topic Re: fschange filters for windows in Getting Data In

fschange filters for windows

heterodyned — Fri, 16 Jul 2010 16:11:21 GMT

I tried searching for documentation on how to implement filters for directories ( in fschange)

Could someone let me know where could I find documentation on this? the documentation page has an example to blacklist all the contents within a directory, how about a particular directory?

Here is my windows fschange implementation

[filter:blacklist:pamping]
regex1=\*\ignore\* ( tried c:\pamping\ignore\* didnt work)

[fschange:c:\pamping]
index = _audit
sourcetype = fschange
signedaudit = false
sendEventMaxSize = -1
recurse = true
disabled = false
pollPeriod = 60
filesPerDelay = 10
delayInMills = 100
followLinks = false
fullEvent = false
filters=pamping

The above filter which was set wasnt filtering events within the ignore directory, am i applying the filter incorrectly?

Re: fschange filters for windows

Lowell — Fri, 16 Jul 2010 20:17:31 GMT

Looks like your regex is incorrect. Try using the filter:

[filter:blacklist:pamping]
regex1 = .*ignore.*

Or, for your origional path:

[filter:blacklist:pamping]
regex1 = c:\\pamping\\ignore\\.*

Keep in mind that when you are writting a regex, you have to use "\\" to match a single "\". And you have to use ".*" to mean match any character 0 or more times.

Your origional regex of "\*\ignore\*" is literally interpreted as match a literal "*" followed by an "i" (I don't think that "\i" means anything in regex speak, so this is my best guess) followed by gnore followed by a literal "*"; which isn't at all what you want. For a general regex introduction and other helpful resources, check out: http://www.regular-expressions.info/

Re: fschange filters for windows

heterodyned — Sat, 17 Jul 2010 11:39:54 GMT

Thank you so much, is this format specifically for windowS? or would it apply for Linux as well? For Linux I generally use the format
/Folder/Subfolder/* format, and it generally filters the data, but does a strange delete-parent, delete etc...

Re: fschange filters for windows

Lowell — Mon, 19 Jul 2010 20:20:46 GMT

Yeah. You can use either a literal forward slash like "/", or if you are writing rules that can be used on either location, then I use [/\\] which will match a single forwarder slash for unix, or a backslash for windows. As far as the delete parent stuff, I don't full get how that works myself. If you keep getting them after your initial filter change, then I would suggest posting another question about it.