tsimeonov_FTNT
Article Id 198194

Description

When configuring an event handler, the Generic Text Filter (Log Filter By Text) allows more precise and flexible control over which logs trigger an event.

Scope

FortiAnalyzer.

Solution

FortiAnalyzer supports multiple comparison and logical operators in the Generic Text Filter (Log Filter By Text) fields of event handlers and log forwarders.

It is also possible to use Glibc POSIX Regex patterns after the 'contains' operators ~ and !~.

  • Comparison operators:

| Operator | Meaning | Example |
|---|---|---|
| == / = | Equal | dstip == '8.8.8.8' OR dstip = '8.8.4.4' |
| != | Not equal | dstip != '1.1.1.1' |
| < | Smaller than | duration < 60 |
| <= | Smaller than or equal | bytes <= 500 |
| > | Bigger than | severity > 3 |
| >= | Bigger than or equal | bytes >= 1000 |
| ~ | Contains (supports Regex) | msg ~ attack |
| !~ | Not contain (supports Regex) | msg !~ facebook |

  • Logical operators:

| Operator | Meaning | Example |
|---|---|---|
| ( ) | Grouping | (logid = 12345 or logid = 12346) & action… |
| & / AND | Both must be true | srcip = 10.0.0.1 AND action = 'blocked' |
| \| / OR | Either can be true | logid = 12345 or logid = 23456 \| action='deny' |
| NOT | Negates | not action = 'allowed' |

  • Basic regex examples with the '~' operator:

| Pattern | Matches |
|---|---|
| error | Any line containing 'error' |
| ^error | Lines starting with 'error' |
| error$ | Lines ending with 'error' |
| A.C | A then any char then C (ABC, AXC) |
| a\.c | a.c literally, since the . is escaped by \ |
| [0-9]+ | One or more digits |
| 192\.168\.[0-9]+\.[0-9]+ | Any IP in 192.168.x.x (POSIX regex has no \d shorthand, so digits are written as [0-9]) |
| https? | http or https |

  • Filter examples with regex:

Match all blocked connections from the 10.231.1.0/24 subnet:

action = 'deny' & srcip ~ ^10\.231\.1\.

To make sure the regex only matches valid IPv4 addresses (the last octet is restricted to 0-255):

action = 'deny' & srcip ~ ^10\.231\.1\.(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])$
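To see how the comparison operators, logical operators and regex operands above combine, here is an added example that is not Fortinet's code and not FortiAnalyzer's real filter engine: it tokenizes a generic text filter, builds a small expression tree and evaluates it against constructed log records, so a filter can be sanity-checked offline before it goes into an event handler. Everything it assumes beyond the article is an assumption: NOT binds tighter than AND, which binds tighter than OR; the operand of ~ / !~ extends to the next whitespace unless quoted; a comparison is numeric when both sides parse as numbers and a string comparison otherwise; a field missing from a log never matches; and Python's re module stands in for the glibc POSIX regex engine, so only POSIX-compatible syntax is used. SAMPLE_LOGS and matching_logids are constructed for this example.

```python
import re

# Constructed sample log records keyed by FortiAnalyzer field names; not real data.
SAMPLE_LOGS = [
    {"logid": 12345, "action": "deny", "srcip": "10.231.1.17", "msg": "ips attack", "bytes": 1200},
    {"logid": 23456, "action": "deny", "srcip": "10.231.1.300", "msg": "facebook.com", "bytes": 300},
    {"logid": 12346, "action": "allowed", "srcip": "10.231.10.5", "msg": "web traffic", "bytes": 800},
]
KEYWORDS = {"AND": "LOGIC", "OR": "LOGIC", "NOT": "NOT"}
TOKEN_RE = re.compile(r"""\s*(?:(?P<op>==|!=|<=|>=|=|<|>)
    |(?P<regex>!~|~)\s*(?P<rval>'[^']*'|"[^"]*"|\S+)
    |(?P<paren>[()])|(?P<logic>[&|])|(?P<quoted>'[^']*'|"[^"]*")
    |(?P<word>[^\s()&|=!<>~'"]+))""", re.VERBOSE)

def tokenize(text):
    """Split a filter into (kind, value) tokens. Assumption: the operand of ~ / !~ runs
    to the next whitespace unless quoted, so ( | ) inside a regex survive untouched."""
    tokens, pos, text = [], 0, text.strip()
    while pos < len(text):
        m = TOKEN_RE.match(text, pos)
        if not m:
            raise ValueError(f"cannot tokenize filter at offset {pos}")
        pos, g = m.end(), m.groupdict()
        if g["op"]:
            tokens.append(("OP", g["op"]))
        elif g["regex"]:
            rv = g["rval"]
            tokens += [("OP", g["regex"]), ("VALUE", rv[1:-1] if rv[0] in "'\"" else rv)]
        elif g["paren"]:
            tokens.append((g["paren"], g["paren"]))
        elif g["logic"]:
            tokens.append(("LOGIC", "AND" if g["logic"] == "&" else "OR"))
        elif g["quoted"]:
            tokens.append(("VALUE", g["quoted"][1:-1]))
        elif g["word"].upper() in KEYWORDS:
            tokens.append((KEYWORDS[g["word"].upper()], g["word"].upper()))
        else:
            tokens.append(("VALUE", g["word"]))
    return tokens

def parse(tokens):
    """Build an AST from the token list; precedence NOT > AND > OR is an assumption."""
    tokens = tokens + [(None, None)]  # sentinel marks end of input
    def take():
        if tokens[0][0] is None:
            raise ValueError("unexpected end of filter")
        return tokens.pop(0)
    def binary(which):  # OR is a chain of ANDs; AND is a chain of unary terms
        sub = (lambda: binary("AND")) if which == "OR" else unary
        left = sub()
        while tokens[0] == ("LOGIC", which):
            take()
            left = (which, left, sub())
        return left
    def unary():
        kind, value = take()
        if kind == "NOT":
            return ("NOT", unary())
        if kind == "(":
            node = binary("OR")
            if take()[0] != ")":
                raise ValueError("expected ')'")
            return node
        if kind != "VALUE" or tokens[0][0] != "OP":
            raise ValueError(f"expected 'field operator value' near {value!r}")
        return ("CMP", value, take()[1], take()[1])
    tree = binary("OR")
    if tokens[0][0] is not None:
        raise ValueError(f"unexpected token {tokens[0][1]!r}")
    return tree

def compare(actual, op, expected):
    if actual is None:  # field absent from the log: never matches (assumption)
        return False
    if op in ("~", "!~"):
        # FortiAnalyzer runs glibc POSIX regex; Python's re stands in here, so keep
        # patterns POSIX-compatible ([0-9] rather than \d) to get the same answers.
        return (re.search(expected, str(actual)) is not None) == (op == "~")
    try:  # numeric comparison when both sides parse as numbers, else string comparison
        a, b = float(actual), float(expected)
    except (TypeError, ValueError):
        a, b = str(actual), str(expected)
    return {"==": a == b, "=": a == b, "!=": a != b, "<": a < b,
            "<=": a <= b, ">": a > b, ">=": a >= b}[op]

def evaluate(node, log):  # walk the AST against one log record (field -> value dict)
    if node[0] == "CMP":
        return compare(log.get(node[1]), node[2], node[3])
    if node[0] == "NOT":
        return not evaluate(node[1], log)
    lhs, rhs = evaluate(node[1], log), evaluate(node[2], log)
    return (lhs and rhs) if node[0] == "AND" else (lhs or rhs)

def matching_logids(filter_text, logs=SAMPLE_LOGS):
    """Return the logid of every record the filter selects, in input order."""
    tree = parse(tokenize(filter_text))
    return [log["logid"] for log in logs if evaluate(tree, log)]
```

Calling matching_logids with the two filters from this article shows why the strict form matters: against the constructed records, the loose prefix filter selects logids 12345 and 23456, while the IPv4-validating filter drops 23456 because its last octet is 300. A filter that does not parse (for example a missing value after an operator) raises ValueError rather than silently matching nothing, which is the behaviour to look for when a handler never fires.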

Note: The Fortinet Technical Support department does not provide programming-related assistance, including help with custom regular expressions. See: Technical support on customization. 

Related Article:

Technical Tip: How to configure an Event Handler with a generic text filter