I’ve added some Cisco devices as Raw Log event sources in InsightIDR and I’d like to create custom alerts for some specific events. I’m having trouble getting the query correct. If I wanted to trigger an alert on a log that contains BGP-5-ADJCHANGE, what would that query look like when setting up the custom rule?
Here’s an example of a log:
01 Dec 2023 08:47:00.870<189>142: Dec 1 16:47:00.916: %BGP-5-ADJCHANGE: neighbor x.x.x.x Down Peer closed the session Raw Log/Cisco Router1
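As an added illustration (not part of the original post, and not InsightIDR's own query language), the Python below shows the fields a rule for this line format would key on: it parses the Cisco syslog layout of the sample line, keeps only %BGP-5-ADJCHANGE events, and pulls out the neighbor, the new state and the reason. It assumes the trailing "Raw Log/Cisco Router1" is the event source name the console appends on display rather than part of the device's message; the extra sample lines are constructed.

```python
import re

# Shape of the post's sample line: collector timestamp, <PRI>, sequence number,
# device timestamp, %FACILITY-SEVERITY-MNEMONIC:, message text, then the event
# source name ("Raw Log/<device>") the console appends when displaying the event.
SYSLOG_RE = re.compile(
    r"<(?P<pri>\d+)>(?P<seq>\d+):\s+(?P<dev_ts>[A-Z][a-z]{2}\s+\d{1,2}\s+[\d:.]+):\s+"
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>\d)-(?P<mnemonic>[A-Z0-9_]+):\s+(?P<text>.*)$"
)
SOURCE_RE = re.compile(r"\s+Raw Log/(?P<source>.+)$")   # assumed display suffix
ADJ_RE = re.compile(r"neighbor (?P<neighbor>\S+) (?P<state>Up|Down)(?: (?P<reason>.+))?$")

def parse_cisco_syslog(line):
    """Split one raw line into fields; returns None for lines that do not match."""
    m = SYSLOG_RE.search(line)
    if m is None:
        return None
    ev = m.groupdict()
    pri = int(ev.pop("pri"))
    ev["pri_facility"], ev["pri_severity"] = pri >> 3, pri & 7   # RFC 3164 PRI split
    ev["seq"], ev["severity"] = int(ev["seq"]), int(ev["severity"])
    src = SOURCE_RE.search(ev["text"])
    ev["source"] = src.group("source") if src else None
    ev["text"] = SOURCE_RE.sub("", ev["text"])
    return ev

def bgp_adjacency_changes(lines):
    """Return one alert record per %BGP-5-ADJCHANGE line, in input order."""
    alerts = []
    for line in lines:
        ev = parse_cisco_syslog(line)
        if ev is None or (ev["facility"], ev["mnemonic"]) != ("BGP", "ADJCHANGE"):
            continue
        adj = ADJ_RE.search(ev["text"])
        fields = adj.groupdict() if adj else {"neighbor": None, "state": None, "reason": None}
        alerts.append({"seq": ev["seq"], "source": ev["source"], **fields})
    return alerts

# Constructed sample input: the post's own line plus three made-up lines.
SAMPLE_LINES = [
    "01 Dec 2023 08:47:00.870<189>142: Dec 1 16:47:00.916: %BGP-5-ADJCHANGE: neighbor x.x.x.x Down Peer closed the session Raw Log/Cisco Router1",
    "01 Dec 2023 08:47:05.120<189>143: Dec 1 16:47:05.101: %LINEPROTO-5-UPDOWN: Line protocol on Interface Gi0/1, changed state to down Raw Log/Cisco Router1",
    "01 Dec 2023 08:49:12.004<189>144: Dec 1 16:49:11.990: %BGP-5-ADJCHANGE: neighbor x.x.x.x Up Raw Log/Cisco Router1",
    "not a syslog line at all",
]

if __name__ == "__main__":
    for alert in bgp_adjacency_changes(SAMPLE_LINES):
        print(alert)
```

Matching on the facility and mnemonic pair rather than the bare substring is what keeps a BGP peer flap from being confused with other notices at the same severity, and the Down/Up pairing per neighbor is the signal worth alerting on.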