I'd like to understand the XML filtering mechanism a little better. The basic examples provided in SK122313 and in the community don't get too deep into its capabilities and limitations.
Log Exporter seems designed to identify logs to be forwarded to a remote server; filterGroups are defined in SK122323 as "a group of fields that determine what to export."
Is it possible to invert that approach? For example, to forward everything by default and then granularly define multiple independent sets of criteria to not forward?
A very simple use case like just applying a "neq" comparison to a single value seems pretty straightforward, but how do you go about defining multiple independent exclusionary criteria? For example:
- exclude by rule_uid
- exclude HTTPS traffic to a set of destination IPs
- exclude echo_requests to a different set of destination IPs
A few questions about how the filtering mechanism works:
What is the intended way to define multiple independent sets of filtering criteria? Defining multiple <filterGroup> or <filters> sections does not seem to work, and defining separate <dynamicFilter> sections in the targetConfiguration.xml (pointing to different XML files) does not seem to work.
Can multiple sets of criteria be defined at all, and if so how do they interact in cases of a conflict, like where one set of criteria would define a log to be forwarded and another set would define the same log to not be forwarded?
Is there significance in many examples of the XML filtering having field definitions with no value comparisons, like so:
<field name="action" operator="and">
</field>
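To make the semantics being asked about concrete (forward everything by default, drop logs matched by any of several independent exclusion sets, and a defined answer to what happens on a conflict), here is an added Python example. It is not Check Point's Log Exporter code and the XML vocabulary it reads (exclusions, keep, exclude, field, value) is constructed for this example, not the product's filter schema; the rule UIDs, addresses and log records are constructed sample data. Within one set the fields are ANDed, within one field the values are ORed, and an explicit keep set takes precedence over any exclude set, so a conflict has one documented outcome instead of depending on evaluation order.

```python
"""Default-forward log filtering with several independent exclusion sets.

Hypothetical example, not Check Point Log Exporter's filter schema or code.
The XML vocabulary (<exclusions>, <keep>, <exclude>, <field>, <value>) is
constructed here to model the semantics discussed: forward everything by
default, drop logs matched by any exclusion set, and resolve conflicts with
an explicit precedence (a <keep> set wins over any <exclude> set).
"""
import ipaddress
import xml.etree.ElementTree as ET

# Constructed filter file (hypothetical schema). Fields inside one set are
# ANDed; values inside one field are ORed. Each set is independent.
FILTER_XML = """
<exclusions>
  <keep name="audit-rule">
    <field name="rule_uid"><value>99999999-0000-0000-0000-000000000001</value></field>
  </keep>
  <exclude name="noisy-rule">
    <field name="rule_uid"><value>11111111-2222-3333-4444-555555555555</value></field>
  </exclude>
  <exclude name="https-to-cdn">
    <field name="proto"><value>6</value></field>
    <field name="service"><value>443</value></field>
    <field name="dst"><value>203.0.113.0/24</value><value>198.51.100.10</value></field>
  </exclude>
  <exclude name="ping-to-monitors">
    <field name="proto"><value>1</value></field>
    <field name="icmp_type"><value>8</value></field>
    <field name="dst"><value>192.0.2.5</value><value>192.0.2.6</value></field>
  </exclude>
</exclusions>
"""

# Constructed log records (dicts standing in for parsed log lines).
SAMPLE_LOGS = [
    {"id": 1, "rule_uid": "11111111-2222-3333-4444-555555555555", "proto": 6, "service": 80, "dst": "10.0.0.1"},
    {"id": 2, "rule_uid": "aaaaaaaa-0000-0000-0000-000000000002", "proto": 6, "service": 443, "dst": "203.0.113.77"},
    {"id": 3, "rule_uid": "aaaaaaaa-0000-0000-0000-000000000003", "proto": 6, "service": 443, "dst": "10.0.0.9"},
    {"id": 4, "proto": 1, "icmp_type": 8, "dst": "192.0.2.5"},
    {"id": 5, "proto": 1, "icmp_type": 8, "dst": "203.0.113.77"},
    {"id": 6, "proto": 1, "icmp_type": 0, "dst": "192.0.2.5"},
    {"id": 7, "rule_uid": "99999999-0000-0000-0000-000000000001", "proto": 6, "service": 443, "dst": "203.0.113.8"},
]


def _value_matches(log_value, pattern):
    """Exact string match, or host/CIDR containment when both parse as IPs."""
    if log_value == pattern:
        return True
    try:
        return ipaddress.ip_address(log_value) in ipaddress.ip_network(pattern, strict=False)
    except ValueError:  # non-IP field values simply never match a CIDR pattern
        return False


def _load_sets(root, tag):
    """Read every <tag> element into (name, {field: [values]}) pairs.

    A set with no fields would match every log (all([]) is True) and a field
    with no values could never match (any([]) is False); both are almost
    certainly authoring mistakes, so they are rejected at load time rather
    than silently dropping everything or nothing."""
    sets = []
    for elem in root.findall(tag):
        fields = {}
        for f in elem.findall("field"):
            fields[f.get("name")] = [(v.text or "").strip() for v in f.findall("value")]
        if not fields or any(not vals for vals in fields.values()):
            raise ValueError(f"<{tag} name={elem.get('name')!r}> has an empty criterion")
        sets.append((elem.get("name"), fields))
    return sets


def load_filter(xml_text):
    root = ET.fromstring(xml_text)
    return {"keep": _load_sets(root, "keep"), "exclude": _load_sets(root, "exclude")}


def _set_matches(log, fields):
    """AND across fields, OR across values; a field missing from the log fails."""
    return all(
        field in log and any(_value_matches(str(log[field]), p) for p in patterns)
        for field, patterns in fields.items()
    )


def decide(log, filt):
    """Return ("forward", reason) or ("drop", reason) for one record."""
    for name, fields in filt["keep"]:          # explicit keeps win conflicts
        if _set_matches(log, fields):
            return "forward", f"keep:{name}"
    for name, fields in filt["exclude"]:       # first matching exclusion drops
        if _set_matches(log, fields):
            return "drop", f"exclude:{name}"
    return "forward", "default"                # nothing claimed it: forward


def forward(logs, filt):
    return [log for log in logs if decide(log, filt)[0] == "forward"]


if __name__ == "__main__":
    filt = load_filter(FILTER_XML)
    for log in SAMPLE_LOGS:
        print(log["id"], *decide(log, filt))
```

Running it forwards records 3, 5, 6 and 7: record 3 is HTTPS but not to an excluded destination, record 5 is an echo request to an address that only the HTTPS set lists (and that set also requires a service field the record lacks), record 6 is an echo reply, and record 7 matches the HTTPS exclusion but is kept because the keep set for its rule takes precedence. Whether Log Exporter itself resolves such conflicts this way is exactly the open question in the post; the example only shows one deterministic policy for doing so.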