Drop the unwanted logs or events from the ESM.
I want to drop unwanted logs from the ESM. Basically I want to drop selected log types from my firewall and from other devices without recording them on the ESM. How can I do this in my ESM? My software version is 9.1.3.
Hi,
you should create a new filter rule from "Policy Editor" and don't forget to insert a catch all filter.
Rgds,
Hi Zanatta,
Thank you very much for your reply. If you can send me the step to doingthis, it’s great. I really appreciate your feedback.
BR,
CK
Hi,
1) Open the Policy Editor for the DataSource that you have to modify;
2) Go to the Filter menu and "New" -> "Filter Rule";
3) Give it a Name, Severity, etc.;
4) Add one or more content strings in order to intercept the right event (possibly by PCRE);
5) For the events you want to discard, enable "Send log to ELM" or "Stop processing Filter Rules" or both;
6) Repeat step 5 for all the events you need;
7) Create a catch-all Filter rule with a name e.g. z_All (it must be the last);
8) Select "Match All" and "Send Log to Parser" so all the other events go to the ESM;
9) Be sure that Filter rules are enabled for the DataSource; look at the Policy Editor;
Rgds,
Hi,
Faster way for unwanted events:
1) Event summary for the datasource -> show rule for event type
2) Disable the rule in the policy for the selected device
Regards,
Tomek
Hi Umberto,
Thank you for your reply, it's working fine.
I have one clarification with regards to event filtering. How can I filter only on specific source IP address events?
For example, I have five Cisco ASA firewalls. From these I want to block only one ASA firewall's event type (ex: 192.168.1.200). Based on your earlier reply I can filter based on the event body strings, so where can I input the event source IP address in these filters?
I really appreciate your feedback.
Thanks,
Ck
Hi,
In my opinion you can filter the events using the regex box. Take your log and look at the header: it should contain the IP address of the device, so you should write a regex in order to match it.
Rgds,
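To make the ordering rules in the two replies above concrete (the per-event rules first, the "Match All" catch-all last, and a regex that keys on the device IP in the syslog header), here is an added simulation of an ordered filter-rule chain; it is illustration code, not ESM code, and it assumes an event reaches the parser only when some rule sends it there and that "stop" ends evaluation.

```python
import re
from dataclasses import dataclass, field

# Hypothetical model of a filter-rule chain (added illustration, not ESM code).
@dataclass
class FilterRule:
    name: str
    pattern: str                 # PCRE-style content string; ".*" stands in for "Match All"
    send_to_parser: bool = False
    send_to_elm: bool = False
    stop: bool = False           # "Stop processing Filter Rules"

@dataclass
class Disposition:
    parsed: bool = False         # reached the ESM parser
    archived: bool = False       # sent to the ELM only
    matched_by: list = field(default_factory=list)

def evaluate(rules, event):
    """Walk the rules in order; the first rule with 'stop' set ends evaluation."""
    d = Disposition()
    for rule in rules:
        if re.search(rule.pattern, event):
            d.matched_by.append(rule.name)
            d.parsed |= rule.send_to_parser
            d.archived |= rule.send_to_elm
            if rule.stop:
                break
    return d

# Constructed sample syslog lines; the device IP sits in the header, as the reply above notes.
EVENTS = [
    "<166>Jun 01 12:00:00 192.168.1.200 %ASA-6-302013: Built outbound TCP connection 1 for outside:10.0.0.1/443",
    "<166>Jun 01 12:00:01 192.168.1.201 %ASA-6-302013: Built outbound TCP connection 2 for outside:10.0.0.2/443",
    "<166>Jun 01 12:00:02 192.168.1.200 %ASA-4-106023: Deny tcp src outside:10.0.0.3/4444 dst inside:10.1.1.5/22",
]

RULES = [
    # Discard build-up/teardown events (302013-302016) from one ASA only, by anchoring on its header IP.
    FilterRule("drop_asa200_conn",
               r"^<\d+>\S+ +\d+ [\d:]+ 192\.168\.1\.200 %ASA-6-30201[3-6]:",
               send_to_elm=True, stop=True),
    FilterRule("z_All", r".*", send_to_parser=True),   # catch-all: must stay last
]

def dispositions(rules=RULES, events=EVENTS):
    return [evaluate(rules, e) for e in events]
```

Swapping the two rules (catch-all first) lets the 192.168.1.200 connection event reach the parser before the drop rule runs, which is why the replies insist the catch-all be last.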
Hello,
Can we add multiple strings in a single filter rule? Will it trigger when there is even a single match from the bunch of strings added? What action should be specified to trigger this filter rule and drop the events with those particular strings?
Thanks in advance
Rgds,
Rajan
Another way you could go about this would be to prune unwanted events at the source. If they come from a Cisco device, have the administrator use the following syntax on the device: "no logging message message-number"
So if you do not want to receive the Build-up & Teardown events from an ASA firewall, provide the admin the correct message numbers and have them configure the system not to send them to you.