How can I create an include or exclude filter straight from the event log viewer?

Article ID: 485
Category: Event Log Monitoring
Updated: 2023-02-23

An include or exclude event log filter can be created from any event log using the built-in Event Log Viewer in the EventSentry management console. This is a quick and easy way to generate event log filters that match an event, and they can then be tweaked as needed.

Getting Started

First, find the event you wish to make a filter for. If the event is being generated on the EventSentry server, use "Event Log Viewer (local)"...

If the event is not being generated on the EventSentry server, right-click "Event Log Viewer (local)" and browse your EventSentry groups to select the server where the event is being generated.

A new set of event logs will appear, such as "Event Log Viewer (SERVER1)" so that you can select and browse the event logs from the selected server.

To demonstrate how to setup an include filter, we will use an event that occurs when a notepad.exe proccess has been created (detailed process tracking has to be enabled in the security policy of Windows for these types of events to be logged), but this example will work with any type of event.

Creating an include filter

Say you want to be notified when this event occurs. We will have to setup an include filter to match this event and subsequently forward it to an email action.

You could manually create a filter by right-clicking a filter package, selecting "Add Filter" and then specifying the filter conditions. However, when looking to include specific events, such as when notepad is launched, EventSentry provides two quick alternatives to manually entering the event details.

After having located the event in the EventSentry event log viewer, right-click the event and select "Add Include Filter"

Or when viewing the event details, simply click the Include icon circled in the screenshot below:

Assigning the filter to a package

Enter a filter name and select a filter package to assign this filter to. We will assign it to a package called "Test".

Adjusting the filter

Now that we have the filter configured and assigned, our filter should notify us via email whenever notepad.exe is launched, right? Almost.

When we clicked "Add Include Filter" in the event log, EventSentry automatically created a filter with the correct source, category, and event id. It is important to point out that several different events can write to the event logs with the same source, category, and event id. In this case, we would receive an email for every event that matched these elements, which would be each and every process created.

To avoid flooding your email action it is necessary to restrict this filter to only the events you want to receive. We know that the event we are looking for contains the word "notepad" in the event details, so we will add the word to the content filter surrounded by two wildcards. Then we will specify the process creator's account in the Username field.

This will notify the email target ONLY when an event matches all specified event properties (event log, event severity, event source, event category, event id, and event user) and contains the word notepad in the event details.

Now that the filter has been created in the desired package, we will need to add an action. Since we want to receive an email when notepad.exe is launched, we will add the "Default Email" action to the list of "Actions". Of course you can configure this filter to send to any action, for example you may want to consolidate this event to a database and therefore add a database action to the list of "Actions". With the filter fully configured and the actions set, you now have a complete event filter!