This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Discussions

Windows Log Collection Filter

CarmenMollica
New Contributor
New Contributor

‎2021-07-01 08:30 AM

Hi to all,

I am collecting windows log through NWE agent and I would like to configure a fiter to drop some specific collectio which are impacting a lot on my licence usage.

If i understand well, after have configured the windows log policy to forward the log to the VLC i will be able to configure an event source filter. If so, which type of collection should I configure? Syslog?

Thank you

Carmen

Labels:
0 Likes
2 REPLIES 2

MaximMarchenko
Occasional Contributor
Occasional Contributor

‎2021-07-03 01:47 AM

Hello.

If I uderstood right, you need:

Admin - Services - Log Collector - Config - Event Sources -

drop down menu - Windows; from nearby drop down menu select Filter.

But not sure that it works for NWE.

 

0 Likes

CarmenMollica
New Contributor
New Contributor
In response to MaximMarchenko

‎2021-07-07 03:04 AM - edited ‎2021-07-07 03:07 AM

Hello @MaximMarchenko,

yes, you got the point but, as you was suspecting, the filter configurable from Admin - Services - Log Collector - Config - Event Sources only work for WinRM collections.

For NWE it is possible to filter something through the Windows Log Policy but the low granularity of this filter does permit to filter a particular event id while my aim is to filter a particular event id for a specific TargetUser.

As the NWE method of transport is actually Syslog i was hopping to get the solution in the syslog collection filter but it didn't work

Thank you for the answer

0 Likes
© 2022 RSA Security LLC or its affiliates. All rights reserved.