
Juniper NETWORKS STRM - TECHNICAL NOTE REV 6-2008 Manual page 6


Release 2008.2
Table 4 Matcher Field Names (continued)

| Field Name | Description |
| --- | --- |
| Protocol | Specify the protocol associated with the event; for example, TCP, UDP, or ICMP. If a protocol is not properly parsed out of a message, ports that were parsed may not appear in STRM (it only displays ports for port-based protocols). |
| UserName | Specify the user name associated with the event. |
| HostName | Specify the host name associated with the event. This field is usually only associated with identity events. |
| GroupName | Specify the group name associated with the event. This field is usually only associated with identity events. |
| NetBIOSName | Specify the NetBIOS name associated with the event. This field is usually only associated with identity events. |

Single-Event Modifier (event-match-single)

Single-event modifier (event-match-single) matches (and subsequently modifies) exactly one type of event, as specified by the required, case-sensitive EventName parameter. This entity allows mutation of successful events by changing the device event category, severity, or the method for sending identity events.

When events matching this event name are parsed, the device category, severity, and identity properties are imposed upon the resulting event. An event-match-single entity consists of three optional properties:

Table 5 Single-Event Modifier Parameters

| Parameter | Description |
| --- | --- |
| device-event-category | Specify a new category for searching in the QID for the event. This is an optimizing parameter, since some devices have the same category for all events. |
| severity | Specify the severity of the event. This parameter must be an integer value between 1 and 10. If a severity of less than 1 or greater than 10 is specified, the system defaults to 5. If not specified, the default is whatever is found in the QID. |
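The severity rules above mean that a mistyped value is silently replaced by 5 rather than rejected, which can hide a high-severity event behind a medium score. The following check is an added example, not code from the Juniper manual: it audits event-match-single entries before an extension is deployed. The XML layout, the `device-extension` root and the `event-name` attribute spelling are assumptions, and the sample document is constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample extension fragment; element layout and the "event-name"
# attribute spelling are assumptions, not taken from the manual page.
SAMPLE = """
<device-extension>
  <event-match-single event-name="Login Failed" device-event-category="Auth" severity="8"/>
  <event-match-single event-name="Login OK" severity="0"/>
  <event-match-single event-name="Port Scan" severity="high"/>
  <event-match-single event-name="Logout"/>
  <event-match-single device-event-category="Auth" severity="3"/>
</device-extension>
"""

DEFAULT_SEVERITY = 5  # value the page says is used when severity is outside 1..10


def effective_severity(raw):
    """Return (severity, warning); severity None means it is not set by this entry."""
    if raw is None:
        return None, None  # not specified: whatever is found in the QID applies
    try:
        value = int(raw.strip())
    except ValueError:  # behaviour for non-integers is not stated on the page: flag it
        return None, f"severity {raw!r} is not an integer"
    if 1 <= value <= 10:
        return value, None
    return DEFAULT_SEVERITY, f"severity {value} out of range, system defaults to {DEFAULT_SEVERITY}"


def audit(xml_text):
    """List (event name, effective severity, warnings) per event-match-single."""
    results = []
    for el in ET.fromstring(xml_text).iter():
        if el.tag.rsplit("}", 1)[-1] != "event-match-single":
            continue  # local-name match, so a namespaced document also works
        name = el.get("event-name")
        severity, warning = effective_severity(el.get("severity"))
        warnings = [w for w in (warning,) if w]
        if not name:
            warnings.append("required EventName is missing")
        results.append((name, severity, warnings))
    return results


if __name__ == "__main__":
    for name, severity, warnings in audit(SAMPLE):
        shown = "from QID" if severity is None else severity
        print(f"{name!r}: severity={shown} {'; '.join(warnings)}")
```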
