IBM Support

WinCollect Event Filtering



How does WinCollect filter events and where does event filtering occur in the network?


WinCollect agents provide two methods to filter events: exclusion filters or XPath queries. The two methods are mutually exclusive, so they cannot be used together in a log source, and each method filters in a different location.

  1. Exclusion Filters

    This type of filtering is done at the WinCollect agent level and applies to both local and remote event collection. Exclusion filtering is done by the agent after receiving the events.

    For exclusion filters, WinCollect agents (local or remote) collect events by using the Microsoft Event Collection API. Each time the value specified in the Polling Interval field expires, the agent requests all available events from the Event Collection API. When an exclusion filter is enabled for a log source, the agent sorts through all of the events retrieved from the Event Collection API and filters out events that match the exclusions defined by the administrator (either by Windows Event ID or by source). The agent then takes the remaining events, assembles the name=value pairs, and forwards the events to either the Console or Event Collector appliance. The events are filtered before they enter the event pipeline at the Console or Event Collector appliance.

    Figure 1: Shows an example of where an exclusion filter is applied.

    Note: When WinCollect is retrieving local events, the API request is made against the local system and the events are retrieved. The exclusion filter is then applied and events are forwarded to the Console or Event Collector appliance.

    WinCollect log sources can apply exclusion filters by Microsoft event ID or by service name. White space that appears next to commas is removed; however, white space between names is not removed. The maximum size of an exclusion filter value is 4096 characters. Services must be separated by semi-colons. Event ID codes can be separated by commas, or by hyphens to note a range of values.

    1. Example 1: The first example shows an exclusion filter applied to Security events by Microsoft Event ID codes. The filter applied in the log source will exclude event IDs that match 4616, and events 4673, 4674, 4675, 4676, and 4677.

    2. Example 2: The second example lists an exclusion filter applied to Application events by service name and event ID. The filter CertEnroll(64-68) excludes events that match the source CertEnroll and events where the EventIDCode matches any of the following events 64, 65, 66, 67, and 68. When administrators filter by service, they can determine the name of the service either by reviewing the event from the Console or they can look at the application event log on the Windows system that generated the event.

      Figure 2: Shows an example of a Windows application event.

    3. Example 3 (not pictured in screen capture): A third example that an administrator might want to apply combines filters so that the WinCollect agent excludes multiple services and event ID codes. For example: SceCli(1202);Symantec AntiVirus(200-456, 49, 4904, 400-670);CertEnroll(65);1003,1066-1202

      Examples 1 and 2 pictured:

      Figure 3: Shows the log source user interface with two example filters applied.

  2. XPath Query

    This type of filtering is done on the Windows operating system and applies to both local and remote event collection. XPath queries are supported only on systems running Windows 2008 Server (or above).

    For XPath queries, the Log Type and Event Type check boxes in the log source interface are ignored. The types of events that are retrieved are defined in the XPath Query field of the log source. Because XPath queries are filtered on the operating system side, events that do not match the query are not transferred on the wire to the agent. An XPath query can be used by local system log sources or by log sources that remotely poll for events. The WinCollect agent submits the XPath query during each polling interval defined in the log source. The WinCollect agent is responsible for assembling the query results into name=value pairs, then forwarding the Syslog events from the query to the Console or Event Collector appliance.

    Figure 4: Shows an example of where an XPath query filters events.
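The exclusion filter syntax described under Exclusion Filters above (services separated by semi-colons, event IDs by commas, hyphens for ranges) can be checked offline before a filter is deployed, to see which events it would drop. The following parser is an added example, not IBM or WinCollect code. It assumes exact, case-sensitive matching on the source name, that bare event IDs apply to any source, and that a service name without parentheses is invalid; the function names are hypothetical.

```python
import re

MAX_FILTER_LEN = 4096  # maximum exclusion filter size stated on the page
# "Name(ids)" segment; the name may contain spaces, e.g. "Symantec AntiVirus"
_SERVICE = re.compile(r"^(?P<name>[^()]+)\((?P<ids>[^()]*)\)$")
# Filter string from Example 3 on this page
EXAMPLE_3 = ("SceCli(1202);Symantec AntiVirus(200-456, 49, 4904, 400-670);"
             "CertEnroll(65);1003,1066-1202")


def _parse_ids(spec):
    """Turn '200-456, 49' into a list of inclusive (low, high) ranges."""
    ranges = []
    for token in spec.split(","):
        token = token.strip()  # white space next to commas is dropped
        low, sep, high = token.partition("-")
        if not low.isdecimal() or (sep and not high.isdecimal()):
            raise ValueError(f"bad event ID token: {token!r}")
        lo, hi = int(low), int(high) if sep else int(low)
        if lo > hi:
            raise ValueError(f"descending range: {token!r}")
        ranges.append((lo, hi))
    return ranges


def parse_exclusion_filter(text):
    """Return {source or None: [(low, high), ...]}; None means any source."""
    if len(text) > MAX_FILTER_LEN:
        raise ValueError("filter exceeds 4096 characters")
    rules = {}
    for segment in text.split(";"):  # services are separated by semi-colons
        m = _SERVICE.match(segment.strip())
        if m:
            source, ids = m.group("name").strip(), m.group("ids")
        else:
            source, ids = None, segment  # bare IDs (assumed: no bare names)
        rules.setdefault(source, []).extend(_parse_ids(ids))
    return rules


def is_excluded(rules, source, event_id):
    """True if an event with this source and event ID would be filtered out."""
    candidates = rules.get(None, []) + rules.get(source, [])
    return any(lo <= event_id <= hi for lo, hi in candidates)


if __name__ == "__main__":
    parsed = parse_exclusion_filter(EXAMPLE_3)
    for src, eid in [("CertEnroll", 65), ("CertEnroll", 64), ("Other", 1100)]:
        print(src, eid, "excluded" if is_excluded(parsed, src, eid) else "kept")
```

Running a list of the event IDs that detection rules depend on through `is_excluded` shows whether a proposed filter would remove them at the agent before they reach the Console or Event Collector.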

Where do I find more information?
If you have additional questions or some of this content is not clear, you can see the QRadar forum or contact customer support.

Document information

More support for: IBM QRadar SIEM

Component: WinCollect

Software version: 7.1, 7.2

Operating system(s): Linux, Windows

Software edition: All Editions

Reference #: 1672656

Modified date: 10 May 2019