Environment
NetIQ AppManager 8.0.x
Situation
Resolution
To exclude a string using a regular expression in the format file used by Knowledge Scripts (e.g., the "General_EventLogRX" Knowledge Script), use the "." and "*" symbols. Place these symbols before the string you wish to exclude when other words come before it. If you would like to exclude a particular string whenever it occurs in a log file, use "." and "*" both before and after the string.
You can use this snippet as an example of an XML filter file:
<?xml version = "1.0" standalone = "yes"?>
<EventLogConfig Name = "Event Filter" Type = "EVENT_FILTER_CUSTOM" ID = "76">
  <Exclude>
    <Events>
      <Log>Security</Log>
      <Type></Type>
      <Source></Source>
      <Category></Category>
      <EVENTID></EVENTID>
      <User>.*TEAM2\test.*,.*test.*</User>
      <Computer></Computer>
      <Description></Description>
      <CaseSensitive>n</CaseSensitive>
    </Events>
  </Exclude>
</EventLogConfig>
In this example, we are excluding the username "test" from the security log. There are two entries for test because a user sometimes appears as "Domain\user" and other times as just "user", which is what happens when it's in the description field. So if you want to gather all events (538, 576, 552, 540, 528) from the security log for all users except "Test", you could use the values tab of General_EventLogRX to enter all the data you want this Knowledge Script to return, and use the XML filter file to exclude the data you don't want returned.
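Before deploying an exclusion on the Security log, it helps to check which accounts the patterns actually drop. The following is an added example, not part of the original article or of AppManager: it evaluates the two `<User>` patterns from the filter above against constructed usernames. It assumes Python `re` semantics, whole-field matching, and the case-insensitive setting from `<CaseSensitive>n</CaseSensitive>`; the AppManager regex engine may behave differently, and `STRICT_PATTERNS` is a hypothetical tighter alternative.

```python
import re

# The two comma-separated patterns from the <User> element of the filter file.
PAGE_PATTERNS = [r".*TEAM2\test.*", r".*test.*"]

# Hypothetical tighter alternative (assumption, not from the article): escape
# the backslash and match only the account "test", with or without the domain.
STRICT_PATTERNS = [r"(TEAM2\\)?test"]

# Constructed sample values for the User field.
SAMPLE_USERS = [
    "TEAM2\\test",
    "test",
    "Test",
    "TEAM2\\contestadmin",
    "svc_attest",
    "TEAM2\\alice",
]


def excluded(value, patterns, case_sensitive=False):
    """Return True if any pattern matches the whole field value.

    Whole-field matching is an assumption; it is the reason a string has to
    be wrapped in .* to be excluded wherever it occurs.
    """
    flags = 0 if case_sensitive else re.IGNORECASE
    return any(re.fullmatch(p, value, flags) for p in patterns)


def report(patterns):
    """Map each sample user to whether its events would be excluded."""
    return {user: excluded(user, patterns) for user in SAMPLE_USERS}


def first_pattern_matches_domain_user():
    # In Python's re, "\t" inside a pattern is a tab character, so the
    # unescaped TEAM2\test pattern does not match a literal backslash.
    return excluded("TEAM2\\test", [PAGE_PATTERNS[0]])


if __name__ == "__main__":
    print("TEAM2\\test matched by first pattern:", first_pattern_matches_domain_user())
    for label, pats in (("page", PAGE_PATTERNS), ("strict", STRICT_PATTERNS)):
        for user, hit in report(pats).items():
            print(f"{label:6} {user:22} excluded={hit}")
```

Under these assumptions the broad `.*test.*` pattern also drops events for any account whose name merely contains "test", so those accounts are no longer monitored by the Knowledge Script.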