Critical System Protection


Testing Configuration Rules in SCSP 

Feb 17, 2013 11:00 AM

Sometimes events show up in the Monitors page that have little immediate value and tend to "clutter" the display.  It might seem the way to overcome this is to fine-tune the policy responsible for generating the events, but these might also be events that need to be retained for future forensic or compliance purposes.  What we really want is to "hide" these events so that only the more important ones are displayed.  Bulk-logging is what we need to achieve this: by configuring the event rules for the agent, we can pick out certain types of events and suppress their transmission to the management server.  The problem is this: how do we know with any certainty that our logging rule will capture the intended event(s)?

The solution?  Test the rule by creating an alert (Monitors -> Alerts).

For testing purposes, skip naming the alert (because we're probably NOT saving it) and jump right to the "Filters" tab.  After creating the rule(s), you can check which events will be affected by selecting the "Preview Events" button.

If the rule needs further fine-tuning, select the "Edit Filters" button.  When the rule returns the events you are targeting, you're finished!  Now simply recreate that rule in the "Log Rules" tab of the prevention or detection parameters found on the Configs page.

NOTE: When testing, the rule is compared only against the number of events returned to the Homepage (see yellow highlighting).  Configure this setting under Preferences -> General.  If this setting is configured to, for example, 1 hour, your rule will only be tested against that subset of events.  For the purposes of rule testing, it might be better to (temporarily) set the Console Preferences to a larger event count rather than a time interval.
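To make the NOTE concrete, here is an added Python sketch (not SCSP code; the event fields, rule format and sample events are constructed for illustration, not the product's schema) of the preview step: the same suppression rule is previewed against a 1-hour window and against a count-based window, and only the latter shows the events it would actually suppress.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed stand-in for SCSP agent events. Field names are assumptions
# for illustration, not the product's actual event schema or rule syntax.
@dataclass
class Event:
    ts: datetime
    event_type: str
    rule_name: str
    process: str

NOW = datetime(2013, 2, 17, 11, 0)  # constructed "current time" for the sample
EVENTS = [  # constructed sample: two recent events, the noisy ones are older
    Event(NOW - timedelta(minutes=10), "Process Access", "Block Unauthorized Access", "cmd.exe"),
    Event(NOW - timedelta(minutes=30), "File Access", "Monitor System Files", "notepad.exe"),
    Event(NOW - timedelta(hours=3), "File Access", "Monitor System Files", "backup.exe"),
    Event(NOW - timedelta(hours=5), "File Access", "Monitor System Files", "backup.exe"),
    Event(NOW - timedelta(hours=26), "File Access", "Monitor System Files", "backup.exe"),
    Event(NOW - timedelta(hours=27), "Registry Access", "Monitor Registry", "backup.exe"),
]
# The candidate bulk-logging rule: every listed field must match exactly.
NOISE_RULE = {"event_type": "File Access", "process": "backup.exe"}

def matches(event, rule):
    return all(getattr(event, field) == value for field, value in rule.items())

def preview_window(events, hours=None, count=None):
    """Mimic the Console preference that limits which events the preview
    sees: either the last `hours` of events or the `count` most recent."""
    ordered = sorted(events, key=lambda e: e.ts, reverse=True)
    if hours is not None:
        return [e for e in ordered if e.ts >= NOW - timedelta(hours=hours)]
    return ordered[:count]

def preview(events, rule):
    """Split the visible events into those the rule would suppress and those
    it would still forward, so both lists can be checked before committing."""
    hit = [e for e in events if matches(e, rule)]
    miss = [e for e in events if not matches(e, rule)]
    return hit, miss

if __name__ == "__main__":
    for label, window in (("1 hour", preview_window(EVENTS, hours=1)),
                          ("50 events", preview_window(EVENTS, count=50))):
        hit, miss = preview(window, NOISE_RULE)
        print(f"{label:>9}: {len(hit)} suppressed, {len(miss)} still forwarded")
    # 1 hour: 0 suppressed (rule looks useless); 50 events: 3 suppressed, 3 forwarded
```

The "1 hour" run gives no evidence either way, which is exactly why a count-based preference is the safer setting while testing a rule.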
