Event Handlers Not Working as Expected in 5.6.0

AlexRG · ‎08-24-2017

My filters are:

Level [Equal To] Notice
Destination IP [Not Equal To] serverIP_A
Text filter:
srcintf=port30 and service~RDP and action=start

The log:

itime=2017-08-24 13:12:44 sentbyte=0 rcvdbyte=0 srccountry=Reserved app=UDP_RDP date=2017-08-24 dstip=serverIP_B duration=0 vd=VD1 group=IT service=UDP_RDP proto=17 user=ME dstcountry=Reserved policytype=policy poluuid=45840192-88ea-51e7-b403-e3009408d646 devid=FG000000 dstport=3389 type=traffic dtime=2017-08-24 13:12:43 devname=FG00 time=13:12:43 sessionid=884716921 itime_t=1503594764 policyid=111 srcintf=port30 srcip=10.0.21.101 sentpkt=0 level=notice appcat=unscanned srcport=55887 logid=0000000015 subtype=forward trandisp=noop action=start dstintf=VLAN_6

I'm not getting any hits from that filter.

sgao_FTNT · ‎08-24-2017

Hi Alex,

Please check which type log and category you select, I tried in the lab with "Traffic" log and "Others" category, with similar filter setting, it works.

View solution in original post

sgao_FTNT · ‎08-24-2017

Hi Alex,

Please check which type log and category you select, I tried in the lab with "Traffic" log and "Others" category, with similar filter setting, it works.

AlexRG · ‎08-24-2017

Bah. Don't know how I missed that. Thanks!

I'm was also having trouble with the keyword filter. I had a filter working fine in previous versions and it suddenly stopped.

The settings are:

[ul]

Type: Web Filter

Group by: Category

Level [Equal To] Notice

keyword~'some text' or keyword~'some other text' or keyword~'some more text'[/ul]

I even just tried firing on msg="Search phrase detected" but got nothing.

sgao_FTNT · ‎08-24-2017

not sure how you configured for web filter handler. Here is my test example in lab, please attach a screenshot if still have issue, then I can check it in lab.

AlexRG · ‎08-24-2017

Handler settings attached.

The log:

itime=2017-08-24 15:07:05 sentbyte=0 rcvdbyte=0 agent=Chrome/60.0.3112.101 date=2017-08-24 dstip=13.107.21.200 vd=VD1 group=IT service=HTTP proto=6 eventtype=content hostname=www.bing.com dstintf=port12 msg=Search phrase detected devid=FG000000 dstport=80 type=utm dtime=2017-08-24 15:07:04 profile=PROD_WEB direction=outgoing referralurl=http://www.bing.com/ devname=FG sessionid=885360102 itime_t=1503601625 user=ME srcintf=port32 reqtype=referral srcip=10.0.21.101 keyword=who fixed the event handler level=notice url=/search?q=who+fixed+the+event+handler&qs=n&form=QBLH&sp=-1&pq=who+fixed+the+event+handler&sc=0-25&sk=&cvid=90841C2E9796453D8C64907C4D3770C0 srcport=54561 logid=0314012293 subtype=webfilter time=15:07:04 action=passthrough policyid=4

sgao_FTNT · ‎08-24-2017

Alex,

The issue is caused by field "catdesc" is not present in the log, which is defined in handler <Group By>, change Group By to URL, then it works.

Shawn

AlexRG · ‎08-24-2017

Yep. That was it. Thanks again!