Highlighted
Honored Contributor.
Honored Contributor.
1444 views

Filter events from Manager Internal Connector

Jump to solution

Dear All,

I would like to filter some of the events generated by the Manager Internal Connector,

as its configuration its locked, I can't do it from console.

After searching for a while, I am not sure if it is posible

https://protect724.hp.com/message/50473#50473

IDK if you can configure the filter out to some especific events(in my case - some AL events), or just audit events,

if it is posible, how can it be done?

In addition, I have read the server.defaults.properties, where appears some parameters and sections that could be usefull:

...

# ------------------------------------------------------------

# Misceallaneous confugiration.

# ------------------------------------------------------------

# Make this false to disable loading jsps at server startup

# This overrides jsp.preload.minimal

jsp.preload=true

# Make this true to only compile a minimal set of jsps

# (jsp.preload should be false in this case)

jsp.preload.minimal=false

name.resolver.threadcount=10

agents.initialize=false

# Comma Separated list of fields that are being summed up on connectors

# while aggregating events on connectors

# The list is empty by default

# Example value:

# connector.summation.fields=bytesIn,bytesOut

connector.summation.fields=

#-----------------------------

....

# Manager agent

#-----------------------------

# URI for the network to which the manager internal agent should belong to

# By default the manager belongs to the Local network

# Example: /All Networks/MyNetwork

manager-agent.network.uri=

# Whether we should update the network for the internal agent if it was created before.

# Default value: false (once the internal agent is created its zone won't be changed)

manager-agent.network.update=false

...

Does somebody ever configurate the Manager Internal Connector?

BTW, manager's version is 5.0.

Thanks in advance,

Kind regards,

Karl.

Labels (2)
0 Likes
1 Solution

Accepted Solutions
Highlighted
Honored Contributor.
Honored Contributor.

Hi Dmitry,

Yes, you right, they mention how to disable the ALs audit events:

activelist.audit.insert=false

activelist.audit.update=false

However, I just want to filter out the audit events of a couple of lists, not all the ALs.

In the very first posts related they mention the ArcSight's filters:

https://protect724.hp.com/message/7117#7117

that filter is not to filter-out internal events, actually is this one:

/All Filters/ArcSight System/Event Types/Blocked ArcSight Internal Events

By default is setted to false(don't filter out a thing), I have setted to filter-out the events from an specific AL and it works!

(Filter applied to audit events before they are inserted. Modify add to this filter to disable internal events as needed.)

So it was easier than I though, I hope it would be useful for somebody,

Regards,

Karl.

View solution in original post

0 Likes
6 Replies
Highlighted
Absent Member.
Absent Member.

Hi,

have a look at this thread:
https://protect724.hp.com/message/29591#29591

Similar task (filter out some AL events).

0 Likes
Highlighted
Honored Contributor.
Honored Contributor.

Hi Dmitry,

Yes, you right, they mention how to disable the ALs audit events:

activelist.audit.insert=false

activelist.audit.update=false

However, I just want to filter out the audit events of a couple of lists, not all the ALs.

In the very first posts related they mention the ArcSight's filters:

https://protect724.hp.com/message/7117#7117

that filter is not to filter-out internal events, actually is this one:

/All Filters/ArcSight System/Event Types/Blocked ArcSight Internal Events

By default is setted to false(don't filter out a thing), I have setted to filter-out the events from an specific AL and it works!

(Filter applied to audit events before they are inserted. Modify add to this filter to disable internal events as needed.)

So it was easier than I though, I hope it would be useful for somebody,

Regards,

Karl.

View solution in original post

0 Likes
Highlighted
Absent Member.
Absent Member.

Oh yeah, I've found it a long time ago in a galaxy far far away and completely forgot about it

Thanks for reminding, bookmarked.

P.S. Best threads when the inquirer answers the question by himself.

0 Likes
Highlighted
Honored Contributor.
Honored Contributor.

Hi all.

I need to disable audit events Add to active list for specified Active List, but another type of audit (ActiveList entry expired) must continue auditing.

Is this possible?

0 Likes
Highlighted
Honored Contributor.
Honored Contributor.

Hi Alex,

Yes, you can specify it in the filter, you just have to edit the conditions on the filter:

/All Filters/ArcSight System/Event Types/Blocked ArcSight Internal Events

I suggest you to do a test with a small list and simulating those events, add and expire entry, first without editing that filter and then adding the conditions (filepath is the path of the lists you want, and name or deviceEventClassId for the audit-event). You can examine the events though a live active chanel,

Regards,

Karl.

0 Likes
Highlighted
Honored Contributor.
Honored Contributor.

Thank you, Karl. Add more complex condition to this filter is simple but not that obvious to me.

0 Likes
The opinions expressed above are the personal opinions of the authors, not of Micro Focus. By using this site, you accept the Terms of Use and Rules of Participation. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.