Drop the unwanted logs or events from the ESM.

I want to drop unwanted logs from the ESM. Basically, I want to drop selected log types from my firewall and from other devices without recording them on the ESM. How can I do this in my ESM? My software version is 9.1.3.

Accepted Solutions

Re: Drop the unwanted logs or events from the ESM.
Hi,

1) Open the Policy Editor for the DataSource that you have to modify;

2) Go to the Filter menu and choose "New" -> "Filter Rule";

3) Give it a Name, Severity, etc.;

4) Add one or more content strings in order to intercept the right event (optionally with PCRE);

5) For the events you want to discard, enable "Send log to ELM" or "Stop processing Filter Rules", or both;

6) Repeat step 5 for all the events you need;

7) Create a catch-all Filter rule with a name like z_All (it must be the last one);

8) Select "Match All" and "Send Log to Parser" so all the other events go to the ESM;

9) Be sure that Filter rules are enabled for the DataSource; check the Policy Editor;

Rgds,


8 Replies

Re: Drop the unwanted logs or events from the ESM.

Hi,

You should create a new filter rule from the "Policy Editor", and don't forget to insert a catch-all filter.

Rgds,

Re: Drop the unwanted logs or events from the ESM.

Hi Zanatta,

Thank you very much for your reply. If you can send me the steps to do this, that would be great. I really appreciate your feedback.

BR,

CK


Re: Drop the unwanted logs or events from the ESM.

Hi,

Faster way for unwanted events:

1) Event Summary for the data source -> Show Rule for event type

2) Disable the rule in the policy for the selected device

Regards,

Tomek

Re: Drop the unwanted logs or events from the ESM.

Hi Umberto,

Thank you for your reply, it's working fine.

I have one clarification regarding event filtering. How can I filter only on events from a specific source IP address?

For example, I have five Cisco ASA firewalls, and from these I want to block one event type from only one ASA firewall (ex: 192.168.1.200). Based on your earlier reply I can filter based on the event body strings, so where can I input the event source IP address in these filters?

I really appreciate your feedback.

Thanks,

Ck

Re: Drop the unwanted logs or events from the ESM.

Hi,

In my opinion you can filter the events with the regex box. Take your log and look at the header; it should contain the IP address of the device, so you should write a regex that matches it.

Rgds,
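As an added example that is not part of this thread (it is not McAfee code and does not reproduce the ESM's real rule engine), the following Python models the filter-rule procedure from the accepted solution together with the regex-on-the-header suggestion above: an ordered list of filter rules with content strings or regexes, first match wins, a trailing "Match All" / "Send Log to Parser" catch-all, one rule keyed on the sending device's IP in the syslog header so only one ASA's connection events are diverted, and one rule with several strings where any single hit fires (Rajan's question below). The syslog lines, IP addresses, rule names and class fields are constructed for illustration; treating an event that matches no rule as dropped is an assumption made to show why the catch-all matters.

```python
import re
from dataclasses import dataclass, field
from typing import List

# Constructed sample syslog lines (not real captures). Two ASA firewalls
# (192.168.1.200 and .201) and one Linux host (10.9.9.9), with the sending
# device's IP in the syslog header as a collector sees it. %ASA-6-302013 /
# 302014 are the "Built" / "Teardown" TCP connection events the last reply
# in the thread suggests suppressing on the device with "no logging message".
SAMPLE_EVENTS = [
    "<166>Jan 10 10:00:01 192.168.1.200 %ASA-6-302013: Built inbound TCP connection 12345 for outside:10.0.0.5/51000 (10.0.0.5/51000) to inside:10.1.1.10/443 (10.1.1.10/443)",
    "<166>Jan 10 10:00:02 192.168.1.200 %ASA-6-302014: Teardown TCP connection 12345 for outside:10.0.0.5/51000 to inside:10.1.1.10/443 duration 0:00:01 bytes 2048 TCP FINs",
    "<166>Jan 10 10:00:03 192.168.1.201 %ASA-6-302013: Built inbound TCP connection 777 for outside:10.0.0.9/40000 (10.0.0.9/40000) to inside:10.1.1.20/22 (10.1.1.20/22)",
    "<164>Jan 10 10:00:04 192.168.1.200 %ASA-4-106023: Deny tcp src outside:203.0.113.7/4444 dst inside:10.1.1.10/3389 by access-group \"outside_in\"",
    "<165>Jan 10 10:00:05 192.168.1.201 %ASA-5-111008: User 'admin' executed the 'no logging message 302013' command.",
    "<86>Jan 10 10:00:06 10.9.9.9 sshd[2211]: Failed password for root from 198.51.100.20 port 55022 ssh2",
    "<86>Jan 10 10:00:07 10.9.9.9 CRON[1234]: pam_unix(cron:session): session opened for user root by (uid=0)",
    "<30>Jan 10 10:00:08 10.9.9.9 systemd[1]: Started Session 42 of user backup.",
]


@dataclass
class FilterRule:
    """One row of a data source's filter-rule list (hypothetical model, not the ESM's schema)."""
    name: str
    patterns: List[str] = field(default_factory=list)  # content strings or regexes; any one hit fires the rule
    match_all: bool = False          # the "Match All" catch-all
    send_to_parser: bool = False     # "Send Log to Parser": the event is recorded on the ESM
    send_to_elm: bool = False        # "Send log to ELM": raw log archived in the ELM only
    stop_processing: bool = True     # "Stop processing Filter Rules": later rules are skipped

    def matches(self, line: str) -> bool:
        if self.match_all:
            return True
        return any(re.search(p, line) for p in self.patterns)


# Matches the syslog header of exactly one ASA (192.168.1.200) followed by a
# build (302013) or teardown (302014) message ID, so the other ASAs are untouched.
ASA200_CONN = r"^<\d+>\w{3} +\d+ \d\d:\d\d:\d\d 192\.168\.1\.200 %ASA-6-30201[34]:"

RULES = [
    # Keep the raw log in the ELM for audit but never parse it into the ESM.
    FilterRule("asa200_conn_noise", [ASA200_CONN], send_to_elm=True),
    # Several strings in one rule: a match on any one of them is enough.
    FilterRule("linux_session_noise", [r"pam_unix\(cron:session\)", r"Started Session \d+ of user"]),
    # Catch-all: must be last, otherwise everything below it is unreachable.
    FilterRule("z_All", match_all=True, send_to_parser=True),
]


def route_event(rules: List[FilterRule], line: str) -> str:
    """Evaluate the ordered rule list for one event and return its disposition:
    "parser" (recorded on the ESM), "elm" (raw archive only) or "drop".
    Assumption, not stated in the thread: an event that matches no rule is
    dropped, which is why the posts insist on the trailing catch-all."""
    to_parser = to_elm = False
    for rule in rules:
        if not rule.matches(line):
            continue
        to_parser = to_parser or rule.send_to_parser
        to_elm = to_elm or rule.send_to_elm
        if rule.stop_processing:
            break
    if to_parser:
        return "parser"
    return "elm" if to_elm else "drop"


def validate_rules(rules: List[FilterRule]) -> List[str]:
    """Sanity checks corresponding to steps 7-9 of the accepted solution."""
    problems = []
    if not rules or not (rules[-1].match_all and rules[-1].send_to_parser):
        problems.append("last rule is not a Match All / Send Log to Parser catch-all")
    for rule in rules[:-1]:
        if rule.match_all and rule.stop_processing:
            problems.append(f"rule {rule.name!r} is Match All but not last: rules after it never run")
        if not rule.match_all and not rule.patterns:
            problems.append(f"rule {rule.name!r} has no content strings and can never match")
    return problems


def route_all(rules: List[FilterRule], events: List[str]) -> dict:
    """Map each event to its disposition; useful for checking a rule set before enabling it."""
    return {line: route_event(rules, line) for line in events}


if __name__ == "__main__":
    for problem in validate_rules(RULES):
        print("WARNING:", problem)
    for line, where in route_all(RULES, SAMPLE_EVENTS).items():
        print(f"{where:6s} {line[:72]}")
```

Run against the constructed lines, the two build/teardown events from 192.168.1.200 land in the ELM only, the same event type from 192.168.1.201 and every other ASA message reaches the parser, the two Linux session lines are dropped, and the sshd failure is kept; deleting the z_All rule makes `validate_rules` complain and turns the sshd line into a drop, which is the failure mode step 7 guards against.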

Re: Drop the unwanted logs or events from the ESM.

Hello,

Can we add multiple strings in a single filter rule? Will it trigger when there is even a single match from the bunch of strings added? What action should we specify to trigger this filter rule and drop the events with those particular strings?

Thanks in advance

Rgds,

Rajan

Re: Drop the unwanted logs or events from the ESM.

Another way you could go about this would be to prune unwanted events at the source. If they come from a Cisco device, have the administrator use the following syntax on the device: "no logging message message-number".

So if you do not want to receive the Build-up & Teardown events from an ASA firewall, provide the admin with the correct message numbers and have them configure the system to not send them to you.
