arlappal Valued Contributor.

Logger to ESM forwarder query for certain timeline

Hi,

I'm struggling with the forwarder query for a certain timeline. The main point is to make a query for logons during out-of-business time.

How have people solved this kind of query? On the timestamp or start/end time, I found the problem with the time parameter, because it always uses yyyy/mm/dd before the event time.

Knowledge Partner

Re: Logger to ESM forwarder query for certain timeline

Hi

Do you want to forward events that occur out of hours (i.e. to a third party tool or ESM) or do you want to create an alert for activity out of business hours?

arlappal Valued Contributor.

Re: Logger to ESM forwarder query for certain timeline

Hi.

The point is to forward out-of-business-hours successful logins to ESM.

Also, that activity out of business hours is an interesting case.

Knowledge Partner

Re: Logger to ESM forwarder query for certain timeline

Thanks.
Is there a reason why you send events to Logger first and then forward to ESM?
Ideally you could send a filtered/aggregated stream of the events direct from the SmartConnector to the ESM as well as the Logger, and then use the ESM to alert on out-of-hours activity?

I don't believe there is a way, using the Logger Forwarder, to only forward events out of working hours within the Logger. So you are left with an option to forward all successful logins as a real-time stream and then use ESM to track/alert on out of hours.


Alternative options (not necessarily all good or practical ones):

Configure a Saved Search alert on the Logger that searches for logins and is scheduled to run during "out of hours" time periods, and have that alert go via a Syslog connector to the ESM.

You could forward the logon events received by the Logger to a Syslog SmartConnector destination and use the settings on that connector to filter out events that occur between 08:00 and 18:00 and forward the events outside of those hours to the ESM.

It is worth checking whether your understanding of out-of-hours work matches the reality of your business. With the use of VPN, flexible working, O365 and any regional offices or partners etc., we tend to find that most environments don't have traditional working hours any more, so we need to be more subtle and look for anomalies, i.e. logons to specific/sensitive servers or DBs, unusual geo-location, unusual user activity patterns. It may be worth looking at some of the functionality of Interset or other UEBA tools as you look to improve this sort of use case.

Knowledge Partner

Re: Logger to ESM forwarder query for certain timeline

I agree here with Kevin. In the past we were told to send the logs to Logger and then to ESM, but this does not really help to create good use cases, and if you try to send more than 1.5k EPS via a forwarder you will get into caching/dropping states.

So sending from connector to ESM and Logger in parallel is seen as best practice "today".

In ESM I would generate a use case that does what you are looking for, or do a trend and a report.

If you would really like to filter, I would send all login events to ESM and work with an alternate filter on the connector tab in ESM that filters stuff between certain hours, instead of getting it the other way round.

However, you might get issues with delayed events...

So I would use no filter but well-designed use cases/trends/reports.

Cheers

A
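As an added example (not ArcSight or Micro Focus code), here is the filter the thread keeps circling back to, "successful logons outside 08:00-18:00", as a stand-alone check over a few constructed CEF-style lines; it also flags the delayed-event case raised above, where a filter keyed on the time Logger received the event, rather than the event's own timestamp, would decide differently. The +02:00 site offset, the Mon-Fri work week, the ISO-formatted rt field and all sample data are assumptions.

```python
# Added example, not ArcSight code: reference implementation of the out-of-hours
# successful-logon filter discussed in the thread, run over constructed CEF-style lines.
from datetime import datetime, time, timedelta, timezone

SITE_TZ = timezone(timedelta(hours=2))          # assumed site offset; real sites want DST-aware zoneinfo
BUSINESS_START, BUSINESS_END = time(8, 0), time(18, 0)   # window named in the thread
BUSINESS_DAYS = {0, 1, 2, 3, 4}                  # Monday..Friday per datetime.weekday()

def parse_cef_extension(line: str) -> dict:
    """Return the key=value extension of a CEF line as a dict.
    Naive split: the constructed samples have no spaces or escapes inside values."""
    fields = line.split("|", 7)                  # 7 header fields, then the extension
    if len(fields) < 8 or not fields[0].startswith("CEF:"):
        raise ValueError("not a CEF line")
    return dict(token.split("=", 1) for token in fields[7].split())

def is_out_of_hours(ts: datetime) -> bool:
    """True when ts falls outside Mon-Fri 08:00-17:59:59 in the site timezone."""
    local = ts.astimezone(SITE_TZ)
    if local.weekday() not in BUSINESS_DAYS:
        return True
    return not (BUSINESS_START <= local.time() < BUSINESS_END)

def classify(received_at_iso: str, line: str):
    """Decide whether a Logger-received logon should be forwarded to ESM.
    Returns None for events the filter drops (non-success); otherwise a dict with the
    decision keyed on event time plus a flag showing whether a filter keyed on receipt
    time (the delayed-event problem mentioned in the thread) would have decided differently."""
    ext = parse_cef_extension(line)
    if ext.get("outcome") != "success":
        return None
    event_time = datetime.fromisoformat(ext["rt"])   # assumption: ISO rt; real CEF rt differs
    received_at = datetime.fromisoformat(received_at_iso)
    by_event, by_receipt = is_out_of_hours(event_time), is_out_of_hours(received_at)
    return {"user": ext.get("suser"), "forward": by_event,
            "receipt_time_would_differ": by_event != by_receipt}

# Constructed sample: (time Logger received the event, CEF line). 2023-06-12 is a Monday.
HDR = "CEF:0|Constructed|AuthSrv|1.0|100|Logon|3|"
SAMPLE = [
    ("2023-06-12T03:15:04+02:00", HDR + "suser=alice outcome=success rt=2023-06-12T03:15:00+02:00"),
    ("2023-06-12T09:30:02+02:00", HDR + "suser=bob outcome=success rt=2023-06-12T09:30:00+02:00"),
    ("2023-06-10T10:00:01+02:00", HDR + "suser=carol outcome=success rt=2023-06-10T10:00:00+02:00"),
    ("2023-06-12T17:59:30+02:00", HDR + "suser=dave outcome=failure rt=2023-06-12T17:59:00+02:00"),
    ("2023-06-12T19:05:00+02:00", HDR + "suser=erin outcome=success rt=2023-06-12T17:30:00+02:00"),
]

def run_filter(sample=SAMPLE) -> list:
    """Apply the filter to each sample event and keep the forwarding decisions."""
    return [r for r in (classify(recv, line) for recv, line in sample) if r is not None]

if __name__ == "__main__":
    for decision in run_filter():
        print(decision)
```

Erin's logon happened inside business hours but reached Logger after 19:00, so a receipt-time filter would forward it while an event-time filter drops it; that is the delayed-event mismatch the thread warns about.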

Knowledge Partner

Re: Logger to ESM forwarder query for certain timeline

Here is a workaround:

1- Register your connector to ESM.
2- Filter out all events in the ESM destination settings.
3- Configure an "Alternate" destination settings for ESM and define out-of-business hours. Filter out events not related to logons.

I've never tried this, but it should work.
