<Parameter name="Filter.Directory Service.Enabled" value="false"/>
<Parameter name="CustomQuery.Base64" value=""/>
<Parameter name="Filter.Security.Param" value=""/>
<Parameter name="EventRateTuningProfile" value="High Event Rate Server"/>
<Parameter name="Local.System" value="true"/>
<Parameter name="EventTypeFilterError" value="true"/>
<Parameter name="EventTypeFilterWarn" value="true"/>
<Parameter name="EventTypeFilterInfo" value="true"/>
<Parameter name="Filter.File Replication Service.Param" value=""/>
<Parameter name="Filter.File Replication Service.Type" value="No Filtering"/>
<Parameter name="EventTypeFilterSuccessAudit" value="true"/>
<Parameter name="Filter.Directory Service.Type" value="No Filtering"/>
<Parameter name="Filter.Security.Type" value="No Filtering"/>
<Parameter name="Application" value="None"/>
<Parameter name="Log.System" value="true"/>
<Parameter name="Log.ForwardedEvents" value="false"/>
<Parameter name="Filter.Security.Enabled" value="false"/>
<Parameter name="Filter.System.Enabled" value="false"/>
<Parameter name="Log.DNS Server" value="false"/>
<Parameter name="ADLookup.DNSDomainName" value=""/>
<Parameter name="RemoteMachinePollInterval" value="3000"/>
<Parameter name="MinLogsToProcessPerPass" value="1250"/>
<Parameter name="MaxLogsToProcessPerPass" value="1825"/>
<Parameter name="Login.Handle" value="0"/>
</Environment>
</Instance>
</InstanceData>
</Service>
5. Modify the following lines with the bolded sample code:
<!-- NOTE(review): switches the System log filter to the "NSAlist" type and
     supplies the event IDs it applies to; presumably only the listed IDs are
     forwarded once Filter.System.Enabled is "true" (the page does not state
     whether the list is an allowlist or a blocklist) - confirm against the
     WinCollect filter reference before relying on it for detection coverage. -->
<Parameter name="Filter.System.Type" value="NSAlist"/>
<Parameter name="Filter.System.Param" value=
"1,6,12,13,19,104,219,1001,1125,1126,1129,7000,7022,7023,7024,7026,7031,7032,7034,7045"/>
<Parameter name="Filter.System.Enabled" value="true"/>
6. Save the service_DeviceWindowsLog.xml file and move it to the \IBM\WinCollect\patch
directory.
After a few seconds, the file disappears and the agent restarts. The old agentconfig.xml file is
moved to the backup directory (patch_checkpoint_xxxx). Keep that backup until you have confirmed that the agent restarted and that System log events are still arriving in QRadar with the new filter applied. Updated log source example:
<Service version="7.2.8" classification="Service" type="DeviceType"
module="DeviceWindowsLog" name="DeviceWindowsLog">
<Environment>
<Parameter name="DeviceThreadPoolType" value="AdaptiveThreadPool"/>
<Parameter name="AdaptiveThreadPool.ReaderThreadsMax" value="500"/>
<Parameter name="AdaptiveThreadPool.ReaderThreadsMin" value="5"/>
<Parameter name="AdaptiveThreadPool.ReaderBacklogSamplePeriodMillis" value="200"/>
<Parameter name="MinEventMonitorThreads" value="5"/>
<Parameter name="MaxEventMonitorThreads" value="250"/>
<Parameter name="EventLogMonitor.RetryTimeoutMillis" value="60000"/>
<Parameter name="DefaultThrottleTimeout" value="1500"/>
<Parameter name="DefaultEventLogPollProtocol" value="MSEVEN6"/>
</Environment>
<InstanceData>
<Instance enabled="true" name="EventLogLocal">
<Environment>
<Parameter name="DeviceAddress" value="DESKTOP"/>
<Parameter name="RemoteMachine" value="DESKTOP"/>
<Parameter name="Filter.DNS Server.Enabled" value="false"/>
<Parameter name="EventTypeFilterFailureAudit" value="true"/>
<Parameter name="EventLogPollProtocol" value="MSEVEN6"/>
<Parameter name="Log.Security" value="true"/>
<Parameter name="Filter.Application.Enabled" value="false"/>
<Parameter name="ADLookup.Enabled" value="false"/>
<Parameter name="ThrottleTimeout" value="1000"/>
<Parameter name="Filter.DNS Server.Param" value=""/>
<Parameter name="Filter.File Replication Service.Enabled" value="false"/>
<Parameter name="Filter.Application.Type" value="No Filtering"/>
<Parameter name="Filter.Directory Service.Param" value=""/>
<Parameter name="Log.Application" value="true"/>
<Parameter name="Filter.DNS Server.Type" value="No Filtering"/>
<Parameter name="Filter.Application.Param" value=""/>
<Parameter name="Filter.System.Type" value="NSAlist"/>
<Parameter name="Filter.System.Param"
value="1,6,12,13,19,104,219,1001,1125,1126,1129,7000,7022,7023,7024,7026,7031,7032,7034,7045"
/>
<Parameter name="Filter.System.Enabled" value="true"/>