Anonymous_User Absent Member.

Newbie: Attempting to filter events using Dynamic lists


I am attempting to generate a report showing unauthorized file create,
modify, delete events in a specific folder and subfolders.
I have created a dynamic list with the authorized users in it.

In correlation I created the following:
filter(((e.InitiatorUserName inlist Privileged_Accounting_Users)) AND
((e.TargetDataContainer = "datavol/shares/accounting/*")))
I expect that this filter would show all activity performed by the users
in the list.

No results are being returned by the filter.
I know there are events because searching using
filter(((e.TargetDataContainer = "datavol/shares/accounting/*"))) shows
many file create, modify and delete events.
Searching using (rv36:(("DATAVOL/shares/accounting"))) shows many file
create, modify and delete events.

I have confirmed that InitiatorUserName is the correct field.

filter(((not e.InitiatorUserName inlist Privileged_Accounting_Users))
AND ((e.TargetDataContainer = "datavol/shares/accounting/*")))

What am I doing wrong?

If I enter each user into the filter it works.
filter(((e.TargetDataContainer = "datavol/shares/accounting/*")) AND
(((e.InitiatorUserName = "User1")) OR ((e.InitiatorUserName = "User2"))
OR ((e.InitiatorUserName = "User3")) OR ((e.InitiatorUserName =
"User4"))))

After I get this working, I want to exclude all files that have a .tmp
extension.... First things first... 🙂

Thanks for your help and insight 🙂

BTW I am using Sentinel 7.0.3


--
chuchseos
Anonymous_User Absent Member.

Re: Newbie: Attempting to filter events using Dynamic lists

Well, I guess I'm not sure since your test with individual users
explicitly listed in the filter does work. My only guess, then, is that
something is amiss with the list. Are you sure that the list is correctly
typed and that entries in the list are case-sensitive matches of the
usernames within the events? Are you similarly sure that the events
generated for each test are the same, or close enough to work in both
cases? Often a connector dump can be useful for these cases to ensure, as
much as possible, that the events exactly match during all tests.

Good luck.
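
The check suggested in the reply above, as an added example (not part of the original thread and not Sentinel code): it compares list entries against the InitiatorUserName values seen in events and reports exact matches, near matches that differ only by case, whitespace or a domain qualifier, and entries with no match. It assumes both sets of values have been exported as plain strings and that the list lookup is an exact string comparison; the function names and sample data are constructed.

```python
"""Diagnose why a username list matches no events: exact vs. near matches."""
from collections import defaultdict


def normalize(name: str) -> str:
    """Comparison key: trim whitespace, drop a DOMAIN\\ prefix or @domain suffix, case-fold."""
    name = name.strip()
    if "\\" in name:
        name = name.rsplit("\\", 1)[1]
    if "@" in name:
        name = name.split("@", 1)[0]
    return name.casefold()


def diagnose(list_entries, event_usernames):
    """Classify each list entry against the usernames actually seen in events.

    Result per entry:
      ("exact", [entry])        the identical string occurs in the events
      ("near",  [observed...])  only a normalized form matches; shows what was seen
      ("none",  [])             nothing resembling the entry was seen
    """
    observed = set(event_usernames)
    by_key = defaultdict(set)
    for seen in observed:
        by_key[normalize(seen)].add(seen)

    report = {}
    for entry in list_entries:
        if entry in observed:
            report[entry] = ("exact", [entry])
        else:
            near = sorted(by_key.get(normalize(entry), ()))
            report[entry] = ("near", near) if near else ("none", [])
    return report


# Constructed sample data: list entries as typed, usernames as exported from events.
LIST_ENTRIES = ["User1", "user2", "User3 ", "CORP\\User4", "User5"]
EVENT_USERNAMES = ["User1", "User2", "User3", "User4", "User2", "svc_backup"]

if __name__ == "__main__":
    for entry, (kind, seen) in diagnose(LIST_ENTRIES, EVENT_USERNAMES).items():
        print(f"{entry!r:16} {kind:6} {seen}")
```

Any entry reported as "near" is a candidate explanation for a list lookup that returns nothing while the explicit per-user filter works.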