Beyond the options discussed so far, it is often necessary to apply a further layer of filtering to the collected log files. This is done by adding a 'Filter' to a rule.

In addition to splitting the network feed with the 'Log File Splitting' methods already described, events can be filtered by any of the following three criteria (the names in brackets are the filter types as they appear in the interface):

  • Network segment ('Netmask')
  • Hostname ('Host')
  • Regular expression ('Match')

This makes it possible, for example, to filter by Host and then split the result by Severity, as the example below shows. In the screenshots, colour is used to distinguish the Source (red), the Filter (green) and the Destination (blue).

Filter by Host

To create a Filter, select 'Add Filter' from the vertical ellipsis menu at the Source of the rule in question. The following example shows what can be achieved.

Here the filter uses a regular expression against the source network feed to select only events from the host 'firewall1'. Because a regular expression matches anywhere in the hostname unless it is anchored, a pattern such as 'firewall1' would also match 'firewall10'; use an anchored pattern such as '^firewall1$' when an exact host name is required.

The Destination for this filter is then further split by the 'Severity' value, so each severity level is written to its own file.

The resulting destination file is shown in the 'Full Path' value.

Filter by Netmask

The Netmask option segregates events by the network they come from. The network is entered either as network_address/network_mask (for example 10.1.5.0/255.255.255.0) or in CIDR notation (for example 10.1.5.0/24).

For example, selecting the 'Netmask' filter type and entering '10.1.5.0/24' in the Filter entry box separates the events from the 10.1.5.0/24 network from all others.

Filter by Match

The Match option applies a regular expression to the event text, so filters can be set up for any number of message categories.

For example, selecting the 'Match' filter type and entering '%PIX' in the Filter entry box selects only Cisco PIX firewall messages, which carry the '%PIX-' message prefix. As with the Host filter, the pattern is matched anywhere in the message text unless it is anchored.
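As an added illustration (this is example code written for this page, not the product's own implementation), the following Python script implements the three filter types described above, Host, Netmask and Match, over a small constructed syslog feed, and splits the events that pass into per-host, per-severity destination paths in the way the 'Filter by Host' example does. The Event fields, the destination path template, the sample log lines, and the assumption that the Netmask filter is tested against the address an event arrived from are all assumptions of this example rather than facts stated on the page.

```python
import ipaddress
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample feed (not from the original page): (sender IP, raw RFC 3164 syslog line).
SAMPLE_FEED = [
    ("10.1.5.1", "<188>Jun  1 12:00:01 firewall1 %PIX-4-106023: Deny tcp src outside:203.0.113.7/4123 dst inside:10.1.5.20/22"),
    ("10.1.5.1", "<190>Jun  1 12:00:02 firewall1 %PIX-6-302013: Built inbound TCP connection 12 for outside:203.0.113.7/4124"),
    ("10.1.5.20", "<30>Jun  1 12:00:03 web1 sshd[1023]: Accepted publickey for deploy from 10.1.5.44 port 50222"),
    ("10.2.0.9", "<186>Jun  1 12:00:04 firewall2 %PIX-2-106001: Inbound TCP connection denied from 198.51.100.9/443 to 10.2.0.15/443"),
    ("10.2.0.15", "<13>Jun  1 12:00:05 db1 cron[771]: (root) CMD (run-parts /etc/cron.hourly)"),
    ("10.2.0.15", "not a syslog line at all"),  # malformed on purpose; parse_event() drops it
]

# Syslog severity codes 0..7 (RFC 3164), used to name the split destination files.
SEVERITY_NAMES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# <PRI>TIMESTAMP HOST MESSAGE, where PRI = facility * 8 + severity.
SYSLOG_RE = re.compile(r"^<(\d{1,3})>(\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (\S+) (.*)$")


@dataclass(frozen=True)
class Event:
    sender: str      # IP the datagram came from (assumed here to be what the Netmask filter tests)
    severity: int    # 0 (emerg) .. 7 (debug)
    host: str        # HOSTNAME field of the syslog header
    message: str     # everything after the hostname


def parse_event(sender, line):
    """Return an Event for a well-formed line, or None so bad input is dropped rather than misrouted."""
    m = SYSLOG_RE.match(line)
    if m is None:
        return None
    pri = int(m.group(1))
    if pri > 191:  # facility 23 is the highest defined, so a valid PRI cannot exceed 23*8+7
        return None
    return Event(sender=sender, severity=pri & 7, host=m.group(3), message=m.group(4))


# The three filter types; each returns a predicate over an Event.

def host_filter(pattern):
    """Filter by Host: regular expression tested against the hostname field.
    The search is unanchored, so 'firewall1' also matches 'firewall10'; use '^firewall1$' for an exact host."""
    rx = re.compile(pattern)
    return lambda ev: rx.search(ev.host) is not None


def netmask_filter(spec):
    """Filter by Netmask: accepts CIDR ('10.1.5.0/24') or address/mask ('10.1.5.0/255.255.255.0')."""
    net = ipaddress.ip_network(spec, strict=False)
    return lambda ev: ipaddress.ip_address(ev.sender) in net


def match_filter(pattern):
    """Filter by Match: regular expression tested anywhere in the message text."""
    rx = re.compile(pattern)
    return lambda ev: rx.search(ev.message) is not None


def route(feed, filters, path_template="/var/log/split/{host}/{severity}.log"):
    """Apply every filter (all must match) and group the surviving lines by destination 'Full Path'.
    The path template is an assumption of this example; {host} and {severity} split the output."""
    routed = defaultdict(list)
    for sender, line in feed:
        ev = parse_event(sender, line)
        if ev is None or not all(f(ev) for f in filters):
            continue
        path = path_template.format(host=ev.host, severity=SEVERITY_NAMES[ev.severity], sender=ev.sender)
        routed[path].append(line)
    return dict(routed)


if __name__ == "__main__":
    examples = {
        "Host 'firewall1' split by severity": [host_filter(r"^firewall1$")],
        "Netmask 10.1.5.0/24": [netmask_filter("10.1.5.0/24")],
        "Match %PIX": [match_filter(r"%PIX")],
        "Match %PIX AND Netmask 10.2.0.0/16": [match_filter(r"%PIX"), netmask_filter("10.2.0.0/16")],
    }
    for title, filters in examples.items():
        print(f"== {title}")
        for path, lines in sorted(route(SAMPLE_FEED, filters).items()):
            print(f"  {path}: {len(lines)} event(s)")
```

Combining filters in the `route()` call stacks them as an AND, which is how a filter on top of a split narrows the feed; the last example keeps only PIX messages from the 10.2.0.0/16 segment. Malformed lines and out-of-range PRI values are dropped rather than written somewhere unexpected, which matters when the destination path is built from fields taken out of the message itself.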