Selecting Events

Rules need to be able to select an event to apply an action to.

Multiple “select” options in one rule are combined into a logical “and” operation.

Logical “or” operations can be achieved by:

  • specifying an array of values for a “select” field
  • using the regular expression alternation operator (|)
  • specifying an additional rule in the ruleset

match

Search a field for a match.

When you supply a plain string such as some string, the match becomes the regular expression /some string/ with any regex metacharacters escaped, so the text is searched for literally:

    match:
      this_field: "some string"

You can also specify a regex directly with js-yaml type syntax:

    match:
      that_field: !!js/regexp /some \d+ digit/

You can achieve a logical “or” by specifying an array of values (strings and regexes can be mixed):

    match:
      other_field:
        - string search
        - !!js/regexp /regex search/
        - more

You can achieve a logical “and” by specifying a dictionary of values:

    match:
      this_field: "some string"
      other_field: "also this string"

You can combine the two by specifying a dictionary with an array of values:

    match:
      this_field:
        - this string
        - or this string
      other_field:
        - also one
        - of these strings

equals

Exact match of the field some_field against the value 7:

    equals:
      some_field: 7

You can achieve a logical “or” by specifying an array of values:

    equals:
      other_field:
        - value
        - temp
        - over

You can achieve a logical “and” by specifying a dictionary of values:

    equals:
      some_field: 7
      other_field: value

You can combine the two by specifying a dictionary with an array of values:

    equals:
      some_field:
        - 7
        - 8
        - 9
      other_field:
        - value
        - temp
        - over

field_exists

Test for the existence of a field:

    field_exists: some_name_of_existing_field

field_missing

Test whether a field is missing:

    field_missing: some_name_of_missing_field

starts_with

Field starts with the string Starting Text, like the regular expression /^Starting Text/:

    starts_with:
      a_field_name: 'Starting Text'

ends_with

Field ends with the string Ending Text, like the regular expression /Ending Text$/:

    ends_with:
      a_field_name: 'Ending Text'

Actions

set

Set a field to a value:

    - name: super_set
      equals:
        node: 'super.man.com'
      set:
        group: 'Krypton'

Set a field by using the value from another field:

    - name: prefix summary with node name
      set:
        summary: '{node} - {summary}'
      match:
        summary: !!js/regexp /hello world/

Set a field using a parameterized pattern match (the {match.N} placeholders refer to the capture groups of the match regex):

    - name: change the words around
      set:
        summary: '{match.2} {match.1} number: {match.2}'
      match:
        summary: !!js/regexp /^(\w+) (\d+) (\w+).*/

replace

The field holding the value to be replaced is given with field, the text to replace with this, and the replacement text with with:

    - name: other_replace
      match:
        summary: 'repeating repeating repeating'
      replace:
        field: message
        this: 'repeating'
        with: 'newrepeat'

A warning will be logged if the replacement doesn’t find a match.

discard

Sets the severity of the event to -1 and stops further rule processing. The event will be discarded:

    - name: other_replace
      match:
        node: 'spurious.alerts'
      discard: true

TODO: is this incomplete? regex replace a value