Sentinel 7.1 monitoring eDir and IDM with the audit connector.

Trying to make correlations for specific events (create/remove/modify)
on specific objectclasses in the IDVault.
I can get events if I create a filter that looks for
ei="objectclassname" - no problem at all. ei contains quite a bit of
information, in there are "Object Class: <whatever>" that matches fine
with search filters.

When I create a correlation rule
e.extendedinformation="SomeObjectClassHere" I get no matches... Probably
correct, not sure about the Lucene capabilities here since there is a lot
of information in that field.
I have tried to do it with regexp etc. - haven't found a working solution
to it.

Figuring that there should be a way to parse the event on the collector
to grab the objectclass and stuff it in customerVarXXX for easy
searching in correlations and/or filters... But how? My forehead is
getting quite flat and my desk isn't happy at all.

Anyone got a pointer to some good reading?


abergvall's Profile: https://forums.netiq.com/member.php?userid=278
View this thread: https://forums.netiq.com/showthread.php?t=49360
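One way to do the "parse ei on the collector and stuff the object class into a CustomerVar" step the post asks about, as an added example that is not from the thread or from NetIQ's Collector SDK: a small parser for the ExtendedInformation string that pulls out the "Object Class: ..." pair. It assumes ei holds "Key: Value" pairs separated by semicolons or newlines (the sample string is constructed), and the `CustomerVar21` and `ExtendedInformation` property names are placeholders for whichever output and input fields the real collector exposes.

```javascript
// Added example (not from the post or from NetIQ): parse a Sentinel
// ExtendedInformation (ei) string into key/value pairs and pull the
// "Object Class" value out so it can be copied into a CustomerVar field.
// Assumption: ei carries "Key: Value" pairs separated by ';' or newlines.

function parseExtendedInformation(ei) {
  var fields = {};
  if (typeof ei !== 'string') { return fields; }
  var parts = ei.split(/[;\n]+/);            // one "Key: Value" per part
  for (var i = 0; i < parts.length; i++) {
    var part = parts[i].trim();
    if (!part) { continue; }
    var idx = part.indexOf(':');             // split on the FIRST colon only,
    if (idx < 0) { continue; }               // so values like "12:30:00" survive
    var key = part.slice(0, idx).trim();
    var value = part.slice(idx + 1).trim();
    if (key) { fields[key] = value; }
  }
  return fields;
}

function objectClassFromEi(ei) {
  var fields = parseExtendedInformation(ei);
  return fields['Object Class'] || '';       // '' when the pair is absent
}

// Constructed sample of what an eDirectory audit event's ei field might carry
var SAMPLE_EI = 'Object Class: inetOrgPerson; Entry DN: cn=jdoe,ou=users,o=vault; ' +
                'Attribute: title; Time: 12:30:00';

// Copy the parsed class into a custom field so a correlation rule can test
// e.CustomerVar21="inetOrgPerson" instead of searching the whole ei blob.
// (Field names are hypothetical placeholders for the real collector fields.)
function enrichEvent(event) {
  var enriched = Object.assign({}, event);
  enriched.CustomerVar21 = objectClassFromEi(event.ExtendedInformation);
  return enriched;
}
```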