How to Forward Specific Security Logs to a...
Posted 11/10/2019 1:39:46 AM
Forum Newbie
Group: Forum Members
Hello all,
I have a collector for our SIEM solution, and I want to collect only 4624 events (which are the logon events) from the endpoints.
So I created a subscription in the Event Viewer to collect these events.
Now I successfully managed to do it, however I noticed I am getting a lot of noise (most of these events are from SYSTEM logon and NT AUTHORITY etc.). Can I exclude some of those from the subscription, such that I limit the logs I receive to only those logs with logon type 2, 7 and 11?


Thanks very much.
Post #8602
Posted 11/13/2019 4:39:06 AM
Junior Member
Group: Administrators
Hi,

Yes, you can do this. You can do it with Event Viewer, but it's easier with Supercharger for Windows Event Collection. You can find more info here: https://www.logbinder.com/Products/Supercharger/

You can download and install it. After installation, go to Settings, then Managed Filters. You will find a filter named "Builtin - Security: with Noise Suppression". You can click on View and see the XPath that is used for the filtering.

You can also add a new filter. There are two options: Raw and Security. Use Security and build the filter. You can get very granular with the options available there. You can then use the filter in Supercharger, or you can click on the Summary tab, copy out the XPath, and use it in your subscriptions in Event Viewer.
Post #8605
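The XPath the thread is after, as an added example that is not code from either post or from Supercharger: it builds a Select clause that keeps Security 4624 only for logon types 2 (interactive), 7 (unlock) and 11 (cached interactive), then runs the same query locally with Get-WinEvent so you can see what the filter passes before pasting it into the subscription. The function names and the default logon-type list are this example's own; the Windows XPath syntax and the cmdlets are standard.

```powershell
# Added example (not from the original posts or from Supercharger): build the
# XPath the thread is asking for and check locally what it passes before
# putting it in the Event Viewer / WEF subscription.

function New-LogonTypeQuery {
    param(
        [int[]]$LogonType = @(2, 7, 11),   # 2 interactive, 7 unlock, 11 cached interactive
        [int]$EventId = 4624
    )
    # One predicate per type, joined with "or". Matching on Data[@Name='LogonType']
    # is exact; a bare Data='2' would match any EventData field that holds "2".
    $typeTerms = ($LogonType | ForEach-Object { "Data[@Name='LogonType']='$_'" }) -join ' or '
    $xpath = "*[System[(EventID=$EventId)]] and *[EventData[$typeTerms]]"

    # The same XPath wrapped in the QueryList form that the subscription's
    # Select Events > XML tab and Get-WinEvent -FilterXml both accept.
    $queryList = @"
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">$xpath</Select>
  </Query>
</QueryList>
"@
    [pscustomobject]@{ XPath = $xpath; QueryList = $queryList }
}

function Test-LogonTypeQuery {
    param(
        [string]$QueryList,
        [int[]]$ExpectedLogonType = @(2, 7, 11),
        [int]$MaxEvents = 200
    )
    # Reading the Security log needs an elevated prompt.
    $events = Get-WinEvent -FilterXml ([xml]$QueryList) -MaxEvents $MaxEvents -ErrorAction SilentlyContinue

    $rows = foreach ($e in $events) {
        # Pull fields by name from the event XML instead of relying on
        # positional Properties[] indexes, which differ between event versions.
        $data = @{}
        foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) {
            $data[$d.GetAttribute('Name')] = $d.InnerText
        }
        [pscustomobject]@{
            Time      = $e.TimeCreated
            LogonType = [int]$data['LogonType']
            Account   = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
        }
    }

    # Anything outside the expected set means the XPath is wrong, not the SIEM.
    $unexpected = $rows | Where-Object { $_.LogonType -notin $ExpectedLogonType }
    if ($unexpected) { Write-Warning "Filter passed logon types outside the expected set" }

    # Per-type counts of what the filter let through on this host.
    $rows | Group-Object LogonType | Sort-Object Name |
        Select-Object @{ n = 'LogonType'; e = { $_.Name } }, Count
}

$q = New-LogonTypeQuery
$q.XPath            # paste this into the subscription's XML tab (or a Raw filter)
Test-LogonTypeQuery -QueryList $q.QueryList
```

The SYSTEM and NT AUTHORITY entries that make up most 4624 noise are service (type 5) and system (type 0) logons, so restricting the Select to 2, 7 and 11 drops them without a separate Suppress clause. Run the test on a workstation rather than on the collector itself if you want to see type 2 and 7 events in the sample.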