mat053241 Super Contributor.

Logger search group filter help

I'm trying to create a search group with a regex filter rather than basing it on the device group itself.  I want to enable those within the group to be able to search on only Windows events (deviceVendor=Microsoft deviceProduct=Microsoft Windows).  I know that it requires a regex in order to have this setup, but I can't get it working.  Has anyone else created something similar to this?

max.wong
Visitor.

Re: Logger search group filter help

Hi mat053241,

I am also looking for this search group query. Did you have the query finally?

If yes, can you provide it here?

great thanks

max

SIEM-TECH Honored Contributor.

Re: Logger search group filter help

Max,

Have you tried simply creating a "Search Group" type and specifying a query that generates only data the user will need to see?  Then associate it with a user group/search group filter.

-Mike

yakky63
Visitor.

Re: Logger search group filter help

.*Vendor=Microsoft

yakky63
Visitor.

Re: Logger search group filter help

Use this for the regex minus the quotes ->  '.*Product=Microsoft Windows'

mat053241 Super Contributor.

Re: Logger search group filter help

Sorry about the delayed response.  On top of the other answers, here's what I came up with.

Windows events - CEF:0\|Microsoft\|Microsoft Windows\|.*

Unix events - CEF:0\|Unix\|Unix\|.*

If you need to be more granular you can add another line item to the filter and either add or negate whatever you need.  For example, let's say I don't want users in the Unix group to view tlsproxy events...

CEF:0\|Unix\|Unix\|.* :AND: :NOT: tlsproxy

In order to negate the search item, make sure you click the checkbox on the left.  Hope this helps.

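As an added example (not from any poster in this thread, and not Logger's own code), the following script models the filter syntax shown above: terms joined with `:AND:`, a term prefixed `:NOT:` being the negated checkbox, each term an unanchored regex over the raw CEF event text. Under that assumption it reproduces the Windows and Unix-minus-tlsproxy results from the last post, and also shows why a field-name pattern such as `.*Product=Microsoft Windows` can match text outside the CEF header. The event lines are constructed samples.

```python
import re

# Constructed sample CEF events (header: CEF:Version|Vendor|Product|DevVersion|SigID|Name|Severity|Extension)
EVENTS = [
    "CEF:0|Microsoft|Microsoft Windows|6.3|4624|An account was successfully logged on|Low|src=10.0.0.5 suser=alice",
    "CEF:0|Microsoft|Microsoft Windows|6.3|4625|An account failed to log on|Medium|src=10.0.0.9 suser=bob",
    "CEF:0|Unix|Unix|1.0|sshd|Accepted publickey|Low|src=10.0.0.7 suser=root",
    "CEF:0|Unix|Unix|1.0|tlsproxy|TLS handshake|Low|src=10.0.0.8",
    # Non-Windows event whose extension happens to contain a "Product=Microsoft Windows" string
    "CEF:0|Acme|Asset Scanner|2.1|100|Inventory|Low|msg=deviceProduct=Microsoft Windows on host01",
]


def parse_filter(text):
    """Split a filter string into (compiled regex, negated) terms.

    Syntax is modelled on the thread's posts (assumption, not Logger's parser):
    terms are separated by ':AND:', and a leading ':NOT:' negates a term.
    """
    terms = []
    for part in text.split(":AND:"):
        part = part.strip()
        negated = part.startswith(":NOT:")
        if negated:
            part = part[len(":NOT:"):].strip()
        terms.append((re.compile(part), negated))
    return terms


def matches(event, terms):
    """An event is visible only if every term agrees: positive terms must
    match somewhere in the event, negated terms must match nowhere.
    Assumes an unanchored search over the raw event text."""
    for rx, negated in terms:
        found = rx.search(event) is not None
        if found == negated:
            return False
    return True


def visible_events(filter_text, events=EVENTS):
    """Return the subset of events a search group with this filter would see."""
    terms = parse_filter(filter_text)
    return [e for e in events if matches(e, terms)]
```

The header-anchored forms from the last post select only the intended vendor/product pair, while the loose `.*Product=...` form also picks up the Acme scanner event, which is worth checking before relying on a filter as an access boundary.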