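# Swatch rules for a Palo Alto firewall log: on TRAFFIC "end" records and on
# THREAT records, pipe the matched line to syslog_pcap_save.pl, rate-limited
# per captured field pair. The stray "|" lines left by the page rendering were
# dropped because they are not swatch directives.
#
# logfile /var/log/paloalto/threat.log
# NOTE(review): the line above is commented out, so this file does not itself
# select the log to watch; presumably the path is given when swatch is
# started. Confirm against the launch command.

# Rule 1: TRAFFIC records with subtype "end".
# $1 and $2 are the 5th and 6th comma-separated fields counted from "TRAFFIC".
# Presumably these are the source and destination addresses; verify against the
# firewall's syslog field order.
# [^,]+ needs a non-empty field, so a record with an empty field in any of
# these positions does not match and triggers no capture.
# The pattern is unanchored: it matches wherever this comma sequence occurs in
# the line, not only in the type/subtype columns. Anchor it to the record
# layout if later free-text fields could contain the same sequence.
#
# threshold: type=limit,count=1,seconds=60 runs the action for the first match
# of each $1:$2 key in a 60-second window and suppresses the rest of that
# window. Each distinct key has its own window, so a burst covering many
# distinct pairs starts one pipe command per pair; cap or queue this in the
# script if that load matters.
#
# pipe: the matched log line is written to the command's standard input. The
# command string is fixed and contains no $N substitution, so log content never
# reaches the command line; keep it that way. The script should still treat the
# line on stdin as untrusted input. The meaning of the arguments 10.69.100.14
# and 3 is defined by the script and is not visible here.
watchfor /TRAFFIC,end,[^,]+,[^,]+,([^,]+),([^,]+),/
    threshold track_by=$1:$2,type=limit,count=1,seconds=60
    pipe "/opt/momentum_client/bin/syslog_pcap_save.pl 10.69.100.14 3"

# Rule 2: THREAT records of any subtype (the subtype column is [^,]+, unlike
# rule 1, which requires "end").
# Capture positions, rate limit and action are the same as in rule 1, and the
# same caveats apply: non-empty fields are required, the match is unanchored,
# and there is one rate-limit window per distinct $1:$2 pair. Because of the
# rate limit, only the first THREAT record per pair per minute reaches the
# script, so do not rely on this rule for a complete record of threat events.
watchfor /THREAT,[^,]+,[^,]+,[^,]+,([^,]+),([^,]+),/
    threshold track_by=$1:$2,type=limit,count=1,seconds=60
    pipe "/opt/momentum_client/bin/syslog_pcap_save.pl 10.69.100.14 3"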