• Adding a forwarding rule to Operations for logs that catch 'FIREWALL-PKTLOGS' and 'DROP' events fails.
• The rule is configured with he filter 'appname' = 'FIREWALL-PKTLOGS' and 'Text'; != 'PASS'

• Aria Operations for Logs 8.18.x

The 'Log Forwarding' filter does not behave in the same way as the 'Explore Logs' filter. Machine learning is used to optimise results in 'Explore Logs' and is not available for 'Log Forwarding' 

To achieve the goal of sending the dropped DFW events to an endpoint, the following filters can be used.

• 'Text', 'Matches'. '*FIREWALL-PKTLOGS*'
• 'Text', 'Matches', '*DROP*'

• When designing filters to catch specific events, the 'Text' and 'Matches' are the most reliable. 
• Find unique strings within the events that are to be filtered and add wildcards (*) to the start and end of the string.