You can filter specific types of events in the Windows Legacy Collector. For example, if your system collects a large number of events, and a large percentage of them come from Windows firewalls, you can filter those events out so that you can track other events that are occurring. This can be useful if your Log Decoders are under a heavy load and you want to process only those events that are meaningful.
Procedure
To configure a Windows Legacy Collector events filter:
- In the Security Analytics menu, select Administration > Services.
- Under Services, select a Windows Log Collector service.
- In the Windows Log Collector service row, click the down arrow under Actions and select View > Config.
- Select the Event Sources tab. Windows Legacy is displayed at the top of the page on the left. In the Windows drop-down menu, select Filters.
- In the Filters panel, click the add icon. The Add Filter dialog is displayed.
- Type a name and description for the new filter and click Add. The new filter is displayed in the Filters panel (in this example, FirewallFilter).
- Select the new filter in the Filters panel, and in the Filter Rules panel toolbar, click the add icon. The Add Filter Rule dialog is displayed.
- Under Rule Conditions, click the add icon and add the parameters for this rule. The following table describes the parameter options.
Field and description:
- Key: The only valid value is Event ID (EventID).
- Operator: Valid values are Contains and Equals.
- Use Regex: Optional.
- Value: Alphanumeric characters that describe the event IDs of the events to filter.
- Ignore case: Optional.
- Action: If there is a match, you can choose from the following actions:
  - Accept: events whose IDs match are included in the event logs and are displayed in the Security Analytics UI.
  - Drop: events whose IDs match are not included in the event logs and are not displayed in the UI.
  - Next condition: the filter ignores events whose IDs match and moves on to the next rule condition.
  - Next rule: the filter ignores events whose IDs match and moves on to the next rule.
The following image shows an example of a rule condition for the FirewallFilter:
- Click Update, and then click OK. Security Analytics updates the filter with the rule that you defined.
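To make the rule semantics concrete, the following is an added Python model of how a filter built from the parameters above (Key = EventID, Operator, Use Regex, Ignore case, and the four actions) behaves against a handful of Windows events. It is illustrative code written for this page, not RSA Security Analytics code, and it assumes an evaluation order the page does not state: conditions are checked in sequence within a rule, rules in sequence within the filter, and an event that matches nothing is accepted. The event IDs (5156, 5157, 5158 for Windows Filtering Platform, 4624 for logon) are real Windows IDs used here only as constructed sample data.

```python
"""Toy model of a Windows Legacy Collector filter (added example, not product code).

Assumptions (not stated on the page): conditions evaluate in order within a
rule, rules evaluate in order within the filter, and an event that matches no
condition falls through to Accept.
"""
import re
from dataclasses import dataclass


@dataclass
class Condition:
    value: str                  # Value field: event ID text or regex pattern
    action: str                 # "accept" | "drop" | "next_condition" | "next_rule"
    operator: str = "equals"    # Operator field: "equals" or "contains"
    use_regex: bool = False     # Use Regex field
    ignore_case: bool = False   # Ignore case field

    def matches(self, event_id: str) -> bool:
        """Apply Operator / Use Regex / Ignore case to a single EventID (the only Key)."""
        if self.use_regex:
            flags = re.IGNORECASE if self.ignore_case else 0
            if self.operator == "equals":
                return re.fullmatch(self.value, event_id, flags) is not None
            return re.search(self.value, event_id, flags) is not None
        left, right = event_id, self.value
        if self.ignore_case:
            left, right = left.lower(), right.lower()
        return left == right if self.operator == "equals" else right in left


@dataclass
class Rule:
    name: str
    conditions: list


def evaluate(rules, event_id: str) -> str:
    """Return 'accept' or 'drop' for one EventID under the assumed evaluation order."""
    for rule in rules:
        for cond in rule.conditions:
            if not cond.matches(event_id):
                continue
            if cond.action in ("accept", "drop"):
                return cond.action          # terminal actions decide immediately
            if cond.action == "next_rule":
                break                       # leave this rule, continue with the next one
            # "next_condition": ignore the match and keep checking this rule's conditions
    return "accept"  # assumption: events that match nothing pass through


def apply_filter(rules, events):
    """Partition constructed event records into (kept, dropped)."""
    kept, dropped = [], []
    for ev in events:
        (kept if evaluate(rules, ev["EventID"]) == "accept" else dropped).append(ev)
    return kept, dropped


# Constructed FirewallFilter: keep WFP "blocked" events (5157) and logons (4624),
# drop the high-volume WFP "permitted" events (5156, 5158).
FIREWALL_FILTER = [
    Rule("wfp-noise", [
        Condition("5157", "next_rule"),                   # blocked connections: skip this rule's drop
        Condition("515", "drop", operator="contains"),    # remaining 515x WFP events: drop
    ]),
    Rule("logons", [
        Condition("46", "next_condition", operator="contains"),  # 46xx family: keep checking
        Condition("4624", "accept"),                             # successful logon: accept
    ]),
]

# Constructed sample events (EventID values are real Windows IDs, messages abbreviated).
SAMPLE_EVENTS = [
    {"EventID": "5156", "msg": "WFP permitted a connection"},
    {"EventID": "5158", "msg": "WFP permitted a bind to a local port"},
    {"EventID": "5157", "msg": "WFP blocked a connection"},
    {"EventID": "4624", "msg": "An account was successfully logged on"},
    {"EventID": "4625", "msg": "An account failed to log on"},
]

if __name__ == "__main__":
    kept, dropped = apply_filter(FIREWALL_FILTER, SAMPLE_EVENTS)
    print("kept:", [e["EventID"] for e in kept])      # ['5157', '4624', '4625']
    print("dropped:", [e["EventID"] for e in dropped])  # ['5156', '5158']
```

The ordering of the two conditions in the first rule is the point to notice: because the "5157" condition with action Next rule comes first, blocked-connection events escape the broader Contains "515" drop that follows it. Reversing those two conditions would drop 5157 as well.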