Overview
Rules control how log messages are turned into events. They can be used to discard, de-duplicate or modify the events that appear in the Panther console.
Events are received from an external source, processed by user defined rules, and finally stored on the Panther server.
Processing order
The set of Syslog Mappings are processed first, followed by the Global Rules and, finally, any optional Groups Rules.
Details
Each rule definition is stored in yaml file.
A basic rule has a name
followed by a Select verb, such as match
, and an Action verb, such as discard
:
name: 'Rule name'
match:
some_field: value
discard: true
Multiple Selects are interpreted as logical “and” operations. This example is equivalent to “Select WHERE some_field
matches the regular expression /value/
AND where other_field
equals value
”:
match:
some_field: !!js/regexp /value/
equals:
other_field: value
Multiple Actions can be specified too:
discard: true
stop: true
A RuleSet, which groups the rules into logical areas, is made up of an array of Rules. These are processed in order, until the last rule is found or a stop
or stop_ruleset
action is encountered:
- name: 'Rule name'
match:
some_field: value
set:
new_field: 17
- name: 'No junk'
equals:
my_field: 'linux'
set:
that_field: 'Torvalds'
There are multiple RuleSets used during processing. The Global RuleSet is processed first, followed by any Group rules. Only one group will be matched, based on the Select verbs, and its rules then processed.
Discard and Dedupe are shortcuts for what end up as rules that are placed before the rest of the RuleSet.
Rule Order
Rules are applied in the following order:
- Syslog mapping
- Global discards
- Global de-duplication
- Global rules, in order
- Grouping, and the group rules. (group_order: if required? TODO - check)
- discard_first
- dedupe
- rules
- discard_last
- Discards that rely on other mappings
Shortcut helpers
There are some tasks that are repeated frequently, so the most reqular have shortcuts set up to make the rules more succinct.
TODO - not clear how or where to use these!
syslog_mapping
Takes the syslog levels and maps them to console severities.
- This is a required field (TODO - what is?)
deduplicate
Shortcut for matching on summary
with a regex and replacing it.
- [ /match/, 'replace' ]
Or supply a second regex if you want a more specific search replace
- [ /match/, /replace_match/, 'replace' ]
- A match will short-circuit dedupe execution, but continue on to any following rules.
discard
/ discard_last
Shortcuts for dumping messages, either before or after normal processing.
Discard on summary:
- '/trash/'
Or write a full rule
- name: 'To the bin'
match:
summary: /trash/
- Discard will short-circuit execution.
Table of contents
- Agent rules
- Server Global rules
- Server Group rules
- Event schedule selection
- Event selection
- Rules file (yaml)