2 Replies Latest reply on Sep 12, 2013 7:17 AM by garrethcoleman

    In-line filter of Windows events from LEM agent

    garrethcoleman

      Hi All,

       

I am new to LEM and currently getting up to speed with its capabilities. As part of getting to grips with this product, I installed the Windows Agent on my Windows 7 workstation as a means of filtering events generated.

       

      When the connector is enabled for Vista Security, the agent reports 2 events per second. Below is a sanitised output from my LEM nDepth search query of the events in question:

       

      Event 1
        Event Name:      ProcessStop
        EventInfo:       Program exited "C:\Windows\System32\SearchProtocolHost.exe" PID 0x1e68 user "DOMAIN\machinename$"
        InsertionIP:     machinename.domain.space
        Manager:         pros-lem-01
        DetectionIP:     machinename.domain.space
        InsertionTime:   Wed Aug 28 15:46:19 GMT+0100 2013
        DetectionTime:   Wed Aug 28 14:18:00 GMT+0100 2013
        Severity:        4
        ToolAlias:       Vista Security
        InferenceRule:   (empty)
        ProviderSID:     Microsoft-Windows-Security-Auditing 4689
        ExtraneousInfo:  C:\Windows\System32\SearchProtocolHost.exe
        UniqueID:        3.13035E+19
        EventMessage:    Program "C:\Windows\System32\SearchProtocolHost.exe" exited
        ImageFile:       (empty)
        ParentPID:       (empty)
        ProcessID:       0x1e68
        SourceAccount:   machinename$
        SourceDomain:    DOMAIN
        SourceLogonID:   0x3e7
        StopCondition:   Normal

      Event 2
        Event Name:      ProcessStart
        EventInfo:       Exec "SearchProtocolHost.exe" by "DOMAIN\machinename$"
        InsertionIP:     machinename.domain.space
        Manager:         pros-lem-01
        DetectionIP:     machinename.domain.space
        InsertionTime:   Wed Aug 28 15:46:19 GMT+0100 2013
        DetectionTime:   Wed Aug 28 14:18:00 GMT+0100 2013
        Severity:        4
        ToolAlias:       Vista Security
        InferenceRule:   (empty)
        ProviderSID:     Microsoft-Windows-Security-Auditing 4688
        ExtraneousInfo:  C:\Windows\System32\SearchProtocolHost.exe
        UniqueID:        3.13035E+19
        EventMessage:    (empty)
        ImageFile:       C:\Windows\System32\SearchProtocolHost.exe
        ParentPID:       0xd34
        ProcessID:       0x2574
        SourceAccount:   machinename$
        SourceDomain:    DOMAIN
        SourceLogonID:   0x3e7
        StopCondition:   (empty)

       

       

      These events occur in pairs and repeat per second.

       

       

      I am interested to know how to omit these events from being reported to LEM. As a workaround, I can stop the Vista Security Connector, but this omits other security events reported by the Operating System. If logging of process start and stop has to be disabled at the Operating System, this may be the solution, else I would like to know if the agent can be configured with in-line filtering to omit sending Process Start and Stop events to LEM.

       

      Thanks in Advance,

       

      Garreth

        • Re: In-line filter of Windows events from LEM agent
          nicole pauls

          This looks like Audit Process Tracking - Success is enabled on your system. You can turn that off in the Windows Audit policy and they won't get generated at all (in the event log or coming to LEM).

           

          Within LEM, you can filter that alert from ever appearing across all systems, or you can filter it out but still collect/store/correlate it. (Or, track down what's up with SearchProtocolHost.exe opening and closing so frequently) Right now, there's no filter you can apply to the connector to disable certain patterns from collecting, but that's an interesting idea.

            • Re: In-line filter of Windows events from LEM agent
              garrethcoleman

              Nicole,

               

              Thanks for responding. I am new to LEM and getting to grips with its features. I am curious if it is possible to filter out these events through the appliance policy, like the KB article instructs for Windows noise events in this link? http://knowledgebase.solarwinds.com/kb/questions/2834/__fav This policy would be applied to the appliance, vs the individual node though, so if my suggestion is possible, it is limited in the scope of filtering these events from one specific node.

               

              In my example, the workstation did have a problem with the windows search indexing service, hence the repeated process start/stop events, which did identify the workstation had an issue previously unseen, so there is merit in receiving all events. Also the Group Policy is set to enforce process audit events to the security log, so the logging of these events cannot be turned off at Operating System level for this individual workstation.

               

              -Garreth
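The thread maps LEM's ProcessStart/ProcessStop alerts to Security log IDs 4688 (Process Creation) and 4689 (Process Termination), and Nicole points at the Windows audit policy as the place they come from. The script below is an added example, not code from the thread, SolarWinds, or Microsoft: it is the host-side check a practitioner would run before deciding between a LEM filter and an audit-policy change. It counts 4688/4689 events per image over a look-back window to find the noisy process (here it would surface SearchProtocolHost.exe), then prints the effective state of the two audit subcategories with auditpol. The look-back window, the events-per-minute threshold and the requirement to run it elevated are assumptions of the example.

```powershell
# Added example (not from the thread): quantify 4688/4689 noise per image on the
# local host and show the audit-policy subcategories that generate them.
# Assumes: elevated PowerShell (the Security log needs admin to read), and a
# Windows 7+ host with Process Creation/Termination auditing on, as in the post.

param(
    [int]$Minutes = 10,             # look-back window (assumption)
    [int]$PerMinuteThreshold = 30   # rate above which an image counts as "noisy" (assumption)
)

$since = (Get-Date).AddMinutes(-$Minutes)

# 4688 = Process Creation (LEM "ProcessStart"), 4689 = Process Termination (LEM "ProcessStop")
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4688, 4689
    StartTime = $since
} -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    $x = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $x.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    # 4688 carries the image as NewProcessName; 4689 carries it as ProcessName
    $image = if ($e.Id -eq 4688) { $data['NewProcessName'] } else { $data['ProcessName'] }
    [pscustomobject]@{
        Id      = $e.Id
        Image   = $image
        Account = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
        Time    = $e.TimeCreated
    }
}

$summary = $rows | Group-Object Image | ForEach-Object {
    $starts = @($_.Group | Where-Object { $_.Id -eq 4688 }).Count
    $stops  = @($_.Group | Where-Object { $_.Id -eq 4689 }).Count
    [pscustomobject]@{
        Image     = $_.Name
        Starts    = $starts
        Stops     = $stops
        PerMinute = [math]::Round(($starts + $stops) / $Minutes, 1)
        Account   = ($_.Group | Select-Object -First 1).Account
    }
} | Sort-Object PerMinute -Descending

"Process start/stop events in the last $Minutes minute(s):"
$summary | Format-Table -AutoSize

$noisy = $summary | Where-Object { $_.PerMinute -ge $PerMinuteThreshold }
if ($noisy) {
    "Images above $PerMinuteThreshold events/min (candidates for a LEM filter or a host-side fix):"
    $noisy | Select-Object Image, PerMinute | Format-Table -AutoSize
}

# The subcategories behind these IDs. If Group Policy sets them, as in the
# original poster's case, a local 'auditpol /set' is reverted at the next
# policy refresh, so read the effective state rather than changing it here.
"Effective audit policy:"
auditpol /get /subcategory:"Process Creation"
auditpol /get /subcategory:"Process Termination"
```

Run it as `.\Find-ProcessAuditNoise.ps1 -Minutes 5` (file name assumed) on the workstation in question. A single image dominating the table, with roughly equal start and stop counts, matches the pattern in the post: an indexing service crashing and being restarted, which is worth fixing on the host rather than hiding in LEM. If the policy really must stay on, the rate this script reports is the number to use when sizing an appliance-side filter.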