|
1 | | -It's the window where you can see all the events that the daemon has registered. |
| 1 | +The events window is where you can see all the events that the daemon has registered. |
2 | 2 |
|
3 | | -It's divided by tabs, where you can search for events based on the type: nodes, rules, hosts, applications, etc. |
| 3 | +It's divided in tabs, where you can search for events based on the type: nodes, rules, hosts, applications, etc. |
| 4 | + |
| 5 | +* [Events tab](#the-events-tab) |
| 6 | +* [Rules tab](#the-rules-tab) |
| 7 | +* [Netstat tab](#the-netstat-tab) |
| 8 | +* [Filtering data](#filtering-data) |
4 | 9 |
|
5 | 10 | The Events tab |
6 | 11 | --- |
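Review bot: new line 3 reads "It's divided in tabs"; the idiomatic preposition is "into" ("It's divided into tabs, where you can search for events based on the type"). The added table of contents also depends on the auto-generated anchors `#the-events-tab`, `#the-rules-tab`, `#the-netstat-tab` and `#filtering-data`, which only resolve while the headings are spelled exactly "The Events tab", "The Rules tab", "The Netstat tab" and "Filtering data", so the links need re-checking whenever a heading is renamed.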
@@ -50,3 +55,54 @@ This view lists all the connections of a node. It's similar to `netstat` or `ss` |
50 | 55 | <img width="1100" height="553" alt="Captura de pantalla de 2026-02-12 00-35-34" src="https://github.com/user-attachments/assets/a32ef8eb-5619-448e-bc1d-f4a991732f88" /> |
51 | 56 |
|
52 | 57 | Double click on a row to view the details of the item. |
| 58 | + |
| 59 | +Filtering data |
| 60 | +--- |
| 61 | + |
| 62 | +The search text box allows to filter data of the current view: |
| 63 | + |
| 64 | +<img width="743" height="91" alt="Captura de pantalla de 2026-02-11 00-33-59" src="https://github.com/user-attachments/assets/98d8be11-f39f-48bb-b85e-10427201f800" /> |
| 65 | + |
| 66 | +By default it'll search the text in all columns of the view. |
| 67 | + |
| 68 | +<img width="858" height="167" alt="Captura de pantalla de 2026-02-13 00-20-32" src="https://github.com/user-attachments/assets/952700d2-9f56-43c5-85ae-95faec333fda" /> |
| 69 | + |
| 70 | +#### Advanced filtering |
| 71 | + |
| 72 | +If you type one of the keywords (`conn.`, `rule.`, `node.`) you can build complex queries: |
| 73 | + |
| 74 | +<img width="866" height="141" alt="Captura de pantalla de 2026-02-13 00-24-09" src="https://github.com/user-attachments/assets/829dfbb2-c8ab-4c02-80fa-9384c04c1f08" /> |
| 75 | + |
| 76 | +You can type `.` to show the list of available fields. |
| 77 | + |
| 78 | +Syntaxis: |
| 79 | + |
| 80 | +|Field|description| |
| 81 | +|-------|-----------| |
| 82 | +|conn.time| Creation time| |
| 83 | +|conn.srcip| Source IP| |
| 84 | +|conn.srcport| Source port| |
| 85 | +|conn.dstip| Destination IP| |
| 86 | +|conn.dstport| Destination port| |
| 87 | +|conn.dsthost| Destination host| |
| 88 | +|conn.uid| UID of the connection | |
| 89 | +|conn.pid| PID of the connection | |
| 90 | +|conn.process| Absolute path of the process| |
| 91 | +|conn.process_args| Command line (what the user typed)| |
| 92 | +|conn.process_cwd | Current Working Directory of the process | |
| 93 | +|conn.rule| The rule that was applied on this connection| |
| 94 | +|conn.node| The node where the connection was originated| |
| 95 | +|node.addr| alias of conn.node| |
| 96 | +|rule.name| alias of conn.rule| |
| 97 | +|rule.action| The action that was applied on the connection| |
| 98 | + |
| 99 | +|Operand|Description| |
| 100 | +|-------|-----------| |
| 101 | +|=|matches the item exactlly| |
| 102 | +|>=| Matches an item equal or greater than the value| |
| 103 | +|<=| Matches an item equal or less than the value| |
| 104 | +|~| Searches for strings with the value typed: `github.com` -> `*github.com*`| |
| 105 | +|>~| Searches for right side of the string: `github.com` -> `github.com*` | |
| 106 | +|<~| Searches for left side of the string: `github.com` -> `*github.com` | |
| 107 | +|and| combines expressions: `conn.dstport=53 and conn.dsthost<~github.com`| |
| 108 | +|or| combines expressions: `conn.dstport=53 or conn.dsthost<~github.com`| |
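Review bot: a few wording and structure fixes in the new "Filtering data" section: "Syntaxis:" should be "Syntax:", "exactlly" should be "exactly", and "The search text box allows to filter data" should be "The search text box lets you filter the data of the current view". The `#### Advanced filtering` heading jumps from the h2 ("Filtering data", underlined with `---`) straight to h4; `### Advanced filtering` keeps the outline consistent. In the second table the column header "Operand" should be "Operator", since the rows list `=`, `>=`, `~`, `and`, `or`. The `>~` and `<~` descriptions ("Searches for right side of the string" / "left side") are ambiguous, while the examples are clear: `github.com -> github.com*` is a starts-with match and `github.com -> *github.com` is an ends-with match, so say "Matches values that start with the text" and "Matches values that end with the text". For `conn.process_args`, "Command line (what the user typed)" is misleading because the daemon reports the argument list of the process, which is not necessarily anything a user typed; "Command line arguments of the process" is more accurate. It would also help readers to state whether `=` and `~` are case-sensitive and whether a value containing spaces needs quoting.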