Lieutenant

Smart Connector Filter Out Issue

I wanted to send events to the destination only from some hosts. I used the syntax below in the Filter Out field, but it is not working.

((deviceEventCategory NE "Security") And ((deviceHostName NE "vvKCHDCSS1.xxx.ccc.vv") Or (deviceHostName NE "vvKCHDCSS2.xxx.ccc.vv")))

0 Likes
9 Replies
Fleet Admiral

Hello,

If you are not sure about the syntax, I suggest the following if you have ESM.

Configure the filter on the SmartConnector from the ESM Console. By doing this you can use the simple filter editor in the ESM Console, and once you apply it to the SmartConnector, the correct syntax will be sent to the SmartConnector.

You can check this with "runagentsetup" after you configure Filter Out from the ESM Console, and you will see that the syntax is there.

By doing it like this you avoid possible syntax errors, and you can copy the Filter Out conditions to another destination, for example Logger, because this is a destination-specific setting and you cannot configure another destination from the ESM Console, only the ESM one.

Regards,

Marijo

0 Likes
Lieutenant

Unfortunately we don't have an ESM Console to check the syntax; kindly help.

Thanks.

0 Likes
Fleet Admiral

Hello,

I did the following in ESM Console:

filter.PNG

This translates to the following in the SmartConnector under Filter Out (so you can test it out):

deviceEventCategory NE "Security" And ( deviceHostName NE "vvKCHDCSS1.xxx.ccc.vv" Or deviceHostName NE "vvKCHDCSS2.xxx.ccc.vv" )

Regards,

Marijo

0 Likes
Lieutenant

Should there be a space? (<space>deviceHostName ....."<space>)

deviceEventCategory NE "Security" And ( deviceHostName NE "vvKCHDCSS1.xxx.ccc.vv" Or deviceHostName NE "vvKCHDCSS2.xxx.ccc.vv" )

Thanks a lot for the kind help!

0 Likes
Fleet Admiral

Hello,

I copy/pasted from SmartConnector setup. Please test in your environment.

Regards,

Marijo

0 Likes
Lieutenant

I see, will try this one.

Thanks for the help!

0 Likes
Ensign

No, that actually didn't work.

I tried to filter only specific eventIds from Windows Security logs (actually I need a deviceHostName & deviceEventCategory Filter Out; as I am testing on my laptop, I just tested the filter out conditions using eventIds).

Filter Out:

deviceEventCategory NE "Security" And ( externalId NE "5156" Or externalId NE "4656" )

But I see some events with some other EventIds also at my destination end.

Is there a guide on how to use proper Filter Out conditions for SmartConnectors? (There is no ESM in our env. - FYI)

0 Likes
Captain

I don't understand the filter logic.

If you have applied Filter Out and the first term is "deviceEventCategory NE "Security"", I think the second term has no meaning; those external IDs (5156 and 4656) are Windows Security log events and will never match ....

Perhaps you see some EventIds that don't belong to the Windows Security log (System, ....)

0 Likes
Fleet Admiral

Remember that this is a "filter out" condition. Anything that matches your filter will be filtered out. So basically your filter is saying that you only want to pass events where the following conditions are met:

1) deviceEventCategory = "Security"
2) I think the logic for your externalId is incorrect and would match anything

So basically you are likely only getting "Security" events with any externalId. Can you describe what you are trying to filter out (human language, not SmartConnector syntax)?
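
The filter-out logic discussed in the last three posts, as an added example that is not part of the thread and is not SmartConnector code: a Python model of the posted expression run over constructed events. It assumes `NE` is an exact string inequality and that a matching event is dropped; the `And` variant of the ID clause is shown only for contrast.

```python
# Added example: models only the boolean logic (NE / And / Or) of the posted
# Filter Out expression. Function names and sample events are constructed.

def ne(event, field, value):
    """Model of `field NE "value"` (assumed: exact string inequality)."""
    return event.get(field) != value

def id_clause_or(event):
    """( externalId NE "5156" Or externalId NE "4656" ), as posted."""
    return ne(event, "externalId", "5156") or ne(event, "externalId", "4656")

def id_clause_and(event):
    """Same two terms joined with And, for contrast (not from the thread)."""
    return ne(event, "externalId", "5156") and ne(event, "externalId", "4656")

def category_only(event):
    """deviceEventCategory NE "Security" on its own."""
    return ne(event, "deviceEventCategory", "Security")

def posted_filter_out(event):
    """deviceEventCategory NE "Security" And ( ...Or clause... ), as posted."""
    return category_only(event) and id_clause_or(event)

def forwarded(events, filter_out):
    """Filter Out semantics: an event that matches is dropped, the rest pass."""
    return [e for e in events if not filter_out(e)]

# Constructed sample events (not real logs).
EVENTS = [
    {"deviceEventCategory": "Security", "externalId": "5156"},
    {"deviceEventCategory": "Security", "externalId": "4656"},
    {"deviceEventCategory": "Security", "externalId": "4624"},
    {"deviceEventCategory": "System", "externalId": "7036"},
    {"deviceEventCategory": "Application", "externalId": "1000"},
]

if __name__ == "__main__":
    for e in EVENTS:
        # One value cannot equal both IDs, so the Or clause is true for all.
        print(e["deviceEventCategory"], e["externalId"],
              "or-clause:", id_clause_or(e),
              "and-clause:", id_clause_and(e),
              "dropped:", posted_filter_out(e))
    print("forwarded:", forwarded(EVENTS, posted_filter_out))
```

Because the `Or` clause is true for every event, the posted filter behaves exactly like `deviceEventCategory NE "Security"` alone, which is why Security events with other EventIds still reach the destination.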