Create Log Filters

Start creating a forwarding profile.
Under
Filters
, select
Add
.
Select a log type.
Enter a query that describes the log fields you want to forward, or select one of the predefined filters.
You can either write your own queries from scratch or use the Query Builder. You can also select the query field to choose from among a set of common predefined queries.
Log filters function like queries in Explore, with the following differences:
No double quotes (“”).
No subnet masks. To return IP addresses with subnets, use the
LIKE
operator. Example: src_ip.value LIKE “192.1.1.%”.
If you want to forward all logs of the type you selected, do not enter a query.
Learn more about queries and using the query builder to help you write them.
A green check mark indicates that the query is valid, and pressing enter or clicking the arrow should generate results that match the query. A red X means that the query is invalid and you will be unable to submit it.
(
Optional
) Customize how the field columns appear.
Hover over any column header and select the hamburger icon to choose the columns that you want to forward through the selected log type to the external destination.

The data for the selected columns is forwarded to the destination server. You can also edit the filter for an existing running log forwarding profile to add or remove columns you want to forward. After making edits, save the filter and the log forwarding profile for the changes to reflect in the log forwarding message.

Change column order by clicking anywhere on a column header and dragging to the left or right.

Rearranging columns changes the order of the fields in the Syslog message of the logs forwarded through the filter. For example, if you move

RULE

to the left of

APPLICATION

, the

Rule

field will appear before the

Application

field in the Syslog message.

Change column width by clicking in between column headers and dragging to the left or right.
Save
your filter.