Event filtering
You can configure the WinCollect 10 agent to include or exclude specific events that are collected from the Windows event log. Using event filtering, you can gather events that are of value to you while limiting the total events per second (EPS) that are sent to QRadar®.
The WinCollect agent requests all available events from the Event Collection API each time the value that is specified in the Polling Interval field expires. The agent then examines all of the events that are retrieved from the Event Collection API and ignores or includes events that match the filter. The agent then assembles the name=value pairs of the remaining events and forwards the events to either the QRadar Console or the Event Collector appliance.
Event filters such as exclusion, inclusion, and NSA are available for the following source types:
- Security
- System
- Application
- DNS Server
- Directory Service
- Forwarded Events
WinCollect 10 no longer uses a separate field for inclusion or exclusion filters. The syntax that you use in the filter specifies whether you want to include or exclude events.
- Include/exclude filter based implicitly on the EventIDCode field
- Explicit field specification with comparison and logical operators
- Forwarded Events filter
Include/exclude filter based implicitly on the EventIDCode field
- Inclusion filter: An inclusion filter tells the agent to send the matching events to QRadar. To specify one, list the Event IDs. Multiple IDs can be separated by commas, or a range of IDs can be specified. The following example includes Event IDs 7000, any in the 7022-7026 range, any in the 7031-7034 range, and 7045:
7000,7022-7026,7031-7034,7045
- Exclusion filter: An exclusion filter tells the agent not to send the matching events to QRadar. The syntax is similar to the inclusion filter; the difference is that you wrap everything in parentheses and add a hyphen to the beginning of the filter. The following example excludes Event IDs 7000, any in the 7022-7026 range, any in the 7031-7034 range, and 7045:
-(7000,7022-7026,7031-7034,7045)
Type | Example | Function |
---|---|---|
Number | 100 | Includes that Event ID (for example 100) |
Range | 200-300 | Includes all Event IDs within that range, inclusive (for example 200, 201, 250, 299, 300) |
Range (no max) | 50- | Includes all Event IDs greater than or equal to that Event ID (for example 50, 51, 1000, 2000) |
Range (no min) | -50 | Includes all Event IDs less than or equal to that Event ID (for example 1, 2, 25, 49, 50) |
Examples that combine several of these forms in one filter:
-10, 12-16, 17, 20-
5, 10, 15-20, 25, -30
Explicit field specification with comparison and logical operators
Explicit field specification is the most versatile method of filtering events. You can filter events by the values of the various fields in the payload.
Operator | Description | Example | Explanation |
---|---|---|---|
== | Equals | Source == Outlook | Include events where the Source field in the payload equals "Outlook". |
!= | Not equals | Source != Outlook | Include events where the Source field in the payload does not equal "Outlook". |
=~ | Matches | Message =~ "calc.exe" | Include events where "calc.exe" is part of the Message field. |
!~ | Does not match | Message !~ calc.exe | Include events where "calc.exe" is not part of the Message field. |
> | Greater than | EventID > 100 | Include events where EventID is greater than 100. |
>= | Greater than (or equal to) | EventID >= 100 | Include events where EventID is greater than or equal to 100. |
< | Less than | EventID < 100 | Include events where EventID is less than 100. |
<= | Less than (or equal to) | EventID <= 100 | Include events where EventID is less than or equal to 100. |
Operator | Example | Explanation |
---|---|---|
AND | Source == Outlook AND EventID != 9000 | Include an event where both the Source field is "Outlook" AND the EventID is not 9000. |
OR | Source == Outlook OR EventID != 9000 | Include an event where either the Source field equals "Outlook" OR the EventID is not 9000. |
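An added example, not code from the WinCollect documentation: a small Python evaluator for the explicit field syntax in the two tables above, which also accepts comma-separated value lists and single- or double-quoted values. The function names are this example's own; left-to-right evaluation of AND and OR with equal precedence, case-sensitive comparison, and treating "matches" as a plain substring test are assumptions of this example that the page does not define.

```python
import re

# Tokens of the explicit field syntax: keywords, operators, the comma, quoted strings, bare words.
_TOKEN = re.compile(r'''\s*(AND\b|OR\b|==|!=|=~|!~|>=|<=|>|<|,|"[^"]*"|'[^']*'|[^\s,"'=!<>]+)''')

def tokenize(expr):
    tokens, pos = [], 0
    while pos < len(expr.rstrip()):
        m = _TOKEN.match(expr, pos)
        if not m:
            raise ValueError("cannot tokenize %r at offset %d" % (expr, pos))
        tokens.append(m.group(1))
        pos = m.end()
    return tokens

def _compare(actual, op, wanted):
    if op in (">", ">=", "<", "<="):                # numeric fields such as EventID
        try:
            a, w = int(actual), int(wanted)
        except ValueError:
            return False
        return {">": a > w, ">=": a >= w, "<": a < w, "<=": a <= w}[op]
    actual = str(actual)
    if op in ("==", "!="):
        return (actual == wanted) == (op == "==")
    if op in ("=~", "!~"):                          # plain substring test; the ?, *, #n
        return (wanted in actual) == (op == "=~")   # wildcards are not expanded here
    raise ValueError("unknown operator %r" % op)

def evaluate(expr, event):
    """True if the event (a dict of payload fields) passes the filter. AND and OR
    are applied left to right with equal precedence; the page gives no precedence
    rule, so that is an assumption of this example."""
    toks, i, result, conj = tokenize(expr), 0, None, None
    while i < len(toks):
        field, op, values, i = toks[i], toks[i + 1], [], i + 2
        while True:                                 # comma list: 'Outlook, MsiInstaller'
            tok = toks[i]
            values.append(tok[1:-1] if tok[0] in "\"'" else tok)
            i += 1
            if i < len(toks) and toks[i] == ",":
                i += 1
            else:
                break
        term = any(_compare(event.get(field, ""), op, v) for v in values)  # comma acts as OR
        result = term if result is None else (result and term if conj == "AND" else result or term)
        if i < len(toks):
            conj, i = toks[i], i + 1
    return bool(result)
```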
Additional syntax features and special characters
- Commas: Filters can now specify multiple values for a field by separating them with a comma. Example:
Source == Outlook, MsiInstaller
In this example, the comma is treated as an OR operator, which means that this filter allows events that have a Source field of either "Outlook" or "MsiInstaller". The same filter can be configured in a longer format and achieve the same results. Example:
Source == Outlook OR Source == MsiInstaller
Tip: A space is not required after the comma.
- Quotation marks: Filters can contain both single and double quotation marks. Examples:
Message == "this is a test"
Message == 'this is a test'
- Wildcard characters: Expressions that use the matches or does not match operators also support the use of several special symbols:
Character | Description |
---|---|
? | Matches any single character |
* | Matches any number of characters |
#n | Matches a single number, n |
#n-m | Matches any number in the range from n to m |
## | Matches the literal character, # |
For example, the following expression is true for events where the Message field is equal to "Error 3: An error has occurred. Shutting down." but not "Error 10: An error has occurred. Shutting down." or "Error 5: An error has occurred. No action taken.":
Message =~ Error #2-6: * Shutting down.
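An added example (not from the original page): translating the wildcard symbols in the table above into a regular expression and evaluating the Message =~ expression against the three messages the text lists. Reading n and m in #n and #n-m as single digits (which is what the page's "Error 3" versus "Error 10" example implies), matching anywhere in the field value (as the calc.exe example states), and case-sensitive comparison are assumptions of this example; the function names are its own.

```python
import re

def wildcard_to_regex(pattern):
    """Translate a 'matches' (=~) pattern with WinCollect 10 wildcards into a
    regular expression: ? = any single character, * = any run of characters,
    #n = the single digit n, #n-m = any single digit from n to m, ## = a
    literal '#'. Treating n and m as single digits is this example's reading
    of the page, where 'Error #2-6:' matches 'Error 3:' but not 'Error 10:'."""
    out, i = [], 0
    while i < len(pattern):
        c = pattern[i]
        if c == "?":
            out.append(".")
        elif c == "*":
            out.append(".*")
        elif c == "#":
            nxt = pattern[i + 1:i + 2]
            if nxt == "#":                                  # '##' is a literal hash
                out.append(re.escape("#"))
                i += 1
            elif nxt.isdigit() and pattern[i + 2:i + 3] == "-" and pattern[i + 3:i + 4].isdigit():
                out.append("[%s-%s]" % (nxt, pattern[i + 3]))   # '#n-m' digit range
                i += 3
            elif nxt.isdigit():                             # '#n' exact digit
                out.append(nxt)
                i += 1
            else:
                raise ValueError("bad '#' sequence at offset %d in %r" % (i, pattern))
        else:
            out.append(re.escape(c))                        # everything else is literal
        i += 1
    return "".join(out)

def field_matches(value, pattern):
    """Evaluate 'Field =~ pattern': True if the pattern matches anywhere in the
    field value, consistent with the page's 'calc.exe is part of the Message
    field' reading. Case-sensitive matching is an assumption; the page does not say."""
    return re.search(wildcard_to_regex(pattern), value, re.DOTALL) is not None

def field_does_not_match(value, pattern):
    """Evaluate 'Field !~ pattern'."""
    return not field_matches(value, pattern)
```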
Forwarded Events filter
A forwarded events channel or source receives events from various Windows logs. The Forwarded Events filter requires you to identify the source or channel, with the EventIDs that you want to filter in parentheses. Use semicolons as delimiters.
Application(200-256,4097,34);Security(1);Symantec(1,13)
In this example, event IDs 200-256, 4097, and 34 are filtered for the channel "Application". EventID 1 is filtered for Security, and EventIDs 1 and 13 are filtered for the source called "Symantec".
Security()
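As an added example that is not part of the WinCollect documentation, the following Python code parses the Event ID filter syntax described earlier on this page (single IDs, inclusive ranges, open-ended ranges and the parenthesised exclusion form) and, reusing that parser, the per-channel Forwarded Events filter, then decides whether a given event ID passes. The function names are this example's own; the page does not state what an empty list such as Security() selects, so the parser only records it as an empty range list.

```python
import re

def parse_id_spec(spec):
    """Parse an Event ID filter such as '-10, 12-16, 17, 20-' or the exclusion
    form '-(7000,7022-7026,7045)'. Returns (mode, ranges): mode is 'include' or
    'exclude'; each range is (low, high), with None for an open end."""
    spec, mode = spec.strip(), "include"
    if spec.startswith("-(") and spec.endswith(")"):
        mode, spec = "exclude", spec[2:-1]
    ranges = []
    for item in (s.strip() for s in spec.split(",")):
        if not item:
            continue
        if "-" not in item:                      # single ID: 100
            ranges.append((int(item), int(item)))
        elif item.startswith("-"):               # no minimum: -50
            ranges.append((None, int(item[1:])))
        elif item.endswith("-"):                 # no maximum: 50-
            ranges.append((int(item[:-1]), None))
        else:                                    # inclusive range: 200-300
            low, high = item.split("-", 1)
            ranges.append((int(low), int(high)))
    return mode, ranges

def in_ranges(event_id, ranges):
    return any((lo is None or lo <= event_id) and (hi is None or event_id <= hi)
               for lo, hi in ranges)

def id_filter_allows(spec, event_id):
    """True if an event with this ID is forwarded under an include/exclude filter."""
    mode, ranges = parse_id_spec(spec)
    return in_ranges(event_id, ranges) == (mode == "include")

def parse_forwarded_spec(spec):
    """Parse 'Application(200-256,4097,34);Security(1);Symantec(1,13)' into a dict
    of channel -> ranges, reusing the ID syntax for each parenthesised list. An
    empty list such as 'Security()' is kept as an empty range list (assumption)."""
    channels = {}
    for part in filter(None, (p.strip() for p in spec.split(";"))):
        m = re.fullmatch(r"([^()]+)\((.*)\)", part)
        if not m:
            raise ValueError("bad forwarded-events entry: %r" % part)
        channels[m.group(1).strip()] = parse_id_spec(m.group(2))[1]
    return channels

def forwarded_filter_matches(spec, channel, event_id):
    """True if the channel is listed and the event ID falls in its list."""
    ranges = parse_forwarded_spec(spec).get(channel)
    return ranges is not None and in_ranges(event_id, ranges)
```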
NSA filtering
The NSA filter is available as a predefined filter. You can select NSA Filtering in the predefined filters menu only if you selected Security, System, Application, or DNS Server as the channel.