Aux Filtered Data Viewer screen
The Auxiliary Filtered Data screen is accessed by clicking the Messages > Catalogs tab and then selecting Aux. From that location, the operator can view a list of auxiliary files containing messages. Files are updated by rules configured in the Messages > Config > Filters screen. The Aux screen is depicted as follows:

The screen displays the auxiliary file names and data for each file. These files contain non-indexed data. The messages are not correlated, but they can be used in the various reporting tools of the system, making auxiliary files ideal for holding regular data from firewalls, VPN systems, or other systems that might send large amounts of data at regular intervals.
The actual filters, applied to all incoming messages, are specified on the Configure Filters screen. For more information, see Configure-Filters-screen. You can jump to this screen using the Go To Filter Config hyperlink at the top of the Filter Screen display. As discussed in that section, filters can be based upon severity, facility, message content, or the time of day at which the message is received.
Types of Auxiliary Files and Filters
There are various types of auxiliary files, configured using the Config > Filters screen or the Config > Parms screen, as follows:
- Main File—This file appears in the Aux tab if the user selects Main for any configured filter. This file is distinct in that it does not contain data, and it is not available to the Query facility. Messages directed to the Main file are discarded. The file is mainly useful for completely eliminating data that is of absolutely no interest to the end user.
- Aux-1 to Aux-16 Files—These files appear in the Aux tab if the user selects them for any configured filter. These files can be reported upon (by all the report functions, including the Query function). Additionally, these files can be archived before they are removed (as configured using the Config > Parms screen).
- Ddup File—This file appears if the user has configured the De-Duplicate Message Seconds value to be greater than zero on the Config > Parms screen. The file contains messages that have been removed from the system by the de-duplication filter, which can be used to filter messages that are duplicates of, and adjacent to, each other in the message log.
The Main and Ddup files are special purpose and distinct, as described previously.
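The routing described in this section can be modeled in a few lines of Python. This is an added illustration, not BMC Defender Server code: the first-match-wins filter order, the duplicate test (same host and text as the previous message) and the sliding de-dup window are assumptions, and the messages and filter set are constructed. It is useful for checking which messages a filter set keeps away from the correlation rules.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

@dataclass
class Msg:
    ts: datetime
    host: str
    facility: str
    severity: str
    text: str

@dataclass
class Filter:
    dest: str                       # "Main" or "Aux-1" .. "Aux-16"
    facility: Optional[str] = None
    severity: Optional[str] = None
    pattern: Optional[str] = None   # regex on message content
    hours: Optional[range] = None   # time-of-day window (hour of receipt)
    def matches(self, m: Msg) -> bool:
        return ((self.facility is None or m.facility == self.facility)
                and (self.severity is None or m.severity == self.severity)
                and (self.pattern is None or bool(re.search(self.pattern, m.text)))
                and (self.hours is None or m.ts.hour in self.hours))

def route(messages, filters, dedup_seconds=0):
    """Return {destination: [Msg]}; "Correlated" is the main, correlated stream."""
    out, prev = {}, None
    for m in messages:
        dup = (dedup_seconds > 0 and prev is not None
               and (m.host, m.text) == (prev.host, prev.text)
               and (m.ts - prev.ts).total_seconds() <= dedup_seconds)
        # Assumption: de-dup runs first, then the first matching filter wins.
        dest = "Ddup" if dup else next(
            (f.dest for f in filters if f.matches(m)), "Correlated")
        prev = m
        if dest != "Main":          # Main holds no data: matches are discarded
            out.setdefault(dest, []).append(m)
    return out

def sample():                       # constructed messages, not real logs
    t0, s = datetime(2024, 1, 1, 3, 0, 0), lambda n: timedelta(seconds=n)
    return [Msg(t0, "fw1", "local4", "info", "Built outbound TCP connection"),
            Msg(t0 + s(2), "fw1", "local4", "info", "Built outbound TCP connection"),
            Msg(t0 + s(5), "vpn1", "local5", "notice", "session keepalive"),
            Msg(t0 + s(9), "dc1", "auth", "warning", "Failed password for admin"),
            Msg(t0 + s(12), "sw1", "local7", "debug", "link state poll")]
FILTERS = [Filter("Main", severity="debug"),      # hypothetical filter set
           Filter("Aux-1", facility="local4"),
           Filter("Aux-2", pattern=r"keepalive")]
```

Calling `route(sample(), FILTERS, dedup_seconds=5)` leaves only the failed-password message in the correlated stream; the debug message routed to Main is absent from every destination.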
Adding Aux Filter Titles
It is quite common to redirect data of a particular type (or from a particular device) to an auxiliary file. The data is retained on the system and can be searched, queried, and reported on, but it is not passed through the correlation rules. This speeds up the program, prevents the correlation rules from being cluttered with a lot of uninteresting data, and helps organize the message data.
To assist with organizing the data, the operator can click the Advanced option at the top of the display. This accesses the Aux File Titles screen. The screen permits the user to annotate the display with arbitrary text and notes, such as to describe the type of data that the Aux file contains.
The text appears on the top-level Messages > Aux screen to help identify the purpose and intent of the filter and auxiliary file data.
Aux Filtering detailed notes
To view the data of an auxiliary file, users click on the filename (ranging from Main, Aux-1, through Aux-16, and optionally the De-dup file). Users can search the filtered data using the Search field at the top of the display. This performs an unindexed search of the data.
You can also search the Aux-1 through Aux-16 files using the Query function, which permits the user to search these files using potentially complex match expressions.
As an alternative to searching the data, certain Report functions permit reporting on filtered messages.
This capability is discussed in later topics of this section and is useful for auditing the type of data being filtered.
By default, filtered messages are discarded at midnight. However, you can select to archive these messages along with other data using the Messages > Config > Parms screen. In this case, filtered messages are stored in the archive like any other data, and the main purpose of the filters is not to discard data but to take unimportant data out of the main message and correlation stream, which can increase the performance and usability of BMC Defender Server.
If data is archived (as described previously), it can be re-imported into the BMC Defender Server system using the BMC Defender Server Import facility. This provides a way of returning filtered messages to the main message stream.
Finally, note that this screen is intended to support destination filtering, that is, data filtered by BMC Defender Server. It is often the case that messages can be filtered at their source. Syslog capable devices can usually limit the data being sent so that uninteresting messages do not appear on the network.
Source filtering can be used to augment the filtering strategy. Source filtering is a built-in function of the BMC Defender Agent for Windows, as well as the BMC Defender Server UNIX Agents. The capability also exists (with varying degrees of control) within standard UNIX, Cisco, and firewall devices. The principal advantage of source filtering as opposed to destination filtering is that source filtering provides a way of preventing unimportant messages from appearing as network traffic.