Question & Answer
Question
Can WinCollect agents be configured to reduce noisy events?
Answer
There are several ways to write an XPath query that selects all events of a given log type and then suppresses part of what is returned to the WinCollect agent. The examples below need to be adapted to your environment, but they show the basics of suppressing by SID, by a specific user name, or by the SYSTEM account, which are common choices.
Retrieve all security events, but suppress those whose TargetUserSid matches a given SID (replace S-1-5-2 with the SID you want to drop).
<QueryList>
<Query Id="0" Path="Security">
<Select Path="Security">*</Select>
<Suppress Path="Security">*[EventData[Data[@Name='TargetUserSid']='S-1-5-2']]</Suppress>
</Query>
</QueryList>
Note: A common list of SIDs can be found here: http://support.microsoft.com/kb/243330
Retrieve all security events, but suppress event 4624 when the user is SYSTEM.
<QueryList>
<Query Id="0" Path="Security">
<Select Path="Security">*</Select>
<Suppress Path="Security">*[System[(EventID=4624)] and EventData[Data[@Name='TargetUserName']='SYSTEM']]</Suppress>
</Query>
</QueryList>
Note: WinCollect supports up to 10 selected event logs in an XPath query. Event IDs or user names that are suppressed do not count towards that limit. Keep the TargetUserName test inside the same Data[...] predicate as shown above; a looser form such as Data[@Name='TargetUserName'] and (Data='SYSTEM') matches any Data element whose value is SYSTEM (for example the SubjectUserName of a service logon), so it suppresses more than intended.
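A way to dry-run a Select/Suppress pair before deploying it to an agent, added here as an example and not taken from the article or from WinCollect itself: the script runs the candidate query through Get-WinEvent on the host you intend to collect from, compares it with an unsuppressed baseline over the same time window, lists the event IDs that dominate the baseline, and then checks that no event matching a Suppress rule slipped through. The one-hour window, the SID S-1-5-18 (LOCAL SYSTEM) and the use of two Suppress elements in one Query are the example's own choices; adjust them to your environment.

```powershell
# Added example, not part of the IBM article: dry-run a WinCollect-style
# Select/Suppress query against the local Security log with Get-WinEvent
# before deploying it to an agent. Run from an elevated PowerShell session
# on the host you intend to collect from. The one-hour window and the SID
# are illustrative assumptions; change both as needed.

$windowMs = 3600000    # timediff() in event log XPath is measured in milliseconds
$sid      = 'S-1-5-18' # LOCAL SYSTEM; substitute the SID you want to drop

# Time-bounded Select so both runs look at the same slice of the log.
# '<=' must be escaped as '&lt;=' because the query is XML.
$select = "*[System[TimeCreated[timediff(@SystemTime) &lt;= $windowMs]]]"

$baseline = [xml]@"
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">$select</Select>
  </Query>
</QueryList>
"@

# Same Select plus the article's two suppressions. The TargetUserName test is
# bound to that single Data element so that only 4624 events whose target is
# SYSTEM are dropped, not every 4624 with SYSTEM somewhere in its EventData.
$candidate = [xml]@"
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">$select</Select>
    <Suppress Path="Security">*[System[(EventID=4624)] and EventData[Data[@Name='TargetUserName']='SYSTEM']]</Suppress>
    <Suppress Path="Security">*[EventData[Data[@Name='TargetUserSid']='$sid']]</Suppress>
  </Query>
</QueryList>
"@

$all  = @(Get-WinEvent -FilterXml $baseline  -ErrorAction SilentlyContinue)
$kept = @(Get-WinEvent -FilterXml $candidate -ErrorAction SilentlyContinue)

# Event IDs that dominate the baseline are the natural suppression candidates.
$all | Group-Object Id | Sort-Object Count -Descending |
    Select-Object -First 5 Count, Name | Format-Table -AutoSize

"Last hour: {0} events; {1} after suppression ({2} dropped)" -f $all.Count, $kept.Count, ($all.Count - $kept.Count)

# Verify that nothing the Suppress rules should have caught was returned.
# ToXml() gives the full event; the Data elements are keyed by their Name attribute.
$leaked = foreach ($e in $kept) {
    $data = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    if (($e.Id -eq 4624 -and $data['TargetUserName'] -eq 'SYSTEM') -or $data['TargetUserSid'] -eq $sid) { $e }
}
if ($leaked) { Write-Warning ("{0} event(s) matched a Suppress rule but were still returned" -f @($leaked).Count) }
else         { 'Suppress rules verified: no suppressed event survived.' }
```

The two Get-WinEvent calls run a moment apart, so the counts can differ by any events written in between; on a busy domain controller shorten the window rather than reading the whole hour. If Get-WinEvent rejects the XML or returns nothing where the baseline returns events, fix the query here before it reaches the agent, since the agent is handed the same Windows event log XPath dialect that Event Viewer and Get-WinEvent evaluate.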
Document Information
Modified date:
01 April 2020
UID
swg21683374