Event filter options
When you select the Configure Windows Event Monitoring > Create Filter or Modify Filter menu commands from a Windows Event instance, you are presented with several filter options. The following table provides the name, description, and associated configuration variables for each event filter option that you can select.
Option | Description | Configuration variables |
---|---|---|
Filter name | A unique name that represents the event filter. If you change the filter name, you will lose the historical data stored under the old name. The filter name must contain fewer than 127 characters. | child_list For more information, see Using the child_list variable. |
Description | A description of the event filter. You can change the description at any time. | |
Report the number of events.... | If you select this option, PATROL monitors the number of events that match the filter criteria during each collection cycle. Depending on which event types the filter monitors, the following parameters are used to report this data:
| |
Notify PATROL immediately.... | If you select this option, PATROL immediately updates the appropriate parameter when an event matches the filter criteria. Depending on which event types the filter monitors, the following parameters are displayed in an alarm state when an event matches the filter:
For more information about these parameters, see PATROL KM for Microsoft Windows OS parameters. | NA |
Source filter properties | ||
Source | Registered sources for which events can be monitored | NA |
Select/Deselect source(s) for this filter | Applications running on the server that PATROL is currently monitoring. | |
Automatically Include New Sources | If you select this option, this event filter automatically monitors any new applications that are added to the system. | |
Disable Case Sensitivity | If you select this option, the event filter makes filter comparisons in a case-independent manner. | |
Event Type filter properties | ||
Select Event Types to monitor | The Windows event types monitored by this event filter. | |
Consolidate event types... | If you select this option, events of different types (Warning, Information, and Error, for example) are reported using one parameter: ELMStatus (or ELMNotification if you have also chosen to be notified immediately when the event occurs). If you want to have separate parameters for each event type that can alarm independently, clear this option. | |
Event ID filter properties | ||
Enter a Windows Event ID or a range of IDs | The Microsoft Windows event IDs that you want to monitor with this filter. To specify a range of event IDs, separate the beginning and ending of the range with a dash. For example, to monitor events 100 through 200, enter 100-200. | |
Include all Windows event IDs in the list | Specifies that all of the Windows event IDs in the list are monitored by the event filter. | |
Include all Windows event IDs except those in the list | Specifies that all of the Windows event IDs except those in the list are monitored by the event filter. Select this option when there are certain event IDs that you are not interested in monitoring and you want to exclude them from the event filter. | |
Event Handling filter properties | ||
Annotate graph parameter... | Annotates the PATROL parameter graphs associated with this event filter with information about the event. You can display the annotations by placing the cursor over the graph data points. | |
Write event details... | Writes details about the events that occur to a parameter. Depending on which event types the filter monitors, the following parameters are used to report this data:
For more information about these parameters, see PATROL KM for Microsoft Windows OS parameters. | |
Use event details... | Saves information about the event in the agent configuration variable RetainEventDescriptions so that you can use this information in recovery actions. For example, if you create a recovery action that generates an e-mail when the event filter alarms, you could include the event description in the e-mail. If you do not use recovery actions or do not plan to use them, clear this option to limit use of the agent database space. | |
Report multiple events... | When you select this option, PATROL reports a single event when the event occurs many times within a short period. Example: If you choose to report multiple events as one event if 10 events occur within 3 seconds, then if 20 events occur in 2 seconds, the event filter generates an alarm. However, if only 5 events occur in 2 seconds, the event filter does not alarm. Consolidating event types: If you select this option, event consolidation is also enabled. This means that events of different types (Warning, Information, and Error, for example) are reported using one parameter, ELMStatus (or ELMNotification if you have also chosen to be notified immediately when the event occurs). Annotation details: Even though one data point may represent multiple events of different types, the data point annotation contains information about each of the events that occurred. For more information about event consolidation, see the description for the Event Type tab in this table. Resetting to default setting: To return to the default setting, which is not reporting multiple events as one event and not consolidating events, enter 0 as the number of times that the event occurs. | |
Acknowledge Alarms | Requirements for using: You must create an event filter that monitors for the required event and select that event filter from the drop-down list. In addition, the event filter must be configured to notify PATROL immediately when an event matches the filter criteria. | |
Advanced properties - Users | ||
Enter the user associated with the event | The user ID of a user whose events you want to monitor. The user name cannot include commas. When entering a user whose name includes special characters that are used in regular expressions, such as a dollar sign ($), a period (.), a parenthesis (), or a slash (/), you must escape each special character with a backslash. For example, if the user name is $Smith, you must enter the user name as \$Smith. | |
Include all users in the list | Specifies that all of the user IDs in the list are monitored by the event filter. | |
Include all users except those in the list | Specifies that all of the user IDs except those in the list are monitored by the event filter. Select this option when there are certain user IDs that you are not interested in monitoring and you want to exclude them from the event filter. | |
Disable Case Sensitivity | If you select this option, the event filter makes filter comparisons in a case-independent manner. | |
Advanced properties - Category | ||
Enter the category associated with the event | The event category that you want to monitor with this event filter. Categories are defined by the application that generates the event. The category name cannot include commas. When entering a category whose name includes special characters that are used in regular expressions, such as a dollar sign, a period, or a parenthesis, you must escape each special character with a backslash. For example, if the category name is (100), you must enter the category as \(100\). | |
Include all categories in the list | Specifies that all of the categories in the list are monitored by the event filter. | |
Include all categories except those in the list | Specifies that all of the categories except those in the list are monitored by the event filter. Select this option when there are certain categories that you are not interested in monitoring and you want to exclude them from the event filter. | |
Disable Case Sensitivity | If you select this option, the event filter makes filter comparisons in a case-independent manner. | |
Advanced properties - Strings | ||
Enter strings | The text strings that you want to monitor with this event filter. The text string cannot include commas. When entering strings that include special characters that are used in regular expressions, such as a dollar sign ($), a period (.), a parenthesis (), or a slash (/), you must escape each special character with a backslash. For example, if the string is $Smith, you must enter the string as \$Smith. | |
Include all strings in the list | Specifies that all of the strings in the list are monitored by the event filter. | |
Include all strings except those in the list | Specifies that all of the strings except those in the list are monitored by the event filter. Select this option when there are certain strings that you are not interested in monitoring and you want to exclude them from the event filter. | |
Disable Case Sensitivity | If you select this option, the event filter makes filter comparisons in a case-independent manner. | |
Advanced properties - Enter a Regular Expression for Source | ||
Enter a Regular Expression for Source | The regular expression that is used as a criterion for including or excluding sources to be monitored with the Windows event filter. If you have configured the sources for the filter and an event occurs, the event is matched with the configured source list. If the source generating the event does not exist in the configured source list, the source generating the event is compared with the specified regular expression. For example, if the sources are Norton AntiVirus Client or Symantec AntiVirus Client, the regular expression should be configured as '^(Norton|Symantec) AntiVirus Client'. For more information about using regular expressions, see Using regular expressions. | |
Advanced properties - Enter a Regular Expression for Event ID | ||
Enter a Regular Expression for Event ID | The regular expression that is used as a criterion for including or excluding event IDs to be monitored with the Windows event filter. If you have configured the event IDs for the filter and an event occurs, the event is matched with the configured event ID list. If the event ID does not exist in the configured list, the event ID is compared with the specified regular expression. For more information about using regular expressions, see Using regular expressions. | |
Advanced properties - Computer name | ||
Computer name | Enables you to create a filter that monitors events generated only by a specified computer. Enter the name of the computer that you want the event log filter to monitor. You can also use the following new pconfig variables to configure or to view the names of the computers that you want the event log filter to monitor:
You can use the FilterDisableCase pconfig variable to disable case sensitivity for the computer names. The pconfig variable contains a field or bit for computer name. |
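
The following is an added example, not PATROL code: a small Python model for checking on paper whether a planned filter would catch the events you care about, covering the escaping rule, event ID ranges with include/exclude, and the source list with regular-expression fallback described in the table. Python's `re` module stands in for the product's regular-expression engine, and the function names, the `FILTER` dictionary layout, and the sample values are assumptions made for illustration.

```python
import re

# Characters the table names as needing an escape; extend for your own values.
PAGE_SPECIALS = "$.()/"

def escape_value(value):
    """Escape a literal user, category, or string value before entering it."""
    if "," in value:
        raise ValueError("filter values cannot include commas")
    return "".join("\\" + c if c in PAGE_SPECIALS else c for c in value)

def parse_event_ids(spec):
    """Expand entries such as '100-200' or '512' into a set of integers."""
    ids = set()
    for item in spec:
        lo, _, hi = item.partition("-")
        ids.update(range(int(lo), int(hi or lo) + 1))
    return ids

def listed(value, configured, regex, ignore_case=False):
    """Check the configured list first, then fall back to the regular expression."""
    norm = str.lower if ignore_case else str
    if norm(value) in {norm(c) for c in configured}:
        return True
    flags = re.IGNORECASE if ignore_case else 0
    return bool(regex) and re.search(regex, value, flags) is not None

def is_monitored(event, flt):
    """Assumed combination: the source must match and the ID must pass include/exclude."""
    src_ok = listed(event["source"], flt["sources"], flt.get("source_regex"),
                    flt.get("ignore_case", False))
    in_ids = event["id"] in parse_event_ids(flt["event_ids"])
    id_ok = in_ids if flt["id_mode"] == "include" else not in_ids
    return src_ok and id_ok

# Constructed sample filter; the regular expression is the one from the table.
FILTER = {
    "sources": ["BackupAgent"],
    "source_regex": "^(Norton|Symantec) AntiVirus Client",
    "event_ids": ["100-200", "512"],
    "id_mode": "include",
}

if __name__ == "__main__":
    print(escape_value("$Smith"), escape_value("(100)"))
    print(listed("$Smith", [], "$Smith"))  # unescaped '$' anchors, so no match
    print(is_monitored({"source": "Symantec AntiVirus Client", "id": 150}, FILTER))
```

An unescaped `$Smith` silently matches nothing, which is the failure mode to look for when a user, category, or string filter never alarms.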