Event filtering

You can configure the WinCollect 10 agent to include or exclude specific events that are collected from the Windows event log. Using event filtering, you can gather events that are of value to you while limiting the total events per second (EPS) that are sent to JSA.

You can configure WinCollect agents to ignore events globally by event ID or by source. Global exclusions match on the EventIDCode= field of the event payload; source and ID exclusions match on both the Source= field and the EventIDCode= field of the Windows payload. Separate multiple sources with a semicolon. Exclusion, inclusion, and NSA filters are available for the following log source types:

  • Security
  • System
  • Application
  • DNS Server
  • Directory Service
  • Forwarded Events

The WinCollect agent requests all available events from the Event Collection API each time the Polling Interval elapses. It then examines every event that was retrieved and drops or keeps each one according to the configured filter. The remaining events are assembled into name=value pairs and forwarded to the JSA Console or the Event Collector appliance. Because filtering happens on the agent after retrieval, it lowers the EPS sent to JSA and the load on the Console or Event Collector, but it does not reduce the work of reading the Windows event log on the host.

Event filtering configuration

WinCollect 10 no longer uses separate fields for inclusion and exclusion filters. The syntax of the filter itself determines whether matching events are included or excluded.

Exclusion filter
The following example excludes event ID 7000, every ID in the 7022-7026 and 7031-7034 ranges, and event ID 7045:

Inclusion filter
The following example includes only event ID 7000, every ID in the 7022-7026 and 7031-7034 ranges, and event ID 7045:

NSA filtering
The NSA filter is available as a predefined filter. NSA Filtering appears in the predefined filters menu only when the selected channel is Security, System, Application, or DNS Server.

The Forwarded Events filter requires you to name the originating source or channel, followed by the event IDs that you want to filter in parentheses. Use semicolons to separate entries.

In this example, event IDs 200-256, 4097, and 34 are filtered for the channel Application, event ID 1 is filtered for the channel Security, and event IDs 1 and 13 are filtered for the source called Symantec:
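The following script is an added example, not WinCollect code, that simulates the filtering behaviour described on this page so you can check what a filter will keep or drop before deploying it. The filter syntax it parses is an assumption based on the prose above (comma-separated IDs with lo-hi ranges for the inclusion and exclusion filters; Channel(ids);Source(ids) entries for the Forwarded Events filter), the payloads are constructed tab-separated name=value strings with the Source= and EventIDCode= fields the page names, the AgentLogFile= field used to carry the originating log is an assumption of this example, and "filtered" in the Forwarded Events example is treated as excluded.

```python
"""Simulation of WinCollect 10 event filtering (added example, not WinCollect code).

Assumptions, none of which are confirmed by the page:
  * ID lists are comma-separated, ranges written lo-hi.
  * Forwarded Events filters are written Channel(ids);Source(ids).
  * Payloads are tab-separated name=value pairs; Source= and EventIDCode=
    are matched, and AgentLogFile= names the originating log.
  * The Forwarded Events filter excludes the listed IDs.
"""
import re
from typing import Dict, List, Set

# Constructed sample payloads (not captured from a real agent).
SYSTEM_PAYLOADS: List[str] = [
    "AgentLogFile=System\tSource=Service Control Manager\tEventIDCode=7000",
    "AgentLogFile=System\tSource=Service Control Manager\tEventIDCode=7024",
    "AgentLogFile=System\tSource=Service Control Manager\tEventIDCode=7030",
    "AgentLogFile=System\tSource=Service Control Manager\tEventIDCode=7036",
    "AgentLogFile=System\tSource=Service Control Manager\tEventIDCode=7045",
]
ID_SPEC = "7000,7022-7026,7031-7034,7045"

FORWARDED_PAYLOADS: List[str] = [
    "AgentLogFile=Application\tSource=MsiInstaller\tEventIDCode=200",
    "AgentLogFile=Application\tSource=MsiInstaller\tEventIDCode=1033",
    "AgentLogFile=Security\tSource=Microsoft-Windows-Security-Auditing\tEventIDCode=1",
    "AgentLogFile=Security\tSource=Microsoft-Windows-Security-Auditing\tEventIDCode=4624",
    "AgentLogFile=Application\tSource=Symantec\tEventIDCode=13",
    "AgentLogFile=Application\tSource=Symantec\tEventIDCode=4097",
    "AgentLogFile=Application\tSource=Symantec\tEventIDCode=14",
]
FORWARDED_SPEC = "Application(200-256,4097,34);Security(1);Symantec(1,13)"


def parse_id_list(spec: str) -> Set[int]:
    """Expand '7000,7022-7026,7045' into the set of event IDs it covers."""
    ids: Set[int] = set()
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        lo, sep, hi = part.partition("-")
        if sep:
            low, high = int(lo), int(hi)
            if low > high:
                raise ValueError(f"inverted range: {part!r}")
            ids.update(range(low, high + 1))
        else:
            ids.add(int(part))
    return ids


def parse_forwarded_filter(spec: str) -> Dict[str, Set[int]]:
    """Parse 'Application(200-256,4097,34);Security(1);Symantec(1,13)'."""
    table: Dict[str, Set[int]] = {}
    for entry in spec.split(";"):
        entry = entry.strip()
        if not entry:
            continue
        m = re.fullmatch(r"([^()]+)\(([^()]*)\)", entry)
        if not m:
            raise ValueError(f"malformed filter entry: {entry!r}")
        table.setdefault(m.group(1).strip(), set()).update(parse_id_list(m.group(2)))
    return table


def parse_payload(payload: str) -> Dict[str, str]:
    """Split tab-separated name=value pairs into a dict."""
    fields: Dict[str, str] = {}
    for token in payload.split("\t"):
        name, _, value = token.partition("=")
        fields[name.strip()] = value.strip()
    return fields


def filter_by_id(payloads: List[str], mode: str, spec: str) -> List[str]:
    """Apply an 'include' or 'exclude' filter on the EventIDCode= field."""
    if mode not in ("include", "exclude"):
        raise ValueError(f"unknown mode {mode!r}")
    ids = parse_id_list(spec)
    kept = []
    for payload in payloads:
        matched = int(parse_payload(payload)["EventIDCode"]) in ids
        if matched == (mode == "include"):  # include keeps matches, exclude keeps the rest
            kept.append(payload)
    return kept


def filter_forwarded(payloads: List[str], spec: str) -> List[str]:
    """Drop forwarded events whose originating log or Source= has the ID listed."""
    table = parse_forwarded_filter(spec)
    kept = []
    for payload in payloads:
        fields = parse_payload(payload)
        eid = int(fields["EventIDCode"])
        names = (fields.get("AgentLogFile", ""), fields.get("Source", ""))
        if any(eid in table.get(n, ()) for n in names):
            continue
        kept.append(payload)
    return kept


if __name__ == "__main__":
    print("exclude keeps", len(filter_by_id(SYSTEM_PAYLOADS, "exclude", ID_SPEC)), "of", len(SYSTEM_PAYLOADS))
    print("include keeps", len(filter_by_id(SYSTEM_PAYLOADS, "include", ID_SPEC)), "of", len(SYSTEM_PAYLOADS))
    print("forwarded keeps", len(filter_forwarded(FORWARDED_PAYLOADS, FORWARDED_SPEC)), "of", len(FORWARDED_PAYLOADS))
```

Running the script against the constructed payloads shows the same ID list producing opposite results under the two modes (the exclusion keeps 7030 and 7036, the inclusion keeps 7000, 7024 and 7045), and shows that a forwarded Symantec event with ID 4097 is dropped by the Application channel entry even though the Symantec source entry does not list it, which is worth remembering when a source and its channel both appear in a Forwarded Events filter.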