Hi All,
I am new to LEM and currently getting up to speed with it's capabilities. As part of getting to grips with this product, I installed the Windows Agent to my Windows 7 workstation as a means of filtering events generated.
When the connector is enabled for Vista Security, the agent reports 2 events per second. Below is a sanitised output from my LEM nDepth search query of the events in question:
| Event Name | EventInfo | InsertionIP | Manager | DetectionIP | InsertionTime | DetectionTime | Severity | ToolAlias | InferenceRule | ProviderSID | ExtraneousInfo | UniqueID | EventMessage | ImageFile | ParentPID | ProcessID | SourceAccount | SourceDomain | SourceLogonID | StopCondition |
| ProcessStop | Program exited "C:\Windows\System32\SearchProtocolHost.exe" PID 0x1e68 user "DOMAIN\machinename$" | machinename.domain.space | pros-lem-01 | machinename.domain.space | Wed Aug 28 15:46:19 GMT+0100 2013 | Wed Aug 28 14:18:00 GMT+0100 2013 | 4 | Vista Security | Microsoft-Windows-Security-Auditing 4689 | C:\Windows\System32\SearchProtocolHost.exe | 3.13035E+19 | Program "C:\Windows\System32\SearchProtocolHost.exe" exited | 0x1e68 | machinename$ | DOMAIN | 0x3e7 | Normal | |||
| ProcessStart | Exec "SearchProtocolHost.exe" by "DOMAIN\machinename$" | machinename.domain.space | pros-lem-01 | machinename.domain.space | Wed Aug 28 15:46:19 GMT+0100 2013 | Wed Aug 28 14:18:00 GMT+0100 2013 | 4 | Vista Security | Microsoft-Windows-Security-Auditing 4688 | C:\Windows\System32\SearchProtocolHost.exe | 3.13035E+19 | C:\Windows\System32\SearchProtocolHost.exe | 0xd34 | 0x2574 | machinename$ | DOMAIN | 0x3e7 |
These events occur in pairs and repeat per second.
I am interested to know how to omit these events from being reported to LEM. As a workaround, I can stop the Vista Security Connector, but this omits other security events reported by the Operating System. If logging of process start and stop has to be disabled at the Operating System, this may be the solution, else I would like to know if the agent can be configured with in-line filtering to omit sending Process Start and Stop events to LEM.
Thanks in Advance,
Garreth