Configure Windows Legacy Collector Events Filters

Document created by RSA Information Design and Development on Nov 22, 2016Last modified by RSA Information Design and Development on May 4, 2017
Version 10Show Document
  • View in full screen mode
  

You can filter specific types of events in the Windows Legacy Collector. For example, if your system collects a large number of events, and a large percentage of them come from Windows firewalls, you can filter those events out so that you can track other events that are occurring. This can be useful if your Log Decoders are under a heavy load and you want to process only those events that are meaningful.

Procedure

To configure a Windows Legacy Collector events filter:

  1. In the Security Analytics menu, select Administration > Services.
  2. Under Services, select a Windows Log Collector service.
  3. In the Windows Log Collector service row, click the down arrow under Actions and select View > Config.
  4. Select the Event Sources tab. Windows Legacy is displayed at the top of the page on the left. In the Windows drop-down menu, select Filters.
  5. In the Filters panel, click .
    The Add Filter dialog is displayed.

  6. Type a name and description for the new filter and click Add.
    The new filter is displayed in the Filter panel (in this example, FirewallFilter).

  1. Select the new filter in the Filters panel, and in the Filter Rules panel toolbar, click . The Add Filter Rule dialog is displayed.

  2. Under Rule Conditions, click and add the parameters for this rule. The following table describes the parameter options.

                                       
    FieldDescription
    KeyThe only valid value is Event ID (EventID).
    Operator

    Valid values are:

    • Contains
    • Equals
    Use Regex Optional
    Value Alphanumeric characters that describe the event IDs for the events to filter.
    Ignore caseOptional
    Action

    If there is a match you can choose from the following actions:

    • Accept: events that match the IDs provided will be included in event logs, and will display in the Systems Analytics UI.
    • Drop: events that match the IDs provided will not be included in event logs and will not display in the UI.
    • Next condition: the filter will ignore events with IDs that match, and will move on to the next rule condition.
    • Next rule: the filter will ignore events with IDs that match, and will move on to the next rule.

    The following image shows an example of a rule condition for the FirewallFilter:

  3. Click Update, and then click OK. Security Analytics updates the filter with the rule that you defined.

You are here
Table of Contents > Windows Legacy and NetApp Collection Configuration Guide > Procedures > Step 2. Configure Windows Legacy and NetApp Event Sources in Security Analytics > Configure Windows Legacy Collector Events Filter

Attachments

    Outcomes