-
Notifications
You must be signed in to change notification settings - Fork 55
/
drop.conf
65 lines (65 loc) · 1.58 KB
/
drop.conf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
# Author: Justin Henderson
# Email: [email protected]
# Last Update: 11/18/2015
#
# This configuration file is designed to look for and drop logs that are unwanted
filter {
# This section is for dropping logs related to Windows events
if [type] == "windows" {
# This drops logs that are related to the use of the Backup privilege. This is high volume for little gain.
# However, the backup privilege is used to read any file so you may want this. Just beware of the volume.
if [PrivilegeList] =~ "SeBackupPrivilege" {
drop {}
}
if [EventID] == 5447 {
drop {}
}
if [EventID] == 5158 {
if [Application] =~ "System" {
drop {}
}
if [Application] =~ "svchost.exe" {
drop {}
}
if [Application] =~ "iexplore.exe" {
drop {}
}
if [Application] =~ "lsass.exe" {
drop {}
}
if [Application] =~ "spoolsv.exe" {
drop {}
}
if [Application] =~ "wmiprvse.exe" {
drop {}
}
if [Application] =~ "taskhost.exe" {
drop {}
}
if [Application] =~ "frameworkservice.exe" {
drop {}
}
if [Application] =~ "nxlog.exe" {
drop {}
}
if [Application] =~ "mcafee" {
drop {}
}
if [Application] =~ "kace" {
drop {}
}
if [Application] =~ "mdnsresponder.exe" {
drop {}
}
if [Application] =~ "communicator.exe" {
drop {}
}
if [Application] =~ "ptclient.exe" {
drop {}
}
}
if [EventID] == 861 {
drop {}
}
}
}