Display events with unregistered sources
When using the PATROL KM for Microsoft Windows OS graphical interface to create an event filter, the events that you choose to monitor must have registered event sources. Unregistered sources do not appear in the interface. To work around this issue, follow these steps to display an unregistered source in the interface so that it can be selected.
- Using the Configure Windows Event Log Monitoring > Create Filter menu command, create a new filter. In the Create Filter dialog box, select the Filter Property - Source, and clear the option to Automatically include new sources. This sets the following agent configuration variable to 0:
  /PSX_P4WinSrvs/PWK_PKMforMSWinOS_config//EventLogMonitoring/eventlog/EventFilters/filtername/IncludeAllSources
- Using PATROL Configuration Manager or the wpconfig utility, manually add the unregistered event source to the following agent configuration variable:
  /PSX_P4WinSrvs/PWK_PKMforMSWinOS_config//EventLogMonitoring/eventlog/EventFilters/filtername/SourceList/list
- Apply the change to the PATROL Agent.
Example: Creating an event filter to monitor WinMgmt events
Assume that you want to create an event filter that monitors for the following events:
Example of creating an event filter
You want to be notified immediately when these particular events occur. However, you want to be notified only when the event is related to the perfproc.dll performance library, not any other performance counter libraries.
In addition, you do not want to be flooded with events, so if these events are generated multiple times within a short period, you want to be notified only once.
Finally, if these events are detected, you want PATROL to remain in alarm until the alarm is acknowledged by an operator.
Using the Event filter options presented in the Configuring Windows Event Monitoring > Create Filter dialog boxes, you can create a filter with all of the properties proposed in this example.