All fields in the Details section are case insensitive and support wildcards, negation and multiple values separated by commas. Please see Advanced Text Processing for more information.
If you are creating a filter based on an event you copied to the clipboard from the Windows event viewer or have received via email from EventSentry, then you can automatically paste the key event properties (Event Log, Event Severity, Event Source, Category, Event ID and Username) into the dialog by clicking on any field and pressing CTRL+V.
Via Email: Open the email in your email client and select the event. If the email contains only one event you can simply press CTRL+A; otherwise select just the event you want. If the email contains multiple events and you select all of them, only the first event will be used. Once the event is selected, copy it to the clipboard by pressing CTRL+C.
Via Windows Event Viewer: Open the event in question and click the copy button on the dialog.
Then, switch to the management console and either create a new filter or open an existing filter. Click on any field (e.g. Category) and press CTRL+V. All the key event properties, with the exception of the event message, should now be filled in. Once the key event properties have been pasted you can customize the filter further, for example by choosing between an include and an exclude filter.
Please note that right-clicking and selecting "Paste" will not work with this feature; you have to press CTRL+V. Conversely, if you just want to paste text into a single field in this dialog, right-click the field and select "Paste".
Via JSON Syntax: Copy the entire JSON syntax into the clipboard and click the "Apply Json Rule" button in the ribbon. You can also paste JSON syntax by selecting any event log package and clicking the PASTE button in the ribbon.
Detailed Field Descriptions:
Name
The filter name is chosen by you and can be any text no longer than 128 characters. Filter names must be unique. The filter name may not contain a backslash (\).
Actions
All actions that are to be notified (include filter) or not to be notified (exclude filter) when this filter matches.
Trigger all actions
Check this checkbox to notify all configured actions instead of selected ones.
Event Severity
Select which types of events this filter should match. "Audit Success" and "Audit Failure" are only relevant when you also monitor the security event log.
Log
Select which event log(s) this filter should monitor. The "Directory Service" and "File Replication Service" event logs are only useful on Windows 2000 (and higher) domain controllers. The "DNS Server" event log is only useful on Windows 2000 (and higher) servers where a DNS server is installed.
Event Source
Specify which source this filter should match. If you do not specify an event source, the filter will match any source.
Event Category
Specify which category this filter should match. If you do not specify an event category, the filter will match any category.
Event ID
Specify which Event ID this filter should match. You can separate multiple Event IDs with a comma, for example "3,5,118". Event ranges (e.g. 4000-5000) and negation (e.g. !4624) are also supported.
Event IDs are only unique within an event source. As such, always specify an event source when specifying an Event ID; otherwise a filter may match events from other sources that it was never intended to match.
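As an added illustration (not EventSentry's own code), the following Python models the field syntax described above: comma-separated values, "*" wildcards, "!" negation, Event ID ranges and case-insensitive matching. The sample events, the made-up "ContosoBackup" source and the rule that a negated term overrides a positive one are assumptions made for this example. It shows why a bare Event ID filter can match an event from an unrelated source.

```python
import fnmatch

# Sample events, constructed for this example. Only the two Security events
# mirror real Windows event IDs; "ContosoBackup" is a made-up Application
# source that happens to reuse ID 4624.
EVENTS = [
    {"log": "Security", "source": "Microsoft-Windows-Security-Auditing",
     "category": "Logon", "id": 4624, "user": "CORP\\alice", "computer": "DC01"},
    {"log": "Security", "source": "Microsoft-Windows-Security-Auditing",
     "category": "Logon", "id": 4625, "user": "CORP\\bob", "computer": "DC01"},
    {"log": "Application", "source": "ContosoBackup",
     "category": "None", "id": 4624, "user": "N/A", "computer": "FS01"},
]


def _split_terms(expr):
    """Split a comma-separated field value into (positive, negated) terms,
    lower-cased so that matching is case insensitive."""
    positive, negated = [], []
    for tok in expr.split(","):
        tok = tok.strip().lower()
        if not tok:
            continue
        if tok.startswith("!"):
            negated.append(tok[1:].strip())
        else:
            positive.append(tok)
    return positive, negated


def text_matches(expr, value):
    """Match a text field (Event Source, Username, ...) against an expression
    with '*' and '?' wildcards. Assumed semantics: a matching negated term
    rejects the value; otherwise some positive term must match, and an
    expression made only of negated terms accepts everything not excluded."""
    positive, negated = _split_terms(expr)
    v = value.lower()
    if any(fnmatch.fnmatchcase(v, n) for n in negated):
        return False
    return not positive or any(fnmatch.fnmatchcase(v, p) for p in positive)


def _id_range(term):
    """'118' -> (118, 118); '4000-5000' -> (4000, 5000)."""
    lo, _, hi = term.partition("-")
    lo = int(lo)
    return (lo, int(hi)) if hi else (lo, lo)


def event_id_matches(expr, event_id):
    """Match an Event ID against '3,5,118', '4000-5000' or '!4624', using the
    same assumed include/exclude semantics as text_matches."""
    positive, negated = _split_terms(expr)
    if any(lo <= event_id <= hi for lo, hi in map(_id_range, negated)):
        return False
    return not positive or any(
        lo <= event_id <= hi for lo, hi in map(_id_range, positive))


def filter_matches(flt, event):
    """A filter is a dict of field expressions. An absent or empty field
    matches any value, as the field descriptions state."""
    for field in ("log", "source", "category", "user", "computer"):
        expr = flt.get(field)
        if expr and not text_matches(expr, event[field]):
            return False
    id_expr = flt.get("id")
    return not id_expr or event_id_matches(id_expr, event["id"])


def matching_events(flt, events=EVENTS):
    """Return the sample events a filter would match."""
    return [e for e in events if filter_matches(flt, e)]


if __name__ == "__main__":
    loose = {"id": "4624"}
    strict = {"source": "Microsoft-Windows-Security-Auditing", "id": "4624"}
    # The loose filter also picks up the unrelated Application event.
    print(len(matching_events(loose)), "event(s) match ID 4624 without a source")
    print(len(matching_events(strict)), "event(s) match ID 4624 with a source")
```

Running the block shows the filter with only an Event ID matching two of the three sample events, while the same filter with the Event Source added matches only the logon event it was meant for.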
Username
Specify which username this filter should match. This is currently only relevant for the security event log. Usernames are logged by the Operating System in the form DOMAIN\Username.
Computer
Specify which computer this filter should match. If you do not specify a computer name, the filter will match any computer the package is applied to.
When FQDN names are enabled, specify the fully qualified host name (e.g. mailserver.mydomain.com), otherwise specify the NetBIOS name.
Filter Type
•Include The matching event will be forwarded to the specified action(s)
•Exclude The matching event will be blocked from being forwarded to the specified action(s) (or from all actions if "Trigger all actions" is checked)
•Anomaly The matching event will be evaluated to determine whether it is an anomaly
Advanced
Clicking Advanced will bring up the advanced options dialog.
Content Filter
Utilize the Content Filter to filter against a certain text string instead of, or in addition to, the properties listed above. Click the + button to add a new condition to the list of content filters, or select a condition and click the - button to remove it from the list.
If you specify multiple content filters, then you can chain them either with a logical OR or a logical AND. Content filters are processed from the top down.
OR: The content filter matches as soon as the first condition matches.
AND: The content filter only matches when all listed conditions match.
Using multiple negation filters in combination with an OR condition is not recommended, as it may lead to unexpected results: a message only fails an OR chain of negations when it contains every negated string, so the filter ends up matching almost everything.
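To make that caveat concrete, here is an added Python model of content-filter chaining (not EventSentry's implementation; case-insensitive substring matching and the sample messages are assumptions made for this example). It runs the same two negated conditions under AND and under OR so the difference is visible.

```python
# Constructed message bodies. The "Logon Type" line mimics the layout of a
# Windows logon event message but none of these are real captured events.
MSG_INTERACTIVE = "An account was successfully logged on.\nLogon Type: 2\nAccount Name: alice"
MSG_NETWORK = "An account was successfully logged on.\nLogon Type: 3\nAccount Name: svc-backup"
MSG_RDP = "An account was successfully logged on.\nLogon Type: 10\nAccount Name: bob"


def condition_matches(condition, message):
    """One content-filter condition: case-insensitive substring search, where a
    leading '!' means 'the message must NOT contain this string'."""
    negate = condition.startswith("!")
    needle = (condition[1:] if negate else condition).strip().lower()
    found = needle in message.lower()
    return not found if negate else found


def content_filter_matches(conditions, message, mode="AND"):
    """Chain the conditions top-down. AND requires every condition to match;
    OR stops at the first condition that matches."""
    if mode == "AND":
        return all(condition_matches(c, message) for c in conditions)
    if mode == "OR":
        return any(condition_matches(c, message) for c in conditions)
    raise ValueError("mode must be 'AND' or 'OR'")


# Intended rule: match only logons that are neither network (3) nor RDP (10).
NEITHER_NETWORK_NOR_RDP = ["!Logon Type: 3", "!Logon Type: 10"]


def evaluate(mode):
    """Return which sample messages the rule matches under the given mode."""
    samples = {"interactive": MSG_INTERACTIVE, "network": MSG_NETWORK, "rdp": MSG_RDP}
    return {name: content_filter_matches(NEITHER_NETWORK_NOR_RDP, msg, mode)
            for name, msg in samples.items()}


if __name__ == "__main__":
    # AND behaves as intended: only the interactive logon matches.
    print("AND:", evaluate("AND"))
    # OR matches every message: each one lacks at least one of the two strings,
    # so at least one negated condition is always satisfied.
    print("OR: ", evaluate("OR"))
```

The AND chain is the correct way to express "contains neither string"; the OR chain is equivalent to "does not contain both strings", which no single logon message ever does, so the filter fires on everything.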
Notes
You can annotate filters with descriptions that might prove useful to co-workers or to yourself in the future.