You can filter specific types of events in the Windows Legacy Collector. For example, if your system collects a large number of events, and a large percentage of them come from Windows firewalls, you can filter those events out so that you can track other events that are occurring. This can be useful if your Log Decoders are under a heavy load and you want to process only those events that are meaningful.
To configure a Windows Legacy Collector events filter:
- In the Security Analytics menu, select Administration > Services.
- Under Services, select a Windows Log Collector service.
- In the Windows Log Collector service row, click the down arrow under Actions and select View > Config.
- Select the Event Sources tab. Windows Legacy is displayed at the top of the page on the left. In the Windows drop-down menu, select Filters.
- Type a name and description for the new filter and click Add.
The new filter is displayed in the Filter panel (in this example, FirewallFilter). Define the rule conditions using the following fields:
| Field | Description |
|---|---|
| Key | The only valid value is Event ID (EventID). |
| Operator | Valid values are: |
| Use Regex | Optional. |
| Value | Alphanumeric characters that describe the event IDs of the events to filter. |
| Ignore case | Optional. |
| Action | If there is a match, you can choose from the following actions: |
- Accept: events whose IDs match are included in the event logs and are displayed in the Security Analytics UI.
- Drop: events whose IDs match are not included in the event logs and are not displayed in the UI.
- Next condition: the filter takes no decision on events whose IDs match and moves on to the next condition of the same rule.
- Next rule: the filter takes no decision on events whose IDs match and moves on to the next rule.
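To make the evaluation order behind the four actions concrete, here is a small Python model of the filter table above. It is an added illustration, not Security Analytics code: the Operator semantics (exact comparison, or a full regex match when Use Regex is set), the handling of a condition that does not match (skipped), the outcome when no condition decides (accept), and the sample event IDs in the FirewallFilter are all assumptions constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import List

# The four actions offered in the Action field of the Filters page.
ACCEPT, DROP, NEXT_CONDITION, NEXT_RULE = "Accept", "Drop", "Next condition", "Next rule"

@dataclass
class Condition:
    # Key is always EventID, so only the Value and its options are stored.
    value: str                # event ID, or a regex pattern when use_regex is set
    action: str               # Accept, Drop, Next condition or Next rule
    use_regex: bool = False   # assumed: off = exact comparison, on = full-pattern match
    ignore_case: bool = False

    def matches(self, event_id: str) -> bool:
        if self.use_regex:
            flags = re.IGNORECASE if self.ignore_case else 0
            return re.fullmatch(self.value, event_id, flags) is not None
        if self.ignore_case:
            return self.value.lower() == event_id.lower()
        return self.value == event_id

@dataclass
class Rule:
    conditions: List[Condition]

def evaluate(rules: List[Rule], event_id: str, default: str = ACCEPT) -> str:
    """Walk rules and their conditions in order; the first matching Accept or Drop
    decides. Assumed: a non-matching condition is simply skipped, and an event no
    condition decides falls back to `default`."""
    for rule in rules:
        for cond in rule.conditions:
            if not cond.matches(event_id):
                continue
            if cond.action in (ACCEPT, DROP):
                return cond.action
            if cond.action == NEXT_RULE:
                break  # abandon the rest of this rule, continue with the next rule
            # NEXT_CONDITION: fall through to the next condition of this rule
    return default

# Constructed FirewallFilter; the event IDs are samples chosen for illustration only.
FIREWALL_FILTER = [
    Rule([Condition(r"515[67]", DROP, use_regex=True)]),          # drop two noisy IDs outright
    Rule([Condition(r"46\d\d", NEXT_CONDITION, use_regex=True),   # 46xx: look closer
          Condition("4624", NEXT_RULE),                           # 4624: let the next rule decide
          Condition(r"46\d\d", DROP, use_regex=True)]),           # any other 46xx: drop
    Rule([Condition("4624", ACCEPT)]),
]
```

Running `evaluate(FIREWALL_FILTER, "4624")` walks rule 2 until Next rule hands the event to rule 3, which accepts it, while "4625" falls through to the Drop condition of rule 2.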
- Click Update, and then click OK. Security Analytics updates the filter with the rule that you defined.