User Defined Group by IP Range?

Is it possible to create a user defined group for an IP range? Does it accept full RegEx?

I am trying to create a UDG that represents each of my clients and it seemed the best way to do that would be to add their IP range(s), but I wasn't sure if that was possible.

0 Kudos
1 Solution
Product Manager

Not really - I think there was a FR for IP ranges/subnets in UDGs. And, just wildcards are valid, not full regex (yet anyway).

So, you'd have to wildcard it out - 172.16.*, 10.0.0.* - or use a CSV to make a big list (which might cause slowness when searching if it's huge).

7 Replies
Product Manager

Hopefully the emoji comes through: ️or    first...

When they are all agents, you can use connector profiles, which are like a UDG that contains both the name and IPs for those agent nodes. BUT, for syslog sources, the UDG method is your best bet, and that's what I've used in the past as well. I used to have UDGs for my internal/external networks and known good/bad IPs (like my ISP, scanner, networks local to my colo vs. different sites).

0 Kudos

So, if you are using a manually configured UDG, how do you confirm you are capturing all of the correct nodes since we already established we can't for sure rely on name or IP?

0 Kudos
Product Manager

It's definitely not ideally scalable. For non-agent nodes, I popped in the hostname* for all my devices that might report by hostname, and the IP ranges. For agents, the connector profiles regularly handle updates to the IPs/hostnames automatically.

One thing I did was create a rule/filter for "something I don't know about" for a while to see what I was missing - I'd create a rule/filter for detectionIPs that didn't match my UDG/profiles and clean stuff up. Then when I built rules downstream that relied on them I would also build an exception so I could catch something that didn't match ANY of my groups (if that makes sense).

So if it's an agent node will the DetectionIP always be the system name as reported by the agent?

That bit about the rule to catch things that you don't know about is awesome, I am totally going to use that.

0 Kudos
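The two pieces of advice in this thread, octet wildcards such as 172.16.* or 10.0.0.* standing in for a range, and a "something I don't know about" filter for DetectionIPs that match none of your groups, can be checked offline before anything is typed into a UDG. The following is an added example, not code from the thread or from the product: it expands each client's CIDR ranges into wildcard entries (octet-aligned prefixes become one entry, anything else is split to the next octet boundary, which is where the "big CSV list" comes from), then flags constructed sample DetectionIP values that no group covers. Python's fnmatch is used as a stand-in for the product's own wildcard matching, whose exact rules are an assumption here.

```python
import ipaddress
from fnmatch import fnmatchcase

# Constructed client definitions: CIDR ranges plus a hostname wildcard
CLIENTS = {
    "client-a": ["10.0.0.0/22", "172.16.0.0/16"],
    "client-b": ["192.168.10.0/30", "web*.clientb.local"],
}

def cidr_to_wildcards(cidr):
    """Expand one CIDR into dotted wildcard entries such as '10.0.1.*'.

    Octet-aligned prefixes (/8, /16, /24, /32) become a single entry; any
    other prefix is split at the next octet boundary, so a /22 yields four
    '/24' entries and a /30 yields four individual hosts (the CSV-list case).
    """
    net = ipaddress.ip_network(cidr, strict=False)
    if net.prefixlen % 8 == 0:
        keep = net.prefixlen // 8
        octets = str(net.network_address).split(".")
        return [".".join(octets[:keep] + (["*"] if keep < 4 else []))]
    boundary = min(32, (net.prefixlen // 8 + 1) * 8)
    return [w for sub in net.subnets(new_prefix=boundary)
            for w in cidr_to_wildcards(str(sub))]

def build_groups(clients):
    """Turn each client's CIDRs and hostname patterns into a flat UDG entry list."""
    groups = {}
    for name, entries in clients.items():
        groups[name] = [w for e in entries
                        for w in (cidr_to_wildcards(e) if "/" in e else [e])]
    return groups

def match_group(groups, detection):
    """Return the first client whose entries match a DetectionIP/hostname, else None."""
    for name, patterns in groups.items():
        if any(fnmatchcase(detection, p) for p in patterns):
            return name
    return None

def unknown_detections(groups, detections):
    """The 'something I don't know about' filter: values that match no group."""
    return [d for d in detections if match_group(groups, d) is None]

# Constructed sample DetectionIP values, as they might appear in events
SAMPLE = ["10.0.3.200", "172.16.99.1", "192.168.10.2", "192.168.10.9",
          "web01.clientb.local", "db01.clientb.local"]

if __name__ == "__main__":
    g = build_groups(CLIENTS)
    for name, pats in g.items():
        print(name, len(pats), "entries:", pats[:5])
    print("unmatched:", unknown_detections(g, SAMPLE))
```

Anything reported under "unmatched" is either a host that should be added to a client group or a source reporting by a name you had not anticipated, which is exactly what the catch-all rule is meant to surface.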

It should always be the system name as reported by the agent, but we are also reading from log files as well. Windows event log will stay consistent, but if you get outside reading other log files just sitting on the system then it may have what is in the log file. You can do an ndepth search (or filter) on an agent to see what it is reporting back to help confirm. You should see that it really is the same name as reported by the agent.

0 Kudos
What I am trying to accomplish between this question and the one you responded to HERE is to use a UDG to represent all of the systems for each client that we manage. The problems I am running into are as follows:

  1. No definitive way to know you are capturing all of the proper systems as some report by name while others report by IP
  2. No way to filter by an IP range even if the first issue wasn't true

With that all being said, if you were in my situation, how would you solve this problem?

0 Kudos