Configure Event Filters for a Collector

This topic tells you how to create and maintain event filters across all collection protocols. An event filter is a set of rules, evaluated in order, that decides whether each collected event is accepted into the event logs or dropped before it is stored.

Note: Syslog collection can be configured for a Local Log Collector only if the collector is on version 11.3 or later. On earlier versions, Syslog collection is available only on Remote Log Collectors.

Configure an Event Filter

To configure an event filter for an event source:

  1. Go to netwitness_adminicon_25x22.png (Admin) > Services.
  2. Select a Log Collection service.
  3. Under Actions, select netwitness_ic-actns.png View > Config to display the Log Collection configuration parameter tabs.
  4. Click the Event Sources tab.

  5. In the Event Sources tab, select any collection method / Filter from the drop-down menus.

    The following screen shows Syslog selected.

    12.1_ESFilterMenu_1122.png

    Note: Prior to 11.3, Syslog configuration is available only on Remote Collectors. If you are working with a Local Collector service on version 11.0, 11.1, or 11.2, Syslog does not appear in the collection method drop-down menu.

    The Filters view displays the filters that are configured for the selected collection method, if any.

  6. In the Filters panel toolbar, click netwitness_add.png.

    The Add Filter dialog displays.

    netwitness_filteradd.png

  7. Enter a name and description for the new filter and click Add.

    The new filter displays in the Filter panel.

    netwitness_filterrulenew.png

  8. Select the new filter in the Filters panel and click netwitness_add.png in the Filter Rules panel toolbar.

    The Add Filter Rule dialog is displayed.

  9. Click netwitness_add.png under Rule Conditions.
  10. Add the parameters for this rule and click Update > OK.

    netwitness_filterruleadd.png

NetWitness updates the filter with the rule that you defined.

Note: Rules are processed in order from top down until an action (Accept or Drop) ends processing for the event, or the final rule has been checked. If no rule ends processing, the default behavior is to accept the event.

The following tables describe the parameters for adding a filter rule.

Event Filter Rule "Key" Parameter

The values for the Key field depend on the Collection method to which the filter applies.

Collection Method: Check Point, File, Netflow, Plugin, SDEE, SNMP, and VMware
Values for the Key Field:

  • All Data Fields
  • Event Source Type
  • Event Source Name
  • Source IP
  • Raw Event

Collection Method: ODBC
Values for the Key Field:

  • All Data Fields
  • Event Source Type
  • Event Source Name
  • Source IP
  • Message ID
  • Message Level

Collection Method: Syslog
Values for the Key Field:

  • All Data Fields
  • Event Source Type
  • Event Source Name
  • Source IP
  • Syslog level
  • Raw Event

Collection Method: Windows
Values for the Key Field:

  • All Data Fields
  • Event Source Type
  • Event Source Name
  • Source IP
  • Event ID
  • Provider
  • Channel
  • Computer
  • UserName
  • DomainName

Collection Method: Windows Legacy
Values for the Key Field:

  • All Data Fields
  • Event Source Type
  • Event Source Name
  • Source IP
  • Event ID

Other Event Filter Rule Parameters

The following table describes all the other available fields for creating an event filter rule.

Field: Operator
Description: How the Value is compared with the selected Key. Valid values are:

  • Contains: the key matches if the Value occurs anywhere in the field.
  • Equal: the key matches only if the field is exactly the Value.

Field: Use Regex
Description: Optional. Select this to interpret the Value as a regular expression instead of a literal string.

Field: Value
Description: The value to compare against; its form depends on the Key you selected. For example, if you choose Syslog level for Key, the Value is the number that denotes the syslog severity level.

Field: Ignore case
Description: Optional. Select this to make the comparison case-insensitive.

Field: Action
Description: The action taken for event data that matches the condition, and the action taken for event data that does not match it. See Actions below for details.

Actions

You can choose a ‘match’ and ‘no-match’ action for each rule condition. This screenshot shows a condition that uses the Accept action on matches, and Drop action on events that do not match the condition.

netwitness_filterrule_match.png

The available actions are as follows:

  • Accept: the event is included in the event logs and no further rule processing is done for it. The event is displayed in the NetWitness user interface during Investigation.

  • Drop: the event is not included in the event logs and no further rule processing is done for it. The event is not displayed during Investigation.

  • Next condition: processing moves on to the next rule condition in the same rule. If there are no more conditions in the current rule, it moves on to the next rule.

  • Next rule: processing skips any remaining conditions in the current rule and moves on to the next rule. If there are no more rules in the filter, the event is included in the event logs and no further rule processing is done for it (the same result as Accept).

For example, consider the following condition:

netwitness_filterrule_example.png

In this condition, if the raw event contains the string "internal", the match action Drop applies: the event is not included in the event meta and is not displayed during Investigation. If the string is not found, the no-match action Accept applies: the event is included and is displayed during Investigation.
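The processing order described above (top-down rules, match and no-match actions per condition, Accept or Drop ending processing, default Accept when the rules are exhausted) is easy to get wrong when a filter has several rules. The following Python simulation is an added example, not NetWitness code: it models a filter as a list of rules whose conditions use the Key, Operator, Value, Use Regex, Ignore case and Action fields from the tables above, and runs a few constructed Syslog-style events through it. The treatment of Use Regex with Equal (whole-field match) and of the "All Data Fields" key (match against any field) is an assumption about how the collector behaves, not something this page states.

```python
"""Simulate top-down evaluation of a NetWitness-style event filter (added example)."""
import re
from dataclasses import dataclass
from typing import Dict, List

Event = Dict[str, object]          # field name (the filter Key) -> value


@dataclass
class Condition:
    key: str                        # one of the Key values listed for the collection method
    operator: str                   # "Contains" or "Equal"
    value: str
    use_regex: bool = False
    ignore_case: bool = False
    on_match: str = "Accept"        # Accept | Drop | Next condition | Next rule
    on_no_match: str = "Next rule"

    def _test(self, text: str) -> bool:
        flags = re.IGNORECASE if self.ignore_case else 0
        if self.use_regex:
            # Assumption: with Use Regex, Equal means the whole field must match
            # and Contains means a match anywhere in the field.
            fn = re.fullmatch if self.operator == "Equal" else re.search
            return fn(self.value, text, flags) is not None
        a, b = (text.lower(), self.value.lower()) if self.ignore_case else (text, self.value)
        return a == b if self.operator == "Equal" else b in a

    def matches(self, event: Event) -> bool:
        if self.key == "All Data Fields":
            # Assumption: "All Data Fields" matches if any field of the event matches.
            return any(self._test(str(v)) for v in event.values())
        return self._test(str(event.get(self.key, "")))


@dataclass
class Rule:
    name: str
    conditions: List[Condition]


def evaluate(rules: List[Rule], event: Event) -> str:
    """Return "Accept" or "Drop" for one event.

    Rules run top down. The first Accept or Drop ends processing;
    "Next condition" continues within the rule, "Next rule" abandons the
    rest of the rule; if every rule is exhausted the event is accepted.
    """
    for rule in rules:
        for cond in rule.conditions:
            action = cond.on_match if cond.matches(event) else cond.on_no_match
            if action in ("Accept", "Drop"):
                return action
            if action == "Next rule":
                break               # skip remaining conditions of this rule
            # "Next condition": fall through to the next condition
    return "Accept"                 # default when no rule ends processing


def page_example() -> List[Rule]:
    """The single-condition filter from the text: drop events containing "internal"."""
    return [Rule("drop-internal", [
        Condition("Raw Event", "Contains", "internal", on_match="Drop", on_no_match="Accept"),
    ])]


def build_filter() -> List[Rule]:
    """A hypothetical three-rule Syslog filter (names and values are constructed)."""
    return [
        # Two conditions chained with "Next condition" act as an AND:
        # drop heartbeats, but only from the monitoring host.
        Rule("drop-monitor-heartbeat", [
            Condition("Source IP", "Equal", "10.0.0.5",
                      on_match="Next condition", on_no_match="Next rule"),
            Condition("Raw Event", "Contains", "heartbeat", ignore_case=True,
                      on_match="Drop", on_no_match="Next rule"),
        ]),
        # Keep authentication failures regardless of later rules.
        Rule("keep-auth-failures", [
            Condition("Raw Event", "Contains", r"authentication failure|failed password",
                      use_regex=True, ignore_case=True, on_match="Accept", on_no_match="Next rule"),
        ]),
        # Drop remaining debug-level (7) chatter.
        Rule("drop-debug", [
            Condition("Syslog level", "Equal", "7", on_match="Drop", on_no_match="Next rule"),
        ]),
    ]


# Constructed sample events (not real collector output); keys mirror the Syslog Key list.
EVENTS: Dict[str, Event] = {
    "heartbeat-from-monitor": {"Source IP": "10.0.0.5", "Syslog level": 6,
                               "Raw Event": "monitor: HEARTBEAT ok"},
    "heartbeat-from-other":   {"Source IP": "10.0.0.9", "Syslog level": 6,
                               "Raw Event": "monitor: heartbeat ok"},
    "ssh-failure-debug":      {"Source IP": "10.0.0.9", "Syslog level": 7,
                               "Raw Event": "sshd[412]: Failed password for root"},
    "debug-chatter":          {"Source IP": "10.0.0.9", "Syslog level": 7,
                               "Raw Event": "app: debug cache warm"},
}


def classify_all(rules: List[Rule], events: Dict[str, Event]) -> Dict[str, str]:
    return {name: evaluate(rules, ev) for name, ev in events.items()}


if __name__ == "__main__":
    for name, verdict in classify_all(build_filter(), EVENTS).items():
        print(f"{name:24s} -> {verdict}")
```

The second event shows why the order of actions matters: the heartbeat from 10.0.0.9 fails the first condition, so its no-match action "Next rule" skips the Drop in the second condition, and because no later rule fires it is accepted by default. The third event shows that an Accept ends processing even though a later rule would have dropped it on Syslog level 7.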

Modify Filter Rules

To modify existing filter rules:

  1. Go to netwitness_adminicon_25x22.png (Admin) > Services.
  2. Select a Log Collection service.
  3. Under Actions, select View > Config to display the Log Collection configuration parameter tabs.
  4. Click the Event Sources tab.

  5. In the Event Sources tab, select any collection method / Filter from the drop-down menus.

    The following screen shows Check Point selected.

    netwitness_esfiltermenu.png

    The Filters view displays the filters that are configured for the selected collection method, if any.

  6. In the Filter Rules list, select a rule and click netwitness_edit_icon.png.

    The Edit Filter Rule dialog is displayed.

    netwitness_editfilter.png

  7. Select the rule condition that you want to modify.

    netwitness_filterruleedit.png

  8. Modify the condition parameters that require changes and click Update > OK.

NetWitness applies the condition parameter changes to the selected filter rule.