Technical Tip: Use of Operators in Event Handler General Filter (syntax)
Description
This article describes how the Generic Text Filter (Log Filter by Text) of an event handler allows more precise and flexible control over which logs trigger an event.
Scope
FortiAnalyzer.
Solution
FortiAnalyzer supports multiple comparison and logical operators in the Generic Text Filter (Log Filter By Text) fields of the event handlers and log forwarders.
It is also possible to use Glibc POSIX Regex patterns after the 'contains' operators ~ and !~.
- Comparison operators:
| Operator | Meaning | Example |
|---|---|---|
| == / = | Equal | dstip == '8.8.8.8' OR dstip = '8.8.4.4' |
| != | Not equal | dstip != '1.1.1.1' |
| < | Smaller than | duration < 60 |
| <= | Smaller than or equal | bytes <= 500 |
| > | Bigger than | severity > 3 |
| >= | Bigger than or equal | bytes >= 1000 |
| ~ | Contains (supports Regex) | msg ~ attack |
| !~ | Does not contain (supports Regex) | msg !~ facebook |
- Logical operators:
| Operator | Meaning | Example |
|---|---|---|
| ( ) | Grouping | (logid = 12345 or logid = 12346) & action… |
| & / AND | Both must be true | srcip = 10.0.0.1 AND action = 'blocked' |
| \| / OR | Either can be true | logid = 12345 or logid = 23456 \| action='deny' |
| NOT | Negates | not action = 'allowed' |
- Basic regex examples with the '~' operator:
| Pattern | Matches |
|---|---|
| error | Any line containing 'error' |
| ^error | Lines starting with 'error' |
| error$ | Lines ending with 'error' |
| A.C | A then any char then C (ABC, AXC) |
| a\.c | a.c literally, since the . is escaped by \ |
| [0-9]+ | One or more digits |
| 192\.168\.\d+\.\d+ | Any IP in 192.168.x.x |
| https? | http or https |
- Filter examples with regex:
Match all blocked connections from the 10.231.1.0/24 subnet:
action = 'deny' & srcip ~ ^10\.231\.1\.
To make sure the regex only matches valid IPv4 addresses (last octet 0 to 255):
action = 'deny' & srcip ~ ^10\.231\.1\.(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])$
Note: The Fortinet Technical Support department does not provide programming-related assistance, including help with custom regular expressions. See: Customer Service Tip: FortiCare Technical Support eligibility by feature and product.
Related articles:
Technical Tip: How to configure an Event Handler with a generic text filter
Technical Tip: How to create Event handler in FortiAnalyzer for Policy delete in FortiGate
