Filters are an integral part of EventSentry and allow you to create rules that determine which event log records get forwarded to which notification.
The simplest EventSentry configuration, for example, would consist of a single filter forwarding all errors and warnings from the event logs to an email recipient. A configuration like this is unfortunately not feasible in most environments, since many non-critical events (which are logged as errors and warnings to the event logs) would be forwarded.
Figure: list of filters in event log package "Compliance"
Unlike earlier versions of EventSentry, it is no longer necessary that exclude filters appear before include filters. Exclude filters are always processed before include filters. As such, it doesn't matter whether an exclude filter is located before or after an include filter, or located in a different package.
Include filters inside a package are still processed sequentially - from top to bottom. The sequence of include filters however is irrelevant in most scenarios, unless you use advanced features such as thresholds and "require acknowledgment".
The only exceptions are "Catch-All" packages and packages configured to ignore exclude filters from other packages; see Package Options for more information.
A filter can either be an include filter (and forward events to a notification) or be an exclude filter (and prevent events from being forwarded to a notification):
Exclude filters prevent certain events from being processed, and can either apply to all actions or only to a particular action. This gives you the ability to only exclude events for some actions (e.g. email), while logging everything to another action (event log consolidation). Exclude filters are always processed before include filters.
It does not matter into which event log package an exclude filter is placed; exclude filters are always evaluated before include filters are processed. The only exception is event log packages configured to ignore exclude filters from other packages.
Exclude filters are indicated in the filter list with a red "remove" button.
Include filters process event records that match their filter criteria and pass them on to the configured action or all actions. The more fields you restrict in a filter (e.g. Source, Category, ID ...) the fewer events will match that filter.
Include filters are indicated in the filter list with a blue arrow.
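To make the evaluation order concrete, the following is a small Python model (added here as an illustration, not EventSentry's own code) of the rules above: exclude filters are applied first regardless of where they appear, scoped either to all actions or to one action, and include filters are then evaluated top to bottom, each forwarding to its configured action or to all actions. The filter names, the field names (`severity`, `id`, `log`), the action names and the event records are constructed for this example.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Filter:
    name: str
    include: bool  # True = include filter, False = exclude filter
    criteria: dict = field(default_factory=dict)  # e.g. {"severity": "Error", "id": 1234}
    action: Optional[str] = None  # None = applies to all actions

def matches(criteria, event):
    # Every restricted field must equal the event's value: more fields, fewer matches
    return all(event.get(k) == v for k, v in criteria.items())

def route(event, filters, actions):
    """Return the set of actions the event is forwarded to."""
    # Pass 1: exclude filters, evaluated first no matter where they appear.
    blocked = set()
    for f in filters:
        if not f.include and matches(f.criteria, event):
            blocked |= set(actions) if f.action is None else {f.action}
    # Pass 2: include filters, top to bottom, each adding its action(s).
    forwarded = set()
    for f in filters:
        if f.include and matches(f.criteria, event):
            forwarded |= set(actions) if f.action is None else {f.action}
    return forwarded - blocked

ACTIONS = ["email", "consolidation"]
FILTERS = [
    Filter("all errors", include=True, criteria={"severity": "Error"}),
    # Keep event 1234 out of email only; consolidation still records it.
    Filter("mute 1234 for email", include=False, criteria={"id": 1234}, action="email"),
    # Placed after the include filter on purpose: position is irrelevant for excludes.
    Filter("drop 5678 everywhere", include=False, criteria={"id": 5678}),
]
EVENTS = [  # constructed sample event records
    {"log": "Application", "severity": "Error", "id": 42},
    {"log": "Application", "severity": "Error", "id": 1234},
    {"log": "System", "severity": "Error", "id": 5678},
    {"log": "System", "severity": "Warning", "id": 7},
]

if __name__ == "__main__":
    for e in EVENTS:
        print(e["id"], sorted(route(e, FILTERS, ACTIONS)))
```

Running it shows event 1234 reaching only the consolidation action and event 5678 reaching none, even though both exclude filters sit below the include filter in the list.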
Recurring Event Filters
Recurring event filters appear like regular include filters, but do not actually forward events to a notification. Instead, recurring event filters write an error to the application event log when an event does not appear in the event log during a certain time period. For example, a recurring event filter can notify you when a backup job did not write a success event to the event log. See Recurring Event Filters for more information.
You can filter events based on every property of an event record, including:
•Event Log (including custom event logs)
•Day / Hour