7 Replies Latest reply on Mar 8, 2016 3:38 PM by wolram

    User Defined Group by IP Range?

    byrona

      Is it possible to create a user defined group for an IP range?  Does it accept full RegEx?


      I am trying to create a UDG that represents each of my clients, and it seemed the best way to do that would be to add their IP range(s), but I wasn't sure if that was possible.

        • Re: User Defined Group by IP Range?
          nicole pauls

          Not really - I think there was an FR for IP ranges/subnets in UDGs. And just wildcards are valid, not full regex (yet, anyway).


          So, you'd have to wildcard it out - 172.16.*, 10.0.0.* - or use a CSV to make a big list (which might cause slowness when searching if it's huge).

            • Re: User Defined Group by IP Range?
              byrona

              What I am trying to accomplish between this question and the one you responded to HERE is to use a UDG to represent all of the systems for each client that we manage. The problems I am running into are as follows:


              1. No definitive way to know you are capturing all of the proper systems as some report by name while others report by IP
              2. No way to filter by an IP range even if the first issue wasn't true


              With that all being said, if you were in my situation, how would you solve this problem?

            • Re: User Defined Group by IP Range?
              nicole pauls

              Hopefully the emoji comes through: ☕️or    first...


              When they are all agents, you can use connector profiles, which are like a UDG that contains both the name and IPs for those agent nodes. BUT, for syslog sources, the UDG method is your best bet, and that's what I've used in the past as well. I used to have UDGs for my internal/external networks and known good/bad IPs (like my ISP, scanner, networks local to my colo vs. different sites).

                • Re: User Defined Group by IP Range?
                  byrona

                  So, if you are using a manually configured UDG, how do you confirm you are capturing all of the correct nodes, since we already established we can't rely for sure on name or IP?

                    • Re: User Defined Group by IP Range?
                      nicole pauls

                      It's definitely not ideally scalable. For non-agent nodes, I popped in the hostname* for all my devices that might report by hostname, and the IP ranges. For agents, the connector profiles regularly handle updates to the IPs/hostnames automatically.


                      One thing I did was create a rule/filter for "something I don't know about" for a while to see what I was missing - I'd create a rule/filter for DetectionIPs that didn't match my UDG/profiles and clean stuff up. Then, when I built rules downstream that relied on them, I would also build an exception so I could catch something that didn't match ANY of my groups (if that makes sense).

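                      The two mechanical parts of this thread, the wildcard-only UDG entries from the earlier reply (172.16.*, 10.0.0.*, or a big CSV) and the "something I don't know about" rule above, can be prototyped offline. The following is an added example, not code from the thread or from the product: it expands a client's CIDR blocks into dotted wildcard entries, flattens hostname wildcards into the same list, and then reports every DetectionIP that hits none of the groups. It assumes a UDG wildcard behaves like a shell glob (the thread only says "wildcards, not regex"), so it uses Python's fnmatch as a stand-in for the real matcher, and all group names and events are constructed sample data.

```python
"""Added example (not from the original thread or from the product's own code):
two chores the thread describes, done offline against constructed sample data.

1. Turn a client's CIDR blocks into the dotted wildcard entries a UDG accepts
   ('172.16.*', '10.0.0.*'), since the thread says UDGs take wildcards only.
2. Run the "something I don't know about" check: find DetectionIP values that
   match none of the groups, so the lists can be cleaned up.

Assumption: a UDG wildcard behaves like a shell glob ('*' matches anything).
The matcher here uses fnmatch, not the product's real engine.
"""
import fnmatch
import ipaddress


def cidr_to_wildcards(cidr):
    """Expand an IPv4 address or CIDR block into 'a.b.c.*'-style patterns.

    Octet-aligned prefixes (/8, /16, /24, /32) become a single entry.  Anything
    else is split into the largest octet-aligned blocks it contains, which is
    why a /25 expands to 128 single addresses: the wildcard syntax cannot say
    "half an octet", so the list grows, exactly the CSV-size problem the thread
    warns about.  Raises ValueError for anything that is not an IPv4 network.
    """
    net = ipaddress.IPv4Network(cidr, strict=False)
    aligned = min(p for p in (8, 16, 24, 32) if p >= net.prefixlen)
    kept = aligned // 8  # number of leading octets that are fixed
    patterns = []
    for sub in net.subnets(new_prefix=aligned):
        octets = str(sub.network_address).split(".")[:kept]
        patterns.append(".".join(octets + ["*"]) if kept < 4 else ".".join(octets))
    return patterns


def build_groups(spec):
    """spec maps group name -> list of CIDR blocks and/or hostname wildcards.

    Returns group name -> flat list of glob patterns, lower-cased so that a node
    reporting as 'WEBFARM-03' still matches a 'webfarm*' entry.
    """
    groups = {}
    for name, entries in spec.items():
        patterns = []
        for entry in entries:
            try:
                patterns.extend(cidr_to_wildcards(entry))
            except ValueError:
                # Not IPv4: treat it as a hostname wildcard such as 'webfarm*'.
                patterns.append(entry.lower())
        groups[name] = patterns
    return groups


def classify(detection_ip, groups):
    """Names of every group whose list matches this DetectionIP (name or address)."""
    value = detection_ip.lower()
    return [name for name, pats in groups.items()
            if any(fnmatch.fnmatchcase(value, p) for p in pats)]


def unmatched(events, groups):
    """The 'don't know about it' rule: DetectionIPs that hit no group at all."""
    return sorted({e["DetectionIP"] for e in events
                   if not classify(e["DetectionIP"], groups)})


# Constructed sample data; these are not real clients or real log records.
GROUP_SPEC = {
    "Client_A": ["172.16.0.0/12", "webfarm*"],
    "Client_B": ["10.0.0.0/24", "192.168.1.128/25"],
}
SAMPLE_EVENTS = [
    {"DetectionIP": "10.0.0.17",     "EventInfo": "agent heartbeat"},
    {"DetectionIP": "172.20.4.9",    "EventInfo": "syslog from Client_A firewall"},
    {"DetectionIP": "WEBFARM-03",    "EventInfo": "agent reporting by hostname"},
    {"DetectionIP": "192.168.1.200", "EventInfo": "upper half of 192.168.1.0/24"},
    {"DetectionIP": "203.0.113.44",  "EventInfo": "syslog source nobody claims"},
    {"DetectionIP": "db-legacy",     "EventInfo": "hostname not on any list"},
]

if __name__ == "__main__":
    groups = build_groups(GROUP_SPEC)
    for name, pats in groups.items():
        print(f"{name}: {len(pats)} UDG entries, e.g. {pats[:3]}")
    for event in SAMPLE_EVENTS:
        hit = classify(event["DetectionIP"], groups) or "UNKNOWN"
        print(f"{event['DetectionIP']:>15} -> {hit}")
    print("unmatched:", unmatched(SAMPLE_EVENTS, groups))
```

                      Two things worth noticing when you run it: the 172.16.0.0/12 block becomes sixteen 172.x.* entries, but 192.168.1.128/25 becomes 128 single addresses, so check the size of the generated list before pasting it into a UDG or CSV. And because '*' in a glob also matches dots, an entry like 10.0.0.* will match anything that starts with "10.0.0.", so keep hostname wildcards and address wildcards from overlapping.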
                        • Re: User Defined Group by IP Range?
                          byrona

                          So if it's an agent node will the DetectionIP always be the system name as reported by the agent?


                          That bit about the rule to catch things that you don't know about is awesome; I am totally going to use that.

                            • Re: User Defined Group by IP Range?
                              wolram

                              It should always be the system name as reported by the agent, but we are also reading from log files. Windows event log will stay consistent, but if you get outside that, reading other log files just sitting on the system, then it may have what is in the log file. You can do an nDepth search (or filter) on an agent to see what it is reporting back to help confirm. You should see that it really is the same name as reported by the agent.