Testing Event Log Filter Rules

The Filter Rules Test utility allows you to test your filter rules against actual event log events without having to wait for those events to occur. The utility is also integrated with the built-in event log viewer and will show you which filter rules would match a given event, including the action that would be triggered.

 

This makes it easy to verify that your event log filter rules are set up correctly.


Launching the Filter Rules Test Utility

You can either launch the utility through the main menu by navigating to Tools -> Utilities -> Filter Rules Test Utility, or you can access the tool by right-clicking an event from the built-in event log viewer and selecting "Test against filter rules". The latter is generally easier, as all the event properties are automatically filled into the "Event Log Record" section.

 

Computer

Since event log filters are assigned to computers and groups, different computers might have different rules assigned to them. As such, EventSentry needs to know which filter rules to load and test against. If you do not specify a computer name here, then the event log record will be tested against all filter rules.

 

Verbose: Show all filters, including non-matching

Checking this option allows you to see exactly why a filter is not matching your event. By default, the tool only displays the first filter rule that matches the event specified in the "Event Log Record" section. This means that if an event matches both an exclude and an include filter, for example, only the exclude filter will be shown unless the "Verbose" option is checked.

 

Without this option, filters that do not match the event are not displayed at all. If you need to troubleshoot why a filter you created isn't matching and processing a given event, this option will show you all non-matching filters and indicate why each one didn't match the event.

 

Event Log Record

Specify as many properties from the actual event as possible. You are required to enter at least the following:

 

Event Log
Event Severity
Event Source
Event ID

 

Viewing the Results

Click the TEST button to view the results of the test. The results will look similar to the screenshot shown below if you do not check the "Verbose" check box:

 

[Screenshot: test results without the "Verbose" option]

Note that the "Match Reason" will be empty if the matching filter does not have a source, category, event id or event detail configured. Otherwise the column will show which fields of the filter matched the event.

 

If you select the "Verbose" option, then the output will look slightly different and include additional columns:

 

[Screenshot: test results with the "Verbose" option]

 

The list will now include all filters, and non-matching filters will indicate why they did not match the event that was passed. For example, most of the exclude filters in the above screenshot did not match the event because the severity selected in the filter did not match the event severity.

 

You can double-click a filter in the list to locate and edit the filter details.