Log Collection Config: Configure Event Filters for Log Collector

Document created by RSA Information Design and Development on Sep 11, 2017. Last modified by RSA Information Design and Development on Oct 12, 2017.

This topic tells you how to create and maintain event filters across all collection protocols.

Note: You cannot configure Syslog Collection for Local Log Collectors. You only need to configure Syslog Collection for Remote Collectors. See Configure Local and Remote Collectors for additional configuration information.

Configure an Event Filter

To configure an event filter:

  1. Go to ADMIN > Services.
  2. Select a Log Collection service.
  3. Under Actions, select View > Config to display the Log Collection configuration parameter tabs.
  4. Click the Event Sources tab.

  5. In the Event Sources tab, select a collection method and then Filters from the drop-down menus.

    The following screen shows Syslog selected.

    Event Sources tab shows Filters drop-down menu.

    Note: Syslog configuration is only available on Remote Collectors: if you are working with a Local Collector service, Syslog is not available from the drop-down menu.

    The Filters view displays the filters that are configured for the selected collection method, if any.

  6. In the Filters panel toolbar, click .

    The Add Filter dialog displays.

  7. Enter a name and description for the new filter and click Add.

    The new filter displays in the Filter panel.

    Event Sources tab is displayed.

  8. Select the new filter in the Filters panel and click in the Filter Rules panel toolbar.

    The Add Filter Rule dialog is displayed.

  9. Click under Rule Conditions.
  10. Add the parameters for this rule and click Update > OK.

    Add Filter Rule dialog is displayed.

NetWitness Suite updates the filter with the rule that you defined.

Note: Rules are processed in order from the top down until an Action type aborts the processing or the final rule is checked. If no rule matches, the default behavior is to accept the event.

The following tables describe the parameters for adding a filter rule.

Event Filter Rule "Key" Parameter

The values for the Key field depend on the Collection method to which the filter applies.

Collection Method

Values for the Key Field

Checkpoint, File, Netflow, Plugin, SDEE, SNMP and VMware

  • All Data Fields
  • Event Source Type
  • Event Source Name
  • Source IP
  • Raw Event

ODBC

  • All Data Fields
  • Event Source Type
  • Event Source Name
  • Source IP
  • Message ID
  • Message Level

Syslog

  • All Data Fields
  • Event Source Type
  • Event Source Name
  • Source IP
  • Syslog level
  • Raw Event

Windows

  • All Data Fields
  • Event Source Type
  • Event Source Name
  • Source IP
  • Event ID
  • Provider
  • Channel
  • Computer
  • UserName
  • DomainName

Windows Legacy

  • All Data Fields
  • Event Source Type
  • Event Source Name
  • Source IP
  • Event ID

Other Event Filter Rule Parameters

The following table describes all the other available fields for creating an event filter rule.

Field

Description

Operator

Valid values are:

  • Contains
  • Equal

Use Regex

Optional. Select this to treat the Value as a regular expression instead of a literal string.

Value

The value depends on the Key you selected.

For example, if you choose Syslog level for Key, the value is a number that denotes the syslog level.

Ignore case

Optional. Select this to make the match case-insensitive.

Action

If there is a match, you can choose one of the following actions: accept, drop, next condition, or next rule.

  • Accept: events that match the condition are included in the event logs and display in the Systems Analytics UI.
  • Drop: events that match the condition are not included in the event logs and do not display in the UI.
  • Next condition: the filter takes no decision on matching events and moves on to the next condition in the rule.
  • Next rule: the filter takes no decision on matching events and moves on to the next rule.

If there is no match, you can likewise choose accept, drop, next condition, or next rule as the action.
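To make the processing order described above concrete, the following is an added example (not NetWitness code) that models a filter as an ordered list of rules, each an ordered list of conditions with the Key, Operator, Use Regex, Value, Ignore case and Action fields from the tables, and evaluates constructed syslog events against it. The event field names and the rule set are assumptions made for the illustration.

```python
import re
from dataclasses import dataclass

@dataclass
class Condition:
    key: str                      # e.g. "Syslog level", "Raw Event", "Source IP"
    value: str
    operator: str = "Contains"    # "Contains" or "Equal"
    use_regex: bool = False
    ignore_case: bool = False
    on_match: str = "Accept"      # Accept | Drop | Next condition | Next rule
    on_no_match: str = "Next condition"

    def matches(self, event):
        subject = str(event.get(self.key, ""))
        if self.use_regex:
            fn = re.search if self.operator == "Contains" else re.fullmatch
            return fn(self.value, subject, re.IGNORECASE if self.ignore_case else 0) is not None
        pat, subj = (self.value.lower(), subject.lower()) if self.ignore_case else (self.value, subject)
        return pat in subj if self.operator == "Contains" else pat == subj

def evaluate(rules, event):
    """Rules run top-down; Accept/Drop ends processing; no decision means Accept."""
    for rule in rules:                # a rule is an ordered list of conditions
        for cond in rule:
            action = cond.on_match if cond.matches(event) else cond.on_no_match
            if action in ("Accept", "Drop"):
                return action
            if action == "Next rule":
                break                 # skip the rest of this rule's conditions
            # "Next condition": carry on with the next condition of this rule
    return "Accept"

# Constructed sample syslog events (not real data)
SAMPLE_EVENTS = [
    {"Event Source Type": "rhlinux", "Syslog level": "7", "Raw Event": "<15>sshd[1]: debug1: monitor_read"},
    {"Event Source Type": "rhlinux", "Syslog level": "4", "Raw Event": "<12>sshd[1]: Failed password for root"},
    {"Event Source Type": "ciscoasa", "Syslog level": "6", "Raw Event": "%ASA-6-302013: Built outbound TCP connection"},
]

# Assumed rule set: rule 1 drops debug-level syslog; rule 2 keeps failed logins from
# rhlinux hosts and hands other sources on to rule 3, which drops ASA connection chatter.
RULES = [
    [Condition("Syslog level", "7", operator="Equal", on_match="Drop")],
    [Condition("Event Source Type", "rhlinux", operator="Equal",
               on_match="Next condition", on_no_match="Next rule"),
     Condition("Raw Event", "failed password", ignore_case=True, on_match="Accept")],
    [Condition("Raw Event", r"%ASA-6-30201[3-6]", use_regex=True, on_match="Drop")],
]
```

Running `[evaluate(RULES, e) for e in SAMPLE_EVENTS]` yields Drop, Accept, Drop; an event that no rule decides on falls through to the default Accept.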

Modify Filter Rules

To modify a filter rule:

  1. Go to ADMIN > Services.
  2. Select a Log Collection service.
  3. Under Actions, select View > Config to display the Log Collection configuration parameter tabs.
  4. Click the Event Sources tab.

  5. In the Event Sources tab, select a collection method and then Filters from the drop-down menus.

    The following screen shows Check Point selected.

    Filters view is displayed.

    The Filters view displays the filters that are configured for the selected collection method, if any.

  6. In the Filter Rules list, select a rule and click .

    The Edit Filter Rule dialog is displayed.

  7. Select the rule condition that you want to modify.

    Select Rule Conditions is displayed.

  8. Modify the condition parameters that require changes and click Update > OK.

NetWitness Suite applies the condition parameter changes to the selected filter rule.
