In EventSentry, we create an include filter when we want an action to be taken whenever an event matches our conditions. The more specific the matching conditions, the fewer events are forwarded to the action. Let's assume we would like to send an email to Bob whenever the server OWL is rebooted.
"Event 6009 is logged during every boot and indicates the operating system version, build number, service pack level, and other pertinent information about the system." MS KB-196452
This approach works when the event we care about is predictable. We know that every boot of the server writes an Information event with ID 6009 (source EventLog, in the System log), so the filter can match on the log, source and event ID together rather than on the ID alone; event IDs are only unique within a source, so an ID-only filter can fire on an unrelated event that happens to reuse the number. However, when we want to be notified of unexpected errors, or would like to consolidate events in a centralized database, we do not know the event IDs in advance, so the filter has to be configured broadly instead.
This filter matches any Error, regardless of log, source, event ID or host, and forwards it to our sysadmin. Expect it to fire far more often than the reboot filter: whatever action it triggers (an email inbox, a database) has to be able to absorb that volume.
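To make the difference between the two filters concrete, here is an added example that models include-filter matching in Python and runs the narrow reboot filter, an ID-only variant, and the broad Error filter over a handful of constructed event records. This is illustrative code written for this page, not EventSentry's own implementation or configuration format; the `Event` and `IncludeFilter` classes, the `route` function, the action strings such as `email:bob`, and the hostnames OWL and FALCON are all assumptions made for the example.

```python
"""Include-filter matching over Windows event records (added example).

Illustrative code, not EventSentry's implementation: an include filter is
a set of conditions that an event must satisfy before the filter's action
fires. Unset conditions are wildcards, so fewer conditions mean a broader
filter. The demo contrasts a narrow filter (the 6009 boot event from the
EventLog source on host OWL), an ID-only filter, and a broad Error filter.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional


@dataclass(frozen=True)
class Event:
    """A minimal Windows event record (fields chosen for this example)."""
    log: str          # "System", "Application", "Security"
    source: str       # event source / provider
    event_id: int
    severity: str     # "Information", "Warning", "Error"
    computer: str
    message: str


@dataclass(frozen=True)
class IncludeFilter:
    """Conditions an event must satisfy; None means 'any value'."""
    name: str
    action: str       # hypothetical action label, e.g. "email:bob"
    log: Optional[str] = None
    source: Optional[str] = None
    event_id: Optional[int] = None
    severity: Optional[str] = None
    computer: Optional[str] = None

    def matches(self, ev: Event) -> bool:
        checks = (
            (self.log, ev.log),
            (self.source, ev.source),
            (self.event_id, ev.event_id),
            (self.severity, ev.severity),
            (self.computer, ev.computer),
        )
        return all(want is None or want == got for want, got in checks)


def route(events: Iterable[Event], filters: List[IncludeFilter]) -> Dict[str, List[Event]]:
    """Return {filter name: events that would be forwarded to its action}."""
    routed: Dict[str, List[Event]] = {f.name: [] for f in filters}
    for ev in events:
        for f in filters:
            if f.matches(ev):
                routed[f.name].append(ev)
    return routed


# Constructed sample events; hosts, sources and messages are made up.
SAMPLE_EVENTS = [
    Event("System", "EventLog", 6009, "Information", "OWL",
          "Microsoft (R) Windows (R) 6.03. 9600 Multiprocessor Free."),
    Event("System", "EventLog", 6005, "Information", "OWL",
          "The Event log service was started."),
    # Same ID 6009 from a different source and log: an ID-only filter matches it.
    Event("Application", "MyApp", 6009, "Information", "OWL", "Cache rebuilt."),
    Event("System", "EventLog", 6009, "Information", "FALCON",
          "Microsoft (R) Windows (R) 6.03. 9600 Multiprocessor Free."),
    Event("System", "Disk", 51, "Warning", "OWL",
          "An error was detected on device \\Device\\Harddisk0 during a paging operation."),
    Event("Application", "Application Error", 1000, "Error", "OWL",
          "Faulting application name: svc.exe"),
    Event("System", "Service Control Manager", 7031, "Error", "FALCON",
          "The Print Spooler service terminated unexpectedly."),
]

# Narrow: reboot of OWL -> email Bob. Matching log and source as well as the
# ID keeps an unrelated source that reuses 6009 from paging Bob.
REBOOT_OWL = IncludeFilter("owl-reboot", "email:bob", log="System",
                           source="EventLog", event_id=6009, computer="OWL")

# Too loose: event ID only. Included to show why the source matters.
ID_ONLY = IncludeFilter("id-6009-only", "email:bob", event_id=6009)

# Broad: any Error from any log, source or host -> email the sysadmin.
ANY_ERROR = IncludeFilter("any-error", "email:sysadmin", severity="Error")


def demo() -> Dict[str, List[Event]]:
    """Run all three filters over the constructed events."""
    return route(SAMPLE_EVENTS, [REBOOT_OWL, ID_ONLY, ANY_ERROR])


if __name__ == "__main__":
    for name, evs in demo().items():
        print(f"{name}: {len(evs)} event(s)")
        for ev in evs:
            print(f"  {ev.computer} {ev.log}/{ev.source} {ev.event_id} {ev.severity}")
```

Running the block forwards exactly one event to `owl-reboot`, three to `id-6009-only` (including the application event and the other host's boot), and two to `any-error`. The same all-conditions-must-hold rule produces both the narrow and the broad behaviour; what changes is only how many fields are left unset.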