Comments for 101 (https://www.ibm.com/community/101/) – A place for all users to find IBM Support resources for several products.

Comment on Bulk Change WinCollect Log Sources using QRadar Log Source Management App by JonathanP_QRadar, Thu, 26 May 2022 19:10:40 +0000
https://www.ibm.com/community/101/2019/03/14/bulk-change-wincollect-log-sources-using-qradar-log-source-management-app/#comment-70

In reply to scott searls.

Yes, if you have both an XPath Query and a Predefined Filter in the log source, they are both applied. As XPath is a query in itself, the data is retrieved based off of the XML and returned to WinCollect as described here: https://www.ibm.com/support/pages/wincollect-event-filtering.

XPath is more powerful than using a Predefined filter, as you can create special conditions like suppress EventID 4663, but only when the service is {servicename}. The XPath is smart enough to filter based on these conditions. Whereas the predefined filter will look for exact matches in the retrieved data, such as 4663, and not forward the matched event for EventID=4663 to QRadar. XPath is more flexible when it comes to special conditions, whereas the predefined filter is more of an “if matches, then drop” filter.

Both XPath and Predefined filters can be used in coordination together, but you want to ensure that your XPath special conditions and your predefined filters do not overlap. If both exist in a log source, this is the order of operations:

1 – XPath queries the remote endpoint to retrieve the data. Only the data in the XPath query is returned, meaning that you can use the XPath to add special conditions to your filtering or selectively filter at the endpoint.
2 – WinCollect processes the event and applies the Predefined filter from the log source configuration based on the EventID number or service name.
What should I use?

XPath Queries – More flexible and can be conditional, but limited to 10 event logs. You can add special filtering like processname, LoginID, eventID, computername, path, and more to target specific data or use cases. The data is filtered based on the query before it is returned to WinCollect.
Predefined filter – Gets all data from the endpoint, then filters are applied by the WinCollect agent to exclude event IDs or a service name. These can be used in coordination with XPath, but are not conditional and any matches are not forwarded as events to QRadar.

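As an added illustration of the conditional suppression described above (this is not from the thread or from IBM's documentation), here is a Windows Event Log query in the QueryList XML form that the Event Viewer custom-view XML tab produces: it selects two Security event IDs and suppresses EventID 4663 only when the accessing process matches a given path. The process path is an assumed placeholder; if this query is used, 4663 should not also appear in the log source's predefined (blacklist) filter, since that second stage would drop every 4663 regardless of the condition.

```xml
<!-- Added example, not from the thread. The process path is an assumed placeholder. -->
<QueryList>
  <Query Id="0" Path="Security">
    <!-- Stage 1 (endpoint): only events matching the Select are returned to WinCollect -->
    <Select Path="Security">*[System[(EventID=4624 or EventID=4663)]]</Select>
    <!-- Suppress is evaluated before Select results are returned: 4663 from this one
         process is dropped at the endpoint, 4663 from every other process still arrives -->
    <Suppress Path="Security">*[System[(EventID=4663)]] and *[EventData[Data[@Name='ProcessName']='C:\Windows\System32\EXAMPLE-SERVICE.exe']]</Suppress>
  </Query>
</QueryList>
```

Stage 2 (the agent-side predefined filter) then sees only what this query returned, which is why listing 4663 there as well would make the conditional Suppress pointless.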
Comment on Bulk Change WinCollect Log Sources using QRadar Log Source Management App by scott searls, Fri, 01 Apr 2022 20:16:52 +0000
https://www.ibm.com/community/101/2019/03/14/bulk-change-wincollect-log-sources-using-qradar-log-source-management-app/#comment-68

Can one use XPATHs and blacklist filters together, or is it one or the other? e.g. XPATH for those (ID and “string”), but just use blacklist filter for an entire ID?
