Closed rucete closed 6 days ago
The fields are not available to sc4s to filter; the main fields to filter on usually start with sc4s_*. Best will be to use regexes based on MATCH() and MESSAGE().
https://axoflow.com/docs/axosyslog-core/chapter-parsers/sdata-parser/_print/?highlight=sdata#prefix
Official document to read about what is implemented.
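As an added illustration of the advice above (this is not code from the issue, from SC4S or from the linked documentation): a plain syslog-ng filter that drops FortiGate events marked as allowed by running a match() regex over the raw MESSAGE macro, which is present at filter time even when the parsed ".values.*" name-value pairs are not. The filter, source and destination names are assumptions chosen for the example.

```syslog-ng
# Added example, not from the issue or SC4S. Names are assumptions.
# match() evaluates a PCRE pattern against the macro named in value();
# here the raw message text, so no parsed field is required.
filter f_fortigate_drop_allowed {
    # FortiGate logs carry the key as action=allowed or action="allowed";
    # "?" makes the quote optional, ignore-case tolerates ALLOWED.
    not match('action="?allowed"?' value("MESSAGE") flags("ignore-case"));
};

log {
    source(s_fortigate);              # assumed source name
    filter(f_fortigate_drop_allowed); # events with action=allowed are dropped here
    destination(d_fortigate);         # assumed destination name
};
```

When debugging a filter like this, the quickest check is to temporarily replace the destination with a file() destination and confirm that only denied traffic reaches it before wiring it back into the SC4S pipeline.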
@rucete Since we have not heard back, I am closing this issue. Feel free to reopen or create a new issue if you have further queries.
Hi,
I'm trying to implement a block parser for fortigate events. Pretty straightforward:
The thing is I cannot seem to find documentation on how to correctly reference this value:
"${.values.action}" eq "allowed";
I'm just trying to filter out allowed traffic. I know the rest of the parser works because without that ".values.action" line, it drops all events. No errors are reported in the sc4s logs.
I'm not just looking to resolve this issue, but a link to the documentation where this is explained (besides SC4S's docs on github, which I've read) is also appreciated.
Thank you.