Filter Events for a group of servers
I am trying to filter out Windows event ID 8003 for a list of servers. The list is more than 100. Is there an easy way to filter out the events? I don't want to have a filter which says Device hostname = server1, Device hostname = server2, Device hostname = server3.
You will have to get a little creative with this.
- Look for common strings in the hostnames to create a filter
- Are they in the same network or networks that only they reside in?
- Can you move these devices to a single connector?
- Have you done asset categorization? You could create a category for these servers and apply that in a filter.
1) ArcSight SmartConnector User Guide:
On page 77 you have "Managing SmartConnector Filter Conditions". These are the conditions that you use when running "runagentsetup" on the SmartConnector: configure the Destination settings, and then under the Destination settings manually type in the condition under "Filter Out".
2) So you could:
a) move these specific hosts to a separate SmartConnector, and then you can apply a filter out on just the specific Event ID
b) if all those Windows hosts that you want to filter out are in the same subnet, then you could maybe use the "InSubnet" condition
c) if all those Windows hosts that you want to filter out are in a specified zone group, then you could use the "InGroup" condition
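
Before relying on a subnet-based condition, it helps to check the question raised above: do the servers sit in networks that only they reside in? The following is an added example, not part of the original thread and not ArcSight code. It takes a constructed inventory (hostnames, addresses and the /24 grouping are assumptions) and reports which subnets contain only the target servers and which servers would need another approach, such as a separate connector or an asset category.

```python
import ipaddress
from collections import defaultdict

# Constructed sample inventory (hypothetical hostnames and addresses).
TARGETS = {  # servers whose event 8003 should be filtered out
    "app01": "10.20.4.11", "app02": "10.20.4.12",
    "app03": "10.20.5.20", "app04": "10.20.5.21",
    "db01": "10.30.1.5",
}
OTHERS = {   # every other host reporting through the same connector
    "dc01": "10.30.1.10", "web01": "10.40.0.7",
}

def plan_subnet_filter(targets, others, prefix=24):
    """Split target hosts into subnets safe to filter on and leftover hosts.

    A /prefix network is 'safe' only when no non-target host lives in it,
    so a subnet condition cannot silently drop events from other machines.
    Returns (list of CIDR strings, sorted list of leftover hostnames).
    """
    by_net = defaultdict(list)
    for host, ip in targets.items():
        net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
        by_net[net].append(host)

    other_ips = [ipaddress.ip_address(ip) for ip in others.values()]
    safe, leftover = [], []
    for net, hosts in by_net.items():
        if any(ip in net for ip in other_ips):
            leftover.extend(hosts)   # shared subnet: filter these another way
        else:
            safe.append(net)

    # Merge adjacent safe networks so the resulting condition list stays short.
    merged = [str(n) for n in ipaddress.collapse_addresses(safe)]
    return merged, sorted(leftover)

if __name__ == "__main__":
    subnets, remaining = plan_subnet_filter(TARGETS, OTHERS)
    print("Subnets containing only target servers:", subnets)
    print("Targets sharing a subnet with other hosts:", remaining)
```

With the sample data, the two application subnets merge into one CIDR, while `db01` is flagged because it shares its subnet with a host that must keep reporting event 8003.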