chandimalk
Level 7

Drop the unwanted logs or events from the ESM.

I want to drop unwanted logs from the ESM. Basically I want to drop selected log types on my firewall and from other devices without recording them on the ESM. How can I do this in my ESM? My software version is 9.1.3.

1 Solution

Accepted Solutions
uzanatta
Level 10

Re: Drop the unwanted logs or events from the ESM.


Hi,

1) Open the Policy Editor for the DataSource that you have to modify;

2) Go to the Filter menu and "New" -> "Filter Rule";

3) Give it a Name, Severity, etc.;

4) Add one or more content strings in order to intercept the right event (eventually by PCRE);

5) For the events you want to discard, enable "Send log to ELM" or "Stop processing Filter Rules" or both;

6) Repeat step 5 for all the events you need;

7) Create a catch-all Filter rule with a name e.g. z_All (it must be the last);

8) Select "Match All" and "Send Log to Parser" so all the other events go to the ESM;

9) Be sure that Filter rules are enabled for the DataSource; look at the Policy Editor;

Rgds,

8 Replies
uzanatta
Level 10

Re: Drop the unwanted logs or events from the ESM.


Hi,

you should create a new filter rule from "Policy Editor" and don't forget to insert a catch-all filter.

Rgds,

0 Kudos
chandimalk
Level 7

Re: Drop the unwanted logs or events from the ESM.


Hi Zanatta,

Thank you very much for your reply. If you can send me the steps for doing this, it's great. I really appreciate your feedback.

BR,

CK

0 Kudos
mcoy
Level 7

Re: Drop the unwanted logs or events from the ESM.


Hi,

Faster way for unwanted events:

1) Event summary for the datasource -> show rule for event type

2) Disable the rule in the policy for the selected device

Regards,

Tomek

0 Kudos
chandimalk
Level 7

Re: Drop the unwanted logs or events from the ESM.


Hi Umberto,

Thank you for your reply, it's working fine.

I have one clarification with regards to event filtering. How can I filter only on events from a specific source IP address?

For example, I have five Cisco ASA firewalls. From these I want to block only one ASA firewall's event type (ex: 192.168.1.200). Based on your earlier reply I can filter based on the event body strings, so where can I input the event source IP address in these filters?

I really appreciate your feedback.

Thanks,

Ck

0 Kudos
uzanatta
Level 10

Re: Drop the unwanted logs or events from the ESM.


Hi,

in my opinion you can filter the events by the regex box. Take your log and look at the header; it should contain the IP address of the device, so you should make a regex in order to match it.

Rgds,

0 Kudos
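A simplified model of the filter-rule recipe from the accepted answer combined with the header-regex advice above, as an added example that is not part of this thread and not the ESM's own code: ordered rules with a PCRE-style pattern, "drop" standing for a rule that stops processing without sending to the parser, a z_All catch-all last, and the device IP matched in the syslog header rather than the body. The sample events are constructed; the ASA message IDs 302013-302016 are Cisco's TCP/UDP build and teardown messages, and the rule names and actions are assumptions of the model.

```python
import re

# Constructed sample events in "<pri>host message" form (not captured from a real ESM).
SAMPLE_EVENTS = [
    "<166>192.168.1.200 %ASA-6-302013: Built outbound TCP connection 1 for outside:10.0.0.5/443 to inside:10.1.1.9/51000",
    "<166>192.168.1.200 %ASA-6-302014: Teardown TCP connection 1 for outside:10.0.0.5/443 to inside:10.1.1.9/51000 duration 0:00:02",
    "<166>192.168.1.201 %ASA-6-302013: Built outbound TCP connection 2 for outside:10.0.0.6/80 to inside:10.1.1.10/51001",
    "<164>192.168.1.200 %ASA-4-106023: Deny tcp src outside:198.51.100.9/4444 dst inside:10.1.1.9/22 by access-group OUTSIDE_IN",
]

# Ordered rules (name, pattern, action). Specific rules first, catch-all last,
# exactly as the thread recommends. Actions are this model's own labels:
# "drop" = discard and stop processing, "parser" = "Send Log to Parser".
FILTER_RULES = [
    # Drop build/teardown only from the ASA at 192.168.1.200. The IP is anchored
    # to the syslog header so the same message from other ASAs is kept.
    ("drop_asa200_conn", re.compile(r"^<\d+>192\.168\.1\.200 %ASA-6-30201[3-6]:"), "drop"),
    # Catch-all: every remaining event continues to the parser.
    ("z_All", re.compile(r".*"), "parser"),
]


def evaluate(event, rules=FILTER_RULES):
    """Return (rule_name, action) of the first rule whose pattern matches.

    With no matching rule (i.e. the catch-all was forgotten) this model treats
    the event as lost, which is the failure the thread warns about.
    """
    for name, pattern, action in rules:
        if pattern.search(event):
            return name, action
    return None, "drop"


def route(events, rules=FILTER_RULES):
    """Split events into those reaching the parser and those discarded."""
    kept, dropped = [], []
    for event in events:
        _, action = evaluate(event, rules)
        (kept if action == "parser" else dropped).append(event)
    return kept, dropped


if __name__ == "__main__":
    kept, dropped = route(SAMPLE_EVENTS)
    print(f"{len(kept)} kept, {len(dropped)} dropped")
    for event in dropped:
        print("dropped:", event[:60])
```

Running it keeps the deny from 192.168.1.200 and the connection event from 192.168.1.201 while dropping the two build/teardown events from 192.168.1.200; removing the z_All rule makes every unmatched event disappear.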
rajannaik
Level 7

Re: Drop the unwanted logs or events from the ESM.


Hello,

Can we add multiple strings in a single filter rule? Will it trigger when there is even a single match from the bunch of strings added? What action do we specify to trigger this filter rule and drop the events with those particular strings?

Thanks in advance

Rgds,

Rajan

0 Kudos
rth67
Level 12

Re: Drop the unwanted logs or events from the ESM.


Another way you could go about this would be to prune unwanted events at the source. If from a Cisco device, have the Administrator use the following syntax on the device: "no logging message message-number".

So if you do not want to receive the Buildup & Teardown events from an ASA firewall, provide the Admin the correct message numbers and have them configure the system to not send them to you.

0 Kudos