I'm trying to set a MESSAGE filter looking for the string "src=10.1.1." - then I want to append a regex to limit the IP Addresses in this Rule.
For example, the field input I use is:
"src=10.1.1."[1-9]|[1-4][0-9]
but all IPs are visible.
For testing, I use "src=10.1.1."[2], and make sure the test string IP Address is 10.1.1.2 - test passes.
So I change the string to "src=10.1.1."[4], and force an event on that server. It appears in the messages - but so do all the other IPs.
Can someone identify why this regex is not working?
Thx
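
An added example, not part of the original post: it runs the pattern from the post through Python's `re` module to show how alternation precedence, unescaped dots and a missing end boundary widen a filter like this one. The filter product's own quoting syntax and regex flavor are not stated in the post, so the quotes are dropped here; the log lines and the names `LOOSE`, `STRICT` and `matching_sources` are constructed for illustration.

```python
import re

# Constructed sample syslog messages (not taken from the post).
SAMPLES = [
    "fw01 deny src=10.1.1.2 dst=192.0.2.10",
    "fw01 deny src=10.1.1.49 dst=192.0.2.10",
    "fw01 deny src=10.1.1.50 dst=192.0.2.10",
    "fw01 deny src=10.1.1.200 dst=192.0.2.10",
    "fw01 deny src=10.2.7.8 dst=192.0.2.33",
]

# The post's pattern with the tool-specific quotes removed (assumption).
# "|" binds loosest, so this reads as:
#   "src=10.1.1.[1-9]"  OR  "[1-4][0-9]" anywhere in the message.
# The unescaped dots also match any character, and nothing stops the
# last octet from continuing with more digits.
LOOSE = re.compile(r"src=10.1.1.[1-9]|[1-4][0-9]")

# Same intent (last octet 1-49) with the alternation grouped, the dots
# escaped, and a lookahead that rejects a following digit.
STRICT = re.compile(r"src=10\.1\.1\.(?:[1-4][0-9]|[1-9])(?![0-9])")


def matching_sources(pattern, lines):
    """Return the src= value of every line the filter pattern lets through."""
    hits = []
    for line in lines:
        if pattern.search(line):
            hits.append(re.search(r"src=(\S+)", line).group(1))
    return hits


if __name__ == "__main__":
    print("loose :", matching_sources(LOOSE, SAMPLES))
    print("strict:", matching_sources(STRICT, SAMPLES))
```

With the ungrouped pattern every sample line passes, including the 10.2.7.8 source, because the bare `[1-4][0-9]` branch matches the "10" in any address.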