Limited support: BMC provides limited support for this version of the product. As a result, BMC no longer accepts comments in this space. If you encounter problems with the product version or the space, contact BMC Support. BMC recommends upgrading to the latest version of the product. To see documentation for that version, see BMC AMI Command Center for Security 6.2.

Advanced expressions


The Simple match expressions section describes the basic correlation match patterns that form the building blocks for threads, triggers, and actions. Using these basic expressions, you can match a message by keywords, wildcards, and logical operations that join several expressions together, optionally nested in parentheses to change the order of evaluation.

Simple match expressions alone do not address certain common correlation needs, such as testing specific fields of the message for particular values or testing data items that are not part of the message content.

If you are familiar with BMC Defender Server, you will have noticed that the Thread and Actions screens provide further qualifiers in addition to the match expression. These screens let you specify match times, addresses, triggers, severities, and facilities, which gives you a routine method of identifying the meaning of messages beyond their message content.

Additionally, you can specify all of these special correlation qualifiers, with complete flexibility, as part of the correlation expression itself, using the notation described in this section.

Example

For example, you can match multiple trigger states, specific word positions, and non-contiguous time intervals by specifying special match expressions. These can be applied to any match expression, including trigger expressions.

This section provides a discussion of these advanced expressions, consisting of compare functions and global variables that reference message fields, triggers, and other values.

The following notes apply:

  1. Global variables—BMC Defender Server establishes various global variables that can be used in expressions. Global variable names are prefixed with a dollar sign ($) and are substituted into the expression before it is evaluated.
  2. Word position references—You can use the $N global variable to refer to a particular word in the message, where $1 is the first word of the message and $2 is the second word of the message.
  3. Compare functions—You can specify the compare functions eq, ne, lt, gt, le, ge, llt, lgt, lle, lge, in, and not in as part of the expression. You can use these to test global variables and word position references. For instance, ($3 eq test) matches if the third word in the message is test. Also, (test in $8) matches the message if the eighth word in the message is test, testfile, or runtests.
  4. Mixing compare functions and keywords—Compare functions can be mixed with other expressions, such as keywords or wildcards, and can be nested in parentheses. For instance, the moderately complex expression ($2 eq username) and ($3 eq smith) and logon might indicate that username smith has logged into the system.
  5. Other global variables—In addition to word position references in the form of $1, $2, $3, there are other global variables, such as $address, $severity, and $time, that can be used in expressions and are especially useful with compare functions. These are set each time a message is received. For instance, ($address eq 10.1.2.3) matches if the IP address of the received message equals 10.1.2.3.
  6. Unmatched global variables—If a global variable has not been set, or if you misspell its name, it is treated as a keyword and is not substituted in the expression.
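The following is an added example, not BMC's code, that implements a small evaluator for the expression features listed in the notes above: $N word references, the $address, $severity, and $time variables, the compare functions, keyword and wildcard matching, and/or/not with parenthetical nesting, and the rule that an unknown $variable is left as a literal keyword. The message record (SAMPLE) is constructed for illustration. Several details are not stated on this page and are assumptions here: not binds tightest, and binds tighter than or; eq and ne compare strings exactly; lt, gt, le, and ge compare numerically; llt, lgt, lle, and lge compare lexically; in is a substring test; and bare keywords match case-insensitively with * wildcards.

```python
"""Minimal evaluator for BMC Defender-style advanced match expressions.

Added example, not BMC's code. Precedence (not > and > or), numeric vs.
lexical compare semantics, substring 'in', and case-insensitive keyword
matching are assumptions, not documented behaviour.
"""
import fnmatch
import re

COMPARE_OPS = {"eq", "ne", "lt", "gt", "le", "ge",
               "llt", "lgt", "lle", "lge", "in"}
TOKEN_RE = re.compile(r"\(|\)|[^\s()]+")   # parentheses or runs of non-space text

# Constructed sample message as a collector might record it (hypothetical values).
SAMPLE = {
    "text": "auth username smith logon succeeded from workstation runtests",
    "address": "10.1.2.3",
    "severity": "4",
    "time": "14:32:05",
}


def substitute(token, msg):
    """Replace a $variable with its value; unknown variables stay as keywords (note 6)."""
    if not token.startswith("$"):
        return token
    name = token[1:]
    if name.isdigit():                       # $N: Nth word of the message, $1 is the first
        words = msg["text"].split()
        idx = int(name) - 1
        return words[idx] if 0 <= idx < len(words) else ""
    return str(msg[name]) if name in msg else token


def _number(s):
    try:
        return float(s)
    except ValueError:
        return None


def compare(left, op, right):
    """Apply one compare function to two already-substituted operands."""
    if op == "eq":
        return left == right
    if op == "ne":
        return left != right
    if op == "in":                           # (test in $8) matches 'testfile' or 'runtests'
        return left in right
    if op in ("llt", "lgt", "lle", "lge"):   # lexical (string) comparisons, assumed meaning
        return {"llt": left < right, "lgt": left > right,
                "lle": left <= right, "lge": left >= right}[op]
    a, b = _number(left), _number(right)     # lt/gt/le/ge: numeric, assumed meaning
    if a is None or b is None:
        return False                         # non-numeric operand: no match
    return {"lt": a < b, "gt": a > b, "le": a <= b, "ge": a >= b}[op]


class Parser:
    """Recursive-descent evaluator: or_expr := and_expr ('or' and_expr)*, etc."""

    def __init__(self, expr, msg):
        self.toks = TOKEN_RE.findall(expr)
        self.msg = msg
        self.pos = 0

    def peek(self, offset=0):
        i = self.pos + offset
        return self.toks[i] if i < len(self.toks) else None

    def take(self):
        if self.pos >= len(self.toks):
            raise ValueError("unexpected end of expression")
        tok = self.toks[self.pos]
        self.pos += 1
        return tok

    def parse_or(self):
        result = self.parse_and()
        while self.peek() == "or":
            self.take()
            rhs = self.parse_and()           # always consume the right side
            result = result or rhs
        return result

    def parse_and(self):
        result = self.parse_not()
        while self.peek() == "and":
            self.take()
            rhs = self.parse_not()
            result = result and rhs
        return result

    def parse_not(self):
        if self.peek() == "not":
            self.take()
            return not self.parse_not()
        return self.parse_atom()

    def parse_atom(self):
        if self.peek() == "(":
            self.take()
            result = self.parse_or()
            if self.take() != ")":
                raise ValueError("missing closing parenthesis")
            return result
        left = substitute(self.take(), self.msg)
        if self.peek() == "not" and self.peek(1) == "in":   # two-token 'not in'
            self.take()
            self.take()
            return not compare(left, "in", substitute(self.take(), self.msg))
        if self.peek() in COMPARE_OPS:
            op = self.take()
            return compare(left, op, substitute(self.take(), self.msg))
        # Bare keyword (possibly with * wildcard): matches if any message word matches it.
        return any(fnmatch.fnmatchcase(w.lower(), left.lower())
                   for w in self.msg["text"].split())


def matches(expr, msg):
    """Evaluate an advanced match expression against one received message."""
    p = Parser(expr, msg)
    result = p.parse_or()
    if p.peek() is not None:
        raise ValueError(f"unexpected token {p.peek()!r}")
    return result


if __name__ == "__main__":
    for e in ("($2 eq username) and ($3 eq smith) and logon",
              "($address eq 10.1.2.3)", "(test in $8)", "$severity le 3"):
        print(f"{e!r}: {matches(e, SAMPLE)}")
```

Because substitution happens before evaluation, a reference past the end of the message ($9 here) becomes an empty string rather than an error, so (eq) tests against it simply fail to match; when writing triggers, it is worth confirming that a word position is always populated in the message format you expect.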
