Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 
 

Adding NSA filtering to an existing source

You want to add NSA filtering to an existing source. You can change this attribute by using the update_updtTemplate.xml update script.

  1. Locate the update_updtTemplate.xml template in the \IBM\WinCollect\samples directory.
  2. Save a copy of the template and name it update_addedNSAFilterToSecurity.xml.
  3. Modify the file:
    1. Open the agent config definition file (AgentConfigDefinition.xml) and find the parameter that you want to modify.
      Note:

      Do not modify the AgentConfigDefinition.xml file.
    2. The Filter and FilterEnabled flags are in the TypeDef object, which means that every object can call upon the default value. This means that the Source object for security has these parameters, and the default values are as shown here. To refer to a child object, use a forward slash (/). The default value of the FilterEnabled parameter is true, so you need to change only the filter itself.

      Snippet of XML code for a software configuration file defining parameters with attributes such as name, type, default values, and validation rules.

      XML configuration file for WinCollect system, detailing agent core settings, destinations to QRadar at www.test.com, local sources like Microsoft Event Viewer channels, and security credentials for remote collection.
    3. Change the object path to LocalSources(Name="Local")/Source(Channel=Security).
    4. Change the value of the FilterEnabled parameter to true, and the value of the Filter parameter to <NSA_FILTER_SECURITY>.
    5. Change the description for the update to Adding NSA filter to security channel on local sources.
      The final script looks like this:
  4. Save the update_addedNSAFilterToSecurity.xml file and move it to the \IBM\WinCollect\patch directory.
    After a few seconds, the file disappears and the agent restarts. The old agentconfig.xml file is moved to the backup directory (patch_checkpoint_xxxx).
System Events NSA Filter
Application Events NSA Filter