Filtering events at the SmartConnector Level
I am in the process of getting a SmartConnector (namely the MS AD Unified Event Log connector) chatting to our ESM in another hosting site. I have got the channel up and running and am able to send all events to the ESM with no issue; the catch here is that I need to filter out all the low events from this connector (too chatty for our WAN link).
I have read the Connector Documentation and the ESM User Guide and see that I can add a filter per SmartConnector destination; the only problem is I am not too sure what the filter would be to allow only warning and higher events through.
I have tried the following.
- eventSeverity LT 2
- eventSeverity LT 5
- Severity LT 2
- Severity LT 5
What am I doing wrong?
Thanks in advance
Re: Filtering events at the SmartConnector Level
Not giving us much time to answer.
I'm a bit rusty but I'll do my best...
Here's what you can do.
If you are trying to filter out events that are incoming to an ESM, I'd suggest editing the filter from the ESM console and not the SmartConnector settings, as this will give you much more freedom later.
- Although I DO NOT suggest filtering all the low severity events, as there are important events in there.
If you do decide to use the SmartConnector filtering, I'd do the following:
Please note that all fields start with a small letter and not a capital one, so there is no field named eventSeverity in the schema:
- severity LT 5 (less than 5)
- severity LE 5 (less than or equal to 5)
Another field you can use is deviceSeverity, although this field is a string type and you will not be able to use the LT, LE operators. Also, this field can have any value (High, Low, 2, 4, 999, 102222, etc.), so you will have to know what you are looking for. The severity field might be a string type as well, but I'll have to check this one up.
Best of luck