Hello all, I am trying to set up a search that logs ufw commands, while ignoring any ufw status commands. I have tried a number of methods so far but cannot get the COMMAND field to filter appropriately. Here is a version of the search:

```
index="*" host="*dev*" source="/var/log/auth.log" process="sudo" COMMAND="/usr/sbin/ufw" | table _time host user _raw | where COMMAND!="*/usr/sbin/ufw status*"
```

I've tried a number of things including trying NOT instead of !, searching for various strings (status, *status*, etc.), filtering on the _raw field instead of COMMAND, using search instead of where, putting the table after the where, etc. I cannot get the events to filter out. It seems like I either get all the events or none of the events depending on the filter I choose. Any help here? Thank you!
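Added example (not the poster's search): one way to keep the sudo ufw events and drop only the `ufw status` ones. It assumes the same index/host/source/process fields as the post and that the sudo log line contains `COMMAND=/usr/sbin/ufw ...` in `_raw`; the exclusion is applied to `_raw` with a regex rather than to the extracted `COMMAND` field.

```spl
index="*" host="*dev*" source="/var/log/auth.log" process="sudo" "/usr/sbin/ufw"
| regex _raw!="COMMAND=/usr/sbin/ufw\s+status\b"
| table _time host user _raw
```

Two things in the original pipeline explain the "all or none" behaviour. First, `where` compares values literally, so `COMMAND!="*/usr/sbin/ufw status*"` treats the asterisks as characters and never matches; wildcard-style tests in `where` need `like(COMMAND, "%ufw status%")` or `match(COMMAND, "ufw\s+status")`, while `search COMMAND!="*ufw status*"` does honour wildcards. Second, `table _time host user _raw` runs before the `where` and drops `COMMAND` from every result, so the comparison is evaluated against a null field and every event is discarded; any filter on `COMMAND` has to come before the `table`, or `COMMAND` has to stay in the `table` list. Filtering on `_raw` with `regex` avoids both problems and also covers the case where an automatically extracted `COMMAND` value stops at the first space (so that `status` never appears in it at all).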