4 Replies Latest reply on Oct 23, 2015 12:25 PM by dowshirley

    Filter question

    dowshirley

      I'm just getting my feet wet with LEM.  As I was reviewing the filters in the different categories (Security, IT Operations, Change Management, etc.), I noticed I can drag and drop filters into different categories.  For example, moving the "Group Changes" filter from the Change Management category into the IT Operations category.  It's also possible to delete filters.  I think I may have inadvertently deleted some of the out-of-the-box filters.

       

      My question is this: Is there a way to restore (or undelete) a deleted filter?  Or perhaps even reset the default filters so that they are back where they came from?

       

      Thanks in advance!

        • Re: Filter question
          HolyGuacamole

          If you create a brand new user, and log in as that user, you should get the defaults back. You can then export them (one group at a time), and import them back to the other user.

            • Re: Filter question
              dowshirley

              Thank you Guac

               

              I was logging into the LEM as a DS User in the Administrator role.  This is where I started working in LEM.  This is the user where I started to question my filters after working with them for a couple weeks.

               

              Following your advice, I built a LEM User and gave it the Administrator role.  I logged in as that user and took screenshots of the filter list.  (Interesting note here: I was able to see filters that I had created with my DS User.  I wasn't expecting to see that.  I assumed that filters would not be available to other users.)  I then logged in with my DS User and started comparing the filter list.  They matched up; all the filters the LEM User has, the DS User has as well. So it would appear that I haven't screwed up the DS User filter too badly :-)

               

              However, now I'm curious about the aforementioned new filters I created with my DS User.  Would all users in the Administrator role have the same filters?  As an experiment, as the DS User, I moved the filters I created from one group (IT Operations) to another group (My Filters).  I then logged out of the DS User and logged in as the LEM user.  I saw the changes I made as the DS User.  In other words, the LEM user sees the moves the DS User made.

               

              Is this normal or expected behavior?

               

              Edit:

              I found a blog post at: Detecting Malicious Insiders with Log & Event Manager and compared what the poster was calling out-of-the-box filters and discovered I don't have the following (either as my original DS User or my newly created LEM User):

              Change Management > UserDisable

              IT Operations > Web Errors

              IT Operations > Process Auditing

               

              Would it be possible to post the filter conditions/notifications/etc.?