you should create a new filter rule from "Policy Editor" and don't forget to insert a catch all filter.
Thank you very much for your reply. If you can send me the steps to do this, it's great. I really appreciate your feedback.
1) Open the Policy Editor for the DataSource that you have to modify;
2) Go to the Filter menu and "New" -> "Filter Rule";
3) Give it a Name, Severity etc.;
4) Add one or more content strings in order to intercept the right event (possibly using PCRE);
5) For the events you want to discard, enable "Send log to ELM" or "Stop processing Filter Rules" or both;
6) Repeat the step 5 for all the events you need;
7) Create a catch-all Filter rule with a name e.g. z_All (it must be the last);
8) Select "Match All" and "Send Log to Parser" so all the other events go to the ESM;
9) Be sure that Filter rules are enabled for the DataSource; look at the Policy Editor.
Faster way for unwanted events:
1) Event summary for datasource -> show rule for event type
2) disable rule in policy for selected device
Thank you for your reply, it's working fine.
I have one clarification with regards to event filtering. How can I filter only on specific source IP address events?
For example, I have five Cisco ASA firewalls; from these I want to block only one ASA firewall's event type (ex: 192.168.1.200). Based on your earlier reply I can filter based on the event body strings, so where can I input the event source IP address in these filters?
I really appreciate your feedback.
In my opinion you can filter the events by the regex box. Take your log and look at the header; it should contain the IP address of the device, so you should make a regex in order to match it.
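An added illustration, not from this thread or from the SIEM vendor, of the regex-box idea above combined with the ordered rule list and trailing catch-all from the earlier steps. It is a Python simulation with constructed ASA syslog lines and an assumed header layout (priority, timestamp, device IP); the rule names, the "drop"/"parser" actions and the evaluation order are assumptions for the demo, not the product's engine.

```python
import re

# Constructed sample ASA syslog lines (not captured traffic).
# Assumed header layout: <PRI>Mon DD HH:MM:SS <device-ip> %ASA-<sev>-<id>: ...
SAMPLE_EVENTS = [
    "<166>Jan 10 10:00:01 192.168.1.200 %ASA-6-302013: Built outbound TCP connection 10",
    "<166>Jan 10 10:00:02 192.168.1.200 %ASA-6-302014: Teardown TCP connection 10",
    "<166>Jan 10 10:00:03 192.168.1.201 %ASA-6-302013: Built outbound TCP connection 11",
    "<164>Jan 10 10:00:04 192.168.1.200 %ASA-4-106023: Deny tcp src outside:10.9.9.9/1234",
    "<166>Jan 10 10:00:05 192.168.1.20 %ASA-6-302013: Built outbound TCP connection 12",
]

# Rules are evaluated top to bottom; the first match decides (assumed semantics).
# The PCRE anchors on the header so that only the device at 192.168.1.200 matches,
# and only its Build/Teardown messages (302013/302014); 192.168.1.20 and
# 192.168.1.201 cannot match because the IP is followed by whitespace.
DEVICE_CONN_RE = re.compile(
    r"^<\d+>\w{3}\s+\d+\s+[\d:]+\s+192\.168\.1\.200\s+%ASA-6-30201[34]:"
)

FILTER_RULES = [
    # "Stop processing Filter Rules" without "Send Log to Parser": event is discarded.
    ("drop_asa200_conn", DEVICE_CONN_RE, "drop"),
    # Catch-all ("Match All" + "Send Log to Parser"); it must stay last.
    ("z_All", None, "parser"),
]


def apply_filter_rules(event, rules=FILTER_RULES):
    """Return (rule name, action) of the first rule whose regex matches.

    A rule with pattern None is the catch-all and matches every event.
    """
    for name, pattern, action in rules:
        if pattern is None or pattern.search(event):
            return name, action
    return None, "parser"  # no catch-all configured: leave the event alone


def route_events(events, rules=FILTER_RULES):
    """Split events into those forwarded to the parser and those dropped."""
    forwarded, dropped = [], []
    for event in events:
        _, action = apply_filter_rules(event, rules)
        (dropped if action == "drop" else forwarded).append(event)
    return forwarded, dropped


if __name__ == "__main__":
    kept, gone = route_events(SAMPLE_EVENTS)
    print(f"forwarded to parser: {len(kept)}, dropped: {len(gone)}")
```

Removing the catch-all from FILTER_RULES and rerunning shows why step 7 insists on it: every unmatched event then falls through to the fallback branch instead of an explicit rule.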
Another way you could go about this would be to prune unwanted events at the source. If it comes from a Cisco device, have the Administrator use the following syntax on the device: "no logging message message-number"
So if you do not want to receive the Buildup & Teardown Events from an ASA Firewall, provide the Admin the correct message numbers and have them configure the system to not send them to you.
Can we add multiple strings in a single filter rule? Will it trigger when there is even a single match from the bunch of strings added? What action should be specified to trigger this filter rule and drop the events with those particular strings?
Thanks in advance