Filter Timers

Filter timers give you the ability to ignore an event - even if it matches one of your filters - if a particular subsequent event occurs within a configurable amount of time. This feature works best when the events that set and clear a timer or of the same structure, that is contain the same insertion strings in the same order.

Consider the following scenario: A critical service stops but is automatically restarted within 1 minute (e.g. after an AntiVirus engine has updated itself), resulting in two events generating an error in the event log. First, when the service stops and again when the service is restarted. You could of course stop the service from being monitored altogether, but that would not be desirable since you would want to be notified when the service stop without being restarted. Filter-Timers offer a solution to this problem.

Filter timers solve this problem by letting you create two filters: One filter to match the first event, and one to match the subsequent event which, in turn, clears the first alert. As such, you will never be notified of the original event if it has been cleared within the timeout period.

To enable a timer on filter, edit the filter and click on the Timers tab. On the Timers tab, select "Enable Timer" to activate the timer. Then, specify a timeout period (e.g. 2 minutes) and specify a filter that will clear the timer by clicking the plus + button. Clicking this button will bring up a dialog showing all suitable filters (e.g. include filters) that can be used to clear this timer.

This filter is referenced by a timer filter, and has the ability to clear the timer. When setting up this filter, specify the same action as the action specified in the timer filter. If this filter matches while a timer filter is counting down from the set timeout, it will clear the timer, and the action will not be notified.

If the clearing filter matches an event while no timer is active, it will behave like a regular filter. As such, you can specify multiple actions on the clearing filter.

Filters referenced by a timer-enabled filter will not forward events to notifications if they match an event while a filter timer is counting down. Instead, they will simply clear the timer.

If the filter matches an event while there is no filter timer active, it will behave like a regular filter.

This feature is particularly useful when creating a filter timer that should match a variety of events. For example, a "service stop / service start" combination or a "process end / process start" combination. Without utilizing the insertion string feature, it would be necessary to create a filter pair for every unique event (e.g. service) you wanted to monitor.

Let's say that you want to be notified if any monitored services were stopped for more than 5 minutes. Let's assume that the DNS Server service were stopped, which would trigger a timer that would expire in 5 minutes. Let's also assume that the License Logging service were started on the same host 3 minutes after the DNS Server service was stopped. Because they both matched the generic filter that catches service start events, the timer would be cleared and you would not be notified of the stopped service.

Using insertion strings however, you can force EventSentry to compare the selected insertion strings from the originating event that set the filter timer, and the timer that is about to clear the filter. If they match, then the filter timer is cleared, otherwise it is not. We recommend that you use the Event Message Browser to determine the number and position of insertion strings inside events.

Consider the following EventSentry events that pertain to service monitoring as well as process creation / termination

Event Source	Event Category	Event ID	Event Description (insertion strings start with % character)
EventSentry	Service Monitoring	10100	The status for service %1 (%2) changed from %3 to %4.
Security	Detailed Tracking	592	A new process has been created: New Process ID: %1 Image File Name: %2 Creator Process ID: %3 User Name: %4 Domain: %5 Logon ID: %6
Security	Detailed Tracking	593	A process has exited: Process ID: %1 Image File Name: %2 User Name: %3 Domain: %4 Logon ID: %5

Whenever EventSentry records a service status change, it logs event 10100 to event log, and substitutes %1 with the name of the service whose status changed. As such, if require a match of insertion string #1, then an event pertaining to the "License Logging" service cannot clear the timer that was set from the "DNS Server service".

A similar setup could be achieved with the events logged by Windows when a process is created or terminates. If we set a filter timer based on event 592, and the filter clearing timer based on event 593, then we could specify either insertion string #1 or #2, since both would contain the same information. We could also specify both insertion strings.

When an event matches a timer-enabled filter, EventSentry will wait until the timeout period has elapsed before it will forward the event to the configured notifications. EventSentry will append the string TIMER-DELAY to the subject of an email if one of the configured notifications is of type SMTP.

If the filter specified in the "Filter that can clear this timer" list matches an event within the timeout period, then the neither the original nor the "clearing" filter will process the notification, the objective of this feature.