GroupBy custom asset list?

Looking at what methods there might be to alert on logs from a list of a subset of assets.

Ex. wanting to get logs from 20 servers specifically… Ideally some sort of list we can manage.

We can tag and sort in IVM… but I can't see any way in IDR apart from some large filters for OS, agent online/offline, etc.

Unfortunately we don’t have a concept of variables in InsightIDR yet. However I do remember hearing the idea kicked around a while back.

What you could do in the meantime as an alternative would be to create that long list that you’re referring to and make a custom alert for it but disable the investigation and just apply a label to those logs that contain e.g. “host_name IN [comp1, comp2, comp3]” or something. Then from there when you’re in log search you would just select that label when it appears in the entry view to scope the results down to logs that have those values.

Variables should be coming out very very soon.

1 Like

I have my manual query with the host names for now working.

What would be most ideal is using the same tags applied with R7 IVM CUSTOMATTRIBUTES=“abc” on the same endpoints in IDR.

Looking forward to at least using a variable!

@rboiteau variables are out now in log search, go to settings, log search, and then variables. Input all the values you want to and then simply use that variable in your log search.

2 Likes

This doesn't allow me to include all of the hostnames as there is a character limit.

Although I don’t know how many values you might have, you could possibly create multiple variables and your query could reference multiple variables in a list.
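An added example of the split-across-variables workaround suggested above (my code, not from the thread or from Rapid7): it packs a managed host list into several variable values that each stay under an assumed per-variable character limit and emits the `host_name IN [...]` filter referencing them. The limit of 40 and the `$name` reference syntax are assumptions, not documented product values.

```python
"""Split a managed host list across several log-search variables.

Added example, not from the thread. Assumes a per-variable character
limit (LIMIT, constructed) and that a variable is referenced in a
query as its name prefixed with '$' (syntax assumption).
"""

LIMIT = 40  # constructed for demonstration; the real limit is product-defined


def chunk_hosts(hosts, limit=LIMIT):
    """Greedily pack hostnames into comma-separated strings of at most `limit` chars.
    Raises ValueError if a single hostname cannot fit in a variable on its own."""
    chunks, current = [], []
    for h in hosts:
        h = h.strip()
        if not h:
            continue
        if len(h) > limit:
            raise ValueError(f"hostname too long for one variable: {h}")
        candidate = ", ".join(current + [h])
        if current and len(candidate) > limit:
            chunks.append(", ".join(current))  # close the full chunk
            current = [h]
        else:
            current.append(h)
    if current:
        chunks.append(", ".join(current))
    return chunks


def build_variables(hosts, prefix="managed_hosts", limit=LIMIT):
    """Return {variable_name: value} to enter under Settings > Log Search > Variables."""
    return {f"{prefix}_{i + 1}": c for i, c in enumerate(chunk_hosts(hosts, limit))}


def build_query(variables, field="host_name"):
    """Build the IN filter that references every variable, e.g. host_name IN [$a, $b]."""
    refs = ", ".join(f"${name}" for name in variables)
    return f"{field} IN [{refs}]"


# Constructed sample list of 20 servers (not real assets).
SAMPLE_HOSTS = [f"srv-{n:02d}" for n in range(1, 21)]

if __name__ == "__main__":
    variables = build_variables(SAMPLE_HOSTS)
    for name, value in variables.items():
        print(f"{name} = {value}")
    print(build_query(variables))
```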