Personal blog of Alex Muratov

Smart Connector “Filter Out” issue

Posted on July 8, 2014 | in ArcSight, SIEM | by

ArcSight Smart Connectors have a very useful feature: you can set up a filter that drops unwanted events so they are not sent to a destination (ESM ArcSight, Logger, etc.). It works very well with ESM ArcSight: you just need to open the connector’s properties, select the “Filter” tab and create a filter that matches the unwanted events. See an example below. A Smart Connector re-reads its configuration on a regular basis and will apply the new filter within the next 5 minutes.

Connector filter ESM

Things are completely different when you have a Connector Appliance, or when the Smart Connectors are managed via a Connector Appliance. HP/ArcSight defines a special syntax for writing filter expressions. For example:

deviceVendor EQ "Unix" and deviceEventId EQ "1001"

But there is a problem: it does not work. The Smart Connector updates its configuration and … nothing happens. Events still arrive at the destination as if no filter were defined. What happens? It appears that ESM ArcSight updates the connector’s configuration properly, but the Connector Appliance does the same thing incorrectly.
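Because the failure described above is silent, it helps to check the destination side for events the filter should have dropped. The following is an added example, not code from the original post or from ArcSight: it assumes the events arriving at the destination can be captured as CEF lines, that the post's `deviceEventId` corresponds to the CEF Signature ID header field, and it supports only `EQ` terms joined by `and`; the function names and sample lines are constructed for illustration.

```python
import re

# CEF header layout: CEF:0|Vendor|Product|Version|SignatureID|Name|Severity|extension
# Assumption: the post's "deviceEventId" is the CEF Signature ID (position 4).
CEF_FIELDS = {"deviceVendor": 1, "deviceProduct": 2, "deviceVersion": 3,
              "deviceEventId": 4, "name": 5}
TERM = re.compile(r'\s*(\w+)\s+EQ\s+"([^"]*)"\s*$')

def parse_filter(expr):
    """Parse 'field EQ "value" and field EQ "value"' into (field, value) pairs.
    Limitation: a quoted value containing ' and ' is not supported."""
    terms = []
    for part in re.split(r'\s+and\s+', expr.strip(), flags=re.IGNORECASE):
        m = TERM.match(part)
        if not m or m.group(1) not in CEF_FIELDS:
            raise ValueError(f"unsupported filter term: {part!r}")
        terms.append((m.group(1), m.group(2)))
    return terms

def cef_header(line):
    """Return the 7 CEF header fields (unescaped), or None if the line is not CEF."""
    start = line.find("CEF:")
    if start < 0:
        return None
    parts = re.split(r'(?<!\\)\|', line[start:], maxsplit=7)  # skip escaped \|
    if len(parts) < 7:
        return None
    return [p.replace("\\|", "|").replace("\\\\", "\\") for p in parts[:7]]

def leaked_events(filter_expr, lines):
    """Return received lines that match the filter-out expression (ideally none)."""
    terms = parse_filter(filter_expr)
    leaked = []
    for line in lines:
        hdr = cef_header(line)
        if hdr and all(hdr[CEF_FIELDS[f]] == v for f, v in terms):
            leaked.append(line)
    return leaked

# Constructed sample of lines captured at the destination (not real events).
SAMPLE = [
    "Jul  8 10:00:01 host CEF:0|Unix|Unix|1.0|1001|Login succeeded|3|src=10.0.0.5",
    "Jul  8 10:00:02 host CEF:0|Unix|Unix|1.0|2002|Password changed|5|src=10.0.0.5",
    "Jul  8 10:00:03 host CEF:0|Microsoft|Windows|6.1|1001|Other event|3|",
    "Jul  8 10:00:04 host not a CEF line",
]
FILTER = 'deviceVendor EQ "Unix" and deviceEventId EQ "1001"'

if __name__ == "__main__":
    for line in leaked_events(FILTER, SAMPLE):
        print("filter not applied:", line)
```

Run it over lines captured after the 5-minute configuration refresh window; any output means the filter is not being enforced by the connector.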
