DS9ish
Participant

Log Exporter advanced filtering

I'd like to understand the XML filtering mechanism a little better.  The basic examples provided in SK122313 and in the community don't get too deep into its capabilities and limitations.

Log Exporter seems designed to identify logs to be forwarded to a remote server; filterGroups are defined in SK122323 as "a group of fields that determine what to export."

Is it possible to invert that approach?  For example, to forward everything by default and then granularly define multiple independent sets of criteria to not forward?

A very simple use case like just applying a "neq" comparison to a single value seems pretty straightforward, but how do you go about defining multiple independent exclusionary criteria?  For example:

  1. exclude by rule_uid
  2. exclude HTTPS traffic to a set of destinations IPs
  3. exclude echo_requests to a different set of destination IPs

A few questions about how the filtering mechanism works:

What is the intended way to define multiple independent sets of filtering criteria?  Defining multiple <filterGroup> or <filters> sections does not seem to work, and defining separate <dynamicFilter> sections in the targetConfiguration.xml (pointing to different XML files) does not seem to work.

Can multiple sets of criteria be defined at all, and if so, how do they interact in cases of a conflict, like where one set of criteria would define a log to be forwarded and another set would define the same log to not be forwarded?

Is there significance in many examples of the XML filtering having field definitions with no value comparisons, like so:

<field name="action" operator="and">
</field>

DS9ish
Participant

Bumping to try a different approach:

Can you apply multiple <filterGroup> definitions in the same filtering configuration?

I have some explicit rules where I don't want to forward their logs to my SIEM; I can filter them with neq comparisons on the rule_uid and it works okay:

        <filterGroup operator="and">
                <field name="rule_uid" operator="and">
                       <value operation="neq">403761be-1afa-4c25-892d-3c755925560c</value>
                       <value operation="neq">000b9f56-a67a-4851-8c84-09668838849c</value>
                </field>
        </filterGroup>

I also have clients with Identity Agent that generate a large number of network connections to the gateway running as our identity PDP.  This traffic is permitted by implied rules, so I cannot filter it by rule_uid or really configure its logging too much (at least not without affecting other things).  I don't want to send all these logs to my SIEM, so I can build a <filterGroup> to filter them based on dst and service and it seems to work:

        <filterGroup operator="or">
                <field name="dst" operator="and">
                       <value operation="neq">1.2.3.4</value>
                       <value operation="neq">1.2.3.5</value>
                       <value operation="neq">1.2.3.6</value>
                </field>
                <field name="service" operator="or">
                       <value operation="neq">443</value>
                </field>
        </filterGroup>

When I try to include separate <filterGroup> sections to include them both, one or the other works but not both.

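To make the combination the post is after explicit, here is an added Python evaluator (not Check Point's code; the filterGroup/field/value semantics are my reading of the format and are assumed, not confirmed by this thread) that runs both exclusion groups over constructed log records and shows why a single flat <filterGroup>, with either operator, cannot replace the two of them:

```python
import xml.etree.ElementTree as ET
# Assumed semantics (not confirmed in the thread): a <filterGroup> combines its
# <field> results with its operator, a <field> combines its <value> comparisons
# with its own operator, and eq/neq compare the log field as a string.
def _value_matches(log, name, value_el):
    actual, expected = str(log.get(name, "")), value_el.text.strip()
    return actual == expected if value_el.get("operation", "eq") == "eq" else actual != expected

def _combine(op, results):
    return all(results) if op == "and" else any(results)

def group_passes(xml_text, log):
    """True if the log record passes the single <filterGroup> in xml_text."""
    group = ET.fromstring(xml_text)
    fields = []
    for field in group.findall("field"):
        checks = [_value_matches(log, field.get("name"), v) for v in field.findall("value")]
        fields.append(_combine(field.get("operator", "and"), checks))
    return _combine(group.get("operator", "and"), fields)

RULE_GROUP = """<filterGroup operator="and">
  <field name="rule_uid" operator="and">
    <value operation="neq">403761be-1afa-4c25-892d-3c755925560c</value>
    <value operation="neq">000b9f56-a67a-4851-8c84-09668838849c</value>
  </field></filterGroup>"""

# NOT(dst in set AND service == 443)  ==  (dst not in set) OR (service != 443)
IDENTITY_GROUP = """<filterGroup operator="or">
  <field name="dst" operator="and">
    <value operation="neq">1.2.3.4</value>
    <value operation="neq">1.2.3.5</value>
  </field>
  <field name="service" operator="or"><value operation="neq">443</value></field>
</filterGroup>"""

def forward_with_both(log):
    """Intended result: a record is forwarded only if it passes both exclusions."""
    return group_passes(RULE_GROUP, log) and group_passes(IDENTITY_GROUP, log)

def forward_flattened(op, log):
    """Merge every field into one <filterGroup operator=op>, the only flat option."""
    fields = ET.fromstring(RULE_GROUP).findall("field") + ET.fromstring(IDENTITY_GROUP).findall("field")
    merged = ET.Element("filterGroup", operator=op)
    merged.extend(fields)
    return group_passes(ET.tostring(merged, encoding="unicode"), log)
# Constructed sample records (values invented for the demonstration).
NOISY_RULE = {"rule_uid": "403761be-1afa-4c25-892d-3c755925560c", "dst": "10.9.9.9", "service": "80"}
IDENTITY_HTTPS = {"rule_uid": "implied", "dst": "1.2.3.4", "service": "443"}
OTHER_HTTPS = {"rule_uid": "implied", "dst": "10.9.9.9", "service": "443"}
```

With operator="and" the merged group also drops OTHER_HTTPS (every 443 connection), and with operator="or" it forwards NOISY_RULE and IDENTITY_HTTPS again, which is the "one or the other works but not both" outcome.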
PhoneBoy
Admin

Unfortunately, we don't support complex filtering logic like this currently.
