IBM Support

How to Use XPath Queries with WinCollect to Suppress Specific Events

Question & Answer


Question

Can WinCollect agents be configured to reduce noisy events?

Answer

There are several ways to specify an XPath query that pulls all of the events for a specific log type and then suppresses some of the data returned to the WinCollect agents. Here are a few examples that would require modification for your environment, but they show the basics of how to suppress either by SID, by a specific user, or by SYSTEM, which are common values.

Retrieve all security events, but suppress by SID value.

<QueryList>
<Query Id="0" Path="Security">
<Select Path="Security">*</Select>
<Suppress Path="Security">*[EventData[Data[@Name="TargetUserSid"] = "SID-value, such as S-1-5-2"]]</Suppress>
</Query>
</QueryList>

Note: A common list of SIDs can be found here: http://support.microsoft.com/kb/243330

Retrieve all security events, but suppress event 4624 when the user is SYSTEM.

<QueryList>
<Query Id="0" Path="Security">
<Select Path="Security">*</Select>
<Suppress Path="Security">*[System[(EventID=4624)]] and *[EventData[Data[@Name='TargetUserName']='SYSTEM']]</Suppress>
</Query>
</QueryList>


Note: WinCollect supports up to 10 selected event logs in an XPath query. Event IDs or usernames that are suppressed do not count towards the limit.
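Before pushing a query to the agents it is worth dry-running it on a Windows host. The following is an added example, not part of the IBM page: it feeds the second query above to Get-WinEvent (which uses the same Event Log query engine that WinCollect relies on) and checks that no event 4624 with TargetUserName=SYSTEM survives the Suppress clause. The helper name Get-EventDataValue and the sample size of 2000 are assumptions.

```powershell
# Added example, not from the IBM page: dry-run a WinCollect XPath query with
# Get-WinEvent and confirm the Suppress clause removes the intended events.
# Run in an elevated PowerShell session; reading the Security log requires it.

$query = @"
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*</Select>
    <Suppress Path="Security">*[System[(EventID=4624)]] and *[EventData[Data[@Name='TargetUserName']='SYSTEM']]</Suppress>
  </Query>
</QueryList>
"@

# Extract a named EventData field from an event's XML rendering.
# (Helper name is an assumption for this example.)
function Get-EventDataValue {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event, [string]$Name)
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

# Pull a bounded sample so the dry run finishes quickly on a busy log.
$filtered   = @(Get-WinEvent -FilterXml ([xml]$query) -MaxEvents 2000 -ErrorAction SilentlyContinue)
$unfiltered = @(Get-WinEvent -LogName Security -MaxEvents 2000 -ErrorAction SilentlyContinue)

# Any 4624 with TargetUserName=SYSTEM still present means the Suppress clause is wrong.
$leaked = @($filtered | Where-Object {
    $_.Id -eq 4624 -and (Get-EventDataValue -Event $_ -Name 'TargetUserName') -eq 'SYSTEM'
})

# Count how many such events exist in the raw sample, to judge the noise reduction.
$targeted = @($unfiltered | Where-Object {
    $_.Id -eq 4624 -and (Get-EventDataValue -Event $_ -Name 'TargetUserName') -eq 'SYSTEM'
}).Count

"Events returned by the query     : $($filtered.Count)"
"SYSTEM 4624 events in raw sample : $targeted"
"SYSTEM 4624 events that leaked   : $($leaked.Count)"
if ($leaked.Count -gt 0) {
    Write-Warning 'Suppress clause did not remove all targeted events; correct the XPath before deploying.'
}
```

The two samples are taken independently, so the counts are indicative rather than an exact before/after of the same records; a leaked count of zero is the result that matters.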


Document Information

Modified date:
01 April 2020

UID

swg21683374