IBM QRadar

  • 1.  Exclude Windows log collection via wincollect

    Posted Mon May 22, 2023 12:59 PM

    Hello, 
    I have a WinCollect agent and I need to exclude some event IDs (e.g. 5154, 5156) and exclude all events where the account name is a machine account. Is it possible to do this?

    Regards.



    ------------------------------
    Edgar Faria
    ------------------------------


  • 2.  RE: Exclude Windows log collection via wincollect

    Posted Tue May 23, 2023 02:59 AM

    As far as I know, these exclusions cannot be done via WinCollect.



    ------------------------------
    Sebastian Pinau
    ------------------------------



  • 3.  RE: Exclude Windows log collection via wincollect

    Posted Tue May 23, 2023 01:27 PM

    From QRadar routing rules it's possible.



    ------------------------------
    Khaleel Ebrahim
    ------------------------------



  • 4.  RE: Exclude Windows log collection via wincollect

    Posted Wed May 24, 2023 04:10 AM

    I know, but if it's possible, I want to do it on the agent side.



    ------------------------------
    Edgar Faria
    ------------------------------



  • 5.  RE: Exclude Windows log collection via wincollect

    Posted Wed May 24, 2023 09:37 AM

    You can definitely do this in WinCollect, but you'd likely need to use an XPath query for the Windows hosts to only return the data you wanted, as you can only do complex suppresses by XPath. There is a support article on WinCollect filtering here: https://www.ibm.com/support/pages/wincollect-event-filtering

    The key in the XPath is to call the events you want, then suppress the path for the events you do not want. This can be done in a few ways, but one is looking at non-interactive logins, then suppressing specific user accounts. WinCollect supports XPath queries and you can use a combination of check boxes in the user interface, plus an XPath query. For example, if you want everything from Security logs, but only want some specific data out of System events, you can check the Security check box in your WinCollect log source, then add an XPath query to handle the specific filtering for the System events you want to exclude.

    I think what you want to do is try to suppress specific logon types, such as type 5, which is service, when a specific EventID is matched, OR get everything and suppress by user. I think trying to suppress all logon types might be missing out on specific data, but here is an example XPath that explains what I think you might want to do.

    <QueryList>
        <Query Id="0" Path="Security">
            <!-- Select: successful logons (4624) whose LogonType field is 1, 8 or 9 -->
            <Select Path="Security">
                *[System[(EventID=4624)]]
                and *[EventData[Data[@Name='LogonType']='1' or Data[@Name='LogonType']='8' or Data[@Name='LogonType']='9']]
            </Select>
            <!-- Suppress: drop events whose TargetUserName field is SYSTEM.
                 Comparing the named Data field (rather than any Data child) avoids
                 suppressing events that only have SYSTEM in another field, such as SubjectUserName -->
            <Suppress Path="Security">
                *[EventData[Data[@Name='TargetUserName']='SYSTEM']]
            </Suppress>
        </Query>
    </QueryList>
    


    ------------------------------
    Jonathan Pechta
    QRadar Support Content Lead
    Support forums: ibm.biz/qradarforums
    jonathan.pechta1@ibm.com
    ------------------------------



  • 6.  RE: Exclude Windows log collection via wincollect

    Posted Wed May 24, 2023 11:47 AM

    I currently have a similar query applied. I would like to exclude the machine account dynamically via regex or "end with $". From what I understand it is not possible because of limitations of Windows XPath.



    ------------------------------
    Edgar Faria
    ------------------------------
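
An added example, not from this thread or from IBM, that covers two points raised above: testing a Select/Suppress XPath filter of the kind shown in reply 5 locally with Get-WinEvent before it goes into a WinCollect log source, and measuring how much of what the filter still passes is the machine-account traffic that reply 6 notes cannot be excluded in XPath (the Windows event XPath subset has no ends-with() or regex functions). It assumes an elevated PowerShell session on a host with a readable Security log, and that the positional EventData fields of event 4624 are TargetUserName at index 5 and LogonType at index 8.

```powershell
# Added example (not from the thread or from IBM): validate a WinCollect-style
# XPath filter locally before pasting it into the log source configuration.
# Run in an elevated PowerShell prompt on a host with Security log read access.

# Same Select/Suppress structure as the query in reply 5, with each comparison
# bound to the named Data field so LogonType and TargetUserName are tested
# only against their own values.
$filterXml = @"
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
      *[System[(EventID=4624)]]
      and *[EventData[Data[@Name='LogonType']='1' or Data[@Name='LogonType']='8' or Data[@Name='LogonType']='9']]
    </Select>
    <Suppress Path="Security">
      *[EventData[Data[@Name='TargetUserName']='SYSTEM']]
    </Suppress>
  </Query>
</QueryList>
"@

# The Event Log service applies the filter itself, so what comes back is what
# an agent using the same XPath would forward. SilentlyContinue covers the
# "no events match" case, which Get-WinEvent otherwise reports as an error.
$events = Get-WinEvent -FilterXml ([xml]$filterXml) -MaxEvents 500 -ErrorAction SilentlyContinue

# Assumption: for event 4624 the EventData fields are positional,
# TargetUserName at index 5 and LogonType at index 8.
$rows = foreach ($e in $events) {
    $target = $e.Properties[5].Value
    [pscustomobject]@{
        TimeCreated    = $e.TimeCreated
        LogonType      = $e.Properties[8].Value
        TargetUserName = $target
        # Machine accounts end with '$'. This check cannot be expressed in the
        # Windows XPath subset, so it stays outside the agent-side filter and
        # would be handled downstream (e.g. a QRadar routing rule, as in reply 3).
        IsMachineAcct  = ($target -like '*$')
    }
}

# What the XPath filter passed, and how much of it is machine-account volume
# that the agent-side filter alone cannot remove.
$rows | Format-Table -AutoSize
$rows | Group-Object IsMachineAcct | Select-Object Name, Count
```

Running this on a domain-joined host with a few hundred recent logons gives a quick read on whether the XPath does what the prose intends (only the chosen logon types, SYSTEM targets dropped) and what share of the remaining events carry a `$`-suffixed account name, which is the volume a downstream routing rule would still need to drop.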