Use Case 4: Add NSA filtering to an existing log source
You want to add NSA filtering to an existing log source. You can make this change by using the tmplt_DeviceWindowsLog.xml template.
Procedure
- Locate the tmplt_DeviceWindowsLog.xml template.
- Make a copy of the template and name it service_DeviceWindowsLog.xml.
- Open AgentConfig.xml and locate the log source contained in the module DeviceWindowsLog.
- Copy the module and instance information and replace the contents of service_DeviceWindowsLog.xml with it. Existing log source example:
<!--
  Existing DeviceWindowsLog service definition as copied from AgentConfig.xml
  (before NSA filtering is added). The service-level Environment holds the
  thread-pool and polling defaults; the Instance holds the settings of the
  individual log source (here "EventLogLocal").
  NOTE(review): all Filter.*.Enabled values are "false" and every
  Filter.*.Type is "No Filtering", so every event from the enabled logs
  (Security, Application, System) is collected as-is.
-->
<Service version="7.2.8" classification="Service" type="DeviceType" module="DeviceWindowsLog" name="DeviceWindowsLog">
  <Environment>
    <!-- Reader thread pool sizing and polling defaults -->
    <Parameter name="DeviceThreadPoolType" value="AdaptiveThreadPool"/>
    <Parameter name="AdaptiveThreadPool.ReaderThreadsMax" value="500"/>
    <Parameter name="AdaptiveThreadPool.ReaderThreadsMin" value="5"/>
    <Parameter name="AdaptiveThreadPool.ReaderBacklogSamplePeriodMillis" value="200"/>
    <Parameter name="MinEventMonitorThreads" value="5"/>
    <Parameter name="MaxEventMonitorThreads" value="250"/>
    <Parameter name="EventLogMonitor.RetryTimeoutMillis" value="60000"/>
    <Parameter name="DefaultThrottleTimeout" value="1500"/>
    <Parameter name="DefaultEventLogPollProtocol" value="MSEVEN6"/>
  </Environment>
  <InstanceData>
    <Instance enabled="true" name="EventLogLocal">
      <Environment>
        <!-- Target host and polling protocol -->
        <Parameter name="DeviceAddress" value="DESKTOP"/>
        <Parameter name="RemoteMachine" value="DESKTOP"/>
        <Parameter name="Filter.DNS Server.Enabled" value="false"/>
        <Parameter name="EventTypeFilterFailureAudit" value="true"/>
        <Parameter name="EventLogPollProtocol" value="MSEVEN6"/>
        <Parameter name="Log.Security" value="true"/>
        <Parameter name="Filter.Application.Enabled" value="false"/>
        <Parameter name="ADLookup.Enabled" value="false"/>
        <Parameter name="ThrottleTimeout" value="1000"/>
        <Parameter name="Filter.DNS Server.Param" value=""/>
        <Parameter name="Filter.File Replication Service.Enabled" value="false"/>
        <Parameter name="Filter.Application.Type" value="No Filtering"/>
        <Parameter name="Filter.Directory Service.Param" value=""/>
        <Parameter name="Log.Application" value="true"/>
        <!-- System log: no filtering yet; these are the three values the procedure changes -->
        <Parameter name="Filter.System.Type" value="No Filtering"/>
        <Parameter name="Filter.DNS Server.Type" value="No Filtering"/>
        <Parameter name="Filter.Application.Param" value=""/>
        <Parameter name="Filter.System.Param" value=""/>
        <Parameter name="Log.Directory Service" value="false"/>
        <Parameter name="ADLookup.DomainControllerName" value=""/>
        <Parameter name="Log.File Replication Service" value="false"/>
        <Parameter name="Filter.Directory Service.Enabled" value="false"/>
        <Parameter name="CustomQuery.Base64" value=""/>
        <Parameter name="Filter.Security.Param" value=""/>
        <Parameter name="EventRateTuningProfile" value="High Event Rate Server"/>
        <Parameter name="Local.System" value="true"/>
        <!-- Event-level (severity) filters: all levels collected -->
        <Parameter name="EventTypeFilterError" value="true"/>
        <Parameter name="EventTypeFilterWarn" value="true"/>
        <Parameter name="EventTypeFilterInfo" value="true"/>
        <Parameter name="Filter.File Replication Service.Param" value=""/>
        <Parameter name="Filter.File Replication Service.Type" value="No Filtering"/>
        <Parameter name="EventTypeFilterSuccessAudit" value="true"/>
        <Parameter name="Filter.Directory Service.Type" value="No Filtering"/>
        <Parameter name="Filter.Security.Type" value="No Filtering"/>
        <Parameter name="Application" value="None"/>
        <Parameter name="Log.System" value="true"/>
        <Parameter name="Log.ForwardedEvents" value="false"/>
        <Parameter name="Filter.Security.Enabled" value="false"/>
        <Parameter name="Filter.System.Enabled" value="false"/>
        <Parameter name="Log.DNS Server" value="false"/>
        <Parameter name="ADLookup.DNSDomainName" value=""/>
        <!-- Polling cadence and per-pass batch bounds -->
        <Parameter name="RemoteMachinePollInterval" value="3000"/>
        <Parameter name="MinLogsToProcessPerPass" value="1250"/>
        <Parameter name="MaxLogsToProcessPerPass" value="1825"/>
        <Parameter name="Login.Handle" value="0"/>
      </Environment>
    </Instance>
  </InstanceData>
</Service>
- Modify the following three System-log filter parameters so that they match this sample code (shown in bold in the original document):
<!--
  The three System-log filter parameters to change. Filter.System.Param is a
  comma-separated list of Windows System event IDs; Filter.System.Enabled
  must be "true" for the filter to take effect.
  NOTE(review): this page does not state whether an "NSAlist" filter keeps
  only the listed IDs or drops them - confirm against the WinCollect
  template documentation before relying on it for log coverage.
-->
<Parameter name="Filter.System.Type" value="NSAlist"/>
<Parameter name="Filter.System.Param" value="1,6,12,13,19,104,219,1001,1125,1126,1129,7000,7022,7023,7024,7026,7031,7032,7034,7045"/>
<Parameter name="Filter.System.Enabled" value="true"/>
- Save the service_DeviceWindowsLog.xml file and move it to the
\IBM\WinCollect\patch directory. After a few seconds, the file disappears and the agent restarts. The old agentconfig.xml file is moved to the backup directory (patch_checkpoint_xxxx). Updated log source example:
<!--
  Updated DeviceWindowsLog service definition with NSA filtering applied to
  the System log. Apart from the three Filter.System.* parameters (and their
  position in the list) this is identical to the pre-change example.
  NOTE(review): a file dropped into the WinCollect patch directory is applied
  automatically and restarts the agent, so write access to that directory
  should be limited to the administrators who are expected to change log
  source configuration.
-->
<Service version="7.2.8" classification="Service" type="DeviceType" module="DeviceWindowsLog" name="DeviceWindowsLog">
  <Environment>
    <!-- Reader thread pool sizing and polling defaults (unchanged) -->
    <Parameter name="DeviceThreadPoolType" value="AdaptiveThreadPool"/>
    <Parameter name="AdaptiveThreadPool.ReaderThreadsMax" value="500"/>
    <Parameter name="AdaptiveThreadPool.ReaderThreadsMin" value="5"/>
    <Parameter name="AdaptiveThreadPool.ReaderBacklogSamplePeriodMillis" value="200"/>
    <Parameter name="MinEventMonitorThreads" value="5"/>
    <Parameter name="MaxEventMonitorThreads" value="250"/>
    <Parameter name="EventLogMonitor.RetryTimeoutMillis" value="60000"/>
    <Parameter name="DefaultThrottleTimeout" value="1500"/>
    <Parameter name="DefaultEventLogPollProtocol" value="MSEVEN6"/>
  </Environment>
  <InstanceData>
    <Instance enabled="true" name="EventLogLocal">
      <Environment>
        <!-- Target host and polling protocol (unchanged) -->
        <Parameter name="DeviceAddress" value="DESKTOP"/>
        <Parameter name="RemoteMachine" value="DESKTOP"/>
        <Parameter name="Filter.DNS Server.Enabled" value="false"/>
        <Parameter name="EventTypeFilterFailureAudit" value="true"/>
        <Parameter name="EventLogPollProtocol" value="MSEVEN6"/>
        <Parameter name="Log.Security" value="true"/>
        <Parameter name="Filter.Application.Enabled" value="false"/>
        <Parameter name="ADLookup.Enabled" value="false"/>
        <Parameter name="ThrottleTimeout" value="1000"/>
        <Parameter name="Filter.DNS Server.Param" value=""/>
        <Parameter name="Filter.File Replication Service.Enabled" value="false"/>
        <Parameter name="Filter.Application.Type" value="No Filtering"/>
        <Parameter name="Filter.Directory Service.Param" value=""/>
        <Parameter name="Log.Application" value="true"/>
        <Parameter name="Filter.DNS Server.Type" value="No Filtering"/>
        <Parameter name="Filter.Application.Param" value=""/>
        <!--
          System log filter: type NSAlist, Param is a comma-separated list of
          Windows System event IDs, and the filter is switched on.
          NOTE(review): whether NSAlist keeps only the listed IDs or drops
          them is not stated on this page - confirm before relying on it for
          coverage of the System log.
        -->
        <Parameter name="Filter.System.Type" value="NSAlist"/>
        <Parameter name="Filter.System.Param" value="1,6,12,13,19,104,219,1001,1125,1126,1129,7000,7022,7023,7024,7026,7031,7032,7034,7045"/>
        <Parameter name="Filter.System.Enabled" value="true"/>
        <Parameter name="Log.Directory Service" value="false"/>
        <Parameter name="ADLookup.DomainControllerName" value=""/>
        <Parameter name="Log.File Replication Service" value="false"/>
        <Parameter name="Filter.Directory Service.Enabled" value="false"/>
        <Parameter name="CustomQuery.Base64" value=""/>
        <Parameter name="Filter.Security.Param" value=""/>
        <Parameter name="EventRateTuningProfile" value="High Event Rate Server"/>
        <Parameter name="Local.System" value="true"/>
        <!-- Event-level (severity) filters: all levels collected (unchanged) -->
        <Parameter name="EventTypeFilterError" value="true"/>
        <Parameter name="EventTypeFilterWarn" value="true"/>
        <Parameter name="EventTypeFilterInfo" value="true"/>
        <Parameter name="Filter.File Replication Service.Param" value=""/>
        <Parameter name="Filter.File Replication Service.Type" value="No Filtering"/>
        <Parameter name="EventTypeFilterSuccessAudit" value="true"/>
        <Parameter name="Filter.Directory Service.Type" value="No Filtering"/>
        <Parameter name="Filter.Security.Type" value="No Filtering"/>
        <Parameter name="Application" value="None"/>
        <Parameter name="Log.System" value="true"/>
        <Parameter name="Log.ForwardedEvents" value="false"/>
        <Parameter name="Filter.Security.Enabled" value="false"/>
        <Parameter name="Log.DNS Server" value="false"/>
        <Parameter name="ADLookup.DNSDomainName" value=""/>
        <!-- Polling cadence and per-pass batch bounds (unchanged) -->
        <Parameter name="RemoteMachinePollInterval" value="3000"/>
        <Parameter name="MinLogsToProcessPerPass" value="1250"/>
        <Parameter name="MaxLogsToProcessPerPass" value="1825"/>
        <Parameter name="Login.Handle" value="0"/>
      </Environment>
    </Instance>
  </InstanceData>
</Service>