How to filter out SEP events that have a Status ID of Pending or Unknown.


Article ID: 177686

Products

Security Information Manager

Issue/Introduction



Resolution

The March 2009 LiveUpdate patch updated the SEP Collector. After applying the update, you need to create a filter in the Sensor Configuration of the SEP Collector to filter out SEP events whose Status ID is Pending or Unknown:
    1. Login to SSIM via the Client UI
    2. Select System Tab from the Left Menu
    3. Select Product Configurations Tab from the Menu at the Top
    4. Select Symantec Endpoint Protection Event Collector from the list of installed collectors
    5. Select respective collector configuration under this collector
    6. At the right side of your screen, select the Filter tab
    7. To create the filter, select the + sign. Specification 0 should appear at the bottom of the window.
    8. Double-click Specification 0 and rename the filter as you like. Example: “Filter for Details Pending Events”
    9. On the right side of that page, select +. You should see a row being added.
    10. Double-click the blank row field under Name. You should get a pop-up.
    11. In that pop-up, under Custom Field Name, type in flagfilter
    12. Select OK
    13. Under Value in that same row, double-click the blank field and type in yes
    14. Select Save
    15. Right-Click your Sensor on the left of the page and select Distribute
To enable the newly created filter, check the box next to the filter name, then Save and Distribute.



References
For all fixes included in the March 2009 LiveUpdate for the SEP Collector, see the LiveUpdate-Collect.txt file in the collector folder or the attached file.

Attachments

LiveUpdate-Collector.txt