Hey All,
I am comparing two routes to blacklist/filter events.
1) Filter events out at our WECs using the event filter
2) Blacklist the events on the Universal Forwarders
We currently have different events filtered/blacklisted in both areas but I want to consolidate for mgmt purposes and for ease of use.
Are there any benefits to either one?
Filtering on the WEC means it's not collecting the events, period, saving storage space and resource usage. I can't find anywhere, though, that documents or defines any performance hit from doing that on the WEC subscriptions.
I do love that I can use a regex to filter out specific things like process names on 4688s on the UF.
I was thinking of filtering out all the full events I don't want on the WEC, then using the blacklist on the UF to filter out specific events from certain event types, like the 4688.
Any thoughts or guidance?
Thanks!
Andrew
The benefit of filtering at the UF is the ability to easily change the blacklisting. If you are filtering out things at the WEC, then the data isn't there at all. So, in short, if you think you might need it at some point, then I would say to collect it and blacklist.
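To illustrate the hybrid approach from the question (drop whole event IDs at the WEC subscription, then use the UF blacklist regex for specific 4688 process names) and the answer's advice to keep the blacklist on the UF where it is easy to change, here is an added example that is not part of this thread and not Splunk's own code. It is a dry-run checker: it reads the `blacklistN` lines from an inputs.conf-style stanza and applies them to a few constructed Security events following the documented `key=regex` semantics (pairs on one line are ANDed, separate `blacklistN` lines are ORed). Assumptions, labelled in the code: regexes are applied as an unanchored search with Python's `re` (the UF uses PCRE), only the `key=regex` form is handled (not the plain list of event IDs), and the event text and paths are made up.

```python
"""
Dry-run checker for Splunk universal forwarder event-log blacklists.

Added example, not Splunk code. It parses the blacklistN lines from an
inputs.conf-style stanza and applies them to constructed Windows Security
events the way the UF docs describe the key=regex form: key=regex pairs on
one line must ALL match (AND), separate blacklistN lines are alternatives
(OR). Assumptions: regexes are applied as an unanchored search with
Python's re (Splunk uses PCRE); only the key=regex form is handled, not
the older plain list of event IDs.
"""
import re

# Constructed stanza. Whole event IDs are assumed to be dropped at the WEC
# subscription already; the UF only removes noisy 4688 process names here.
INPUTS_CONF = r'''
[WinEventLog://ForwardedEvents]
disabled = 0
renderXml = false
# One blacklistN line per condition set; Message is the multi-line event text.
blacklist1 = EventCode="4688" Message="New Process Name:\s+\S+\\(conhost|svchost|taskhostw)\.exe"
blacklist2 = EventCode="4688" Message="Creator Process Name:\s+.+\\SplunkUniversalForwarder\\bin\\splunkd\.exe"
blacklist3 = EventCode="(4672|5156)"
'''

# key="regex" pairs; the regex text is kept verbatim (escapes belong to the
# regex engine, not to the conf file syntax).
_PAIR_RE = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')


def parse_blacklists(conf_text):
    """Return [(rule_name, {key: compiled_regex}), ...] in file order."""
    rules = []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line.startswith("blacklist") or "=" not in line:
            continue
        name, _, rest = line.partition("=")
        pairs = {k: re.compile(v) for k, v in _PAIR_RE.findall(rest)}
        if pairs:  # skip the plain event-ID list form, which this checker does not model
            rules.append((name.strip(), pairs))
    return rules


def matching_rule(event, rules):
    """Name of the first blacklist rule the event matches, else None."""
    for name, pairs in rules:
        # Every key=regex pair on the line must match (AND); rules are tried in order (OR).
        if all(rx.search(str(event.get(key, ""))) for key, rx in pairs.items()):
            return name
    return None


def filter_events(events, rules):
    """Events that would still be forwarded, i.e. not blacklisted."""
    return [e for e in events if matching_rule(e, rules) is None]


def _msg_4688(new_proc, creator_proc):
    # Constructed 4688 message body in the layout the Security log renders.
    return (
        "A new process has been created.\n\n"
        "Process Information:\n"
        "\tNew Process ID:\t\t0x1a2c\n"
        f"\tNew Process Name:\t{new_proc}\n"
        "\tToken Elevation Type:\t%%1938\n"
        "\tCreator Process ID:\t0x4d8\n"
        f"\tCreator Process Name:\t{creator_proc}\n"
    )


# Constructed sample events (hypothetical paths).
SAMPLE_EVENTS = [
    {"EventCode": "4688", "Message": _msg_4688(r"C:\Windows\System32\conhost.exe", r"C:\Windows\System32\cmd.exe")},
    {"EventCode": "4688", "Message": _msg_4688(r"C:\Users\a\AppData\Local\Temp\evil.exe", r"C:\Windows\explorer.exe")},
    {"EventCode": "4688", "Message": _msg_4688(r"C:\Windows\System32\cmd.exe", r"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe")},
    {"EventCode": "4672", "Message": "Special privileges assigned to new logon."},
    {"EventCode": "4624", "Message": "An account was successfully logged on."},
]

if __name__ == "__main__":
    rules = parse_blacklists(INPUTS_CONF)
    for ev in SAMPLE_EVENTS:
        print(ev["EventCode"], matching_rule(ev, rules) or "forwarded")
```

Two points the checker makes visible: the `Message` field is multi-line, so `\S+` is fine for `C:\Windows\System32\...` but fails on paths containing spaces (hence `.+` in `blacklist2` for `C:\Program Files\...`), and every literal backslash in a Windows path has to be written as `\\` in the regex. Paste real 4688 message text into `SAMPLE_EVENTS` before deploying a new `blacklistN` line; a regex that silently matches nothing costs you licence and storage, one that matches too much loses the event for good.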