You can filter specific types of events out of the Windows Legacy Collector. For example, if your system collects a large number of events and a large percentage of them come from the Windows Firewall, you can filter those events out so that the events you do want to track are not buried in firewall noise. This is useful when your Log Decoders are under heavy load and you want to spend their capacity only on events that are meaningful. Before you create such a filter, confirm from the collector's event volume which event source is actually dominant, and keep in mind that a filter that drops everything the firewall emits also drops the blocked-connection and rule-change events that detections depend on; filtering the high-volume allow and drop audits is usually enough to relieve the load.
To configure a Windows Legacy Collector events filter:
- In the Security Analytics menu, select Administration > Services.
- Under Services, select a Windows Log Collector service.
- In the Windows Log Collector service row, click the down arrow under Actions and select View > Config.
- Select the Event Sources tab. Windows Legacy is displayed at the top of the page on the left. In the Windows drop-down menu, select Filters.
- Type a name and description for the new filter and click Add. The new filter is displayed in the Filter panel (in this example, FirewallFilter).
- Click Update, and then click OK. Security Analytics updates the filter with the rule that you defined.
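The following Python is an added illustration of what a FirewallFilter like the one above has to decide, together with the volume check that should precede it. It is not the Security Analytics filter engine or its rule syntax (the page does not describe either), and the event dictionaries and their field names are an assumption; the sample events are constructed. The event IDs are the real Windows ones: 5152, 5154, 5156 and 5158 are the Windows Filtering Platform packet and connection audits that make up most firewall volume, 5157 is a blocked connection, and 2004 through 2006 are firewall rule changes.

```python
"""Illustrative collector-side filter for high-volume Windows Firewall events.

Added example: not the Security Analytics filter engine or its rule syntax.
It shows the decision a FirewallFilter has to make and the volume check to
run before creating one. Event field layout is an assumption.
"""
from collections import Counter

AUDITING_PROVIDER = "Microsoft-Windows-Security-Auditing"
FIREWALL_PROVIDER = "Microsoft-Windows-Windows Firewall With Advanced Security"

# Windows Filtering Platform audits written to the Security log for every
# allowed or dropped packet/connection: the bulk of "firewall" volume.
NOISY_WFP_IDS = {5152, 5154, 5156, 5158}
# A blocked connection: low volume, high detection value.
WFP_BLOCK_ID = 5157
# Events the filter must keep: blocked connections and rule changes.
KEEP_IDS = {WFP_BLOCK_ID, 2004, 2005, 2006}

# Constructed sample of collected events (not real log data).
SAMPLE_EVENTS = [
    {"provider": AUDITING_PROVIDER, "event_id": 5156, "channel": "Security"},
    {"provider": AUDITING_PROVIDER, "event_id": 5156, "channel": "Security"},
    {"provider": AUDITING_PROVIDER, "event_id": 5156, "channel": "Security"},
    {"provider": AUDITING_PROVIDER, "event_id": 5152, "channel": "Security"},
    {"provider": AUDITING_PROVIDER, "event_id": 5152, "channel": "Security"},
    {"provider": AUDITING_PROVIDER, "event_id": 5157, "channel": "Security"},
    {"provider": FIREWALL_PROVIDER, "event_id": 2004,
     "channel": FIREWALL_PROVIDER + "/Firewall"},
    {"provider": AUDITING_PROVIDER, "event_id": 4624, "channel": "Security"},
    {"provider": AUDITING_PROVIDER, "event_id": 4688, "channel": "Security"},
    {"provider": "Service Control Manager", "event_id": 7045, "channel": "System"},
]


def volume_by_provider(events):
    """Count events per provider: confirm the firewall really dominates
    before filtering anything."""
    return Counter(e["provider"] for e in events)


def volume_by_event_id(events):
    """Count events per (provider, event ID) so the filter can target the
    specific noisy IDs instead of a whole provider."""
    return Counter((e["provider"], e["event_id"]) for e in events)


def is_firewall_event(event):
    """True for events emitted by the Windows Firewall itself or by the
    filtering platform audits in the Security log."""
    if event["provider"] == FIREWALL_PROVIDER:
        return True
    return (event["provider"] == AUDITING_PROVIDER
            and event["event_id"] in NOISY_WFP_IDS | {WFP_BLOCK_ID})


def should_drop(event):
    """The FirewallFilter decision: drop firewall noise, keep the firewall
    events that still carry detection value."""
    return is_firewall_event(event) and event["event_id"] not in KEEP_IDS


def apply_filter(events):
    """Split events into (kept, dropped); kept is what reaches the Log Decoder."""
    kept = [e for e in events if not should_drop(e)]
    dropped = [e for e in events if should_drop(e)]
    return kept, dropped


def reduction_ratio(events):
    """Fraction of the feed the filter removes (0.0 for an empty feed)."""
    if not events:
        return 0.0
    return len(apply_filter(events)[1]) / len(events)


if __name__ == "__main__":
    print("volume by provider:", volume_by_provider(SAMPLE_EVENTS).most_common())
    print("top event IDs:", volume_by_event_id(SAMPLE_EVENTS).most_common(3))
    kept, dropped = apply_filter(SAMPLE_EVENTS)
    print(f"kept {len(kept)}, dropped {len(dropped)}, "
          f"reduction {reduction_ratio(SAMPLE_EVENTS):.0%}")
```

On the constructed sample the filter removes half the feed while the blocked connection (5157) and the rule change (2004) still reach the decoder; the point of the two volume functions is that the numbers, not an assumption about firewalls, should drive which IDs go into the filter.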