Next Topic

Previous Topic

Book Contents

Edit Event Sets

Edit Event Sets filters the triggering of alerts based on the monitoring of events in event logs maintained by the Windows OS of a managed machine. You can assign multiple event sets to a machine ID.

Event sets contain one or more conditions. Each condition contains filters for different fields in an event log entry. The fields are source, category, event ID, user, and description. An event log entry has to match all the field filters of a condition to be considered a match. A field with an asterisk character (*) means any string, including a zero string, is considered a match. A match of any one of the conditions in an event set is sufficient to trigger an alert for any machine that event set is applied to.

Note: Normally, if two conditions are added to an event set, they are typically interpreted as an OR statement. If either one is a match, the alert is triggered. The exception is when the Alert when this event doesn't occur within <N> <periods> option is selected. In this case the two conditions should be interpreted as an AND statement. Both must not happen within the time period specified to trigger an alert.

Note: You can display event logs directly. On a Windows machine click Start, then click Control Panel, then click Administrative Tools, then click Event Viewer. Click Application, Security or System to display the events in that log. Double-click an event to display its Properties window. You can copy and paste text from the Properties window of any event into Edit Event Set fields.

To Create a New Event Set

  1. Select the Monitor > Events Logs Alerts page.
  2. Select an Event Log Type from the second drop-down list.
  3. Select <New Event Set> from the Define events to match or ignore drop-down list. The Edit Event Set popup window displays. You can create a new event set by:
  4. If you enter a new name and click New, the Edit Event Set window displays the five properties used to filter events.
  5. Click Add to add a new event to the event set.
  6. Click Ignore to specify an event that should not trigger an alarm.
  7. You can optionally Rename, Delete or Export Event Set.

Ignore Conditions

If an event log entry matches one more more ignore conditions in an event set, then no alert is triggered by any event set, even if multiple conditions in multiple event sets match an event log entry. Because ignored conditions override all event sets, it's a good idea to define just one event set for all ignored conditions, so you only have to look in one place if you suspect an ignored condition is affecting the behavior of all your alerts. You must assign the event set containing an ignored condition to a machine ID for it to override all other event sets applied to that same machine ID.

Ignore conditions only override events sharing the same log type. So if you create an "ignore set" for all ignore conditions, it must be applied multiple times to the same machine ID, one for each log type. For example, an ignore set applied only as a System log type will not override event conditions applied as Application and Security log type events.

  1. Select the Monitor > Event Log Alerts page.
  2. Check the Error checkbox and select <All Events> from the event set list. Click the Apply button to assign this setting to all selected machine IDs. This tells the system to generate an alert for every error event type. Note the assigned log type.
  3. Create and assign an "ignore event set" to these same machine IDs that specifies all the events you wish to ignore. The log type must match the log type in step 2.

Using the Asterisk (*) Wildcard

Include an asterisk (*) wildcard with the text you enter to match multiple records. For example:

*yourFilterWord1*yourFilterWord2*

This would match and raise an alarm for an event with the following string:

"This is a test. yourFilterWord1 as well as yourFilterWord2 are in the description."

Exporting and Importing Edit Events

You can export and import event set records as XML files.

Example:

<?xml version="1.0" encoding="ISO-8859-1" ?>
<event_sets>
 <set_elements setName="Test Monitor Set" eventSetId="82096018">
   <element_data ignore="0" source="*SourceValue*"
category="*CategoryValue*" eventId="12345"
username="*UserValue*" description="*DescriptionValue*"/>
 </set_elements>
</event_sets>