How to alert on a specific event id and exclude/filter the same event if it contains a specified string

+1 vote
asked Dec 29, 2017 in EventSentry Light by WILOG (160 points)
Trying to configure a package for a file server that sends an email on Event 4663.  This part is working.

Can you configure that the email is not triggered all the time? (eg. the event contains certain string)

1 Answer

0 votes
answered Dec 29, 2017 by Ingmar (5,400 points)
selected Dec 29, 2017 by WILOG
 
Best answer

Yes, there are two ways to configure EventSentry to only trigger an email if a certain text appears in the event.

Option 1
This method will match the string you supply in any part of the event (file name, user name, ...)

  1. Select the filter you want to customize
  2. In the "Content Filter & Notes" section of the filter, click the plus + icon
  3. In the resulting popup dialog, specify the string the event needs to include in order to match, with a heading and trailing wildcard, e.g. *filename.txt*. Click OK.
  4. To add multiple strings, simply repeat the process. Make sure that "Chain multiple content filters ..." is set to "OR" if you want the filter to match ANY of the content filters you put in place

Option 2
This method will only match the string you specify in the file name of the 4663 event.

  1. Select the filter you want to customize
  2. In the "Content Filter & Notes" section of the filter, click the plus + icon
  3. In the resulting popup dialog, change the default option of "Wildcard match" to "Insertion string match"
  4. Select insertion string 7
  5. Specify the file name or part of the filename you want to include (match). Be sure to add a heading and/or trailing wildcard if you are only specifying a partial match, e.g. *somefile.doc
  6. To add multiple strings, simply repeat the process. Make sure that "Chain multiple content filters ..." is set to "OR" if you want the filter to match ANY of the content filters you put in place

Please also see our tutorials for more examples on how to set up filters: https://www.eventsentry.com/support/tutorials. You may also find our YouTube channel of interest: https://www.youtube.com/user/netikusnet

commented Feb 21 by Kenny
What if you want to exclude events that contain a certain string but still trigger on a threshold?
commented Feb 21 by Ingmar (5,400 points)
To clarify, you don't want to get the actual events if they contain a certain string, but still get a threshold notification if X events occur in a certain time period?
commented Feb 21 by Kenny
Yes, but to be even more specific: I want to get a threshold notification if X events occur in a certain time period with a matching insertion string on 1.
commented Feb 21 by Kenny
If event 4663 has string 12 = kaspersky.exe, then do nothing > if string 1 = X threshold set for string 1 send email alert.
commented Feb 22 by Ingmar (5,400 points)
The easiest way to make sure certain event messages are not included in the threshold is to create an exclude filter for them. So you would create a separate exclude filter which would have a content filter for insertion string 12 matching *kaspersky.exe. Make sure that you include a heading asterisk since a path is usually included in 4663 events as well. The filter has to be configured for the same email action that the actual threshold filter is set for.

Then you would just create another filter with the appropriate content filter and threshold settings. If you tell me how you want the threshold to work specifically (maybe with an example) then I can provide more detailed info on the actual threshold filter.
commented Feb 22 by Kenny
So this is done by creating 2 separate filters in a package? I am sorry for the ignorance, and thank you for the help!
commented Feb 23 by Ingmar (5,400 points)
Yes, that's the approach that I would recommend - it would be the cleanest way to set it up and make it easy to add other processes to the exclusion filter in the future. Of course you're welcome, let us know if you have any additional questions.
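The filter semantics discussed in the accepted answer (wildcard content filters, insertion string match on string 7, OR chaining) and in the comment thread (a separate exclude filter on insertion string 12 for *kaspersky.exe, plus a threshold filter keyed on insertion string 1) can be simulated so the resulting alert behaviour is visible before it is configured in the console. The following Python is an added example and is not EventSentry code: it models wildcards with Python's fnmatch, assumes insertion strings are 1-based with string 1 = user, 7 = file name and 12 = process name exactly as the thread uses them (not verified against the 4663 schema here), evaluates exclude filters before include filters that share the same action (the point Ingmar makes about the exclude filter having to target the same email action), and runs over constructed sample events.

```python
"""Simulation of package filters over constructed 4663 events (added example, not EventSentry code)."""
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from typing import List, Optional


@dataclass
class ContentFilter:
    pattern: str                              # wildcard, e.g. "*somefile.doc"
    insertion_string: Optional[int] = None    # None = Option 1: match anywhere in the event

    def matches(self, event) -> bool:
        if self.insertion_string is None:
            haystack = " ".join(event["strings"])          # any part of the event text
        else:
            idx = self.insertion_string - 1                 # insertion strings are 1-based
            haystack = event["strings"][idx] if idx < len(event["strings"]) else ""
        # Windows file and process names are case-insensitive, so compare lower-cased (assumption)
        return fnmatchcase(haystack.lower(), self.pattern.lower())


@dataclass
class Filter:
    name: str
    event_id: int
    exclude: bool = False
    action: str = "email"                     # exclude filters only suppress filters with the same action
    content: List[ContentFilter] = field(default_factory=list)
    chain: str = "OR"                         # "Chain multiple content filters ...": OR or AND
    threshold: Optional[int] = None           # alert only after this many matches ...
    period: int = 0                           # ... within this many seconds
    hits: List[int] = field(default_factory=list)

    def matches(self, event) -> bool:
        if event["id"] != self.event_id:
            return False
        if not self.content:
            return True
        results = [c.matches(event) for c in self.content]
        return any(results) if self.chain == "OR" else all(results)

    def record(self, ts: int) -> bool:
        """Return True when this match should trigger the action (threshold reached or none set)."""
        if self.threshold is None:
            return True
        self.hits = [t for t in self.hits if ts - t < self.period] + [ts]
        if len(self.hits) >= self.threshold:
            self.hits.clear()                 # fire once per burst, then start counting again
            return True
        return False


def process(events, filters):
    """Run events through a package. Returns (filter name, event) pairs that trigger an action."""
    alerts = []
    for ev in events:
        for f in (f for f in filters if not f.exclude):
            suppressed = any(x.matches(ev) for x in filters if x.exclude and x.action == f.action)
            if not suppressed and f.matches(ev) and f.record(ev["ts"]):
                alerts.append((f.name, ev))
    return alerts


def event_4663(ts, user, filename, process):
    """Constructed 4663 event; string positions follow the thread's usage, not a verified schema."""
    strings = ["-"] * 12
    strings[0] = user          # insertion string 1 (threshold key in the comment thread)
    strings[6] = filename      # insertion string 7 (file name, per the accepted answer)
    strings[11] = process      # insertion string 12 (process name, per the comment thread)
    return {"id": 4663, "ts": ts, "strings": strings}


SAMPLE_EVENTS = [  # constructed sample data
    event_4663(0,  r"CORP\alice", r"\\fs01\share\somefile.doc", r"C:\Windows\explorer.exe"),
    event_4663(10, r"CORP\alice", r"\\fs01\share\other.doc",    r"C:\Program Files\kaspersky.exe"),
    event_4663(20, r"CORP\alice", r"\\fs01\share\report.xlsx",  r"C:\Windows\explorer.exe"),
    event_4663(30, r"CORP\bob",   r"\\fs01\share\somefile.doc", r"C:\Windows\explorer.exe"),
    event_4663(40, r"CORP\alice", r"\\fs01\share\notes.txt",    r"C:\Windows\explorer.exe"),
]


def build_package():
    return [
        Filter("exclude AV scanner", 4663, exclude=True,
               content=[ContentFilter("*kaspersky.exe", insertion_string=12)]),
        Filter("somefile access", 4663,
               content=[ContentFilter("*somefile.doc", insertion_string=7),   # Option 2
                        ContentFilter("*notes.txt*")]),                       # Option 1
        Filter("alice burst", 4663, threshold=3, period=60,
               content=[ContentFilter("*alice", insertion_string=1)]),
    ]


def run_sample():
    return [(name, ev["strings"][6]) for name, ev in process(SAMPLE_EVENTS, build_package())]


if __name__ == "__main__":
    for name, filename in run_sample():
        print(f"{name}: {filename}")
```

The kaspersky.exe event at t=10 never reaches either include filter, so it neither emails on its own nor counts toward the alice threshold; the threshold filter still fires at t=40 because three non-excluded alice events fall inside the 60-second window.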