Fortinet white logo
Fortinet white logo

Administration Guide

Using the Generic Text Filter

Using the Generic Text Filter

The Generic Text Filter field is available when creating filters for data selectors and rules for event handlers.

The generic text filter uses the glibc regex library for values with operators that support regular expression (~,!~, and not =,!=), using the POSIX standard. Filter string syntax is parsed by FortiAnalyzer, and both upper and lower case characters are supported (for example, "and" is the same as "AND"). You must use an escape character when needed. For example, cfgpath=firewall.policy is the wrong syntax because it is missing an escape character. The correct syntax is cfgpath=firewall\.policy.

Operator Description

=

Exact match. Alternatively, you can use ==.

!=

Does not match.

<

Less than.

<=

Less than or equal to.

>

Greater than.

>=

Greater than or equal to.

~

Matches the regular expression.

!~

Does not match the regular expression.

Tokens:

  • (

  • )

  • &

  • |

  • and

  • or

Example:

dstip==192.168.1.168 and hostname ~ "facebook" dstip==192.168.1.168 and ( dstport == 514 or dstport == 515 )

To create an event handler using the Generic Text Filter to match raw log data:
  1. Go to Log View, and select a log type.

  2. In the toolbar, click Tools > Display Raw.

    The easiest method is to copy the text string you want from the raw log and paste it into the Generic Text Filter field. Ensure you insert an escape character when necessary, for example, cfgpath=firewall\.policy.

  3. Locate and copy the text in the raw log.

  4. Go to FortiSoC/Incidents & Events > Handlers > Event Handler List and click Create New.

  5. Click Add New Rule.

    You can also use the Generic Text Filter when creating a rule for a correlation handler. See Creating a custom correlation handler.

  6. In the Generic Text Filter box, paste the text you copied or type the text you want. Ensure you use the raw log field names, for example, mem (not memory) and setuprate (not setup-rate).

    For information on text format and operators, hover the cursor over the help icon. The operator ~ means contains and !~ means does not contain.

  7. Configure other settings for the rule, and click OK. For a description of the fields, see Creating a custom event handler.

    You can also use the Generic Text Filter in data selectors, which can be assigned to event handlers and correlation handlers. For more information, see Creating data selectors.

Using the Generic Text Filter

Using the Generic Text Filter

The Generic Text Filter field is available when creating filters for data selectors and rules for event handlers.

The generic text filter uses the glibc regex library for values with operators that support regular expression (~,!~, and not =,!=), using the POSIX standard. Filter string syntax is parsed by FortiAnalyzer, and both upper and lower case characters are supported (for example, "and" is the same as "AND"). You must use an escape character when needed. For example, cfgpath=firewall.policy is the wrong syntax because it is missing an escape character. The correct syntax is cfgpath=firewall\.policy.

Operator Description

=

Exact match. Alternatively, you can use ==.

!=

Does not match.

<

Less than.

<=

Less than or equal to.

>

Greater than.

>=

Greater than or equal to.

~

Matches the regular expression.

!~

Does not match the regular expression.

Tokens:

  • (

  • )

  • &

  • |

  • and

  • or

Example:

dstip==192.168.1.168 and hostname ~ "facebook" dstip==192.168.1.168 and ( dstport == 514 or dstport == 515 )

To create an event handler using the Generic Text Filter to match raw log data:
  1. Go to Log View, and select a log type.

  2. In the toolbar, click Tools > Display Raw.

    The easiest method is to copy the text string you want from the raw log and paste it into the Generic Text Filter field. Ensure you insert an escape character when necessary, for example, cfgpath=firewall\.policy.

  3. Locate and copy the text in the raw log.

  4. Go to FortiSoC/Incidents & Events > Handlers > Event Handler List and click Create New.

  5. Click Add New Rule.

    You can also use the Generic Text Filter when creating a rule for a correlation handler. See Creating a custom correlation handler.

  6. In the Generic Text Filter box, paste the text you copied or type the text you want. Ensure you use the raw log field names, for example, mem (not memory) and setuprate (not setup-rate).

    For information on text format and operators, hover the cursor over the help icon. The operator ~ means contains and !~ means does not contain.

  7. Configure other settings for the rule, and click OK. For a description of the fields, see Creating a custom event handler.

    You can also use the Generic Text Filter in data selectors, which can be assigned to event handlers and correlation handlers. For more information, see Creating data selectors.