2 Replies Latest reply on May 3, 2017 1:07 PM by sotherls

    Modify existing LEM filter to exclude keywords

    sotherls

      Using LEM 6.3.1


      I am trying to learn this product and have stumbled upon what I thought would be an easy task - I want to take an existing filter, clone it and then edit it to do what it is doing but to exclude certain keywords so I can reduce the sensitivity of the filter.


      For example, I cloned the Incidents filter and now want to exclude events that have something *freebsd* or *pam* in the ToolAlias field.

      This is what my traffic looks like coming in:


      [screenshot: FilterEvents.PNG]

      And this is how my filter looks:

      [screenshot: Filter.PNG]

      But yet these events keep coming in.


      What am I doing wrong?

        • Re: Modify existing LEM filter to exclude keywords
          curtisi

          First, the reason it's not working is because you have an "OR" in the logic.  The orange line on the right with the round bump in your screen shot means "OR."


          Second, you may be solving the wrong problem.  Based on what you're trying to exclude, I'm guessing you ran a "Node Discovery" and then didn't uncheck the boxes for things you don't own.  I bet if you go to Manage --> Appliances, click the gear next to your LEM, go into "Connectors" and look at the log readers you have configured, you have a bunch with the term "Connector Discovery" for products that aren't actually sending logs, like PAM, F5 and BSD.  Instead of modifying the filter, just remove the bogus connectors (click gear, STOP, click gear, DELETE).  That will solve the larger problem and improve LEM performance.
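The OR-versus-AND point in the reply above, as an added example that is not from the thread or from SolarWinds: a small Python model of a keyword-exclusion filter run over constructed events. The ToolAlias field and the keywords freebsd and pam come from the post; the case-insensitive substring match and the sample ToolAlias values are assumptions.

```python
"""Why "ToolAlias does not contain freebsd OR ToolAlias does not contain pam"
still lets freebsd and pam events through, and why AND is the correct combinator."""
from typing import Callable, Dict, Iterable, List

Event = Dict[str, str]
Condition = Callable[[Event], bool]

# Constructed sample events (not taken from the original thread).
SAMPLE_EVENTS: List[Event] = [
    {"EventName": "UserLogonFailure", "ToolAlias": "freebsd-syslog"},
    {"EventName": "UserLogonFailure", "ToolAlias": "pam-unix"},
    {"EventName": "UserLogonFailure", "ToolAlias": "Windows Security Log"},
    {"EventName": "UserLogonFailure", "ToolAlias": "freebsd-pam-bridge"},
]


def exclude_keyword(field: str, keyword: str) -> Condition:
    """Condition that is true when `field` does NOT contain `keyword`
    (case-insensitive substring match is an assumption about LEM's behaviour)."""
    kw = keyword.lower()
    return lambda ev: kw not in ev.get(field, "").lower()


def apply_filter(events: Iterable[Event], conditions: List[Condition],
                 combine: Callable[[Iterable[bool]], bool]) -> List[Event]:
    """Keep an event when the combined conditions hold; `combine` is any() or all()."""
    return [ev for ev in events if combine(c(ev) for c in conditions)]


CONDITIONS = [exclude_keyword("ToolAlias", "freebsd"),
              exclude_keyword("ToolAlias", "pam")]


def with_or(events: Iterable[Event] = SAMPLE_EVENTS) -> List[str]:
    """The broken filter: an event passes if it lacks freebsd OR lacks pam,
    so only events containing both keywords are dropped."""
    return [ev["ToolAlias"] for ev in apply_filter(events, CONDITIONS, any)]


def with_and(events: Iterable[Event] = SAMPLE_EVENTS) -> List[str]:
    """The intended filter: an event passes only if it lacks freebsd AND lacks pam."""
    return [ev["ToolAlias"] for ev in apply_filter(events, CONDITIONS, all)]


if __name__ == "__main__":
    print("OR  keeps:", with_or())   # three of the four events slip through
    print("AND keeps:", with_and())  # only the Windows event remains
```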