mdearing971 (Trusted Contributor)

Segregating data within Logger

I was told that this was possible with Logger version 6.5 and up. We have two entities pushing events into a single Logger pool and we don't want each entity to see each other's data. What's the best way to accomplish this?

MD
4 Replies
Knowledge Partner

Re: Segregating data within Logger

It depends on the topology.

- You can create separate storage groups and forward logs accordingly.

- You can create search group filters and assign them to users.

------------------------------------
Please use the Like button below, if you find this post useful or mark it as an accepted solution if it resolves your issue.
mdearing971 (Trusted Contributor)

Re: Segregating data within Logger

I believe search group filters are the route I am looking for: I want users to be able to query only the data from their devices and not from the other customer whose events are being ingested into the same Logger. Each customer comes over their own connector.

MD
Micro Focus Expert

Re: Segregating data within Logger

Then search group filters are indeed what you are looking for. When adding these types of filters to users or groups, those users are limited to whatever logs the query matches.

As long as there are no events that suddenly, down the line, start hitting this query, there should not be an issue.

In an MSSP environment, for example, I would commonly create filters based on the customer's name, as that should never hit any other customer's data.

-----------------------------------------------------------------------------------------
All topics and replies made are based on my personal opinion, viewpoint and experience; they do not represent the viewpoints of Micro Focus.
All replies are based on best effort and cannot be taken as official support replies.
//Marius
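The mechanism Marius describes, a mandatory per-group filter ANDed with the user's own query, together with his caveat about events that later start matching (or stop matching) a filter, modelled in Python as an added example. This is not Logger's own code or anything from Micro Focus; the field names customerName and deviceAddress, the group names, and the sample events are all constructed for illustration.

```python
"""
Constructed model of Logger search group filters (added example, not
Micro Focus code). Each user group carries a mandatory filter; a user's
own query is ANDed with it, so results cannot leave that customer's
data. The audit function checks the drift Marius warns about: events
that no customer's filter claims, or that more than one filter claims.
Field names (customerName, deviceAddress, name) are assumed.
"""
from typing import Callable, Dict, List, Tuple

Event = Dict[str, str]

# Constructed sample events, as if two customers' connectors fed one Logger.
EVENTS: List[Event] = [
    {"customerName": "AcmeA", "deviceAddress": "10.1.0.5", "name": "Login failed"},
    {"customerName": "AcmeA", "deviceAddress": "10.1.0.9", "name": "Port scan"},
    {"customerName": "BetaB", "deviceAddress": "10.2.0.5", "name": "Login failed"},
    {"customerName": "BetaB", "deviceAddress": "10.2.0.7", "name": "Malware found"},
]

# Search group filters, one per user group, keyed on the customer name the
# customer's connector stamps onto every event (assumed tagging scheme).
GROUP_FILTERS: Dict[str, Callable[[Event], bool]] = {
    "acmea_analysts": lambda e: e.get("customerName") == "AcmeA",
    "betab_analysts": lambda e: e.get("customerName") == "BetaB",
}


def search(group: str, query: Callable[[Event], bool],
           events: List[Event] = EVENTS,
           filters: Dict[str, Callable[[Event], bool]] = GROUP_FILTERS) -> List[Event]:
    """Apply the group's mandatory filter first, then the user's own query.
    The user never sees an event the mandatory filter rejects."""
    mandatory = filters[group]
    return [e for e in events if mandatory(e) and query(e)]


def audit_isolation(events: List[Event] = EVENTS,
                    filters: Dict[str, Callable[[Event], bool]] = GROUP_FILTERS
                    ) -> Tuple[List[Event], List[Event]]:
    """Return (unmatched, overlapping).

    unmatched:   events no group filter claims (a new source that is not
                 tagged like the others; nobody can search it).
    overlapping: events more than one group filter claims (a filter written
                 on a field two customers share; one tenant sees another's).
    An empty pair means the filters still partition the data cleanly.
    """
    unmatched: List[Event] = []
    overlapping: List[Event] = []
    for e in events:
        hits = [g for g, f in filters.items() if f(e)]
        if not hits:
            unmatched.append(e)
        elif len(hits) > 1:
            overlapping.append(e)
    return unmatched, overlapping


if __name__ == "__main__":
    # AcmeA analysts asking for every "Login failed" only get their own.
    print(search("acmea_analysts", lambda e: e["name"] == "Login failed"))
    # Clean partition on the sample data.
    print(audit_isolation())
    # A connector that forgets the customer tag: the audit flags it.
    drifted = EVENTS + [{"customerName": "", "deviceAddress": "10.3.0.1", "name": "Login failed"}]
    print(audit_isolation(drifted))
```

Running the audit on a schedule (or after every new connector is added) is the practical check behind Marius's "as long as no events start hitting this query": a filter on the customer name stays safe only while every connector keeps stamping that name consistently.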
stvhull_forces (Trusted Contributor)

Re: Segregating data within Logger

I follow Marius2 on the proposition. Creating Storage Groups as well as Search Groups (Search Group Filters and Saved Searches) is in fact a good practice, not only for segregating your security events but for performance as well.

If you want to go even further, make device groups and bind them to Storage Groups. You could also pre-define searches, filters and field sets in order to prevent your "users" from performing/creating searches that could affect performance.

There is also matching your Logger search indexable fields with the events that you store on it (make them indexed fields). Basically, validate which events you will need (and use) the most (normalized ones, of course) and index them.

By following this mindset, you will see a real MAJOR performance increase.

But remember, if you have a Logger pool (and possibly a Logger search head)... you will need to have the same setup on all of them if you want to standardize your setup.

With this setup I have seen search performance increase by more than 10 times.

Hope this helps.
