Event filtering
You can configure the WinCollect 10 agent to include or exclude specific events that are collected from the Windows event log. Using event filtering, you can gather events that are of value to you while limiting the total events per second (EPS) that are sent to JSA.
You can configure WinCollect agents to ignore events globally by event ID or by source. Global exclusions match on the EventIDCode field of the event payload; source-and-ID exclusions match on both the Source= field and the EventIDCode= field of the Windows payload to determine which events are dropped. Separate multiple sources with a semicolon. Exclusion, inclusion, and NSA filters are available for the following source types:
- Security
- System
- Application
- DNS Server
- Directory Service
- Forwarded Events
The WinCollect agent requests all available events from the Event Collection API each time the value that is specified in the Polling Interval field expires. The agent then examines all of the events that are retrieved from the Event Collection API and ignores or includes events that match the filter. The agent then assembles the name=value pairs of the remaining events and forwards the events to either the JSA Console or the Event Collector appliance.
Event filtering configuration

| Filter | Description and example |
| --- | --- |
| Exclusion filter | Drops the listed event IDs and forwards everything else. The following example excludes event IDs 7000, any in the 7022-7026 range, any in the 7031-7034 range, and 7045: -(7000,7022-7026,7031-7034,7045) |
| Inclusion filter | Forwards only the listed event IDs. The following example includes event IDs 7000, any in the 7022-7026 range, any in the 7031-7034 range, and 7045: 7000,7022-7026,7031-7034,7045 |
| NSA filtering | The NSA filter is available as a predefined filter. You can select NSA Filtering in the predefined filters menu only if you selected Security, System, Application, or DNS Server as the channel. |
The Forwarded Events filter requires you to identify the source or channel, followed by the event IDs that you want to filter in parentheses. Use semicolons to separate sources, as in the following example:
Application(200-256,4097,34);Security(1);Symantec(1,13)
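To make the filter syntax concrete, the following Python evaluator is an added example, not WinCollect's or JSA's own code. It parses the three forms shown on this page (an exclusion list wrapped in -( ), a bare inclusion list, and the per-source Forwarded Events form) and applies them to a few constructed events. Everything beyond the syntax itself is an assumption of this example: events are modelled as dicts with Source and EventIDCode keys, source names are matched exactly (case-sensitive), and a Forwarded Events list is applied in exclusion or inclusion mode according to whichever filter type is selected, since the page does not say how the agent treats it.

```python
"""Evaluator for the WinCollect-style event filter syntax described on this page.

Added illustration, not WinCollect code. Assumptions: an exclusion filter is
"-(list)", an inclusion filter is a bare "list", and a Forwarded Events filter
is "Source(list);Source(list)", where "list" is comma-separated event IDs or
N-M ranges. Events are dicts with "Source" and "EventIDCode" keys (assumed
shape; real payloads carry more fields).
"""
import re

# One list element: a single ID or an inclusive N-M range.
RANGE_RE = re.compile(r"^\s*(\d+)\s*(?:-\s*(\d+))?\s*$")
# One Forwarded Events clause: a source name followed by a parenthesised list.
CLAUSE_RE = re.compile(r"^([^()]+)\((.*)\)$")


def parse_id_list(text):
    """Expand '7000,7022-7026,7045' into a set of ints; reject malformed input."""
    ids = set()
    for part in text.split(","):
        m = RANGE_RE.match(part)
        if not m:
            raise ValueError(f"bad event ID or range: {part!r}")
        lo = int(m.group(1))
        hi = int(m.group(2)) if m.group(2) else lo
        if hi < lo:
            raise ValueError(f"range out of order: {part!r}")
        ids.update(range(lo, hi + 1))
    return ids


def parse_filter(expr):
    """Return ("exclude", ids) for '-(...)' or ("include", ids) for a bare list."""
    expr = expr.strip()
    if expr.startswith("-(") and expr.endswith(")"):
        return "exclude", parse_id_list(expr[2:-1])
    return "include", parse_id_list(expr)


def parse_forwarded_filter(expr):
    """Parse 'Application(200-256,4097,34);Security(1)' into {source: ids}."""
    per_source = {}
    for clause in expr.split(";"):
        clause = clause.strip()
        if not clause:
            continue
        m = CLAUSE_RE.match(clause)
        if not m:
            raise ValueError(f"bad source clause: {clause!r}")
        per_source[m.group(1).strip()] = parse_id_list(m.group(2))
    return per_source


def keep_event(event, mode, ids):
    """Decide whether a single event survives a global inclusion/exclusion list."""
    code = int(event["EventIDCode"])
    return code not in ids if mode == "exclude" else code in ids


def keep_forwarded_event(event, per_source, mode):
    """Apply a per-source list; sources not listed are untouched by an
    exclusion filter and dropped by an inclusion filter (assumed semantics)."""
    ids = per_source.get(event["Source"])  # exact-case match (assumption)
    matched = ids is not None and int(event["EventIDCode"]) in ids
    return not matched if mode == "exclude" else matched


def apply_filter(events, mode, ids):
    """Return the events the agent would forward; the rest never cost EPS."""
    return [e for e in events if keep_event(e, mode, ids)]


if __name__ == "__main__":
    # Constructed sample events, not captured from a real host.
    events = [
        {"Source": "Service Control Manager", "EventIDCode": "7045"},
        {"Source": "Service Control Manager", "EventIDCode": "7036"},
        {"Source": "Service Control Manager", "EventIDCode": "7024"},
    ]
    mode, ids = parse_filter("-(7000,7022-7026,7031-7034,7045)")
    kept = apply_filter(events, mode, ids)
    print(f"{mode}: forwarded {len(kept)} of {len(events)} events")
    for e in kept:
        print("  ", e["Source"], e["EventIDCode"])
    fw = parse_forwarded_filter("Application(200-256,4097,34);Security(1);Symantec(1,13)")
    print("forwarded-events sources:", sorted(fw))
```

Before applying an exclusion list such as the one in the table, check it against your detection content: the example drops ID 7045 (Service Control Manager, "a service was installed in the system"), which detection rules for persistence commonly rely on. Filtering at the agent is permanent for those events; nothing excluded here reaches JSA for later search.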