ageorge Absent Member.
699 views

ArcSight Logger

I am looking to do a quick search of subnets off source or destination IP. Any suggestions on how to perform this would be great. (End goal is to identify events by subnets)

9 Replies
coleste Absent Member.

Re: ArcSight Logger

Our group would like to know the answer to this as well. You can search on this within the console, but I am not sure why this feature would not be included in the Logger.

cblack1 Absent Member.

Re: ArcSight Logger

You could easily restrict your searches to subnets by using the STARTS WITH operator.

For example, to limit to the 172.16.100.0 subnet, simply write sourceAddress STARTS WITH "172.16.100"

It doesn't help you with true subnetting, I'll admit, but it should suffice for most applications.

michael.d.farru1 Absent Member.

Re: ArcSight Logger

You can use CONTAINS as in the following example. Note that you will have to type the CONTAINS, since this is not prompted by Logger. The following will search for source traffic within subnet 10.10.10.0/24. You will not be able to do CIDR, however.

sourceAddress CONTAINS 10.10.10.

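The STARTS WITH and CONTAINS tricks suggested in the two replies above, as an added example that is not part of the thread: a Python script that emulates both string operators over a handful of constructed events and compares them with true CIDR matching, so the false positives of each (a prefix without a trailing dot matching 10.10.100.x, CONTAINS matching 110.10.10.x) are visible. The event records, field name and helper names are assumptions for the demo, not Logger's own API.

```python
"""
Added example, not from the ArcSight thread: string-prefix matching as a
stand-in for subnet matching, compared with real CIDR matching.
"""
import ipaddress

# Constructed sample events; sourceAddress values are chosen to hit the
# edge cases of prefix and substring matching.
EVENTS = [
    {"name": "ssh login", "sourceAddress": "10.10.10.5"},
    {"name": "dns query", "sourceAddress": "10.10.10.254"},
    {"name": "web hit",   "sourceAddress": "10.10.100.7"},   # different /24, same leading text
    {"name": "scan",      "sourceAddress": "110.10.10.9"},   # substring "10.10.10." appears mid-address
    {"name": "vpn",       "sourceAddress": "10.10.1.3"},
    {"name": "backup",    "sourceAddress": "192.168.1.10"},
]


def starts_with(events, prefix, field="sourceAddress"):
    """Emulates `field STARTS WITH "prefix"` on the address string."""
    return [e["name"] for e in events if e[field].startswith(prefix)]


def contains(events, needle, field="sourceAddress"):
    """Emulates `field CONTAINS needle` on the address string."""
    return [e["name"] for e in events if needle in e[field]]


def in_subnet(events, cidr, field="sourceAddress"):
    """True subnet membership using the ipaddress module."""
    net = ipaddress.ip_network(cidr, strict=False)
    return [e["name"] for e in events if ipaddress.ip_address(e[field]) in net]


def not_in_subnet(events, cidr, field="sourceAddress"):
    """Negated subnet membership (the question asked later in the thread)."""
    net = ipaddress.ip_network(cidr, strict=False)
    return [e["name"] for e in events if ipaddress.ip_address(e[field]) not in net]


def prefix_for_cidr(cidr):
    """Return the dotted string prefix (trailing dot included) that is exactly
    equivalent to an IPv4 CIDR block, or None when the block is not aligned on
    an octet boundary (e.g. /22), where no string prefix can express it."""
    net = ipaddress.ip_network(cidr, strict=False)
    if net.version != 4 or net.prefixlen % 8 != 0:
        return None
    if net.prefixlen == 32:
        return str(net.network_address)          # exact host match
    keep = net.prefixlen // 8
    if keep == 0:
        return ""                                # /0 matches everything
    return ".".join(str(net.network_address).split(".")[:keep]) + "."


def false_positives(string_hits, cidr_hits):
    """Events matched by the string trick but not actually in the subnet."""
    return sorted(set(string_hits) - set(cidr_hits))


if __name__ == "__main__":
    truth = in_subnet(EVENTS, "10.10.10.0/24")
    print("CIDR 10.10.10.0/24        :", truth)
    print('STARTS WITH "10.10.10"    :', starts_with(EVENTS, "10.10.10"),
          "false positives:", false_positives(starts_with(EVENTS, "10.10.10"), truth))
    print('STARTS WITH "10.10.10."   :', starts_with(EVENTS, "10.10.10."))
    print('CONTAINS "10.10.10."      :', contains(EVENTS, "10.10.10."),
          "false positives:", false_positives(contains(EVENTS, "10.10.10."), truth))
    print("NOT in 10.10.10.0/24      :", not_in_subnet(EVENTS, "10.10.10.0/24"))
    print("prefix for 10.10.10.0/24  :", prefix_for_cidr("10.10.10.0/24"))
    print("prefix for 10.10.0.0/22   :", prefix_for_cidr("10.10.0.0/22"))
```

The practical takeaways: always include the trailing dot in the prefix, prefer STARTS WITH over CONTAINS (a substring can begin inside a longer first octet), and accept that only /8, /16 and /24 blocks have a string equivalent at all; anything else needs real CIDR support.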
dzuperku1 Absent Member.

Re: ArcSight Logger

How about if I need to negate the subnet?

like sourceAddress not in Subnet 10.10.10 

What would that look like?

SIEM-TECH Honored Contributor.

Re: ArcSight Logger

dzuperku,

Try:

NOT(sourceAddress CONTAINS 10.10.10)

OR

NOT(sourceAddress STARTSWITH 10.10.10)

That should negate including any source address with 10.10.10 in the results.

jgkhoury Absent Member.

Re: ArcSight Logger

Another way to do it for the UI search: src != "10.10.10.*"

This can be translated in a Logger report MySQL query as: events.arc_sourceAddress NOT LIKE '10.10.10.%'

dbarry1 Super Contributor.

Re: ArcSight Logger

Am I the only person appalled that in the year 2014, a NETWORKING product still treats IP addresses as strings and does not understand CIDR and subnet concepts consistently? (Yes, I know it does work in some places, but it does not do so everywhere it would be logical to do so.)

Micro Focus Expert

Re: ArcSight Logger

It is planned for an upcoming release.

Finally.

stygianagenda
New Member.

Re: ArcSight Logger

Try the 'InSubnet' event parameter.  This *should* get you the results you're looking for.
