I have covered Log Insight event forwarding in the past, but wanted to discuss a potential gotcha when leveraging filters that contain the backslash character. Read on to learn more!
As you know, Log Insight supports sending events over cfapi and syslog, with or without filters. Some of the filter operators are a little different from what you get in Interactive Analytics, because event forwarding happens before the ingestion pipeline and keyword indices are therefore not available. One additional nuance this introduces is around escaped characters. It turns out that exactly one character needs to be escaped when using event forwarding filters. Any idea which one it is? Yup, the backslash.
So, if you want to have a filter like:
filepath matches C:\DNS
then you actually need to write:
filepath matches C:\\DNS
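As an added example (my own helper, not something that ships with Log Insight), here is a small Python routine that produces the escaped value from the raw one and a pre-flight check that flags a forwarding filter still carrying an unescaped backslash. The "field operator value" layout in build_filter mirrors the example above; the exact syntax the forwarding dialog accepts is an assumption.

```python
import re

# Any run of consecutive backslashes (constructed regex for the check below).
_BACKSLASH_RUN = re.compile(r'\\+')


def escape_filter_value(raw_value: str) -> str:
    """Double every backslash so a raw value is safe in a forwarding filter.

    Input is the value as it appears in the event (C:\\DNS); output is the form
    that must be typed into the event forwarding filter (C:\\\\DNS).
    """
    return raw_value.replace('\\', '\\\\')


def has_lone_backslash(filter_value: str) -> bool:
    """True if the filter value still contains an unescaped backslash.

    An escaped backslash is a pair, so any odd-length run of backslashes
    leaves one unpaired. Useful as a check on existing forwarding filters
    before relying on them, since the unescaped form does not match as intended.
    """
    return any(len(m.group(0)) % 2 for m in _BACKSLASH_RUN.finditer(filter_value))


def build_filter(field: str, operator: str, raw_value: str) -> str:
    """Assemble 'field operator value' with the value escaped for forwarding.

    The three-token layout is an assumption taken from the post's example.
    """
    return f"{field} {operator} {escape_filter_value(raw_value)}"


if __name__ == "__main__":
    # Constructed sample matching the post: raw path C:\DNS on a Windows host.
    print(build_filter("filepath", "matches", "C:\\DNS"))   # filepath matches C:\\DNS
    print(has_lone_backslash("filepath matches C:\\DNS"))   # True (needs escaping)
    print(has_lone_backslash("filepath matches C:\\\\DNS")) # False (already escaped)
```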
Now you know!
© 2017, Steve Flanders. All rights reserved.