5 Replies Latest reply on Nov 2, 2015 9:52 AM by nicole pauls

    Filtering Certain Windows Security Events Before the LEM Agent Sends to the Manager

    chadd.schlotter@dycominc.com

      Hi all,

      We currently have monitoring processes that log on to our servers continuously to monitor the overall health of the server. This turns into thousands of unnecessary events flowing into LEM. Is there a way to filter these alerts at the Agent level so that they do not forward to the Manager? Here are the additional criteria:

      - We have to ensure that these events hit the Security Log locally on the server (can't filter them there).

      - We are open to receiving the events on the Manager side and then trashing them (no display in the console, alerting, or storage) based on the Source Machine and Source Account used to log on.

      Any help is appreciated.

        • Re: Filtering Certain Windows Security Events Before the LEM Agent Sends to the Manager
          nicole pauls

          Hmm... we do have the concept of Event Policies that do the second thing you described (filter on the manager side from console/storage/rules), but they are mostly global based on event type (e.g. all logons) OR hardcoded (e.g. all interactive logons or Windows Filtering Platform events) to big buckets.

          On the agent side, the only thing that does filtering right now are the connectors themselves, but since there's not really an exposed way for you to edit or create a "rule" in a connector, I think you're stuck there, too.

          So we're really close, but I'm not sure there's a really good way. Most people in this situation are able to filter them from hitting the security log, so we can kind of cheat.

            • Re: Filtering Certain Windows Security Events Before the LEM Agent Sends to the Manager
              mark88

              Hi Nicole,

              Is there a list of which events are filtered by the following LEM Connectors?

              Windows Application Log

              Windows System Log

              Windows 7/2008/Vista Security Log

              I can set up a filter in LEM based on the Tool Alias to find out which events are being passed through from the Agents, but it would be far easier to have the full list to hand to see at a glance which events are filtered on the Agent side by the above Connectors and which are normalised and passed through to LEM. (e.g. Citrix XenApp 6.5 logs many events to both Windows Application Log and Windows System Log, and it would be useful to see at a glance which event IDs are being picked up and normalised by the Agent Connectors and which events are being filtered/discarded and not passed to LEM.)

              Thanks!

                • Re: Filtering Certain Windows Security Events Before the LEM Agent Sends to the Manager
                  nicole pauls

                  There hasn't been a list published, though the team may be looking at it. The only way you can sort of "reverse engineer" this list is in the connectors themselves. Each connector has patterns that match by event ID and source. It might be a little tough to extract that data, since some patterns are grouped together. There is a master list of which eventIDs are passed through the connector at the top of the connector (it's an element that looks like "eventIDs=" and may honestly just say eventIDs="all" - which means any eventID COULD pass into the connector, but there could ALSO be later filtering that drops it, which makes it complicated).

              • Re: Filtering Certain Windows Security Events Before the LEM Agent Sends to the Manager
                twuk

                Hi Chadd,

                I have raised this too with the guys from SolarWinds on the stand at InfoSec in London and with the LEM support department manager in the US.

                It would be a huge benefit to us too.

                • Re: Filtering Certain Windows Security Events Before the LEM Agent Sends to the Manager
                  hcclife

                  We have a similar issue looking for privileged logins when we have applications that log in to the servers every time the user interacts with the application. In some cases the application manages the user login and the application uses a master login to connect to the backend or database server, so we get thousands of login events for user accounts that we aren't interested in.
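Added example, not from this thread and not SolarWinds LEM code: the manager-side discard Chadd describes (and hcclife's master-login case) written as stand-alone Python over a handful of constructed events in an assumed normalized shape (field names `event_id`, `account`, `source_host`, `logon_type` are assumptions, as are the account and host names). The point worth getting right, whatever tool eventually does this, is to suppress only the full tuple (account, source host, logon type, event ID), so the same monitoring account appearing from another host, logging on interactively, or failing to log on still reaches the console, and to emit a count of what was dropped so the suppressed volume stays visible.

```python
"""Added example (not from the thread or SolarWinds LEM): drop the expected
logons of a monitoring account only when account, source host, logon type and
event ID all match, pass everything else through, and count what was dropped.
Field names, account names and host names below are constructed assumptions."""
from collections import Counter


def _key(account, host, logon_type, event_id):
    """Case-insensitive match key; Windows logs vary the case of names."""
    return (account.lower(), host.upper(), int(logon_type), int(event_id))


# Expected noise: 4624 network logons (type 3) by svc_monitor from MON01 only.
# Any other combination is exactly the kind of event you still want to see.
SUPPRESS = {_key("svc_monitor", "MON01", 3, 4624)}

# Constructed sample events in an assumed normalized form (not real log data).
SAMPLE_EVENTS = [
    {"event_id": 4624, "account": "svc_monitor", "source_host": "MON01",     "logon_type": 3,  "target": "SRV1"},
    {"event_id": 4624, "account": "svc_monitor", "source_host": "MON01",     "logon_type": 3,  "target": "SRV2"},
    {"event_id": 4624, "account": "svc_monitor", "source_host": "WKS-HR-07", "logon_type": 3,  "target": "SRV1"},  # right account, wrong host
    {"event_id": 4624, "account": "svc_monitor", "source_host": "MON01",     "logon_type": 10, "target": "SRV1"},  # RDP from the monitor host
    {"event_id": 4624, "account": "jdoe",        "source_host": "WKS-42",    "logon_type": 2,  "target": "SRV1"},  # ordinary user
    {"event_id": 4625, "account": "svc_monitor", "source_host": "MON01",     "logon_type": 3,  "target": "SRV3"},  # failed logon, keep
]


def is_noise(ev, suppress=SUPPRESS):
    """True when the event is an expected monitoring logon that can be discarded."""
    return _key(ev["account"], ev["source_host"], ev["logon_type"], ev["event_id"]) in suppress


def filter_events(events, suppress=SUPPRESS):
    """Split events into (kept, dropped) where dropped is a Counter keyed by (account, host)."""
    kept, dropped = [], Counter()
    for ev in events:
        if is_noise(ev, suppress):
            dropped[(ev["account"], ev["source_host"])] += 1
        else:
            kept.append(ev)
    return kept, dropped


def summary_event(dropped, interval_seconds=300):
    """One synthetic event per interval carrying the suppressed counts, so a
    jump (or silence) from the monitoring host can still be alerted on."""
    return {
        "event_id": "FILTER_SUMMARY",
        "interval_seconds": interval_seconds,
        "suppressed": {f"{acct}@{host}": n for (acct, host), n in sorted(dropped.items())},
        "total": sum(dropped.values()),
    }


if __name__ == "__main__":
    kept_events, dropped_counts = filter_events(SAMPLE_EVENTS)
    for event in kept_events:
        print("forward:", event)
    print("summary:", summary_event(dropped_counts))
```

Of the six constructed events, only the first two are discarded; the monitoring account seen from a workstation, over RDP, or failing to log on is forwarded unchanged, and the summary records the two suppressed logons from MON01.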