Clarification on Custom Filter Rules, Common Windows Filters and KB74834

I'm looking to get some clarification on creating custom filter rules and using KB74834 to discard Windows Events from being sent to ESM while still forwarding them to ELM.

Since I haven't worked with filters, I assume the workflow works such that everything runs through the custom filters first and then goes on to be parsed, which requires a "match all" so that anything not discarded still goes through the normal parsing process. Is that correct?

If I'm understanding that right, I obviously need to figure out what will be filtered. While I see some very obvious ones and know it's a business choice / preference, are there any common filter rules you guys create for particular Windows logs that don't offer a lot of Information Security value? I definitely see uses for filtering out the $ accounts from logs per the example.