Windows event log filtering
You can configure the WinCollect agent to ignore or to include specific events collected from the Windows event log. By using these exclusion and inclusion filters, you can limit the total EPS (events per second) that are sent to the QRadar® Console. Filters can be applied to the following Windows event logs:
- Security
- System
- Application
- DNS Server
- File Replication Service
- Directory Service
- Forwarded Events
The WinCollect agent requests all available events from the Event Collection API each time the interval specified in the Polling Interval field expires.
With an exclusion filter, the agent examines all of the events retrieved from the Event Collection API and ignores the events that match the exclusions defined by the administrator (either by Windows Event ID or by source). The agent then assembles the remaining events into name=value pairs and forwards them to either the QRadar Console or the Event Collector appliance. With an inclusion filter, the agent instead pulls only the events that match the Event IDs specified by the administrator and forwards those events to the QRadar Console or Event Collector.
Application(200-256,4097,34);Security(1);Symantec(1,13)
In this example, event IDs from 200 to 256, 4097 and 34 are filtered for the channel Application, event ID 1 is filtered for Security, and event IDs 1 and 13 are filtered for the source called Symantec.