|
|
|
Edit Event Sets
Edit Event Sets let you filter the monitoring of events in Application, Security, and System event logs maintained by the Windows OS of a managed machine. Events matching an event set can trigger an alert or suppress the triggering of an alert when the Ignore checkbox is checked. You can assign multiple event sets to a machine ID.
If any one of a multiple number of event set rows are detected, then the event is included. Any one of a multiple number of Ignore event set rows override ALL included event set rows, if applicable.
Note: You can display event logs directly. On a Windows machine click Start, then click Control Panel, then click Administrative Tools, then click Event Viewer. Click Application, Security or System to display the events in that log. Double-click an event to display its Properties window. You can copy and paste text from the Properties window of any event into Edit Event Set fields.
Event sets are specified using one or more of the following event properties.
- Source
- Category
- Event ID
- User
- Description
To Create a New Event Set
- On the Alerts page, select Application Events, Security Events or System Events from the Select Alert Function drop down list.
- Select
<New Event Set>from the Define events to match or ignore drop down list. The Edit Event Set popup window displays. You can create a new event set by:
- Entering a new name and clicking the New button.
- Pasting an event set data as text.
- Importing event set data from a file.
- If you enter a new name and click New, the Edit Event Set window displays the five properties used to filter events.
- Click Add to add a new event to the event set.
- Click Ignore to specify an event that should not trigger an alarm.
- You can optionally Rename, Delete or Export Event Set.
Ignore
The Ignore checkbox enables you to trigger an alert for all events except for the events you want to ignore. Ignore events always take precedence over other event sets. You must assign multiple event sets to the same machine ID to make use of of the Ignore feature. Example:
- On the Alerts page, select Application Events, Security Events or System Events from the Select Alert Function drop down list.
- Check the Errors checkbox and select
< All Events >from the event set list. Click the Apply button to assign this setting to all selected machine IDs. This tells the system to generate an alert for every error event type. - Assign an event set to these same machine IDs that specifies all the events you wish to ignore.
If any one of a multiple number of include event set rows are detected, then the event is included. If any one of a multiple number of Ignore event set rows are detected, it overrides all included event set rows, if applicable.
Using the Asterisk (*) Wildcard
Using the asterisk (*) wildcard you can create a filter for multiple events. For example:
*yourFilterWord1*yourFilterWord2*
This would match and raise an alarm for an event with the following string:
"This is a test. yourFilterWord1 as well as yourFilterWord2 are in the description."
Exporting and Importing Edit Events
You can export and import event set records as XML files.
- You can export an existing event set record to an XML file using the Edit Event Set popup window.
- You can import an event set XML file by selecting the
<Import Event Set>or<New Event Set>value from the event set drop down list.
Example:
<?xml version="1.0" encoding="ISO-8859-1" ?>
<event_sets>
<set_elements setName="Test Monitor Set" eventSetId="82096018">
<element_data ignore="0" source="*SourceValue*" category="*CategoryValue*" eventId="12345" username="*UserValue*" description="*DescriptionValue*"/>
</set_elements>
</event_sets>
Topic 2886: Send Feedback