The issue I've always had with SIEM systems is that they aggregate all of my logs and leave me with a sea of data that is far too expansive to swallow. I'm trialing LEM now in hopes of finding a product that might defy the odds.
As such, is there a way in LEM to auto-remove or filter out (not create a filter to see) certain superfluous events?
In my case, I've set my VMware ESXi 5 hosts to syslog to my LEM appliance, and I'm getting inundated with events about "Power policy is unset", which seems to just be noise in the vpxa/hostd logs about VM details (which don't even warrant a log entry in the vSphere Client events list). In 8 minutes, I get 1000 of these events from just 1 host. As you might understand, I'd like to omit these if possible.
If that isn't how LEM is supposed to be configured, can someone explain the proper way to handle extra data like this? I'm hoping to use LEM to harvest "CatchAll" log files from my Kiwi Syslog Server, so I expect I'll start finding plenty of data I don't wish to retain.
Thanks,
Chris
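One way to see what a pre-filter for this kind of noise has to do, as an added example that is not from the original post and is not LEM's own filtering mechanism: a small Python filter that drops the "Power policy is unset" lines before they reach the SIEM, but keeps a per-host count so the suppression is never silent and a sudden flood (1000 events in 8 minutes from one host) still surfaces as one summary event. The syslog lines, host names and the `SYSLOG_RE` layout are constructed approximations of ESXi 5 hostd output, not real captures.

```python
import re
from collections import Counter

# Constructed ESXi-5-style syslog lines (approximate format, not real captures).
SAMPLE_LINES = [
    "<166>2013-05-02T10:15:01.000Z esx01 Hostd: [5E8C verbose 'vm:/vmfs/volumes/ds1/web01/web01.vmx'] Power policy is unset",
    "<166>2013-05-02T10:15:01.100Z esx01 Hostd: [5E8C verbose 'vm:/vmfs/volumes/ds1/db01/db01.vmx'] Power policy is unset",
    "<166>2013-05-02T10:15:02.000Z esx01 Hostd: [5E8C info 'Vimsvc'] [Auth]: User root logged in from 10.0.0.5",
    "<166>2013-05-02T10:15:02.500Z esx01 Hostd: [5E8C verbose 'vm:/vmfs/volumes/ds1/app01/app01.vmx'] Power policy is unset",
    "<166>2013-05-02T10:15:03.000Z esx02 Hostd: [7A10 verbose 'vm:/vmfs/volumes/ds2/file01/file01.vmx'] Power policy is unset",
]

# Messages judged to be noise; extend this list as further patterns are identified.
NOISE_PATTERNS = [re.compile(r"Power policy is unset")]

# Optional PRI, timestamp, hostname and process name at the start of an ESXi syslog line.
SYSLOG_RE = re.compile(r"^(?:<\d+>)?(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<proc>[^:\s\[]+):")


def filter_noise(lines, patterns=NOISE_PATTERNS):
    """Return (kept_lines, dropped_counts); dropped_counts is keyed by (host, process)."""
    kept, dropped = [], Counter()
    for line in lines:
        if any(p.search(line) for p in patterns):
            m = SYSLOG_RE.match(line)
            key = (m.group("host"), m.group("proc")) if m else ("unknown", "unknown")
            dropped[key] += 1          # count what was suppressed instead of losing it
        else:
            kept.append(line)         # everything else is forwarded unchanged
    return kept, dropped


def summary_events(dropped, window_minutes, rate_alert_per_min=100.0):
    """One synthetic summary line per (host, process) so suppression stays visible.
    Sources whose drop rate exceeds rate_alert_per_min are flagged; the 1000-in-8-minutes
    case from the post is 125/min and trips the default threshold."""
    events = []
    for (host, proc), n in sorted(dropped.items()):
        rate = n / window_minutes
        flag = " FLOOD" if rate > rate_alert_per_min else ""
        events.append(f"{host} {proc}: suppressed {n} noise events in {window_minutes} min ({rate:.1f}/min){flag}")
    return events
```

The summary lines are meant to be forwarded to the SIEM in place of the raw noise, so a host that suddenly emits far more of them than usual is still noticeable.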