
Log Collection: Configure Event Filters for Log Collector

Document created by RSA Information Design and Development (Employee) on Sep 11, 2017. Last modified by RSA Information Design and Development (Employee) on Apr 23, 2020.
Version 18

This topic tells you how to create and maintain event filters across all collection protocols.

Note: Prior to 11.3, you could not configure Syslog Collection for Local Log Collectors. You can configure Syslog for local Log Collectors that are on version 11.3 or later.

Configure an Event Filter

To configure an event filter for an event source:

  1. Go to Admin > Services.
  2. Select a Log Collection service.
  3. Under Actions, select View > Config to display the Log Collection configuration parameter tabs.
  4. Click the Event Sources tab.

  5. In the Event Sources tab, select a collection method and then Filters from the drop-down menus.

    [Screenshot: Event Sources tab with Syslog selected, showing the Filters drop-down menu.]

    Note: Syslog configuration is only available on Remote Collectors prior to 11.3: if you are working with a Local Collector service, Syslog is not available from the drop-down menu for Log Collectors on version 11.0, 11.1, or 11.2.

    The Filters view displays the filters that are configured for the selected collection method, if any.

  6. In the Filters panel toolbar, click the Add icon.

    The Add Filter dialog displays.

  7. Enter a name and description for the new filter and click Add.

    The new filter displays in the Filter panel.

  8. Select the new filter in the Filters panel and click the Add icon in the Filter Rules panel toolbar.

    The Add Filter Rule dialog is displayed.

  9. Click the Add icon under Rule Conditions.
  10. Add the parameters for this rule and click Update > OK.

NetWitness Platform updates the filter with the rule that you defined.

Note: Rules are processed in order from the top down until an Action type aborts the processing, or the final rule is checked. The default behavior is to accept the event if no matches are found.

The following tables describe the parameters for adding a filter rule.

Event Filter Rule "Key" Parameter

The values for the Key field depend on the Collection method to which the filter applies.

Collection Method: Checkpoint, File, Netflow, Plugin, SDEE, SNMP, and VMware
Values for the Key Field:

  • All Data Fields
  • Event Source Type
  • Event Source Name
  • Source IP
  • Raw Event

Collection Method: ODBC
Values for the Key Field:

  • All Data Fields
  • Event Source Type
  • Event Source Name
  • Source IP
  • Message ID
  • Message Level

Collection Method: Syslog
Values for the Key Field:

  • All Data Fields
  • Event Source Type
  • Event Source Name
  • Source IP
  • Syslog level
  • Raw Event

Collection Method: Windows
Values for the Key Field:

  • All Data Fields
  • Event Source Type
  • Event Source Name
  • Source IP
  • Event ID
  • Provider
  • Channel
  • Computer
  • UserName
  • DomainName

Collection Method: Windows Legacy
Values for the Key Field:

  • All Data Fields
  • Event Source Type
  • Event Source Name
  • Source IP
  • Event ID
Other Event Filter Rule Parameters

The following table describes all the other available fields for creating an event filter rule.

Field

Description

Operator

Valid values are:

  • Contains
  • Equal

Use Regex

Optional. Select this to treat the Value as a regular expression instead of a literal string.

Value

Value depends on the key value you selected.

For example, if you choose Syslog level for Key, the value is a number that denotes the syslog level.

Ignore case

Optional. Select this to make the comparison case-insensitive.

Action

Choose actions for message data that matches a condition, or that does not match a condition. See below for more details.

Actions

You can choose a ‘match’ and ‘no-match’ action for each rule condition. This screenshot shows a condition that uses the Accept action on matches, and Drop action on events that do not match the condition.

The available actions are as follows:

  • Accept: the filtered event is included in event logs, and no further rule processing is done for the event: the event will display in the NetWitness Platform user interface during Investigation.

  • Drop: the filtered event will not be included in event logs, and no further rule processing is done for the event: the event will not display during Investigation.

  • Next condition: the filtered event moves on to the next rule condition in the rule. If there are no more rule conditions in the current rule, it moves on to the next rule.

  • Next rule: the filtered event moves on to the next rule. If there are no more rules in the filter, the filtered event is included in event logs, and no further rule processing is done for the event (same as Accept).

For example, consider a condition that uses the Contains operator with the value "internal", with Drop as the match action and Accept as the no-match action:

In this condition, if the event log contains the string "internal," the event is not included in the event meta, nor is it displayed during Investigation. If the string is not found, the event is included and is displayed during Investigation.
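The rule-processing semantics described above (top-down rules, per-condition match and no-match actions, Accept/Drop ending processing, accept by default when the last rule is passed), modelled as an added Python example; this is not RSA code and the event dictionaries, filter layout and 10.x.x.x source range are constructed assumptions:

```python
import re
from dataclasses import dataclass
from typing import Dict, List

ACCEPT, DROP, NEXT_CONDITION, NEXT_RULE = "Accept", "Drop", "Next condition", "Next rule"

@dataclass
class Condition:
    key: str                 # e.g. "Raw Event", "Syslog level", "Source IP"
    operator: str            # "Contains" or "Equal"
    value: str
    use_regex: bool = False
    ignore_case: bool = False
    on_match: str = ACCEPT
    on_no_match: str = NEXT_CONDITION

    def matches(self, event: Dict[str, str]) -> bool:
        actual, wanted = str(event.get(self.key, "")), self.value
        if self.use_regex:   # Contains = pattern found anywhere, Equal = whole value must match
            test = re.search if self.operator == "Contains" else re.fullmatch
            return test(wanted, actual, re.IGNORECASE if self.ignore_case else 0) is not None
        if self.ignore_case:
            actual, wanted = actual.lower(), wanted.lower()
        return wanted in actual if self.operator == "Contains" else actual == wanted

def evaluate(rules: List[List[Condition]], event: Dict[str, str]) -> str:
    """Process rules top-down; the first Accept or Drop ends processing for the event."""
    for rule in rules:
        for cond in rule:
            action = cond.on_match if cond.matches(event) else cond.on_no_match
            if action in (ACCEPT, DROP):
                return action
            if action == NEXT_RULE:
                break          # skip this rule's remaining conditions
            # NEXT_CONDITION: fall through to the next condition of the same rule
    return ACCEPT              # ran past the last rule: default behaviour is to accept

# Constructed filter: rule 1 drops events whose raw text contains "internal" (any case);
# rule 2 drops syslog level 7 (debug) only when the source address is in 10.x.x.x.
FILTER = [
    [Condition("Raw Event", "Contains", "internal", ignore_case=True, on_match=DROP, on_no_match=NEXT_RULE)],
    [Condition("Source IP", "Contains", r"^10\.", use_regex=True, on_match=NEXT_CONDITION, on_no_match=NEXT_RULE),
     Condition("Syslog level", "Equal", "7", on_match=DROP, on_no_match=ACCEPT)],
]

# Constructed sample events keyed by the page's Key names (not real log data)
SAMPLE_EVENTS = {
    "internal_note": {"Raw Event": "INTERNAL test message", "Syslog level": "6", "Source IP": "192.0.2.10"},
    "debug_from_10": {"Raw Event": "debug chatter", "Syslog level": "7", "Source IP": "10.1.2.3"},
    "info_from_10": {"Raw Event": "session opened", "Syslog level": "6", "Source IP": "10.1.2.3"},
    "debug_outside": {"Raw Event": "debug chatter", "Syslog level": "7", "Source IP": "198.51.100.5"},
}
```

Calling `evaluate(FILTER, SAMPLE_EVENTS["debug_outside"])` returns "Accept" even though neither rule matched, which is the default-accept behaviour the note above describes.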

Modify Filter Rules

To modify existing filter rules:

  1. Go to Admin > Services.
  2. Select a Log Collection service.
  3. Under Actions, select View > Config to display the Log Collection configuration parameter tabs.
  4. Click the Event Sources tab.

  5. In the Event Sources tab, select a collection method and then Filters from the drop-down menus.

    [Screenshot: Event Sources tab with Check Point selected, showing the Filters view.]

    The Filters view displays the filters that are configured for the selected collection method, if any.

  6. In the Filter Rules list, select a rule and click the Edit icon.

    The Edit Filter Rule dialog is displayed.

  7. Select the rule condition that you want to modify.

  8. Modify the condition parameters that require changes and click Update > OK.

NetWitness Platform applies the condition parameter changes to the selected filter rule.
