Elepheye - Filter - Rule

• Modify records by a rule text file.
• The file must be encoded by Unicode (UTF-16LE) with BOM.

rule PATH

PATH

Path to a rule text file.

Rule text file

ENTRY [newline ENTRY] ...

Entries are evaluated from top to bottom, each time reading a new record.

ENTRY

MATCH [--and MATCH] ... COMMAND ...

If matches are evaluated as true, commands are executed.

MATCH

FIELD_NAME [--not] [--ignore-case] PATTERN

FIELD_NAME

A field name which is defined by the source record.

--not

Invert the result of the match.

--ignroe-case

Do the case-insensitive match.

PATTERN

The pattern to match the field value. It can contain wildcards `*' and `?'.

--and

Make logical AND.

COMMAND

--exit

Ignore following rule entries.

--drop

Skip the current record.

--disable FIELD_NAME ...

Replace field values with empty strings. If the key field is disabled, the entire record is dropped.

--ignore-case FIELD_NAME ...

Convert field values to uppercase.

--set OPTION_NAME ...

Set options.

• Empty lines are just ignored.
• Characters between a sharp (`#') and a newline, are ignored as a comment.
• To specify a token which contains sharps (`#'), whitespaces or newlines, enclose it with double quotes (`"').
• To specify a token which contains double quote (`"'), enclose it with double quotes (`"'), and put a couple of double quotes ('""').
• To specify an empty token, just put a couple of double quotes ('""').

path * --disable md5 sha1

Disable `md5' and `sha1' fields of all records.

path * --ignore-case path

Convert `path' field of all records to uppercase.

attributes *DIRECTORY* --drop

Drop all directories.

path --not *:\*:* --drop
path --not \\?\UNC\*:* --drop

Find only streams.

reparse_tag "" --drop

Find only reparse points.

path --ignore-case *.log --and attributes --not *DIRECTORY* --drop
path --ignore-case *.evt --and attributes --not *DIRECTORY* --drop

Drop non-directories which have extension `log' or `evt'.

attributes *DIRECTORY* --exit
path --ignore-case *.log --drop
path --ignore-case *.evt --drop

Same result in another way.

path \\?\C:\Temp --drop
path \\?\C:\Temp:* --drop
path \\?\C:\Temp\* --drop

Drop `\\?\C:\Temp' and its streams and contents.

path \\?\C:\Temp --drop --set ignore_children

Same result in more efficient way, because it stops to find children.