airpwn / enterprise-log-search-and-archive

Automatically exported from code.google.com/p/enterprise-log-search-and-archive

Saved searches macro does not expand before peer search #197

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago
What steps will reproduce the problem?
1. Create a saved search on the web node such as srcip > 10.0.1.0 srcip < 10.0.1.255 named SUBNET1
2. Perform a query using the macro, such as class=BRO_HTTP www.google.com $SUBNET1
3. If you enter class=BRO_HTTP www.google.com and then choose ELSA --> Saved Searches --> Actions --> add to current search, it will work as expected

What is the expected output?
That each peer would be given the expanded query from the saved search macro
What do you see instead?
Each peer is sent the query such as
query_string%22%20%3A%20%22%20www.google.com%20class%3DBRO_HTTP%20%2B%24SUBNET1%22%0A%7D%0A&peer_label=peer1

What version of the product are you using? On what operating system?
r1171 RHEL6.5

Original issue reported on code.google.com by usr.s...@gmail.com on 18 Feb 2014 at 9:58
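To make the two behaviours in this report concrete, here is an added example (not ELSA's own Perl code) of what expanding the saved-search macro on the web node before fan-out would look like, together with a check that decodes the peer request quoted above and lists any `$NAME` tokens that were left unexpanded. The saved-search table, the `query_string`/`peer_label` field names and the nesting limit are assumptions for illustration.

```python
import re
from urllib.parse import quote, unquote

# Constructed saved-search table mirroring the SUBNET1 macro in the report.
SAVED_SEARCHES = {"SUBNET1": "srcip>10.0.1.0 srcip<10.0.1.255"}

# The URL-encoded peer request quoted in the report, used as sample input.
REPORTED_REQUEST = (
    "query_string%22%20%3A%20%22%20www.google.com%20class%3DBRO_HTTP%20"
    "%2B%24SUBNET1%22%0A%7D%0A&peer_label=peer1"
)

MACRO_RE = re.compile(r"\$(\w+)")
MAX_NESTING = 5  # assumed guard against self-referential macros


def expand_macros(query, saved_searches, _depth=0):
    """Replace every $NAME token with the body of the saved search NAME.

    Expansion repeats while the result still contains macros, so a saved
    search may itself reference another one, but it stops after MAX_NESTING
    rounds so a macro that references itself cannot loop forever. A macro
    with no matching saved search raises instead of being forwarded as a
    literal token, which is the failure mode the report describes.
    """
    if _depth > MAX_NESTING:
        raise ValueError("saved-search macro nesting too deep")

    def repl(match):
        name = match.group(1)
        if name not in saved_searches:
            raise KeyError("undefined saved search macro: $" + name)
        return saved_searches[name]

    expanded = MACRO_RE.sub(repl, query)
    if MACRO_RE.search(expanded):
        return expand_macros(expanded, saved_searches, _depth + 1)
    return expanded


def build_peer_request(query, peer_label, saved_searches):
    """Expand macros on the web node, then encode the per-peer request.

    Field names mirror the request in the report; the surrounding JSON
    wrapper seen there is omitted for brevity (assumption).
    """
    expanded = expand_macros(query, saved_searches)
    return "query_string=" + quote(expanded) + "&peer_label=" + quote(peer_label)


def unexpanded_macros(encoded_request):
    """Decode an outgoing peer request and return the macro names still in it.

    A non-empty result means the web node forwarded a macro the peer must
    resolve on its own, which only works if that peer has the same saved
    search defined (the workaround given in the maintainer's reply).
    """
    decoded = unquote(encoded_request)
    return MACRO_RE.findall(decoded)


if __name__ == "__main__":
    print(unexpanded_macros(REPORTED_REQUEST))
    print(build_peer_request("www.google.com class=BRO_HTTP +$SUBNET1",
                             "peer1", SAVED_SEARCHES))
```

Running the check on the request from the report returns `['SUBNET1']`, which is exactly the symptom described: the peer receives the macro name rather than the `srcip` range. Whether expansion should happen centrally or on each node is the design question the maintainer raises below; the check is useful either way, since it tells you whether a peer that lacks the saved search will ever be able to answer the query.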

GoogleCodeExporter commented 9 years ago
Interesting issue. So you want the macro to be expanded before being sent to other nodes. The current behavior is to allow individual nodes to interpret the macro for themselves. I will check with others to see if that is the preferred behavior by the majority of ELSA users. In the meantime, you'll need to add SUBNET1 as a macro to child peers.

Original comment by mchol...@gmail.com on 19 Feb 2014 at 5:43

GoogleCodeExporter commented 9 years ago

Original comment by mchol...@gmail.com on 19 Feb 2014 at 5:44

GoogleCodeExporter commented 9 years ago
The macro I use saves me a lot of time. I am glad that I got it. It makes doing work a lot faster and more efficient.

Alena | http://www.pascometalrecycling.com

Original comment by alenama...@gmail.com on 6 May 2014 at 4:47