andrea1993 Absent Member.
Absent Member.
519 views

How to define filter out for duplicate Windows event

HI,

I need to define a filter on SmartConnector to exclude duplicated logs, and for take only authentication events.

In my case i have multiple Active directories syncronized, so i receive duplicated logs.

Now I have defined this filter that exclude logs from some services users and take authentication events for other users:

--------------------------------------------------------

(destinationUserName Contains "xxxxxxxxx") OR (destinationUserName Contains "yyyyy") OR (destinationUserName Contains "zzzzzzz") OR (destinationUserName Contains "ccccccc") AND NOT ((deviceEventClassId Contains "Security:528") OR (deviceEventClassId Contains "Security:551") OR (deviceEventClassId Contains "Security:529") OR (deviceEventClassId Contains "Security:530") OR (deviceEventClassId Contains "Security:531") OR (deviceEventClassId Contains "Security:532") OR (deviceEventClassId Contains "Security:534") OR (deviceEventClassId Contains "Security:535") OR (deviceEventClassId Contains "Security:539") OR (deviceEventClassId Contains "Security:538") OR (deviceEventClassId Contains "Security:680") OR (deviceEventClassId Contains "Security:540") OR (deviceEventClassId Contains "Security:681") OR (deviceEventClassId Contains "Security:552") OR (deviceEventClassId Contains "Security:836") OR (deviceEventClassId Contains "Security:683") OR (deviceEventClassId Contains "Security:644") OR (deviceEventClassId Contains "Microsoft-Windows-Security-Auditing:4776") OR (deviceEventClassId Contains"Microsoft-Windows-Security-Auditing:4625"))

i need to define a filter on SmartConnector to exclude

--------------------------------------------------------

Can you help me to define a flter that can answer to my question.

Regards

Andrea

Labels (2)
0 Likes
1 Reply
Gayan Acclaimed Contributor.
Acclaimed Contributor.

Re: How to define filter out for duplicate Windows event

Hi Andrea,

You can use IN operator instead of OR.

Cheers

Gayan

Mr
0 Likes
The opinions expressed above are the personal opinions of the authors, not of Micro Focus. By using this site, you accept the Terms of Use and Rules of Participation. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.