Cadet 3rd Class

Filter Events for a group of servers

I am trying to filter out Windows event ID 8003 for a list of servers. The list is more than 100 servers. Is there an easy way to filter out the events? I don't want to have a filter which says Device hostname = server1, Device hostname = server2, Device hostname = server3.

Commodore

You will have to get a little creative with this.

  • Look for common strings in the hostnames to create a filter.
  • Are they in the same network or networks that only they reside in?
  • Can you move these devices to a single connector?
  • Have you done asset categorization? You could create a category for these servers and apply that in a filter.

 

Fleet Admiral

Hello,

1) ArcSight SmartConnector User Guide:
https://community.microfocus.com/t5/ArcSight-Connectors/ct-p/ConnectorsDocs

On page 77 you have "Managing SmartConnector Filter Conditions". These are conditions that you use when running "runagentsetup" on the SmartConnector: configure the Destination settings and then, under the Destination settings, manually type in the condition under "Filter Out".

2) So you could:
a) move these specific hosts to a separate SmartConnector, and then you can apply a filter out on just the specific Event ID
b) if all those Windows hosts that you want to Filter Out are in the same subnet, then you could maybe use the "InSubnet" condition
c) if all those Windows hosts that you want to Filter Out are in a specified zone group, then you could use the "InGroup" condition

Regards,

Marijo
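An added example, not part of the replies above and not ArcSight code: a quick way to check whether the subnet approach is workable is to compute the widest CIDR blocks that cover every server to be filtered while containing none of the hosts whose events must be kept. The function name and all addresses are constructed for illustration, and it assumes you can export an IP address for each host from your asset inventory.

```python
import ipaddress

# Constructed sample data: servers whose event 8003 should be filtered out,
# and other Windows hosts on the same connector whose events must be kept.
TARGETS = ["10.20.30.10", "10.20.30.11", "10.20.30.12",
           "10.20.30.40", "10.20.31.5"]
OTHERS = ["10.20.30.200", "10.20.32.7"]


def exclusive_subnets(targets, others, min_prefix=16):
    """Return sorted CIDR blocks that cover every target address and
    contain no address from `others`.

    Each target starts as a single-host block and is widened one bit at a
    time until the next wider block would include a host that must be kept,
    or until the block reaches `min_prefix` bits.
    """
    keep = [ipaddress.ip_address(a) for a in others]
    blocks = set()
    for addr in targets:
        net = ipaddress.ip_network(addr)  # single-host block
        while net.prefixlen > min_prefix:
            wider = net.supernet()
            if any(k in wider for k in keep):
                break  # widening further would also match a kept host
            net = wider
        # Blocks found this way are either identical or disjoint,
        # so a set is enough to deduplicate them.
        blocks.add(net)
    return sorted(blocks)


if __name__ == "__main__":
    blocks = exclusive_subnets(TARGETS, OTHERS)
    print(f"{len(TARGETS)} servers are covered by {len(blocks)} subnet(s):")
    for block in blocks:
        print(" ", block)
```

If the result is a handful of blocks, one subnet condition per block replaces the per-hostname list; if it comes back as roughly one block per server, the servers are interleaved with other hosts and a separate connector or a zone group is the better fit.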
