Objective
EventLog Analyzer offers log filtering so that you can exclude unwanted events from collection, or collect only the logs you actually need, instead of ingesting noisy events. Filters let you include or exclude logs based on criteria such as event ID, keywords, or user accounts. This minimizes the data collected when the log flow is high, which in turn reduces the storage/disk consumed by EventLog Analyzer, cuts noise, and makes it easier to focus on the important logs.
Prerequisite
Steps to follow
Log in to EventLog Analyzer with your admin account.
Go to Settings > Admin Settings > Log Collection Filter.
To view or edit an existing filter's criteria, click the edit option (pencil icon) of the respective policy.

To create a custom filter, choose the + Add filter option in the Log Collection Filter page.
Enter a Filter Name, select the Log Format, select the Device(s), and configure the criteria.
NOTE: You can add a single device or multiple devices to which the filter will be applied. The filter takes effect on a log when that log matches the filter criteria. It is recommended to test the match cases using the Search tab before applying the filter. Choose whether you want to Include or Exclude the matching logs.
Save your filter.
NOTE: This filter will be applied to all upcoming events. In agent-based log collection, if the agent ports are allowed bi-directionally, the filter will be synchronized to the agent during the next sync process.
Tips
An inappropriately configured Log Collection Filter can stop log collection entirely or partially, which leads to loss of data during collection. Use Include when you want to collect only certain events. Use Exclude to remove unwanted or noisy logs during log collection.
Supported Sources for Log Collection Filter
Windows logs
IBM/400 logs
Syslog format sources: Unix, Cisco, SonicWall, Juniper, PaloAlto, Fortinet, CheckPoint Device, NetScreen, WatchGuard, Sophos, Barracuda, Huawei, Meraki, HP, Syslog, PfSense, FirePower, F5, Stormshield, Dell, ForcePoint, Topsec, Sangfor
Application log format sources: Sysmon, IIS Server (event viewer logs only), Oracle, Terminal, Printer, MSSQL Server Logs (event viewer logs only), Syslog Application
Check your filters from time to time and adjust them if required so they always collect the right logs for your needs.
To confirm that the Log Collection Filter is working, go to the Search tab, enter the criteria you used in the Log Collection Filter, and check whether the events are collected for the respective device after enabling the filter.
Related topics and articles
FAQ
1. I have enabled a couple of Log Collection Filters, but no data is being collected from that device.
Answer: Event collection in EventLog Analyzer/Log360 is governed by the configured log collection filter policy. If you have defined exclusions for most events or specified only certain events to be collected, the application will gather logs strictly based on the rules set in that policy. If no events appear to be collected, it may be because the permitted events are not yet being generated or captured by EventLog Analyzer/Log360.
2. When should I create Log Collection Filter?
Answer: You can create Log collection Filter policies for the following reasons:
If you want to collect only selective events from the log source.
If you would like to exclude noisy events or minimize the events being collected.
If the log flow is high and filtering some unwanted logs would save disk space.
3. If I have created two filters in which one says to allow the events and another says to block the events, which will be applied?
Answer: If one filter is set to collect (Include) and another to exclude, and both use the same criteria, the exclusion takes effect and EventLog Analyzer will not collect the event.
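The following is an added illustration, not ManageEngine code (the product's actual matching engine is not documented on this page): a small Python dry-run model of the Include/Exclude semantics described in the Tips and in FAQs 1 and 3, run over constructed sample events. It assumes that criteria of different kinds (event ID, user, keyword) are ANDed within one filter and that keywords are matched as case-insensitive substrings of the message.

```python
from dataclasses import dataclass, field

# Constructed sample events (not real logs). Fields mirror the criteria
# kinds the article names: event ID, user account and message keywords.
SAMPLE_EVENTS = [
    {"event_id": 4624, "user": "alice", "message": "An account was successfully logged on"},
    {"event_id": 4624, "user": "svc_backup", "message": "An account was successfully logged on"},
    {"event_id": 4688, "user": "alice", "message": "A new process has been created"},
    {"event_id": 4672, "user": "SYSTEM", "message": "Special privileges assigned to new logon"},
    {"event_id": 5156, "user": "SYSTEM", "message": "Windows Filtering Platform has permitted a connection"},
]

@dataclass
class Filter:
    name: str
    action: str                           # "include" or "exclude"
    event_ids: set = field(default_factory=set)
    users: set = field(default_factory=set)
    keywords: set = field(default_factory=set)

    def matches(self, ev):
        # Assumption: every criterion that is set must match (AND);
        # criteria left empty are ignored.
        if self.event_ids and ev["event_id"] not in self.event_ids:
            return False
        if self.users and ev["user"] not in self.users:
            return False
        if self.keywords and not any(k.lower() in ev["message"].lower() for k in self.keywords):
            return False
        return True

def would_collect(ev, filters):
    """Apply the article's semantics to one event:
    - a matching Exclude filter drops the event, even if an Include also matches (FAQ 3);
    - when Include filters exist, the event must match at least one of them;
    - with no Include filters, everything that is not excluded is collected."""
    if any(f.action == "exclude" and f.matches(ev) for f in filters):
        return False
    includes = [f for f in filters if f.action == "include"]
    return not includes or any(f.matches(ev) for f in includes)

def dry_run(filters, events=SAMPLE_EVENTS):
    """Count what a filter set would keep and drop before it is applied for real,
    the same check the article suggests doing with the Search tab."""
    kept = [ev for ev in events if would_collect(ev, filters)]
    return {"collected": len(kept), "dropped": len(events) - len(kept),
            "collected_ids": [ev["event_id"] for ev in kept]}
```

A dry run whose result is `collected: 0` is the situation described in FAQ 1: the filter is working as written, but nothing in the current log flow satisfies it.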
4. What are the best practices recommended by ManageEngine for creating a Log Collection Filter?
Answer: ManageEngine recommends the following best practices when creating a log filter:
i. Understand the requirement of collecting events.
ii. Do internal research to define the list of events that you do not need to collect from the respective log source, based on your compliance and security needs.
iii. After that internal validation, build the criteria in the Search tab to confirm that they match exactly the events you intend to exclude or collect.
5. Can I enable all the default policies offered by ManageEngine?
Answer: Predefined policies are provided as samples to help you understand the functionality of the Log Collection Filter feature. However, it is strongly recommended to create custom log filtering policies tailored to your organization's requirements unless the default policies fully meet your needs.