Add NSA filtering to existing local Windows Event sources
You want to add NSA filtering to the existing Application, System, and Security event channels that the local agent is monitoring. By using the default Local source group, you can add the following update script.
The object path is then LocalSources(Name="Local")/Source(Channel=Security). The parameters you need to change are FilterEnabled and Filter. The value of FilterEnabled is true, and the value of Filter is (NSA_FILTER_SECURITY). The description for the update is "Adding NSA filter to security channel on local sources."
The final script should look like this:
<?xml version="1.0" encoding="UTF-8"?>
<WinCollectScript version="10.0.2">
  <Update objPath="LocalSources(Name=Local)/Source(Name=Application)">
    <Parameter name="Filter">
      1,2,865,866,867,868,882,1000,1001,1002,1022,1033,1511,1518
    </Parameter>
    <Parameter name="FilterEnabled" value="true" />
  </Update>
  <Update objPath="LocalSources(Name=Local)/Source(Name=System)">
    <Parameter name="Filter">
      1,6,12,13,19,104,219,1001,1125,1126,1129,7000,7022,7023,7024,7026,7031,7032,7034,7045
    </Parameter>
    <Parameter name="FilterEnabled" value="true" />
  </Update>
  <Update objPath="LocalSources(Name=Local)/Source(Name=Security)">
    <Parameter name="Filter">
      1100,1102,4624,4625,4634,4648,4657,4672,4688,4689,4704,4706,4713,4714,4716,4719,4720,4722,4725,4726,4728,4731,4732,4733,4735,4740,4756,4765,4766,4767,4769,4776,4778,4779,4781,4782,4793,4870,4873,4874,4880,4881,4882,4885,4886,4887,4888,4890,4891,4892,4896,4897,4898,4899,4900,5038,5136,5137,5138,5139,5140,5141,5142,5144,5145,5376,5377,5632,6272,6273,6274,6275,6276,6277,6278,6279,6280,6281
    </Parameter>
    <Parameter name="FilterEnabled" value="true" />
  </Update>
</WinCollectScript>
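Before deploying a script like the one above, it is worth checking that every channel's filter is enabled, that its ID list is well formed, and that the event IDs your detections rely on are still in the list. The following Python check is an added example, not part of the WinCollect product or the original page. It assumes the Filter list is the set of event IDs the agent forwards when the filter is enabled; the names audit, param and REQUIRED and the IDs in REQUIRED are hypothetical.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: layout of the script above, short lists, defects in System.
SCRIPT = b"""<?xml version="1.0" encoding="UTF-8"?>
<WinCollectScript version="10.0.2">
  <Update objPath="LocalSources(Name=Local)/Source(Name=Security)">
    <Parameter name="Filter">1100,1102,4624,4625,4688,4720</Parameter>
    <Parameter name="FilterEnabled" value="true" />
  </Update>
  <Update objPath="LocalSources(Name=Local)/Source(Name=System)">
    <Parameter name="Filter">
      104,7045,7045,
    </Parameter>
    <Parameter name="FilterEnabled" value="false" />
  </Update>
</WinCollectScript>"""

# Hypothetical: event IDs that local detection rules depend on, per channel.
REQUIRED = {"Security": {1102, 4624, 4697}, "System": {7045}, "Application": {1000}}

def param(update, name):
    """Value of a <Parameter>, from its value attribute or its element text."""
    for p in update.findall("Parameter"):
        if p.get("name") == name:
            return (p.get("value") or p.text or "").strip()

def audit(script, required):
    """Return (channel, problem) tuples for one update script."""
    findings, seen = [], set()
    for update in ET.fromstring(script).iter("Update"):
        m = re.search(r"Source\(Name=(\w+)\)", update.get("objPath", ""))
        chan = m.group(1) if m else "?"
        seen.add(chan)
        tokens = [t.strip() for t in (param(update, "Filter") or "").split(",")]
        ids = [int(t) for t in tokens if t.isdecimal()]
        bad = [t for t in tokens if not t.isdecimal()]
        if param(update, "FilterEnabled") != "true":
            findings.append((chan, "filter not enabled"))
        if bad:
            findings.append((chan, "malformed entries: %r" % bad))
        dups = sorted({i for i in ids if ids.count(i) > 1})
        if dups:
            findings.append((chan, "duplicate IDs: %s" % dups))
        missing = sorted(required.get(chan, set()) - set(ids))
        if missing:
            findings.append((chan, "required IDs absent: %s" % missing))
    findings += [(c, "no Update for channel") for c in sorted(set(required) - seen)]
    return findings
```

Call audit(SCRIPT, REQUIRED) with the bytes of your own script file and your own required-ID sets; an empty list means no problems were found.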