Event log packages offer the following options in addition to the general package options.
Catch-All Notification Package
It is recommended that you activate this feature on packages containing "catch-all" filters.
Catch-All Filters
We refer to an include filter as a "Catch-All" filter whenever it forwards all events of a broad category, for example all errors and warnings, to an action. Examples of Catch-All filters are:
• A filter forwarding all warnings, errors and audit failures to an email recipient
• A filter forwarding all audit success and audit failure events to a database
Since event logs generate a lot of noise, configurations with Catch-All filters usually also include many exclude and include threshold filters so that unnecessary alerts are not sent to the email recipient.
If you do not configure a package that contains a catch-all filter as a "Catch-All Notification Package" then include filters with thresholds from other packages might not work as expected.
Event log packages set to be Catch-All are processed after event log packages that are not set to be Catch-All. This ensures that include filters with advanced features such as thresholds are processed before the filters in a Catch-All package.
Filter Chaining
Filter chaining is enabled on the package level and provides simple workflow-like functionality. When enabled, EventSentry will generate an event (which can be linked to an action) when all filters in the package match within a configurable time period.
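The following is an added illustration of the chaining rule just described, not EventSentry code: it tracks the most recent match time of every filter in a package and reports a chain event once all of them have matched within the window. The filter names, the 300-second window and the sample match sequence are constructed for the example.

```python
class FilterChain:
    """Fire once every filter in the package has matched within `window` seconds.

    Simplified model of package-level filter chaining (an assumption about the
    semantics, not the product's engine).
    """

    def __init__(self, filter_names, window):
        self.filters = tuple(filter_names)
        self.window = window
        self.last_match = {}  # filter name -> most recent match time (seconds)

    def record(self, filter_name, time):
        """Record a match; return True if this match completes the chain."""
        if filter_name not in self.filters:
            return False
        self.last_match[filter_name] = time
        if len(self.last_match) < len(self.filters):
            return False  # at least one filter has never matched yet
        oldest = min(self.last_match.values())
        if time - oldest <= self.window:
            # All filters matched inside the window: reset so the chain
            # can fire again on a fresh sequence of matches.
            self.last_match.clear()
            return True
        return False  # the earliest match is stale; wait for it to recur


def run_chain(matches, window=300):
    """Return the times at which the chain fired for a (time, filter) sequence."""
    chain = FilterChain(["Service stopped", "Logon failure", "Service started"], window)
    return [t for t, name in matches if chain.record(name, t)]


# Constructed sample: the first three matches fall inside one 300 s window,
# the next three do not, and a repeated "Service stopped" completes a chain.
SAMPLE_MATCHES = [
    (0, "Service stopped"), (100, "Logon failure"), (250, "Service started"),
    (1000, "Service stopped"), (1400, "Logon failure"), (1500, "Service started"),
    (1600, "Service stopped"),
]

if __name__ == "__main__":
    print(run_chain(SAMPLE_MATCHES))  # → [250, 1600]
```

Because only the most recent match of each filter is kept, a filter that matched long ago does not satisfy the chain; the window is measured between the oldest and newest of the current matches.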
Ignore Exclude Filters from other packages
Exclude filters from all packages are, by default, always processed before a notification is sent out. That is, it does not matter in which package an exclude filter is contained; it will always apply.
If you have filters for which you would like to ensure that they are not excluded by exclude filters from other packages, then you can add them to a new package and configure the package to ignore exclude filters from other packages.
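As an added illustration (not EventSentry code) of the processing rules in the Catch-All and exclude-filter sections above, the following model evaluates sample events against three packages. Its rules are assumptions that mirror the prose: packages keep their configured order except that Catch-All packages move to the end, exclude filters from every package apply unless a package ignores foreign excludes, and the first include filter that matches (or suppresses via its threshold) consumes the event. Package names, filter names, event ids and the event stream are constructed.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass
class Event:
    time: float      # seconds
    etype: str       # e.g. "Error", "Warning", "Audit Failure"
    event_id: int


@dataclass
class Filter:
    name: str
    kind: str                         # "include" or "exclude"
    types: frozenset                  # event types the filter matches
    event_ids: frozenset = frozenset()  # empty = any event id
    action: str = ""                  # action name for include filters
    threshold: int = 0                # max forwards per window (0 = none)
    window: float = 60.0              # threshold window in seconds

    def matches(self, ev):
        return ev.etype in self.types and (not self.event_ids or ev.event_id in self.event_ids)


@dataclass
class Package:
    name: str
    filters: list
    catch_all: bool = False               # "Catch-All Notification Package"
    ignore_foreign_excludes: bool = False  # "Ignore Exclude Filters from other packages"


class Engine:
    def __init__(self, packages):
        self.packages = packages
        self._seen = defaultdict(list)  # threshold filter name -> match times

    def _excluded(self, ev, pkg):
        scope = [pkg] if pkg.ignore_foreign_excludes else self.packages
        return any(f.kind == "exclude" and f.matches(ev) for p in scope for f in p.filters)

    def _over_threshold(self, f, ev):
        if not f.threshold:
            return False
        recent = [t for t in self._seen[f.name] if ev.time - t < f.window] + [ev.time]
        self._seen[f.name] = recent
        return len(recent) > f.threshold

    def process(self, ev):
        """Return the action triggered for ev, or None if excluded/suppressed."""
        # Stable sort: configured order is kept, Catch-All packages go last.
        for pkg in sorted(self.packages, key=lambda p: p.catch_all):
            if self._excluded(ev, pkg):
                continue
            for f in pkg.filters:
                if f.kind == "include" and f.matches(ev):
                    return None if self._over_threshold(f, ev) else f.action
        return None


def simulate(catch_all_flag, security_ignores_excludes):
    """Count actions for a constructed event stream under the two package options."""
    catch = Filter("All errors/warnings/audit failures", "include",
                   frozenset({"Error", "Warning", "Audit Failure"}), action="Email Ops")
    mute = Filter("Ignore spooler warning", "exclude", frozenset({"Warning"}), frozenset({3}))
    noise = Filter("Ignore failed logons", "exclude", frozenset({"Audit Failure"}), frozenset({4625}))
    disk = Filter("Disk error, max 2/min", "include", frozenset({"Error"}), frozenset({51}),
                  action="Email Ops", threshold=2)
    audit = Filter("All audit failures", "include", frozenset({"Audit Failure"}), action="Database")
    packages = [
        Package("Catch-All", [catch, mute, noise], catch_all=catch_all_flag),
        Package("Disk", [disk]),
        Package("Security", [audit], ignore_foreign_excludes=security_ignores_excludes),
    ]
    events = [Event(t, "Error", 51) for t in range(5)]       # 5 repeats of one error
    events += [Event(10, "Warning", 3), Event(11, "Audit Failure", 4625)]
    engine = Engine(packages)
    return dict(Counter(a for a in map(engine.process, events) if a))


if __name__ == "__main__":
    print(simulate(True, True))    # → {'Email Ops': 2, 'Database': 1}
    print(simulate(False, True))   # → {'Email Ops': 5, 'Database': 1}
    print(simulate(True, False))   # → {'Email Ops': 2}
```

With the Catch-All option set, the disk package's threshold filter sees the repeated error first and forwards only two copies; without it, the Catch-All package is processed first and emails all five. The audit failure reaches the database only when the Security package ignores the exclude filter that another package defines for event 4625.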