Smart Connector “Filter Out” issue

ArcSight Smart Connectors have a very useful feature: you can set up a filter that drops unwanted events so they are not sent to a destination (ESM ArcSight, Logger, etc.). It works very well in ESM ArcSight: you just need to open the connector’s properties, select the “Filter” tab and create a filter that matches the unwanted events. See an example below. A Smart Connector re-reads its configuration on a regular basis and will apply a new filter within the next 5 minutes.

Connector filter ESM

Things are completely different when you have a Connector Appliance, or when Smart Connectors are managed via a Connector Appliance. HP/ArcSight defines a special syntax for writing filter expressions. For example:

deviceVendor EQ “Unix” and deviceEventId EQ “1001”

But there is a problem: it does not work. The Smart Connector updates its configuration and … nothing happens. Events still arrive at the destination as if no filter were defined. What happens? It appears that ESM ArcSight updates the connector’s configuration properly, but the Connector Appliance does the same thing incorrectly.
