This website uses cookies. By clicking OK, you consent to the use of cookies. Click Here to learn more about how we use cookies.
OK
ABOUT CHECKMATES & FAQ
Create a Post
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Help
Nicholas_Flood
Employee Alumnus
Employee Alumnus
‎2016-04-27 07:09 PM

global exclusions

Jump to solution

Customer upgraded from R77.30 to R80. Previously, when they add a Global Exclusion in SmartEvent > Policy > Event Policy > Global Exclusions they get asked if they want to run this exception on all previous events as well. Afterwards or from there after, no events matching that criteria show up in SmartEvent. After upgrade, no asking or notification is done. They confirmed that events show up in SmartEvent but mentioned that a custom script that is supposed to email alerts when traffic is detected instead of prevented, doesn't appear to get engaged by the excluded traffic. Likewise, we're confirming that when reports are generated, they don't include any traffic from the exclusions either.

So my question is, did global exclusion in R80 SmartEvent change? Do we still see exclusion traffic in SmartEvent but not past this? Do alerts/reports/etc not "see" the exclusion traffic?

Little extra, I noticed that when we filter for "todays" events, we see what looks like 24 hours worth of events. Does "today" filter by the date or 24 hours within that day and the wording "today" is a little inaccurate?

0 Kudos
1 Solution

Accepted Solutions
Shahaf_Alfasi
Employee Alumnus
Employee Alumnus
‎2016-05-05 08:40 AM

Jump to solution

Global exclusion still working in R80, but like in R77 global exclusion is only for Events that were crated by the correlation unit and defined in the SmartEvent policy.

R80 SmartEvent introduce new log and event engine and while R77.30 SmartEvent shows only events that were created by the correlation unit R80 SmartEvent shows logs and events.

While this change make SmartEvent more easy to use, powerful and gave new abilities to system administrator it also introduce some limitations like the limitation you describe that user can't define global exclusion on logs. We are familiar with these limitation and working hard to provide a solution for R80.10

Regarding 'Today' time frame today time frame should show you logs from 00:00:00 the same day if you see logs before 00:00:00 it is a bug and I suggest you'll contact Nir Barel from R&D to investigate it

Shahaf

View solution in original post

0 Kudos
1 Reply
Shahaf_Alfasi
Employee Alumnus
Employee Alumnus
‎2016-05-05 08:40 AM

Jump to solution

Global exclusion still working in R80, but like in R77 global exclusion is only for Events that were crated by the correlation unit and defined in the SmartEvent policy.

R80 SmartEvent introduce new log and event engine and while R77.30 SmartEvent shows only events that were created by the correlation unit R80 SmartEvent shows logs and events.

While this change make SmartEvent more easy to use, powerful and gave new abilities to system administrator it also introduce some limitations like the limitation you describe that user can't define global exclusion on logs. We are familiar with these limitation and working hard to provide a solution for R80.10

Regarding 'Today' time frame today time frame should show you logs from 00:00:00 the same day if you see logs before 00:00:00 it is a bug and I suggest you'll contact Nir Barel from R&D to investigate it

Shahaf

View solution in original post

0 Kudos