<patterns> element
Description: An element containing the patterns of the rule. If a <patterns> element contains multiple <pattern> elements, the class of the <rule> is assigned to every syslog message matching any of the patterns.
Attributes: N/A
Children:
  pattern: A pattern describing a log message. This element is also called message pattern. For example:
    <pattern>+ ??? root-</pattern>
  NOTE: Support for XML entities is limited: you can use only the following entities: &amp; &lt; &gt; &quot; &apos;. User-defined entities are not supported.
  description: OPTIONAL — A description of the pattern or the log message matching the pattern.
Example:
  <patterns>
    <pattern>Accepted @QSTRING:SSH.AUTH_METHOD: @ for@QSTRING:SSH_USERNAME: @from\ @QSTRING:SSH_CLIENT_ADDRESS: @port @NUMBER:SSH_PORT_NUMBER:@ ssh2</pattern>
  </patterns>
<urls> element
Description: OPTIONAL — An element containing one or more URLs referring to further information about the patterns or the matching log messages.
Attributes: N/A
Children:
  url: OPTIONAL — A URL referring to further information about the patterns or the matching log messages.
Example: N/A
<values> element
Description: OPTIONAL — Name-value pairs that are assigned to messages matching the patterns, for example, the representation of the event in the message according to the Common Event Format (CEF) or Common Event Exchange (CEE). The names can be used as macros to reference the assigned values.
Attributes: N/A
Children:
  value: OPTIONAL — Contains the value of the name-value pair that is assigned to the message.
  The <value> element of name-value pairs can include template functions. For details, see Using template functions; for examples, see if.
  When used together with message correlation, the <value> element of name-value pairs can include references to the values of earlier messages from the same context. For details, see Correlating log messages using pattern databases.
  name: The name of the name-value pair. It can also be used as a macro to reference the assigned value.
Example:
  <values>
    <value name=".classifier.outcome">/Success</value>
  </values>
<examples> element
Description: OPTIONAL — A container element for sample log messages that should be recognized by the pattern. These messages can also be used to test the patterns and the parsers.
Attributes: N/A
Example:
  <examples>
    <example>
      <test_message>Accepted password for sampleuser from 10.50.0.247 port 42156 ssh2</test_message>
      <test_values>
        <test_value name="SSH.AUTH_METHOD">password</test_value>
        <test_value name="SSH_USERNAME">sampleuser</test_value>
        <test_value name="SSH_CLIENT_ADDRESS">10.50.0.247</test_value>
        <test_value name="SSH_PORT_NUMBER">42156</test_value>
      </test_values>
    </example>
  </examples>
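As an added example, not part of this reference and not syslog-ng's own pdbtool, the Python script below lints a rule fragment for two constraints described above: it rejects entity references other than the five supported ones, and it checks that every <test_value> name in <examples> is produced by a parser (@PARSER:name:...@) in one of the patterns. The wrapping <rule> element's provider and id attributes are assumptions with placeholder values.

```python
import re
import xml.etree.ElementTree as ET

# Only these predefined entities are accepted in a pattern database.
ALLOWED_ENTITIES = {"amp", "lt", "gt", "quot", "apos"}
# A parser reference looks like @PARSER:name:parameter@; name and parameter are optional.
PARSER_RE = re.compile(r"@([A-Z]+)(?::([^:@]*))?(?::([^@]*))?@")

def find_bad_entities(xml_text):
    """Return named entity references that are not among the five allowed ones."""
    refs = re.findall(r"&([A-Za-z_][\w.-]*);", xml_text)
    return sorted({e for e in refs if e not in ALLOWED_ENTITIES})
def parser_names(pattern):
    """Collect the value names a message pattern extracts (group 2 of PARSER_RE)."""
    return {m.group(2) for m in PARSER_RE.finditer(pattern) if m.group(2)}
def lint_rule(xml_text):
    """Return a list of problems; an empty list means the fragment is consistent."""
    problems = [f"unsupported entity &{e};" for e in find_bad_entities(xml_text)]
    if problems:
        return problems  # the XML parser would reject these before syslog-ng sees them
    rule = ET.fromstring(xml_text)
    names = set()
    for pat in rule.iter("pattern"):
        names |= parser_names(pat.text or "")
    for tv in rule.iter("test_value"):  # each expected value needs a parser producing it
        if tv.get("name") not in names:
            problems.append(f"test_value {tv.get('name')!r} matches no parser")
    return problems

# Constructed fragment reusing the <patterns>, <values> and <examples> shown on this
# page; the <rule> attributes (provider, id, class) are assumptions with placeholder values.
SSH_RULE = r"""<rule provider="example" id="PLACEHOLDER-ID" class="system">
  <patterns>
    <pattern>Accepted @QSTRING:SSH.AUTH_METHOD: @ for@QSTRING:SSH_USERNAME: @from\ @QSTRING:SSH_CLIENT_ADDRESS: @port @NUMBER:SSH_PORT_NUMBER:@ ssh2</pattern>
  </patterns>
  <values>
    <value name=".classifier.outcome">/Success</value>
  </values>
  <examples>
    <example>
      <test_message>Accepted password for sampleuser from 10.50.0.247 port 42156 ssh2</test_message>
      <test_values>
        <test_value name="SSH.AUTH_METHOD">password</test_value>
        <test_value name="SSH_USERNAME">sampleuser</test_value>
        <test_value name="SSH_CLIENT_ADDRESS">10.50.0.247</test_value>
        <test_value name="SSH_PORT_NUMBER">42156</test_value>
      </test_values>
    </example>
  </examples>
</rule>"""
```

lint_rule(SSH_RULE) returns an empty list for the fragment above; the script only checks structural consistency, so whether the pattern really matches the test message is still decided by running the rule through syslog-ng's pdbtool.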