
Filter Thresholds


Filter thresholds enable you to take action not only when a certain event occurs, but also depending on how often it occurs. For example, you can be notified if an event occurs at least 10 times an hour, or you can prevent many identical events from flooding an action.

 

Thresholds are set up on a per-filter basis, and you can access the threshold settings by editing a filter and clicking on the Threshold tab. Click the "Enable Threshold" checkbox to activate threshold settings for a filter. Filters with thresholds are shown with a small ruler icon in the filter list.

 

(Screenshot: the Threshold tab of the filter settings)

 

Threshold Interval

Specify the threshold interval, i.e. the number of events and the time window they must occur in, for example 20 events in one hour.

 

Event Processing

Allows you to configure whether events are forwarded to the configured notification before and/or after the threshold has been met. You can check both, one or none of the boxes in this section.

 

Forward events before threshold is reached

Checking this box means that events matching your filter will be processed (and forwarded to the notification) until the threshold is met.

 

Forward events when/after threshold has been met

Checking this box means that events matching your filter will be processed when and after the threshold has been met.

 

Forward first event only

You can configure a threshold filter to only forward the first event after a threshold has been met, instead of forwarding all events after the threshold has been met.

This is particularly useful when working with events from the security log. When you configure a threshold for a failed-login type of filter (e.g. notify me when there are more than 5 failed logins in 5 minutes), you will usually not want to receive the first failed login attempts, since users type in wrong passwords all the time. If the threshold is exceeded, however, you probably do want to know which user is trying to log in. If you configure the filter to forward all events after the threshold, you will get an email for every wrong password attempted, which is usually also not desired. Instead, configure the filter to forward only the first event after the threshold has been exceeded, and then write an event to the event log when the interval has elapsed to indicate how many failed logon attempts there have been for this user account.

 

Leaving both check boxes unchecked is allowed if you check at least one check box in the "Event Logging" section. In this case the filter will never forward any events, but will write an event to the event log when the threshold has been met.

 

Event Logging

If you want to be notified by a separate event when a filter has reached its threshold, check one or both of the following checkboxes.

 

Log when threshold is met

Checking this box results in an event being written to the Application event log immediately when the filter meets its threshold.

 

Log when threshold is met/exceeded and interval is elapsed

This option is similar to the first one, except that it logs an event only after the threshold has been met and the threshold interval has elapsed. The advantage of this option is that the event logged by the threshold filter tells you how many events were processed by this filter and how many were dropped.

 

Log as

Specify whether you would like events logged as Error, Warning or Information events. Please see Event Logs for more information as to which events are logged to the event log by this feature.

 

Threshold Options

By default the internal counters (which count towards the threshold limits) are increased every time an event matches a filter (Filter setting). While this is desirable in most cases, you can also have threshold counters applied per event record (Event setting), which allows for more granular threshold settings but consumes slightly more resources.

 

Filter (every event processed by this filter)

Every time an event matches the filter the internal threshold counters are increased. This is the recommended option for threshold filters applied to events that are not from the Security event log.

 

Event (every event that shares the same properties below)

Every event that has the same values for the selected properties increases the same internal threshold counter. This feature is mostly useful for events from the Security event log, for example to analyze failed logins: instead of every event counting towards the threshold, only events that share the selected event properties count towards the same counter. The table below shows how EventSentry increases threshold counters when the match types are set according to the screenshot below.

 

(Screenshot: the Threshold Options section with the event properties used for matching)

 

Threshold Counter | Threshold Counter # | Log      | Severity      | Source   | Category
------------------+---------------------+----------+---------------+----------+--------------
1                 | A                   | Security | Audit Failure | Security | Logon/Logoff
1                 | B                   | Security | Audit Failure | Security | Account Logon
2                 | A                   | Security | Audit Success | Security | Logon/Logoff

 

Every time an event occurs that shares the same Log, Severity, Source and Category values as an already existing threshold entry, that entry's counter is increased. If a new combination is encountered (such as line two, "Account Logon"), a new counter is started with a value of 1.

 

For example, if your threshold is one event per hour and you just check the "Log" checkbox, then you will receive a maximum of 1 event per hour per event log. If you check both Log & Source, then you will get one event per hour per event log & event source.

 

This means that you would get an NTBackup event from the Application log only once per hour (even when the events have different IDs), but you would also get a UserEnv event during that same hour, since it has a different event source.

 


Generally speaking the more check boxes you select, the fewer events you will suppress. Checking the "Text" checkbox is usually not necessary unless you are processing events from the security event log.
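To make the counting rules from the "Event Processing" and "Threshold Options" sections concrete, here is an added Python simulation (not EventSentry code) of one threshold interval. It assumes the threshold counts as "met" on the limit-th matching event, uses the constructed sample events embedded in the script, and models the Filter setting as one shared counter and the Event setting as one counter per combination of the checked properties.

```python
from collections import defaultdict

# Constructed sample events, not taken from the EventSentry page. The fields
# mirror the table above plus the account name carried in the event text.
def logon_event(user, severity="Audit Failure"):
    return {"log": "Security", "severity": severity, "source": "Security",
            "category": "Account Logon", "text": user}

EVENTS = ([logon_event("jdoe")] * 3 + [logon_event("asmith")]
          + [logon_event("jdoe")] * 3 + [logon_event("jdoe", "Audit Success")]
          + [logon_event("asmith")])

def counter_key(event, match_props):
    # Filter setting: every matching event feeds one shared counter.
    # Event setting: one counter per distinct combination of checked properties.
    return tuple(event[p] for p in match_props) if match_props else ("filter",)

def apply_threshold(events, limit, match_props=(), forward_before=False,
                    forward_after=True, first_only=False):
    """Run one threshold interval over events; return the events a notification
    would receive and, per counter that hit the limit, processed/dropped totals.
    Assumption: the threshold counts as met on the limit-th event."""
    counters, dropped, forwarded = defaultdict(int), defaultdict(int), []
    for ev in events:
        key = counter_key(ev, match_props)
        counters[key] += 1
        n = counters[key]
        if n < limit:                    # "Forward events before threshold"
            send = forward_before
        elif n == limit:                 # "Log when threshold is met" fires here
            send = forward_after
        else:                            # after the threshold: all, or first only
            send = forward_after and not first_only
        if send:
            forwarded.append(ev)
        else:
            dropped[key] += 1
    # Data for "Log when threshold is met/exceeded and interval is elapsed":
    # how many events each counter processed and how many were dropped.
    summary = {k: {"total": counters[k], "dropped": dropped[k]}
               for k in counters if counters[k] >= limit}
    return forwarded, summary

if __name__ == "__main__":
    props = ("log", "severity", "source", "category", "text")
    sent, summary = apply_threshold(EVENTS, 5, props, first_only=True)
    print(len(sent), "event(s) forwarded;", summary)
```

With the Event setting and the Text property checked, the six jdoe failures produce exactly one forwarded event (the fifth failure) and an end-of-interval summary for that account only, while the asmith failures never reach the limit.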