Configuring Windows Event Log in TrueSight


This topic provides information about configuring and monitoring Windows event logs by using the TrueSight and the Central Monitoring Administration console.

On the Add Monitoring Configuration dialog, set the following preferences:

  • Monitoring Solution: Microsoft Windows Servers
  • Monitor Profile: Event Log
  • Monitor Type: Windows Event Log

Windows event logs basic configuration video

Click to view a short video (4:48) of how to configure Windows event logs for monitoring. 

https://youtu.be/j1E380MhBYQ

Windows event logs advanced configuration video

Click to view a short video (7:09) of how to configure Windows event logs for monitoring. 

https://youtu.be/MOPOa2zd1IA

Configuration details

On the Add Monitor Types dialog, with the Monitoring Profile set to Event Log or Operating System, and the Monitor Type set to Windows Event Log, provide the following details:

Event Log Configuration

Event Log

Select this check box to enable Event Log monitoring. By default, all Windows event logs are monitored if they are registered in the Windows registry at the following location:

HKLM\SYSTEM\CurrentControlSet\Services\Eventlog 

List of Event Logs: Click the Add button to configure the event logs.

Log Name

Specify the event log name for which you want to create a filter.

For example, you can enter Application, System, or Security, or an operational event log such as Microsoft-Windows-WinRM/Operational, as the log name.

Forward Windows Events To Event Manager

Select this option to forward all events, only filtered events, or no events to the event manager:

  • Do not forward Windows Events to Event Manager
  • Forward all Windows Events to Event Manager
  • Forward filtered Windows Events to Event Manager

Use File Bookmark

This field indicates whether each event log uses a checkpoint (bookmark) value so that no events are missed if the PATROL Agent or the KM is not loaded for a period of time.

List of Filters: Click the Add button to filter the event logs.

Name

Enter a unique name that represents the event filter, and follows these rules:

  • The filter name cannot exceed 127 characters.
  • The filter name cannot use the following format: user@domain.com. If this format is used for the filter name, the filter fails to filter events.

Description

Enter a short description of the filter you are creating. This is additional information regarding the filter and you can change the description at any time.

Report/Notify

Select one of the following options, as appropriate:

Source Details

Click the Add button to configure the source name.

Name

Specify the event log source name or a regular expression.

OK

Click to save the configuration.

Cancel

Click to close the dialog.


Use name as a regular expression

Select this check box if you specified a regular expression in the Name field.

Disable case sensitivity

Select this check box to disable case sensitivity for the source filtering.

You can specify whether filter comparisons are made in a case-independent manner for the source, user, category, and string options of a Windows event filter. To keep comparisons case-sensitive for any of these options, ensure that the corresponding Disable Case Sensitivity check box is cleared when you configure Windows event monitoring.

The /PSX_P4WinSrvs/PWK_PKMforMSWinOS_config/EventLogMonitoring/eventlog/EventFilters/filter/FilterDisableCase configuration variable stores information about case-sensitivity of the event filter options.

This variable is a string of five bits, one for each of Source, User, Category, String, and Computer name, in that order. A bit value of 1 means that a case-independent filter comparison is made for the corresponding field.

You can set this variable to either of the following values:

  • 00000 = none checked (default)
  • 11111 = all 5 categories checked
  • A combination of 0s and 1s, depending on which of the 5 categories were checked

To disable case-sensitivity in the event filters, set the value of the FilterDisableCase configuration variable to 00000.
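The following Python example is added here to show how the five-bit FilterDisableCase string, the "Use name as a regular expression" option, and the advice to backslash-escape regex metacharacters fit together when a filter is evaluated against an event. It is not BMC's code and does not read the PATROL configuration database; the EventFilter class, the field names, and the sample event are assumptions for illustration, and only the bit order (Source, User, Category, String, Computer) comes from the text.

```python
"""Added example (not BMC's code): evaluating a Windows event filter's
source/user/category/string/computer fields with the FilterDisableCase
bit semantics described on the page. The EventFilter class, field names
and SAMPLE_EVENT are hypothetical; only the bit order is from the page."""
import re
from dataclasses import dataclass

# Bit positions in FilterDisableCase, in the order the page gives them.
FIELD_ORDER = ("source", "user", "category", "string", "computer")


def parse_disable_case(bits: str) -> dict:
    """Turn a 5-character string such as '01000' into {field: case_independent}."""
    if len(bits) != 5 or set(bits) - {"0", "1"}:
        raise ValueError(f"FilterDisableCase must be 5 bits of 0/1, got {bits!r}")
    return {field: bit == "1" for field, bit in zip(FIELD_ORDER, bits)}


def field_matches(pattern: str, value: str, *, as_regex: bool, case_independent: bool) -> bool:
    """Compare one filter field with one event field.

    A literal pattern (the 'Use name as a regular expression' box cleared) is
    passed through re.escape, which is the programmatic form of the page's
    advice to backslash-escape $ . ( ) \\ when you write the regex yourself.
    """
    if not as_regex:
        pattern = re.escape(pattern)
    flags = re.IGNORECASE if case_independent else 0
    return re.fullmatch(pattern, value, flags) is not None


@dataclass
class EventFilter:
    source: str
    user: str
    category: str
    string: str
    computer: str
    source_is_regex: bool = False
    disable_case: str = "00000"   # page default: no field is case-independent

    def matches(self, event: dict) -> bool:
        case_map = parse_disable_case(self.disable_case)
        for field in FIELD_ORDER:
            pattern = getattr(self, field)
            if not pattern:           # empty filter field: no constraint
                continue
            as_regex = self.source_is_regex if field == "source" else False
            if not field_matches(pattern, event[field], as_regex=as_regex,
                                 case_independent=case_map[field]):
                return False
        return True


# Constructed sample event; values are illustrative, not taken from a real host.
SAMPLE_EVENT = {
    "source": "Microsoft-Windows-Security-Auditing",
    "user": "CIVILWAR\\Administrator",
    "category": "Logon",
    "string": "An account was successfully logged on.",
    "computer": "DC01",
}


def demo() -> tuple:
    """Return (strict, user-case-relaxed, literal-source) match results."""
    strict = EventFilter(source="Microsoft-Windows-.*", user="civilwar\\administrator",
                         category="", string="", computer="", source_is_regex=True)
    # 01000: only the User comparison is case-independent.
    relaxed_user = EventFilter(**{**strict.__dict__, "disable_case": "01000"})
    # Same source text but the regex box cleared: '.*' is now two literal characters.
    literal = EventFilter(source="Microsoft-Windows-.*", user="", category="",
                          string="", computer="", source_is_regex=False)
    return (strict.matches(SAMPLE_EVENT),
            relaxed_user.matches(SAMPLE_EVENT),
            literal.matches(SAMPLE_EVENT))


if __name__ == "__main__":
    print(demo())  # (False, True, False)
```

The third result is the one worth noticing in practice: a source name typed with regex metacharacters but without the regex box checked is compared literally, so the filter silently matches nothing.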

Include/Exclude Source List

Select one of the following options, as appropriate:

  • Include all event sources in the list
  • Exclude all event sources in the list

Event Type Details

This option helps you to configure event details.

Event Types to Monitor

Select one or more of the following event types to use in the filter for monitoring.

  • Critical
  • Error
  • Warning
  • Information
  • Verbose
  • Success_Audit
  • Failure_Audit
  • Others

Consolidate event types when reporting

  • Select this option if you want various types of events (for example, Warning, Information, Error) to be reported by using one parameter, ELMStatus (or ELMNotification if you chose to be notified immediately when an error occurs while defining the Report/Notify option).
  • Clear this check box, if you want to have separate parameters for each event type that can raise alarms independently.

Event ID Details

Click the Add button to configure event ID details.

Windows Event ID(s)

You can specify one or more event IDs in any of the following ways:

  • Single event ID. For example: 100
  • Comma-separated list of multiple event IDs. For example: 100,110,120
  • Range of event IDs. For example: 100-120
  • Regular expression. For example: 1[0-5]3


Use Event ID as a regular expression

Select this check box if you specified a regular expression in the Windows Event ID(s) field.

Include/Exclude Event ID List

Select one of the following options, as appropriate:

  • Include all event IDs in the list
  • Exclude all event IDs in the list
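The following Python example is added to illustrate the Windows Event ID(s) field (single ID, comma-separated list, range, or regular expression), the "Use Event ID as a regular expression" check box, and the Include/Exclude Event ID List choice described above. It is not BMC's code; the function names are hypothetical, and the example values are the ones the page itself uses plus one constructed exclude list.

```python
"""Added example (not BMC's code): interpreting the Windows Event ID(s) field
in the four forms the page lists, combined with the Include/Exclude choice.
Function names are hypothetical; sample specs are the page's own examples."""
import re


def parse_event_id_spec(spec: str, as_regex: bool):
    """Return a predicate event_id -> bool for one Event ID Details entry."""
    spec = spec.strip()
    if as_regex:
        # 'Use Event ID as a regular expression' checked: the whole field is a
        # regex matched against the decimal event ID, e.g. 1[0-5]3 matches 153.
        pattern = re.compile(spec)
        return lambda event_id: pattern.fullmatch(str(event_id)) is not None

    ranges = []
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        if "-" in part:                       # range, e.g. 100-120 (inclusive)
            low, high = (int(p) for p in part.split("-", 1))
            if low > high:
                raise ValueError(f"range {part!r} runs backwards")
            ranges.append((low, high))
        else:                                 # single ID, e.g. 100
            value = int(part)
            ranges.append((value, value))
    if not ranges:
        raise ValueError("empty event ID specification")
    return lambda event_id: any(low <= event_id <= high for low, high in ranges)


def event_id_filter(spec: str, as_regex: bool = False, include: bool = True):
    """Combine the ID list with 'Include all event IDs in the list' (include=True)
    or 'Exclude all event IDs in the list' (include=False)."""
    in_list = parse_event_id_spec(spec, as_regex)
    return lambda event_id: in_list(event_id) if include else not in_list(event_id)


def demo() -> dict:
    """Evaluate each form against a few IDs; specs are the page's examples."""
    single = event_id_filter("100")
    csv = event_id_filter("100,110,120")
    span = event_id_filter("100-120")
    regex = event_id_filter("1[0-5]3", as_regex=True)
    # Exclude form, using the list/range mix shown later on the page.
    excluded = event_id_filter("100,1000-1010,500", include=False)
    return {
        "single": [single(100), single(101)],
        "csv": [csv(110), csv(115)],
        "span": [span(120), span(121)],
        "regex": [regex(153), regex(163), regex(1530)],
        "excluded": [excluded(1005), excluded(1011)],
    }


if __name__ == "__main__":
    print(demo())
```

Note that the regex form is anchored to the whole ID: 1[0-5]3 matches 153 but not 1530, which matters when a filter is meant to catch a specific ID rather than any ID that merely contains those digits.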

Event Handling

Choose how to handle your Windows events.

Annotate Graph parameter with event details

Annotates the PATROL parameter graphs associated with this event filter with information about the event. You can display the annotations by placing the cursor over the graph data points.

Annotate Additional Event Data

Select this check box to annotate additional event data for the event in the annotation. You can display the annotations by placing the cursor over the graph data points.

Note: Restart the PATROL Agent to apply the changes.

Write event details to a text parameter

Writes details about the events that occur to a parameter. Depending on which event types the filter monitors, the following parameters are used to report this data:

  • EvRptOfError
  • EvRptOfFailureAudit
  • EvRptOfInformation
  • EvRptOfStatus
  • EvRptOfSuccessAudit
  • EvRptOfWarning
  • EVReportOfOtherTypes
  • EvRptOfNotification: This parameter is active only when you have selected both of the following options: Notify immediately and Consolidate event types.

Use event details for a recovery action

Saves information about the event in the agent configuration variable RetainEventDescriptions so that you can use this information in recovery actions that you create.

For example, if you create a recovery action that generates an e-mail when the event filter alarms, you could include the event description in the e-mail. If you don’t use recovery actions or don’t plan to use them, deselect this option to limit use of the agent database space.

For more information, see Retained-event-descriptions.

Report multiple events as a single event when the event occurs

Enables event consolidation under the conditions you specify. If X events (of any type) occur within X seconds or minutes, they are reported using one parameter.

Only one datapoint is used, but the datapoint annotation contains information about each of the events that occurred.

For more information on event consolidation, see Event-Type-dialog-box.

To return to the default setting (not reporting multiple events as one event and not consolidating events), enter 0 as the number of times that the event occurs.

By default, this value is set to 1.


Time within seconds

Specify the time window, in seconds, within which multiple events are reported as a single event.

By default, this value is set to 0.

Maximum Value: The maximum accepted value for this field is 35791394 minutes.
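The following Python example is added to show the consolidation rule described above as a sliding window: a datapoint is reported only when the configured number of events falls within the configured number of seconds, and the datapoint's annotation carries every consolidated event. It is not BMC's code; the Consolidator class and the sample event stream are constructed for illustration, and a count of 0 (or the default of 1) is treated as "do not consolidate", as the page states.

```python
"""Added example (not BMC's code): the 'report multiple events as a single
event' rule modelled as a sliding window. count and window_seconds stand in
for the page's X values; the class name and event stream are constructed."""
from collections import deque
from dataclasses import dataclass, field


@dataclass
class Datapoint:
    timestamp: float
    annotation: list = field(default_factory=list)   # one entry per consolidated event


class Consolidator:
    """Report one datapoint when `count` events fall inside `window_seconds`.

    count=0 (or count=1, the page's default) disables consolidation: every
    event becomes its own datapoint.
    """

    def __init__(self, count: int, window_seconds: float):
        if count < 0 or window_seconds < 0:
            raise ValueError("count and window must be non-negative")
        self.count = count
        self.window = window_seconds
        self._pending = deque()

    def add(self, timestamp: float, description: str):
        """Feed one event; return a Datapoint when one should be reported, else None."""
        if self.count <= 1:
            return Datapoint(timestamp, [description])
        self._pending.append((timestamp, description))
        # Drop events that have fallen out of the window relative to the newest one.
        while self._pending and timestamp - self._pending[0][0] > self.window:
            self._pending.popleft()
        if len(self._pending) >= self.count:
            annotation = [d for _, d in self._pending]
            self._pending.clear()
            return Datapoint(timestamp, annotation)
        return None


# Constructed event stream: (seconds since start, description).
SAMPLE_EVENTS = [
    (0.0, "event 1"), (5.0, "event 2"), (9.0, "event 3"),
    (100.0, "event 4"), (101.0, "event 5"), (102.0, "event 6"),
]


def run(count: int, window_seconds: float) -> list:
    """Return [(timestamp, events_in_annotation), ...] for the sample stream."""
    c = Consolidator(count, window_seconds)
    reported = [dp for dp in (c.add(t, d) for t, d in SAMPLE_EVENTS) if dp is not None]
    return [(dp.timestamp, len(dp.annotation)) for dp in reported]


if __name__ == "__main__":
    print(run(3, 10))   # [(9.0, 3), (102.0, 3)]
    print(run(3, 4))    # [(102.0, 3)]: the first burst is too spread out
    print(run(0, 10))   # six datapoints of one event each
```

The second run shows the operational trade-off: with a narrow window, a slow burst of the same event never reaches the count and is never reported at all, so the window should be chosen against the real arrival rate of the events being consolidated.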

Enter text automatic or Filter name to Acknowledge Alarm

Specify how you want to acknowledge the alarm raised by the event filter. You can specify one of the following values:

  • automatic: If you specify automatic, PATROL acknowledges alarms and returns the filter to an OK state if the filter criteria are not met during the most recent collection cycle. In other words, if the events you are monitoring do not occur during the collection cycle, the event filter state is changed back to OK. If you are not actively monitoring for alarms with this option, you might not notice when the monitored events occur, because any alarm is reset during the next collection cycle if the monitored events do not recur.
    Note: With this option, PATROL cannot acknowledge the alarm or return the filter to an OK state.
  • filterName: If you specify the name of a filter, PATROL changes the filter state from an alarm state to an OK state when the criteria of that second event filter are met. To use this option, create an event filter that monitors for the required event and is configured to notify PATROL immediately when its criteria are met, and then specify that filter's name in this field.

By default, this value is set to automatic.

Advanced Properties

Click this tab to specify advanced properties for events.

List of Users

Click the Add button to configure user details.

User Name

Specify the user name associated with the events that you want to monitor or exclude from monitoring.

Note: When entering a user name that includes special characters used in regular expressions, such as a dollar sign ($), a period (.), parentheses (), or a backslash (\), you must escape each special character with a backslash.

For example, if the user name is $Smith, you must enter it as \$Smith. The event log filter fails to filter events when a user-based filter is entered in the user@domain.com format. Use just the user name (for example, Administrator) or the Domain\User format (for example, CIVILWAR\Administrator).

OK

Click to save the configuration.

Cancel

Click to close the dialog.


Include/Exclude User List

Select one of the following options, as appropriate:

  • Include all users in the list - Specifies that all of the users in the list are monitored by the event filter. Select this option when you only want to monitor specific users.
  • Exclude all users in the list - Specifies that all the users except those in the list are monitored by the event filter. Select this option when you want to monitor all the users, except for a few specific users, which you want to exclude from the event filter.

Disable Case Sensitivity

If you select this option, the event filter makes filter comparisons in a case-independent manner.


List of Categories

Click the Add button to provide category details for the events you want to monitor.

Category Name

Specify the category name associated with the events that you want to monitor or exclude from monitoring.

Note: When entering a category that includes special characters used in regular expressions, such as a dollar sign ($), a period (.), parentheses (), or a backslash (\), you must escape each special character with a backslash.

For example, if the category is $Smith, you must enter the category as \$Smith. The event log filter fails to filter events when a user-based filter is entered in the user@domain.com format. Use just the user name (for example, Administrator) or the Domain\User format (for example, CIVILWAR\Administrator).

OK

Click to save the configuration.

Cancel

Click to close the dialog.


Include/Exclude Category List

Select one of the following options, as appropriate:

  • Include all categories in the list - Specifies that all of the categories in the list are monitored by the event filter. Select this option when you only want to monitor specific categories.
  • Exclude all categories in the list - Specifies that all the categories except those in the list are monitored by the event filter. Select this option when you want to monitor all the categories, except for a few specific categories, which you want to exclude from the event filter.

Disable Case Sensitivity

If you select this option, the event filter makes filter comparisons in a case-independent manner.


String Details

Click the Add button to provide string details associated with the events you want to monitor.

Include String

Specify the string from event description associated with the events that you want to monitor.

When entering a string that includes special characters used in regular expressions, such as a dollar sign ($), a period (.), parentheses (), or a backslash (\), you must escape each special character with a backslash. For example, if the string is $Error, you must enter the string as \$Error.

OK

Click to save the configuration.

Cancel

Click to close the dialog.

Exclude String

Specify the string from the event description associated with the events.

When entering a string that includes special characters used in regular expressions, such as a dollar sign ($), a period (.), parentheses (), or a backslash (\), you must escape each special character with a backslash. For example, if the string is $Error, you must enter the string as \$Error.

Disable Case Sensitivity

If you select this option, the event filter makes filter comparisons in a case-independent manner.

OK

Click to save the configuration.

Cancel

Click to close the dialog.

Close

Click this option to save your details.

Computer Details

Click the Add button to provide details regarding the computers associated with the events that you want to monitor.


Computer Name

Specify the computer associated with the events that you want to monitor or exclude from monitoring.

OK

Click to save the configuration.

Cancel

Click to close the dialog.

Include/Exclude Computer List

Select one of the following options, as appropriate:

  • Include all computers in the list - Specifies that all of the computers in the list are monitored by the event filter. Select this option when you only want to monitor specific computers.
  • Exclude all computers in the list - Specifies that all the computers except those in the list are monitored by the event filter. Select this option when you want to monitor all the computers, except for a few specific computers, which you want to exclude from the event filter.

Disable Case Sensitivity

Select this check box to disable case sensitivity for computer comparison.

Limit Event Subscriptions To

Note: Any modification made to the configuration requires PATROL Agent restart. Only 20 combinations of sources and event IDs are supported.

Event Sources

Enter a comma separated list of event sources.

Note: You must specify the event sources and ids based on the filters that you have configured (using the List of Filters option) for the respective event log.

Event IDs

Enter a comma-separated list of event IDs or event ID ranges.

For example: 100,1000-1010,500


OK

Click to save the configuration.

Cancel

Click to close the dialog.
