Wasp-76b
asked on
Applying Filter with Syslog-NG
Hello Experts,
My in-house cybersecurity guy has a question regarding Syslog-ng filters.
He's trying to apply a filter that drops all PowerShell logs forwarded to a collector if they match certain message criteria. On the script path, he wants to drop anything that contains a specific path with a wildcard at the end to catch different auto-generated folder path names/PS1 script names. See an example below:
" Script Name = C:\Program Files (x86)\<program name>\<random generated folder name>\<random generated powershell script name.ps1>"
He currently has a filter applied that is not working:
{ not(message("C:\Program Files (x86)\<program name>\*")); };
Any feedback or whether this is the right place to ask is appreciated.
ASKER CERTIFIED SOLUTION
His filter matches the message rather than the program name.
I do not have the doc at hand, but I guess replacing "message" with "program" should do the trick.
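As an added illustration (not from the asker or the answerer), here is how the drop filter could be written in a syslog-ng configuration if the message text is what needs matching: the `message()` filter takes a PCRE regular expression, so the backslashes and parentheses of the Windows path have to be escaped and `*` is a quantifier rather than a shell-style wildcard. The source and destination names, the listening port, the log file path and `<program name>` are placeholders, not values from the post.

```conf
@version: 3.38

# Constructed source: adjust to the collector's real listener.
source s_net { network(ip("0.0.0.0") port(514) transport("udp")); };

# BROKEN (as posted in the question): message() interprets its argument as a
# PCRE regex, so the unescaped "\" and "(x86)" are read as regex syntax and
# the trailing "*" is a quantifier, not a wildcard.
#   filter f_drop_ps_script { not message("C:\Program Files (x86)\<program name>\*"); };

# CORRECTED: inside a syslog-ng double-quoted string "\\" is one literal
# backslash, and PCRE needs two backslashes to match one, hence "\\\\".
# The parentheses around x86 are escaped, ".*" covers the randomly named
# folder and script, and "\\.ps1" anchors on the script extension.
# <program name> is a placeholder for the real vendor directory.
filter f_drop_ps_script {
    not message("Script Name = C:\\\\Program Files \\(x86\\)\\\\<program name>\\\\.*\\.ps1");
};

# Constructed destination for everything that survives the filter.
destination d_file { file("/var/log/collector/forwarded.log"); };

# Only messages that do NOT match the script path reach the destination;
# matching PowerShell script events are dropped here.
log {
    source(s_net);
    filter(f_drop_ps_script);
    destination(d_file);
};
```

Run `syslog-ng --syntax-only` against the file after editing to catch regex compile errors before reloading the collector.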