Log Collection Config: Configure Event Filters for Log Collector

Document created by RSA Information Design and Development on Nov 22, 2016. Last modified by RSA Information Design and Development on May 4, 2017.
Version 11

This topic tells you how to create and maintain event filters across all collection protocols.

After completing this how-to, you will have:

  • Configured an Event Filter
  • Modified Event Filter Rules

Note: You cannot configure Syslog Collection for Local Log Collectors. You only need to configure Syslog Collection for Remote Collectors. See Access Local Collectors and Remote Collectors for additional configuration information.


Configure an Event Filter

To configure an event filter:

  1. In the Security Analytics menu, select Administration > Services.
  2. In the Services grid, select a Log Collector service.
  3. Click AdvcdExpandBtn.PNG under Actions and select View > Config.
  4. In the Event Sources tab, select any collection method / Filters from the drop-down menus.

    The following screen shows Check Point selected.

    The Filters view displays the filters that are configured for the selected collection method, if any.

  5. In the Filters panel toolbar, click Icon-Add.png.

    The Add Filter dialog displays.

    [Screenshot SyslogFilter1.PNG: the Add Filter dialog]

  6. Enter a name and description for the new filter and click Add.

    The new filter displays in the Filter panel.

  7. Select the new filter in the Filters panel and click Icon-Add.png in the Filter Rules panel toolbar.

    The Add Filter Rule dialog is displayed.

  8. Click Icon-Add.png under Rule Conditions.
  9. Add the parameters for this rule and click Update > OK.

Security Analytics updates the filter with the rule that you defined.

The following fields are available in the Add Filter Rule dialog.

Field: Key

Valid values are:

  • For Syslog:

    • Syslog level
    • Source IP
    • Raw Event
  • For other collection methods: Event ID (EventID)

Field: Operator

Valid values are:

  • Contains
  • Equal

Field: Use Regex

Optional. Select this if you want the Value to be interpreted as a regular expression.

Field: Value

The value depends on the Key you selected.

For example, if you choose Syslog level for Key, the value is a number that denotes the syslog level.

Field: Ignore case

Optional. Select this to make the comparison case-insensitive.

Field: Action

If there is a match, you can choose an action: accept, drop, next condition, or next rule.

If there is no match, you can choose an action: accept, drop, next condition, or next rule.
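The fields above define a small decision procedure: each rule is an ordered list of conditions, each condition compares one key of the event (using Contains or Equal, optionally as a regex and optionally case-insensitively), and the match / no-match action either terminates evaluation (accept, drop) or moves on (next condition, next rule). The following Python model is an added example and not RSA code; it assumes that "next condition" proceeds to the next condition of the same rule, that "next rule" (or running out of conditions) proceeds to the next rule, and that an event which no rule accepts or drops is accepted by default. The sample events and rules are constructed for illustration; the key names are the ones listed in the table.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample events, keyed by the filter Key names from the table.
SAMPLE_EVENTS: List[Dict[str, object]] = [
    {"Syslog level": 7, "Source IP": "10.0.0.5",
     "Raw Event": "<15>Jan 1 12:00:00 host sshd[100]: debug1: read ok"},
    {"Syslog level": 3, "Source IP": "10.0.0.5",
     "Raw Event": "<11>Jan 1 12:00:01 host sshd[100]: error: Authentication failed"},
    {"Syslog level": 6, "Source IP": "192.168.1.20",
     "Raw Event": "<14>Jan 1 12:00:02 host cron[200]: job finished"},
]


@dataclass
class Condition:
    """One rule condition: Key, Operator, Value, Use Regex, Ignore case, Actions."""
    key: str
    operator: str                 # "Contains" or "Equal"
    value: str
    use_regex: bool = False
    ignore_case: bool = False
    on_match: str = "accept"      # accept | drop | next condition | next rule
    on_no_match: str = "next condition"

    def matches(self, event: Dict[str, object]) -> bool:
        actual = str(event.get(self.key, ""))
        expected = self.value
        if self.use_regex:
            flags = re.IGNORECASE if self.ignore_case else 0
            if self.operator == "Equal":
                # Equal + regex: the whole field must match the pattern.
                return re.fullmatch(expected, actual, flags) is not None
            return re.search(expected, actual, flags) is not None
        if self.ignore_case:
            actual, expected = actual.lower(), expected.lower()
        if self.operator == "Equal":
            return actual == expected
        return expected in actual


@dataclass
class Rule:
    name: str
    conditions: List[Condition] = field(default_factory=list)


def evaluate(rules: List[Rule], event: Dict[str, object], default: str = "accept") -> str:
    """Return 'accept' or 'drop' for one event under the assumed chaining semantics."""
    for rule in rules:
        for cond in rule.conditions:
            action = cond.on_match if cond.matches(event) else cond.on_no_match
            if action in ("accept", "drop"):
                return action            # terminal actions end evaluation
            if action == "next rule":
                break                    # skip remaining conditions of this rule
            # "next condition": continue with the next condition of this rule
        # conditions exhausted: fall through to the next rule
    return default                       # assumption: no decision means accept


# Constructed filter: drop debug-level syslog, keep authentication failures,
# and otherwise keep only events from the 10.0.0.0/24 management range.
SAMPLE_RULES = [
    Rule("drop-debug", [
        Condition("Syslog level", "Equal", "7", on_match="drop", on_no_match="next rule"),
    ]),
    Rule("keep-auth-failures-from-mgmt", [
        Condition("Raw Event", "Contains", "authentication failed", ignore_case=True,
                  on_match="accept", on_no_match="next condition"),
        Condition("Source IP", "Equal", r"^10\.0\.0\.\d+$", use_regex=True,
                  on_match="accept", on_no_match="drop"),
    ]),
]


def apply_filter(rules: List[Rule], events: List[Dict[str, object]]) -> List[str]:
    """Evaluate every event and return the list of decisions, in order."""
    return [evaluate(rules, e) for e in events]


if __name__ == "__main__":
    for event, decision in zip(SAMPLE_EVENTS, apply_filter(SAMPLE_RULES, SAMPLE_EVENTS)):
        print(f"{decision:6s} level={event['Syslog level']} src={event['Source IP']}")
```

Running the block drops the debug event, accepts the authentication failure, and drops the cron event from outside the management range. Before deploying a drop rule on a real collector, test it this way against a sample of recent events: a Contains condition without Ignore case, or a regex that is anchored when it should not be, silently discards events you meant to keep, and nothing downstream will alert you that they are missing.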

Modify Filter Rules

To modify filter rules:

  1. In the Security Analytics menu, select Administration > Services.
  2. In the Services grid, select a Log Collector service.
  3. Click AdvcdExpandBtn.PNG under Actions and select View > Config.
  4. In the Event Sources tab, select any collection method / Filters from the drop-down menus.

    The Filters view displays the filters that are configured for the selected collection method, if any.

  5. In the Filter Rules list, select a rule and click icon-edit.png.

    The Edit Filter Rule dialog is displayed.

  6. Select the rule condition that you want to modify.

  7. Modify the condition parameters that require changes and click Update > OK.

Security Analytics applies the condition parameter changes to the selected filter rule.
