Using Filter Timers

Introduction (Step 1 of 5)

Getting Started

Filter Timers give you the ability to ignore events if they are followed by a specific event within a certain time period. For example, you probably want to be notified when a server goes offline for more than 5 minutes, but it might be OK if the server comes back online after 2 minutes.

Another example where a filter timer would be useful is for service status changes.

The Print Spooler service (spooler) changes its status from running to stopped at 9:06:03 PM. Someone was restarting the service, and the service started again several seconds later. Please note that you will need to monitor services with EventSentry in order for the following events to be logged to the event log.

Service Running to Stopped

After 11 seconds, the service is running again:

Service Stopped to Running

In this case we really don't need to be notified when this occurs, but we would like to know if the Print Spooler stays down, since that would prevent people from printing. Since the service restart above took only 11 seconds, we assume at this point that it is OK if the Print Spooler service is stopped for less than 1 minute. If the service is stopped for more than 1 minute, however, we need to be notified.

The Filter Timer works by setting up at least two filters: one to send the alert and another one to (optionally) clear it. You can either create a new filter package for a filter timer or add the filter timers to an existing package (e.g. in its own folder). For this example we will create a new package appropriately named Filter Timer.

EventSentry GUI
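The alert-and-clear behaviour described above, modelled in Python as an added example. This is not EventSentry code or configuration; the function name, event tuples and timestamps are constructed for illustration, and it assumes that a restart arriving exactly at the timeout still clears the alert.

```python
from datetime import datetime, timedelta

# Constructed sample events (not real log data): (timestamp, service, new state)
EVENTS = [
    ("2024-01-15 21:06:03", "spooler", "stopped"),
    ("2024-01-15 21:06:14", "spooler", "running"),  # back after 11 s: ignored
    ("2024-01-15 22:15:00", "spooler", "stopped"),
    ("2024-01-15 22:17:30", "spooler", "running"),  # back after 150 s: too late
    ("2024-01-15 23:00:00", "spooler", "stopped"),  # never restarted
]

def apply_filter_timer(events, now, timeout=timedelta(minutes=1)):
    """Return (service, stopped_at, alert_due_at) for each 'stopped' event
    that was not followed by a 'running' event within `timeout`.
    `now` is the time up to which still-pending timers are evaluated."""
    pending = {}  # service -> time of the stop event whose timer is running
    alerts = []

    def expire(current):
        # Fire the alert for every timer that ran out before `current`.
        for svc, stopped_at in list(pending.items()):
            if current - stopped_at > timeout:
                alerts.append((svc, stopped_at, stopped_at + timeout))
                del pending[svc]

    for ts, svc, state in sorted(events):
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        expire(when)  # a late clearing event must not cancel a fired alert
        if state == "stopped":
            pending.setdefault(svc, when)  # timer starts at the first stop
        elif state == "running":
            pending.pop(svc, None)  # clearing event: drop the pending alert
    expire(now)  # stops with no clearing event at all
    return alerts

if __name__ == "__main__":
    for svc, stopped_at, due in apply_filter_timer(
            EVENTS, now=datetime(2024, 1, 15, 23, 5, 0)):
        print(f"ALERT {svc}: stopped {stopped_at}, notification due {due}")
```

The 11-second restart produces no alert, while the 150-second outage and the stop that is never followed by a start each produce one.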

  • Updated on: 2015-02-04
  • Skill Level: Intermediate