conf:
[setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue
[setparsing]
# the key sits mid-line and the value is quoted, so no ^ anchor and quotes included
REGEX = action="blocked"
DEST_KEY = queue
FORMAT = indexQueue
But when I do this, the forwarder doesn't receive any logs from my device. Can you tell me where my mistake is?
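As an added illustration (example code, not from the post above or from Splunk), the script below emulates how Splunk evaluates a TRANSFORMS-* list for queue routing: every stanza whose REGEX matches sets DEST_KEY=queue, so the last matching stanza wins, and it contrasts the original `(?m)^action=(blocked)` with `action="blocked"` on constructed FortiGate-style events. It assumes the stanzas run where parsing happens (a heavy forwarder or indexer; a universal forwarder does not apply them).

```python
import re

# Constructed sample events in the FortiGate key=value style of the post (not real device data).
SAMPLE_EVENTS = [
    'Aug 18 12:56:13 192.168.0.10 date=2018-08-18 time=12:50:36 devname="fw-constructed" '
    'type="traffic" subtype="local" action="deny" policyid=0 service="udp/138"',
    'Aug 18 12:56:14 192.168.0.10 date=2018-08-18 time=12:50:37 devname="fw-constructed" '
    'type="utm" subtype="webfilter" action="blocked" policyid=3 service="HTTPS"',
    'Aug 18 12:56:15 192.168.0.10 date=2018-08-18 time=12:50:38 devname="fw-constructed" '
    'type="traffic" subtype="forward" action="accept" policyid=5 service="DNS"',
]

# Stanzas as (name, REGEX, FORMAT) in the order props.conf lists them: setnull, setparsing.
ORIGINAL_TRANSFORMS = [
    ("setnull", r".", "nullQueue"),
    ("setparsing", r"(?m)^action=(blocked)", "indexQueue"),  # anchored and unquoted: never matches
]
FIXED_TRANSFORMS = [
    ("setnull", r".", "nullQueue"),
    ("setparsing", r'action="blocked"', "indexQueue"),  # matches the key anywhere in the event
]


def route_event(event, transforms):
    """Return the queue an event ends up in.

    Each matching stanza rewrites the queue key, so the last stanza in the
    list whose REGEX matches decides; with no match the default is indexQueue.
    """
    queue = "indexQueue"
    for _name, regex, fmt in transforms:
        if re.search(regex, event):
            queue = fmt
    return queue


def indexed_events(events, transforms):
    """Events that survive the null-queue filter and reach the indexer."""
    return [e for e in events if route_event(e, transforms) == "indexQueue"]


if __name__ == "__main__":
    print("original:", len(indexed_events(SAMPLE_EVENTS, ORIGINAL_TRANSFORMS)), "event(s) indexed")
    print("fixed:   ", len(indexed_events(SAMPLE_EVENTS, FIXED_TRANSFORMS)), "event(s) indexed")
```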