
Filter Properties


All fields in the Details section are not case sensitive and support wildcards, negation and multiple values separated by commas. Please see Advanced Text Processing for more information.

 

Pasting Event Properties

If you are creating a filter based on an event you copied to the clipboard from the Windows event viewer or have received via email from EventSentry, then you can automatically paste the key event properties (Event Log, Event Severity, Event Source, Category, Event ID and Username) into the dialog by clicking on any field and pressing CTRL+V.

 

Via Email: Open the email in your email client and select the event. If the email contains only one event then you should be able to simply press CTRL+A, otherwise select the event. If the email contains multiple events and you select all of them, then only the first event will be used. When the event has been selected, copy it to the clipboard by pressing CTRL+C.

 

Via Windows Event Viewer: Open the event in question and click the copy button on the dialog.

 

Then, switch to the management console and either create a new filter or open an existing filter. Click on any field (e.g. Category) and press CTRL+V. All the key event properties, with the exception of the event message, should now be filled in. Once the key event properties have been pasted, you can customize the filter further, for example by choosing between an include and an exclude filter.

 

Please note that right-clicking and selecting "Paste" will not work with this feature; you have to press CTRL+V. As such, if you just want to paste text into one field in this dialog, right-click the field and select "Paste".

 

Detailed Field Descriptions:

 

Name

The filter name is chosen by you and can be any text no longer than 128 characters. Filter names must be unique. The filter name may not contain a backslash (\).

 

Actions

All actions that are to be notified (include filter) or not to be notified (exclude filter) when this filter matches.

 

Trigger all actions

Check this checkbox to notify all configured actions instead of selected ones.

 

Event Severity

Select which types of events this filter should match. "Audit Success" and "Audit Failure" are only relevant when you also monitor the security event log.

 

Log

Select which event log(s) this filter should monitor. The event logs "Directory Service" and "File Replication (Service)" are only useful on Windows 2000 (and higher) domain controllers. The event log "DNS Server" is only useful on Windows 2000 servers (and higher) when a DNS server is installed.

 

Event Source

Specify which source this filter should match. If you do not specify an event source, the filter will match any source.

 

Event Category

Specify which category this filter should match. If you do not specify an event category, the filter will match any category.

 

Event ID

Specify which Event ID this filter should match. You can separate multiple Event IDs with a comma, for example "3,5,118".

 


Please note that Event IDs are only unique within an event source. It is therefore highly recommended that you only specify an Event ID when also specifying an event source. Otherwise your filter could include or exclude events you never planned.
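
The collision described above, shown with a simplified matching model (an added example, not EventSentry code). Field matching is approximated as case-insensitive, comma-separated alternatives with `*` wildcards; negation is left out, and the event sources and events are constructed sample data.

```python
from fnmatch import fnmatchcase

FIELDS = ("log", "source", "event_id")


def field_matches(pattern, value):
    """Empty pattern matches anything; otherwise any comma-separated
    alternative may match, case-insensitively, with wildcards."""
    alternatives = [a.strip().lower() for a in pattern.split(",") if a.strip()]
    if not alternatives:
        return True
    value = str(value).lower()
    return any(fnmatchcase(value, alt) for alt in alternatives)


def filter_matches(flt, event):
    """A filter matches when every field it specifies matches the event."""
    return all(field_matches(flt.get(f, ""), event[f]) for f in FIELDS)


def matched_sources(flt, events):
    """Distinct event sources whose events the filter would catch."""
    return sorted({e["source"] for e in events if filter_matches(flt, e)})


# Constructed sample events: three hypothetical sources reuse the same IDs.
EVENTS = [
    {"log": "Application", "source": "BackupAgent", "event_id": 118},
    {"log": "Application", "source": "LicenseSvc", "event_id": 118},
    {"log": "System", "source": "DiskMonitor", "event_id": 5},
    {"log": "Application", "source": "BackupAgent", "event_id": 7},
]

# Same Event ID list as in the text, once without and once with a source.
ID_ONLY = {"event_id": "3,5,118"}
ID_AND_SOURCE = {"event_id": "3,5,118", "source": "backupagent"}

if __name__ == "__main__":
    print("ID only       :", matched_sources(ID_ONLY, EVENTS))
    print("ID and source :", matched_sources(ID_AND_SOURCE, EVENTS))
```

As an exclude filter, the ID-only variant would also suppress the unrelated LicenseSvc and DiskMonitor events; pinning the source limits it to the one intended.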

 

Username

Specify which username this filter should match. This is currently only relevant for the security event log. Usernames are logged by the Operating System in the form DOMAIN\Username.

 

Computer

Specify which computer this filter should match. If you do not specify a computer name, the filter will match any computer the package is applied to.

 

Filter Type

Include: If the filter matches then the action specified in Action will be notified.

Exclude: If the filter matches then the action specified in Action (or no actions if "Trigger all actions" is checked) will not be notified.

 

Stop Processing

Check this box to avoid further filter processing when this filter matches an event. Filters that you do not want processed when this filter matches must either

 

appear below this filter
appear in a Catch-All package

 

This is because the package order cannot be set starting with version 2.70. You can, however, configure a package to be a Catch-All package (a setting that applies to all filters in the package), so that its filters are always processed after those in regular packages.

 

Require Acknowledgment

You can require that events matched by a filter be acknowledged. This feature is only useful when you are forwarding events to a database, in which case you can query for events that need to be acknowledged within the web reports.

 

For example, you can create a filter for events that pertain to a failed backup event. If a backup fails, then this event will show up in the web reports as "pending acknowledgment", requiring an administrator to document what action was taken to resolve the issue.

 

Important Information: When using this feature make sure that you do not have other include filters (that do not have Require Acknowledgment set) that match the same events as your filter which has "Require Acknowledgment" checked. When multiple include filters match the same event and action, then only the first one will process the event.

 

Content Filter

Use the Content Filter to filter against a certain text string instead of, or in addition to, the properties listed above. Click the + button to add a new condition to the list of content filters, or select a string and click the - button to remove it from the list.

 

If you specify multiple content filters, then you can chain them either with a logical OR or a logical AND.

 

OR: The content filter matches as soon as one condition matches.

AND: The content filter only matches when all listed conditions match.

 

Notes

You can annotate filters with personal descriptions, which might prove useful to co-workers or yourself in the future.

 

Day and Time Restrictions

Please see the Day & Hour page for details.