Event filtering

You can configure the WinCollect 10 agent to include or exclude specific events that are collected from the Windows event log. Using event filtering, you can gather events that are of value to you while limiting the total events per second (EPS) that are sent to QRadar®.

The WinCollect agent requests all available events from the Event Collection API each time the value that is specified in the Polling Interval field expires. The agent then examines all of the events that are retrieved from the Event Collection API and ignores or includes events that match the filter. The agent then assembles the name=value pairs of the remaining events and forwards the events to either the QRadar Console or the Event Collector appliance.

Exclusion, inclusion, and NSA filters are available for the following source types:

  • Security
  • System
  • Application
  • DNS Server
  • Directory Service
  • Forwarded Events

WinCollect 10 no longer uses a separate field for inclusion or exclusion filters. The syntax that you use in the filter specifies whether you want to include or exclude events.

Syntactically, WinCollect uses three types of filters:
  • Include/exclude filter based implicitly on the EventIDCode field
  • Explicit field specification with comparison and logical operators
  • Forwarded Events filter

Include/exclude filter based implicitly on the EventIDCode field

Inclusion filter
An inclusion filter lists the Event IDs that you want the agent to send to QRadar; every other event from that source is dropped. Specify single IDs, ranges, or both, separated by commas. The following example includes Event ID 7000, any ID in the ranges 7022-7026 and 7031-7034, and Event ID 7045:
7000,7022-7026,7031-7034,7045
Exclusion filter
An exclusion filter lists the Event IDs that you do not want the agent to send to QRadar; every other event from that source is forwarded. The syntax is the same as for the inclusion filter, except that the whole list is wrapped in parentheses and prefixed with a hyphen. The following example excludes Event ID 7000, any ID in the ranges 7022-7026 and 7031-7034, and Event ID 7045:
-(7000,7022-7026,7031-7034,7045)
In both forms the list is comma-separated, and each value is either a single Event ID or a range. Events whose Event ID does not match an inclusion filter are excluded by default. Because the agent discards non-matching events before they leave the host, an over-broad inclusion or exclusion filter silently removes log evidence that cannot be recovered from QRadar later, so review the IDs that a filter drops as carefully as the ones it keeps.
Table 1. Types of Event ID values

  Type             Example   Function
  Number           100       Includes that Event ID (for example 100)
  Range            200-300   Includes all Event IDs within that range, inclusive (for example 200, 201, 250, 299, 300)
  Range (no max)   50-       Includes all Event IDs greater than or equal to that Event ID (for example 50, 51, 1000, 2000)
  Range (no min)   -50       Includes all Event IDs less than or equal to that Event ID (for example 1, 2, 25, 49, 50)

For example, the following filter includes Event IDs from 0 to 10, Event IDs from 12 to 16, the Event ID 17, and any Event IDs that are 20 or greater:
-10, 12-16, 17, 20-
Note: A range of Event IDs is included regardless of its position in the list. For example, because the last item is the range -30, the following filter includes all Event IDs from 0 to 30:
5, 10, 15-20, 25, -30

Explicit field specification with comparison and logical operators

Explicit field specification is the most versatile method of filtering events. You can filter events by the values of the various fields in the payload.

A field is compared with a value by using one of the following comparison operators:

  Operator   Description                Example                  Explanation
  ==         Equals                     Source == Outlook        Include events where the Source field in the payload equals "Outlook".
  !=         Not equals                 Source != Outlook        Include events where the Source field in the payload does not equal "Outlook".
  =~         Matches                    Message =~ "calc.exe"    Include events where "calc.exe" appears in the Message field.
  !~         Does not match             Message !~ calc.exe      Include events where "calc.exe" does not appear in the Message field.
  >          Greater than               EventID > 100            Include events where EventID is greater than 100.
  >=         Greater than or equal to   EventID >= 100           Include events where EventID is greater than or equal to 100.
  <          Less than                  EventID < 100            Include events where EventID is less than 100.
  <=         Less than or equal to      EventID <= 100           Include events where EventID is less than or equal to 100.

Logical operators can be used to string together multiple conditions.
  Operator   Example                                 Explanation
  AND        Source == Outlook AND EventID != 9000   Include an event only if the Source field is "Outlook" AND the EventID is not 9000.
  OR         Source == Outlook OR EventID != 9000    Include an event if either the Source field is "Outlook" OR the EventID is not 9000.

Additional syntax features and special characters

Commas
Filters can now specify multiple values for a field by separating them with a comma. Example:
Source == Outlook, MsiInstaller
In this example, the comma is treated as an OR operator, which means that this filter allows events that have a Source field of either "Outlook" or "MsiInstaller". The same filter can be configured in a longer format and achieve the same results. Example:
Source == Outlook OR Source == MsiInstaller
Tip: A space is not required after the comma.
Quotation marks
Filters can contain both single and double quotation marks. Examples:
Message == "this is a test"

Message == 'this is a test'
Wildcard characters
Expressions that use the matches or does not match operators also support the use of several special symbols:
  Character   Description
  ?           Matches any single character
  *           Matches any number of characters
  #n          Matches the number n
  #n-m        Matches any number in the range from n to m
  ##          Matches the literal character #
For example, the following expression is true for events where the Message field is equal to "Error 3: An error has occurred. Shutting down." but not "Error 10: An error has occurred. Shutting down." or "Error 5: An error has occurred. No action taken.":
Message =~ Error #2-6: * Shutting down.
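The comparison operators, comma lists, quoting and wildcard characters described above, as an added example in Python that models the documented syntax. This is not WinCollect code, and it makes two assumptions the page does not state: a wildcard pattern is looked for anywhere in the field value (consistent with the Message =~ "calc.exe" example), and AND binds more tightly than OR when both appear in one filter. The event dictionary and its field values are constructed sample data.

```python
import re
from typing import Dict, List

# One comparison: <field> <operator> <value[, value...]>
_CONDITION = re.compile(r"^\s*(\w+)\s*(==|!=|=~|!~|>=|<=|>|<)\s*(.*?)\s*$")
# Comma-list items; a quoted item may itself contain commas.
_VALUE = re.compile(r'"[^"]*"|\'[^\']*\'|[^,]+')


def wildcard_to_regex(pattern: str) -> str:
    """Translate the documented =~ / !~ wildcard syntax into a Python regex.

    ?     any single character        #n    the whole number n
    *     any run of characters       #n-m  any whole number from n to m
    ##    a literal '#'               (everything else matches literally)
    The n-m range is treated as inclusive (assumption, like the Event ID ranges).
    """
    out: List[str] = []
    i = 0
    while i < len(pattern):
        c = pattern[i]
        if c == "?":
            out.append(".")
        elif c == "*":
            out.append(".*")
        elif c == "#":
            m = re.match(r"#(?:(#)|(\d+)-(\d+)|(\d+))", pattern[i:])
            if m is None:
                raise ValueError(f"bad '#' sequence at offset {i} in {pattern!r}")
            if m.group(1):
                out.append(re.escape("#"))
            else:
                low = int(m.group(2) or m.group(4))
                high = int(m.group(3) or m.group(4))
                if low > high:
                    raise ValueError(f"empty number range in {pattern!r}")
                # Whole-number match: '#2-6' must not accept the '1' in 'Error 10'.
                nums = "|".join(str(n) for n in range(low, high + 1))
                out.append(rf"(?<!\d)(?:{nums})(?!\d)")
            i += m.end() - 1
        else:
            out.append(re.escape(c))
        i += 1
    return "".join(out)


def matches(value: str, pattern: str) -> bool:
    """Evaluate `field =~ pattern` (substring search, see lead-in); `!~` is its negation."""
    return re.search(wildcard_to_regex(pattern), value) is not None


def _values(rhs: str) -> List[str]:
    """Split a comma list such as 'Outlook, MsiInstaller' and strip matching quotes."""
    vals: List[str] = []
    for raw in _VALUE.findall(rhs):
        v = raw.strip()
        if len(v) >= 2 and v[0] == v[-1] and v[0] in "\"'":
            v = v[1:-1]
        vals.append(v)
    return vals


def eval_condition(condition: str, event: Dict[str, str]) -> bool:
    """Evaluate one comparison. The page says a comma list is an OR, so the
    condition holds if it holds for any listed value (for every operator)."""
    m = _CONDITION.match(condition)
    if m is None:
        raise ValueError(f"cannot parse condition {condition!r}")
    field, op, rhs = m.groups()
    actual = event.get(field, "")
    tests = {
        "==": lambda v: actual == v,
        "!=": lambda v: actual != v,
        "=~": lambda v: matches(actual, v),
        "!~": lambda v: not matches(actual, v),
        ">": lambda v: int(actual) > int(v),
        ">=": lambda v: int(actual) >= int(v),
        "<": lambda v: int(actual) < int(v),
        "<=": lambda v: int(actual) <= int(v),
    }
    return any(tests[op](v) for v in _values(rhs))


def eval_filter(expr: str, event: Dict[str, str]) -> bool:
    """Combine conditions with AND / OR. Assumption: AND binds tighter than OR."""
    return any(
        all(eval_condition(c, event) for c in re.split(r"\s+AND\s+", clause))
        for clause in re.split(r"\s+OR\s+", expr)
    )


# Constructed sample event; a real event carries many more name=value pairs.
SAMPLE_EVENT = {
    "Source": "Outlook",
    "EventID": "9001",
    "Message": "Error 3: An error has occurred. Shutting down.",
}

if __name__ == "__main__":
    for f in ("Source == Outlook AND EventID != 9000",
              "Source == Outlook, MsiInstaller",
              "Message =~ Error #2-6: * Shutting down.",
              "Message !~ calc.exe AND EventID > 100"):
        print(f"{f!r:50} -> {eval_filter(f, SAMPLE_EVENT)}")
```

One consequence of the documented comma-is-OR rule that the model makes visible: Source != Outlook, MsiInstaller is true for every event, because at least one of the two inequalities always holds. To drop both sources, write the conditions out with AND (Source != Outlook AND Source != MsiInstaller).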

Forwarded Events filter

A forwarded events channel or source receives events from various Windows logs. The Forwarded Events filter therefore requires you to name the source or channel, followed in parentheses by the Event IDs that you want to include from it. Separate the entries for different channels with semicolons.

Example:
Application(200-256,4097,34);Security(1);Symantec(1,13)

In this example, Event IDs 200 - 256, 4097, and 34 are included for the channel "Application", Event ID 1 is included for "Security", and Event IDs 1 and 13 are included for the source called "Symantec".

An empty list does not include any EventIDs. For example, this filter does not include any events:
Security()
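The implicit include/exclude filter described earlier and the Forwarded Events filter share the same Event ID list syntax, so one added Python example models both. It is not the agent's code; it implements the semantics the page documents (single IDs, inclusive ranges, open-ended ranges, the union of all items, '-( ... )' as exclusion, an empty list as nothing) and assumes that a channel not named in a Forwarded Events filter contributes no events, which is consistent with the page's empty-list rule. The (channel, Event ID) pairs in the main block are constructed sample data.

```python
import re
from typing import Dict, List, Optional, Tuple

# (low, high) with high None meaning "no upper bound"; an ID list is the union of its items.
IdRange = Tuple[int, Optional[int]]

_ITEM = re.compile(r"^(?:(\d+)|(\d*)-(\d*))$")


def parse_id_list(text: str) -> List[IdRange]:
    """Parse '7000,7022-7026,-10,50-' into ranges.
    '-10' is 0..10, '50-' is 50 and up, and an empty list yields no ranges."""
    ranges: List[IdRange] = []
    for item in text.split(","):
        item = item.strip()
        if not item:
            continue  # tolerate a trailing comma or the empty list in 'Security()'
        m = _ITEM.match(item)
        if m is None or item == "-":
            raise ValueError(f"bad Event ID item {item!r}")
        if m.group(1) is not None:
            n = int(m.group(1))
            ranges.append((n, n))
        else:
            low = int(m.group(2)) if m.group(2) else 0
            high = int(m.group(3)) if m.group(3) else None
            if high is not None and low > high:
                raise ValueError(f"empty range {item!r}")
            ranges.append((low, high))
    return ranges


def in_ranges(event_id: int, ranges: List[IdRange]) -> bool:
    return any(lo <= event_id and (hi is None or event_id <= hi) for lo, hi in ranges)


def implicit_filter_accepts(filter_text: str, event_id: int) -> bool:
    """Implicit EventIDCode filter: a bare list includes, '-( ... )' excludes.
    A leading hyphen without a parenthesis ('-30') is a range, not an exclusion."""
    text = filter_text.strip()
    m = re.fullmatch(r"-\s*\((.*)\)", text, re.DOTALL)
    if m:
        return not in_ranges(event_id, parse_id_list(m.group(1)))
    return in_ranges(event_id, parse_id_list(text))


def parse_forwarded_filter(text: str) -> Dict[str, List[IdRange]]:
    """'Application(200-256,4097,34);Security(1)' -> {channel: ranges}."""
    table: Dict[str, List[IdRange]] = {}
    for entry in text.split(";"):
        entry = entry.strip()
        if not entry:
            continue
        m = re.fullmatch(r"([^()]+)\((.*)\)", entry)
        if m is None:
            raise ValueError(f"bad Forwarded Events entry {entry!r}")
        table[m.group(1).strip()] = parse_id_list(m.group(2))
    return table


def forwarded_filter_accepts(filter_text: str, channel: str, event_id: int) -> bool:
    """Assumption: a channel that the filter does not name contributes nothing,
    which matches the page's rule that 'Security()' includes no events."""
    return in_ranges(event_id, parse_forwarded_filter(filter_text).get(channel, []))


if __name__ == "__main__":
    # Constructed sample (channel, Event ID) pairs as the agent might read them.
    sample = [("Application", 34), ("Application", 300), ("Security", 1),
              ("Security", 13), ("Symantec", 13), ("System", 7045)]
    exclusion = "-(7000,7022-7026,7031-7034,7045)"
    forwarded = "Application(200-256,4097,34);Security(1);Symantec(1,13)"
    for channel, eid in sample:
        print(f"{channel:12}{eid:6}  exclusion filter keeps: "
              f"{implicit_filter_accepts(exclusion, eid)!s:6} "
              f"forwarded filter keeps: {forwarded_filter_accepts(forwarded, channel, eid)}")
```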

NSA filtering

The NSA filter is available as a predefined filter. You can select NSA Filtering in the predefined filters menu only if you selected Security, System, Application, or DNS Server as the channel.