Help
FortiAnalyzer
FortiAnalyzer can receive logs and Windows host events directly from endpoints connected to EMS, and you can use FortiAnalyzer to analyze the logs and run reports.
tsimeonov_FTNT
Staff
Staff

Created on ‎02-10-2015 12:49 PM Edited on ‎01-04-2022 12:54 PM By Anonymous

Article Id 198194

Technical Note: Use of Operators in Event Handler General Filter (syntax)

Description
When configuring an event handler, the generic filter allows more precise and flexible control over which logs trigger an event.

FortiAnalyzer supports multiple operators and logic in Generic filters.

The operators currently supported by FortiAnalyzer are as follows:

Operator Meaning
== Equal (Exact match)
!= Not equal  (Not matching)
< Smaller than
<= Smaller than or equal
> Greater than
>= Greater than or equal
~ Contained (Included somewhere in the string)
!~ Not contained (Not included)


Tokens: '(', ')', '&', '|', 'and', 'or',  'not'

Example:  type=='traffic' AND ((dstport>=80 AND srcip=192.168.1.12) OR (subtype='local' AND NOT action='timeout'))


Scope
The use of multiple operators is supported starting in FortiAnalyzer v5.0.3 and up.

Note: Starting in FortiAnalyzer 5.2.2, logs of type syslog can also trigger events.


Related Articles

Technical Note: How to configure an Event Handler with a generic text filter

14989
Submit Article Idea
Contributors
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.