Windows event log synchronization (agent side filtering)

Started by Watchman, May 06, 2021, 05:10:06 AM


Watchman

In general I like this feature.  8)

Since every source can theoretically generate events with ID 0-65535, it should be possible to include/exclude a combination of source, level and ID (similar to Logwatch).
For example: A search for ID 1 on www.eventid.net shows a list of many different sources with different levels.

I tried some keywords, but with version 3.8.266, level or severity is not supported?

My first and most important step would be to exclude level 4 (information).
That would greatly relieve the database.

I'm looking forward to new filter options.  ;)

Thanks in advance.

Victor Kirhenshtein

Hi,

just added a severity filter option to the wineventsync subagent. Now for every reader you can specify the SeverityFilter parameter, which is either a bit mask or a list of severity level names separated by commas. Below are the level names and their values:

Critical = 0x100
Error = 0x001
Warning = 0x002
Information = 0x004
AuditSuccess = 0x008
AuditFailure = 0x010

To accept only warning and error events:

SeverityFilter = 0x003

or

SeverityFilter = Warning,Error

This change will be included in the next patch release.

Best regards,
Victor
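Added example (not NetXMS or wineventsync code): a small model of the SeverityFilter semantics described in the reply above, using the bit values it lists, plus a check of whether an event of a given severity would be forwarded. The parsing details (case-insensitive names, whitespace around commas tolerated, unknown names rejected, "0x" prefix for hex) are assumptions of this example, not documented subagent behaviour.

```cpp
#include <cctype>
#include <cstdint>
#include <map>
#include <sstream>
#include <stdexcept>
#include <string>

// Bit values exactly as listed in the reply above.
enum Severity : uint32_t {
    SEV_ERROR = 0x001, SEV_WARNING = 0x002, SEV_INFORMATION = 0x004,
    SEV_AUDIT_SUCCESS = 0x008, SEV_AUDIT_FAILURE = 0x010, SEV_CRITICAL = 0x100
};

// Trim blanks and lower-case a token (assumption: names are case-insensitive).
static std::string trimLower(const std::string& s) {
    size_t b = s.find_first_not_of(" \t"), e = s.find_last_not_of(" \t");
    if (b == std::string::npos) return "";
    std::string r = s.substr(b, e - b + 1);
    for (char& c : r) c = static_cast<char>(std::tolower(static_cast<unsigned char>(c)));
    return r;
}

// Parse a SeverityFilter value: a numeric mask ("0x003" or decimal) or a
// comma-separated list of level names. Unknown names throw (assumption).
uint32_t parseSeverityFilter(const std::string& value) {
    static const std::map<std::string, uint32_t> names = {
        {"critical", SEV_CRITICAL}, {"error", SEV_ERROR}, {"warning", SEV_WARNING},
        {"information", SEV_INFORMATION}, {"auditsuccess", SEV_AUDIT_SUCCESS},
        {"auditfailure", SEV_AUDIT_FAILURE}};
    std::string v = trimLower(value);
    if (!v.empty() && std::isdigit(static_cast<unsigned char>(v[0])))
        return static_cast<uint32_t>(std::stoul(v, nullptr, 0));  // base 0: "0x.." is hex
    uint32_t mask = 0;
    std::stringstream ss(v);
    std::string tok;
    while (std::getline(ss, tok, ',')) {
        auto it = names.find(trimLower(tok));
        if (it == names.end()) throw std::invalid_argument("unknown severity: " + tok);
        mask |= it->second;
    }
    return mask;
}

// True when an event of this severity is accepted by the filter mask.
bool eventPasses(uint32_t filterMask, Severity eventSeverity) {
    return (filterMask & eventSeverity) != 0;
}
```

Watchman's wish to drop Information events corresponds to listing every other level, e.g. Critical,Error,Warning,AuditSuccess,AuditFailure, which this model resolves to mask 0x11B.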