- Site Collector Overview
- Get Started with Site Collectors
- Install Site Collector
- Set Up Collectors
- Manage Site Collectors
- Site Collector Monitoring
- Troubleshoot the Site Collector
- Pre-checks failed during Site Collector installation and upgrade
- Site Collector UI shows the status INSTALLATION_ERROR
- Download Support Packages for Troubleshooting
- How to reboot the Virtual Machine (VM) successfully to apply security updates?
- What information must be added while creating a support ticket to resolve an issue?
- Site Collector UI is not displaying the heartbeats
- Splunk Collector can't be set up
- Splunk Collector is set up however, logs are not reaching DL/AA
- Only a few of the installed Splunk Collectors are processing logs or EPS has dropped by 50% as compared to last hour
- The Windows Active Directory Collector (formerly known as LDAP Collector) is set up, however, the context data is not reaching DL/AA
- The Windows Active Directory Collector (formerly known as LDAP Collector) is stuck in the ‘Update’ mode after deployment
- Installation is initiated; however, the collector shows the status as ‘Setting Up’ for some time
- Data Lake and Advanced Analytics Does Not Show Context Data
- Context Data from Windows Active Directory Collector is Segmented
- Minifi Permission Denied - Logback.xml File Missing and Config File Update - Failed Error Occurred while Installing the Windows Event Log Collector
- Where should I upload proxy certificates if I am running proxy with TLS interception?
- How to upgrade Linux collector instance?
Add Filters to Set Egress Log Filtering Conditions
Egress Filtering facilitates quick, easy, and cost-effective log onboarding process by providing log filtering conditions to filter and manage logs to be sent to the Exabeam Security Operations Platform. You can add filters to drop log sources before excessive logs reach the Exabeam Security Operations Platform. After installing a Site Collector instance, based on the Egress Log Filtering Conditions that you define, the logs are ingested into the Exabeam Security Operations Platform.
Adding filters enables you to:
Define conditions to control logs that need to be ingested into the Exabeam Security Operations Platform.
Validate conditions based on log samples before applying the conditions to the Site Collector.
Monitor number of filtered and ingested log events.
After installing a Site Collector instance, to add filters:
Log in to the Exabeam Security Operations Platform with your registered credentials.
Navigate to Collectors > Site Collectors.
Ensure that the Site Collector instance for which you want to add filters is installed and in running state.
On the Site Collector page, click Site Collector Instances.
In the Site Collector instances list, navigate to the Site Collector instance for which you want to add filters.
In the Logs After Filters column for the Site collector instance, move the mouse pointer over the number and click Add Filters.
In the Conditions section, set the conditions to include and exempt logs.
Note
While adding the allowed and deny filter conditions, ensure that you use regex syntax.
In the Allowed Conditions section, add conditions to include logs to be sent to the Exabeam Security Operations Platform.
For example, for EventCode that matches 100X, use the Allowed Condition
EventCode=100[0-9].Raw log:
LogName=Application EventCode=1001 EventType=4 ComputerName=windows-splunk-forwarder-vp-23 SourceName=Windows Error Reporting Type=Information RecordNumber=168946846 Keywords=Classic TaskCategory=None OpCode=Info Message=Fault bucket , type 0 Event Name: APPCRASH Response: Not available Cab Id: 0
In the Deny Conditions section, add conditions for the logs that you don't want to send to the Exabeam Security Operations Platform.
For example, if you don't want to include eventType between 1 and 5, use the Deny Condition
EventType=[1-5].Raw log:
LogName=Application EventCode=1001 EventType=4 ComputerName=windows-splunk-forwarder-vp-23 SourceName=Windows Error Reporting Type=Information RecordNumber=168946846 Keywords=Classic TaskCategory=None OpCode=Info Message=Fault bucket , type 0 Event Name: APPCRASH Response: Not available Cab Id: 0
Caution
Enter a valid regex syntax. Do not enter
.*or.+at the start or at the end of the regex syntax.Use
.*or.+only if required, in the middle of the regex syntax after adding?next to each of these characters. For example,.*?.Do not use these prefixes
^.*, ^.+, ^.*?, ^.+?and suffixes.*$, .+$, .*?$, .+?$.
Click Apply.
A confirmation message 'Site Collector Updated' indicates that the filters are applied to the Site Collector instance.
Click Check Filters to verify if the filters are providing the correct results. Then, add log files or paste raw logs in the right pane to verify if the filters that you set are working appropriately.
Click Import.
If you apply the Allowed and Deny conditions specified in step 7, click Check Filters and paste the raw log, and click Import, Site Collector displays the following result which entails that the logs passed the Allowed Condition and did not pass the Deny Condition.
Note
Using egress filters affects the performance of the collector and decreases overall EPS. The more you set complex filters, the bigger impact you will observe on the collector performance. For example with three filters, overall EPS can decrease approximately by 15% to 20% based on the filter complexity.
Proceed with setting up the collectors.