...

There, create a rule that handles all events which do not match any other rule yet:

General properties

Setup → Events → Event Console rule packs → Add Rule

Matching Criteria

Here, we need two regular expressions:
  1. The first one is applied to the message text and defines three match groups using the parentheses:

    .{3} [0-9]+ [0-9:]{8} [0-9]+\.([0-9]{4}) ([^ ]+) (.*)


    The website https://regex101.com helps you to understand how the regex matches the message text and which groups are created:



    These groups can later be accessed using the placeholders \1, \2, and \3 in the message text rewriting. They might also become important when automatic duplicate detection is used. We'll come to that later on.

  2. The second regular expression "^(.*)$" simply matches any application text (in our case, it is always "Security", though) and puts it into a match group. Later, we can access this group using the macro "$MATCH_GROUPS_SYSLOG_APPLICATION_1$".

...

The "Outcome & Action" section can remain unchanged, but in the "Counting & Timing" section we make two settings:


The counting is done based on the hostname and the application. Forcing separate events for different match groups makes no sense here: the whole message text is stored in group 3, and such texts frequently contain IDs, timestamps, and similar unique strings, so almost every message would end up as its own event and the duplicate detection would achieve nothing.
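As an added illustration (this is not code from the page and not Checkmk's own implementation), the Python below applies the two regexes from the Matching Criteria above to a few constructed sample messages, shows which values land in \1, \2, \3 and in $MATCH_GROUPS_SYSLOG_APPLICATION_1$, fills a hypothetical rewrite template with them, and counts the matching messages once by host and application and once with the match groups included in the key. The sample lines, the message layout they assume, the rewrite template and the names match_message, match_application, rewrite_message and count_events are all assumptions for the example; Python's re module with a prefix-anchored match() stands in for the Event Console's matcher.

```python
import re

# Message-text regex from the rule's Matching Criteria (copied from the page).
MESSAGE_RE = re.compile(r".{3} [0-9]+ [0-9:]{8} [0-9]+\.([0-9]{4}) ([^ ]+) (.*)")
# Application regex from the rule: catches any application name in group 1.
APPLICATION_RE = re.compile(r"^(.*)$")

# Constructed sample events, not taken from the page: (host, application, message text).
# The message layout (month, day, time, seconds.fraction, program, text) is only
# assumed from the regex; a real feed may look different.
SAMPLE_EVENTS = [
    ("host1", "Security", "Sep 14 10:15:01 1694686501.4711 sshd Accepted publickey for alice from 10.0.0.5 port 51234"),
    ("host1", "Security", "Sep 14 10:15:07 1694686507.0815 sshd Accepted publickey for bob from 10.0.0.9 port 51240"),
    ("host2", "Security", "Sep 14 10:16:33 1694686593.2342 sudo alice : TTY=pts/0 ; COMMAND=/bin/ls"),
    ("host2", "Security", "this line does not match the rule at all"),
]


def match_message(text):
    """Return the tuple (\\1, \\2, \\3), or None when the message regex does not match.

    re.match() anchors at the start of the text; the Event Console is assumed here to
    apply its regexes the same way (prefix match, not a search anywhere in the line).
    """
    m = MESSAGE_RE.match(text)
    return m.groups() if m else None


def match_application(application):
    """Return the value of $MATCH_GROUPS_SYSLOG_APPLICATION_1$, or None."""
    m = APPLICATION_RE.match(application)
    return m.group(1) if m else None


def rewrite_message(text, application, template):
    """Fill a hypothetical rewrite template with \\1..\\3 from the message and the
    application macro. The template is an assumption; the page does not show its value."""
    m = MESSAGE_RE.match(text)
    if m is None:
        return None  # the rule would not fire, so nothing is rewritten
    # \1, \2, \3 are expanded by the match object; the macro is a plain substitution.
    return m.expand(template).replace(
        "$MATCH_GROUPS_SYSLOG_APPLICATION_1$", match_application(application)
    )


def count_events(events, separate_by_match_groups):
    """Group the matching messages by the counting key and count them.

    With separate_by_match_groups=False the key is (host, application), which is what
    the rule on this page does. With True the match groups become part of the key, so
    any difference in group 3 (the free text) produces a new event.
    """
    counts = {}
    for host, application, text in events:
        groups = match_message(text)
        if groups is None:
            continue
        key = (host, application)
        if separate_by_match_groups:
            key += groups
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    template = r"\2: \3 [$MATCH_GROUPS_SYSLOG_APPLICATION_1$]"  # assumed template
    for host, application, text in SAMPLE_EVENTS:
        print(host, match_message(text))
        print("  rewritten:", rewrite_message(text, application, template))
    print("count by host/application:", count_events(SAMPLE_EVENTS, False))
    print("count with match groups:   ", count_events(SAMPLE_EVENTS, True))
```

Run stand-alone, the script shows that the three matching lines collapse into one event per host when counted by host and application, whereas counting by match groups yields three separate events because the login names, addresses and timestamps in group 3 differ every time.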

...

In the Rewriting section, we can adjust the message text, application, and other variables that will be shown in the event views:



The message text will be replaced using the groups from above:

...