Wasp-76b asked:
Applying Filter with Syslog-NG

Hello Experts,


My in-house cybersecurity guy has a question regarding Syslog-ng filters. 


He's trying to apply a filter that drops all PowerShell logs forwarded to a collector if they match certain message criteria. On the script path, he wants to drop anything that contains a specific path with a wildcard at the end, to catch the different auto-generated folder path names and PS1 script names. See the example below:


" Script Name = C:\Program Files (x86)\<program name>\<random generated folder name>\<random generated powershell script name.ps1>" 


He currently has a filter applied that is not working:


{ not(message("C:\Program Files (x86)\<program name>\*")); };


Any feedback, or advice on whether this is the right place to ask, is appreciated.

skullnobrains replied:

His filter matches the message rather than the program name.


I do not have the doc at hand, but I guess replacing "message" with "program" should do the trick.
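An example added here, not from either post above: the filter written out as complete syslog-ng statements with the matcher type made explicit. The source and destination names (s_windows, d_collector) and the filter names are assumed, and "<program name>" stays the asker's placeholder. Two points a practitioner needs before trying this: message() compares against the message body using PCRE by default, so in the posted pattern "*" is a quantifier on the preceding backslash and "(x86)" is a capture group, and in a double-quoted string the backslashes are themselves escape characters; and program() compares against the syslog PROGRAM (tag) field, which on a forwarded Windows event is the forwarder's tag, not the "Script Name = ..." text. The snippets below match the message body and get the wildcard from an explicit match type.

```syslog-ng
# Added example (not from the original posts). s_windows, d_collector and the
# f_* names are assumptions; "<program name>" is the asker's placeholder and
# must be replaced with the real directory name.

# Option 1: glob match. Single quotes keep the backslashes literal (no
# escaping is interpreted in single-quoted syslog-ng strings), type(glob)
# makes "*" and "?" wildcards, and a glob must match the whole message, so the
# leading "*" covers the "Script Name = " prefix and anything before it.
# "not" inverts the selection: matching events are dropped, all else passes.
filter f_not_ps_script_glob {
    not message('*C:\Program Files (x86)\<program name>\*' type(glob));
};

# Option 2: PCRE match, tightened to exactly one random folder followed by a
# .ps1 file, so a bare mention of the base directory elsewhere in a message
# is not enough to drop it. Each literal backslash is "\\" for PCRE, and the
# parentheses around x86 are escaped. PCRE matches anywhere in the message,
# so no leading wildcard is needed. Windows paths are case-insensitive,
# hence ignore-case.
filter f_not_ps_script_pcre {
    not message('C:\\Program Files \(x86\)\\<program name>\\[^\\]+\\[^\\]+\.ps1'
                type(pcre) flags(ignore-case));
};

# The filter only has an effect when referenced in a log path; a bare
# "{ not(message(...)); };" at top level is not attached to anything.
log {
    source(s_windows);
    filter(f_not_ps_script_glob);   # or f_not_ps_script_pcre
    destination(d_collector);
};
```

Run `syslog-ng --syntax-only` (short form `-s`) against the edited configuration before reloading, and test with one forwarded event that contains the path and one that does not; the first should never reach d_collector.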

ASKER CERTIFIED SOLUTION
Wasp-76b