How can I set a message criteria?
Created on 2001-06-28 by Rainer Gerhards.
This is an archived document for users of previous product versions. If you are using the current version, please visit WinSyslog for current and new contents.
Question: I am working with WinSyslog. I would like to set a filter
criteria that matches only if the received message contains a certain string. For
example, I want to set "when the message contains 'duplicate IP', do
this...". How do you set the criteria for that?
Answer: This can be set by modifying the rule base.
First, select "edit rules" from the rule base menu. The rule base
editor appears. You can now either create a new rule (right-click
"Rules") or edit an existing one. Right-click "criterias". A
pop-up menu appears. Select "Add Criteria" and "Message".
The "Insert a Message" text box appears. There, enter the text you
want to filter on. In this case, it is "duplicate IP" WITHOUT the
quotes. Please note that the whole message is inspected to check if the string
entered is part of it. It does not matter where inside the message text the
string occurs. WinSyslog 3.x does not support wildcards. This will be added in
the 4.x releases. After entering the search string, click "OK".
This is a hardcopy of the dialog:

This sets up a rule that is processed if the string is part of
the message. Now be sure to add the appropriate actions.