Windows event log filtering

You can configure the WinCollect agent to ignore or to include specific events collected from the Windows event log. You can limit the total EPS (events per second) that are sent to the QRadar® Console by using the filter types.

The WinCollect agents can be configured to ignore events globally by ID code or by log source. Global exclusions use the EventIDCode field from the event payload. Source and ID exclusions use the Source= field and the EventIDCode= field of the Windows payload to determine which events are excluded. Separate multiple sources by using a semicolon. Event filters such as exclusion, inclusion, and NSA are available for the following log source types:
  • Security
  • System
  • Application
  • DNS Server
  • File Replication Service
  • Directory Service
  • Forwarded Events

The WinCollect agent requests all available events from the Event Collection API each time the value specified in the Polling Interval field expires.

For the exclusion filter, the agent examines all of the events that it retrieves from the Event Collection API and discards the events that match the exclusions defined by the administrator (either by Windows Event ID or by source). The agent assembles the remaining events into name=value pairs and forwards them to either the QRadar Console or the Event Collector appliance. For the inclusion filter, the agent keeps only the events that match the Event IDs specified by the administrator and forwards those events to the QRadar Console or Event Collector.

The NSA filter is a unique type of filter that carries a fixed, pre-defined list of security Event IDs, which the agent collects from the Security, System, Application, and DNS logs. Only events that match these pre-defined security Event IDs are forwarded by the agent to the Console or Event Collector.
Tip: The Forwarded Events filter requires you to identify the source or channel, followed by the event IDs that you want to filter in parentheses. Use semicolons as delimiters between entries and commas between event IDs; a hyphen denotes an inclusive range. For example:
Application(200-256,4097,34);Security(1);Symantec(1,13)
In this example, event IDs 200 to 256, 4097, and 34 are filtered for the Application channel, event ID 1 is filtered for the Security channel, and event IDs 1 and 13 are filtered for the source called Symantec.
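The following is an added example, not WinCollect or QRadar code: a small parser for the filter syntax in the tip, plus a dry run that applies it to a constructed batch of events in both exclusion and inclusion mode and reports the resulting EPS. It assumes a clause name is compared against both the channel and the Source= value of an event (so Symantec(1,13) catches Symantec events in any channel); the page says only that the name identifies "the source or channel", so treat that as this example's assumption. The sample events and the 10-second polling window are made up.

```python
"""Parse and dry-run a WinCollect-style event filter expression.

Added example; not WinCollect code. Assumes the syntax shown in the tip:
Name(ids);Name(ids), where Name is a channel (Application, Security, ...)
or a Source= value, and ids is a comma list of event IDs or lo-hi ranges.
"""
import re

CLAUSE_RE = re.compile(r"^([^()]+)\(([^()]*)\)$")


def parse_filter(expr):
    """Turn 'Application(200-256,4097,34);Security(1)' into {name: set of IDs}."""
    rules = {}
    for clause in expr.split(";"):
        clause = clause.strip()
        if not clause:
            continue
        m = CLAUSE_RE.match(clause)
        if not m:
            raise ValueError(f"malformed clause: {clause!r}")
        name, id_list = m.group(1).strip(), m.group(2)
        ids = rules.setdefault(name, set())
        for tok in id_list.split(","):
            tok = tok.strip()
            if not tok:
                continue
            if "-" in tok:
                lo, hi = (int(x) for x in tok.split("-", 1))
                if lo > hi:
                    raise ValueError(f"bad range {tok!r} in {name}")
                ids.update(range(lo, hi + 1))  # ranges are inclusive
            else:
                ids.add(int(tok))
    return rules


def matches(rules, event):
    """True if a clause for the event's channel or its Source= value lists its ID.

    Assumption (not stated on the page): a clause name is checked against both
    the channel and the Source= field of the event.
    """
    channel, source, event_id = event
    return event_id in rules.get(channel, ()) or event_id in rules.get(source, ())


def apply_filter(rules, events, mode):
    """Return the events the agent would forward under 'exclusion' or 'inclusion'."""
    if mode == "exclusion":
        return [e for e in events if not matches(rules, e)]
    if mode == "inclusion":
        return [e for e in events if matches(rules, e)]
    raise ValueError(f"unknown filter mode: {mode!r}")


def eps(events, window_seconds):
    """Events per second for a batch collected over one polling interval."""
    return len(events) / window_seconds


# Constructed sample batch: (channel, Source= value, EventIDCode) triples,
# as if pulled from the Event Collection API in one 10-second polling interval.
SAMPLE_EVENTS = [
    ("Application", "MsiInstaller", 1033),
    ("Application", "Application Error", 200),
    ("Application", "Symantec", 13),
    ("Security", "Microsoft-Windows-Security-Auditing", 4624),
    ("Security", "Microsoft-Windows-Security-Auditing", 1),
    ("System", "Symantec", 1),
    ("System", "Service Control Manager", 7036),
]

if __name__ == "__main__":
    rules = parse_filter("Application(200-256,4097,34);Security(1);Symantec(1,13)")
    for mode in ("exclusion", "inclusion"):
        kept = apply_filter(rules, SAMPLE_EVENTS, mode)
        print(f"{mode}: {len(kept)} of {len(SAMPLE_EVENTS)} events forwarded, "
              f"~{eps(kept, 10):.1f} EPS (unfiltered {eps(SAMPLE_EVENTS, 10):.1f})")
        for e in kept:
            print("   ", e)
```

Because an exclusion filter drops events at the agent, nothing downstream in QRadar can recover them; running a candidate expression over a representative export of each channel, as this script does with its constructed batch, shows what the filter removes and how much EPS it saves before the change is applied to production agents.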