Use event distribution policy to control how events are routed through the LEM system. With the Event Distribution Policy window, you can choose at the event level which events go to the LEM console and the local LEM database. This section explains how to configure event distribution policy for managers.
Many data sources generate events that are difficult to control at a granular level, or they generate events of little or no value. You should remove these events from the system to reduce the volume and noise sent to your console and database. By configuring your event distribution policy, you can disable (or exclude) specific event types at the event level from being sent to any or all of these destinations. The data sources continue to generate these events, and you can enable them at any time. Until then, the selected system destinations will ignore them.
Additionally, you may have events that you want to monitor in the console but have no need for long-term storage and reporting. In this case, you can use your event distribution policy to disable database storage for certain events while enabling processing by the console.
Click next to your targeted manager in the Appliance grid and select Policy.
The Event Distribution Policy for [Manager] window appears.
If you open the Event Distribution Policy window while another user is using it, a Policy Locked message appears. You can choose to take over the window or view it in read-only mode. Any Full User can unlock any other user.
The following table describes the key features of the Event Distribution Policy window.
Lists event categories and event types. Click to maximize an event category.
Select a check box to indicate whether a particular event type or event category is sent to the console or local database.
When selected, the event type is routed to that particular destination. Clear a check box to prevent the event type from being routed to that destination.
Exports a manager event policy to a spreadsheet file.
Click to select the Apply State to Branch command. This command pushes (or propagates) the selected event node check box settings down to the related, lower-level event types in the node tree hierarchy.
Provides a description of the event type or event category currently selected in the grid.
Use the Event Distribution Policy window to configure your event distribution policy. Locate the event types you need and then select the appropriate check boxes to determine whether these event types are routed to a particular destination.
Locate the event type you want to configure in the Event/Fields grid. You can:
Save or cancel your changes.
Click OK to save your event distribution policy changes, close the window, and return to the Console.
Click Apply to save your changes, but keep the window open so you can continue working.
Click Cancel to close the window without saving your changes and return to the Console.
After you save your changes, the Applying Changes status bar appears, and the manager is updated with the new event policy configuration.
This process may require 30 seconds to several minutes to complete.
Use the Apply State to Branch command to propagate (or push) event distribution policy settings from a high-level event type to each of its lower-level child event types in the event hierarchy.
For example, if you select the top Security Event row and select the corresponding Console and Warehouse check boxes, clicking Apply State to Branch assigns the same Console and Warehouse check box settings to every child item associated with Security Event. When you save your configuration, the policy causes all child event types of Security Event to send events to all user consoles and your data warehouse.
To push event distribution policy settings downward:
Click next to the targeted row and select Apply State to Branch.
The Console pushes (or propagates) the parent row check box settings down to each of its lower-level event types in the node tree hierarchy.
If you select one or more of the parent row check boxes, the console selects the same check box settings for each related lower-level event type in the node tree. When you save your configuration, the policy begins sending the child event types to the selected destinations.
If you clear any of the parent row check boxes, the console disables the same check box settings from each related lower-level event type in the node tree. When you save your configuration, the policy stops sending those event types to those destinations.
Click OK to save your changes.
The Console implements the new policy.
You can export a manager event policy to a spreadsheet file to:
To export a manager policy:
At the top of the window, click Export.
The Save As form appears.
In the File Name box, enter a name and file type for the exported file.
In the file name, include an XLS file type to save the file as a Microsoft Excel spreadsheet.
Click Save to save the file.
The Console saves the file to the folder and with the file name you specified.
You can now view the manager policy information in a spreadsheet file, such as Excel.
The Windows Filtering Platform (WFP) application in Windows 7/8 and Windows Server 2008/2012 logs firewall and IPsec-related events to the system security log.
These alerts represent background events that consume additional LEM resources. They are not required for an optimized LEM deployment. Modifying your LEM manager event distribution policy to tune out the Windows noise reduces the space these events occupy in the security event log, reduces network activity, and frees LEM resources (such as CPU, memory, and disk space).
To modify your LEM manager event distribution policy:
Type Windows Security in the search box.
Click Apply to save your changes and keep working.
Click Save to save your changes and exit the Alert Distribution Policy window.
The alerts described in the tables below can be filtered out (dropped) using your LEM Manager's Event Distribution Policy by unchecking their boxes in the Console, Database, Warehouse, and Rules columns. LEM still must process these events, and uses additional resources in the form of memory and CPU reservations.
| Alert name | Windows event ID |
| --- | --- |
| TCPTrafficAudit | 5152, 5154, 5156, 5157, 5158, 5159 |
| IPTrafficAudit | 5152, 5154, 5156, 5157, 5158, 5159 |
| UDPTrafficAudit | 5152, 5154, 5156, 5157, 5158, 5159 |
| IMCPTrafficAudit | 5152, 5156, 5157, 5158, 5159 |
The Provider SID value in these alerts matches the format for the Windows Security Auditing Event ID, where Event ID is one of the Windows event IDs listed below.
| Event ID | Event description |
| --- | --- |
| 5152 | Windows Filtering Platform blocked a packet |
| 5154 | Windows Filtering Platform permitted an application or service to listen on a port for incoming connections |
| 5156 | Windows Filtering Platform allowed a connection |
| 5157 | Windows Filtering Platform blocked a connection |
| 5158 | Windows Filtering Platform permitted a bind to a local port |
| 5159 | Windows Filtering Platform blocked a bind to a local port |
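As an added illustration that is not part of the LEM documentation or product code, the following Python model of the Event/Fields grid shows the two behaviours described above: how Apply State to Branch pushes a parent row's check boxes to its child event types, and how tuning out the WFP traffic-audit alerts clears every destination for those rows. The EventNode tree, the destination labels and the OtherSecurityAlert row are assumptions made for the example.

```python
from dataclasses import dataclass, field

# Destinations named on this page; these labels are assumptions, not LEM's internal names.
DESTINATIONS = ("console", "database", "warehouse", "rules")


@dataclass
class EventNode:
    """One row of the Event/Fields grid: an event category or type with its check boxes."""
    name: str
    routing: dict = field(default_factory=lambda: {d: True for d in DESTINATIONS})
    children: list = field(default_factory=list)

    def set_routing(self, **flags):
        """Select or clear check boxes on this row only; unnamed destinations keep their state."""
        self.routing.update(flags)

    def apply_state_to_branch(self):
        """Push this row's check-box state to every lower-level event type in its branch."""
        for child in self.children:
            child.routing = dict(self.routing)
            child.apply_state_to_branch()

    def find(self, name):
        if self.name == name:
            return self
        for child in self.children:
            hit = child.find(name)
            if hit is not None:
                return hit
        return None


def destinations_for(policy, event_type):
    """Destinations an event of this type is routed to under the policy (empty set: dropped)."""
    node = policy.find(event_type)
    return set() if node is None else {d for d, on in node.routing.items() if on}


def build_sample_policy():
    """Constructed tree: a Security Event category holding WFP alerts from this page
    plus one hypothetical non-WFP alert (OtherSecurityAlert) to show the contrast."""
    wfp = [EventNode(n) for n in ("TCPTrafficAudit", "IPTrafficAudit", "UDPTrafficAudit")]
    security = EventNode("Security Event", children=wfp + [EventNode("OtherSecurityAlert")])
    return EventNode("Root", children=[security])


def tune_out_wfp(policy):
    """Clear every destination for the WFP traffic-audit alerts, leaving other rows untouched."""
    for name in ("TCPTrafficAudit", "IPTrafficAudit", "UDPTrafficAudit"):
        policy.find(name).set_routing(**{d: False for d in DESTINATIONS})
    return policy
```

Note that running Apply State to Branch on the parent row after the WFP rows were cleared re-enables them, because the branch push overwrites every child; do the branch push first and the row-level exclusions afterwards.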