Filters


Filters are an integral part of EventSentry: they let you create rules that determine which event log records are forwarded to which notification.

 

The simplest EventSentry configuration, for example, would consist of a single filter forwarding all errors and warnings from the event logs to an email recipient. A configuration like this is unfortunately not feasible in most environments, since many non-critical events (which are nevertheless logged as errors and warnings in the event logs) would be forwarded as well.

 

[Screenshot: list of filters in event log package "Compliance"]

 

Filter Processing

Unlike earlier versions of EventSentry, it is no longer necessary that exclude filters appear before include filters. Exclude filters are always processed before include filters. As such, it doesn't matter whether an exclude filter is located before or after an include filter, or located in a different package.

 

Include filters inside a package are still processed sequentially, from top to bottom. The sequence of include filters is, however, irrelevant in most scenarios, unless you use advanced features such as thresholds and "require acknowledgment".

 

The only exceptions are "Catch-All" packages and packages configured to ignore exclude filters from other packages; see Package Options for more information.
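To make the evaluation order concrete, the following is a small Python model of these rules. It is an added example, not EventSentry code: package, action and event values are constructed, and the per-action exclude behaviour and the "ignore exclude filters from other packages" package option are modelled as described on this page.

```python
from dataclasses import dataclass, field

ANY = "*"  # an exclude filter with action ANY applies to every action

@dataclass
class Filter:
    include: bool                              # True: include filter, False: exclude filter
    action: str                                # action (notification) name, or ANY for excludes
    match: dict = field(default_factory=dict)  # event property -> required value; empty matches all

    def matches(self, event):
        return all(event.get(key) == value for key, value in self.match.items())

@dataclass
class Package:
    name: str
    filters: list
    ignore_foreign_excludes: bool = False      # package option: ignore exclude filters from other packages

def route(event, packages):
    """Return sorted (package, action) pairs the event is forwarded to. Pass 1 collects matching
    exclude filters from every package (so their position is irrelevant); pass 2 walks includes."""
    excludes = [(pkg.name, flt.action) for pkg in packages for flt in pkg.filters
                if not flt.include and flt.matches(event)]

    def blocked(pkg, action):
        return any(ex_action in (action, ANY)
                   and (ex_pkg == pkg.name or not pkg.ignore_foreign_excludes)
                   for ex_pkg, ex_action in excludes)

    forwarded = set()
    for pkg in packages:
        for flt in pkg.filters:                # include filters, top to bottom within the package
            if flt.include and flt.matches(event) and not blocked(pkg, flt.action):
                forwarded.add((pkg.name, flt.action))
    return sorted(forwarded)

# Constructed sample configuration; package, action and event values are made up.
PACKAGES = [
    Package("Compliance", [
        Filter(True, "email", {"severity": "Error"}),         # all errors -> email
        Filter(True, "database", {"log": "Security"}),        # Security log -> consolidation DB
    ]),
    Package("Noise", [                                        # exclude-only package, listed last on purpose
        Filter(False, "email", {"source": "Disk"}),           # keep Disk errors out of email only
        Filter(False, ANY, {"log": "Security", "id": 4624}),  # drop this event ID for every action
    ]),
    Package("Catch-All", [Filter(True, "database")], ignore_foreign_excludes=True),
]
```

Calling `route(event, PACKAGES)` with a Disk error shows that the Noise exclude still suppresses the Compliance email even though it is listed after the include filter, while the Catch-All package ignores it.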

 

Filter Types

A filter can either be an include filter (and forward events to a notification) or be an exclude filter (and prevent events from being forwarded to a notification):

 

Exclude Filters

Exclude filters prevent certain events from being processed, and can either apply to all actions or only to a particular action. This gives you the ability to only exclude events for some actions (e.g. email), while logging everything to another action (event log consolidation). Exclude filters are always processed before include filters.

 

It does not matter into which event log package an exclude filter is placed; exclude filters are always evaluated before include filters are processed. The only exception is event log packages configured to ignore exclude filters from other packages.

 

Exclude filters are indicated in the filter list with a red "remove" button.

 

Include Filters

Include filters process event records that match their filter criteria and pass them on to the configured action or all actions. The more fields you restrict in a filter (e.g. Source, Category, ID ...) the fewer events will match that filter.

 

You can also apply threshold settings to include filters, or configure include filters as summary notification filters.

 

Include filters are indicated in the filter list with a blue arrow.

 

Recurring Event Filters

Recurring event filters appear like regular include filters, but do not actually forward events to a notification. Instead, recurring event filters write an error to the application event log when an event does not appear in the event log during a certain time period. For example, a recurring event filter can notify you when a backup job did not write a success event to the event log. See Recurring Event Filters for more information.

 

Filter Properties

You can filter events based on every property of an event record, including:

 

Event Log (including custom event logs)

Event Severity

Event Source

Event Category

Event ID

Event User

Event Computer

Event Description

Day / Hour

 

See Filter Properties for more information. You can also paste event properties from an email sent by EventSentry, or from an event copied in the Windows Event Viewer, into the general filter dialog.