Filters are an integral part of EventSentry and allow you create rules as to which event log record gets forwarded to which notification. he simplest EventSentry configuration for example would consist of a single filter forwarding all events from all event logs to a database.
list of filters in event log package "Compliance"
Filter Processing
Since Exclude filters are always processed before include filters, it doesn't matter whether an exclude filter is located before or after an include filter, or located in a different package.
Include filters inside a package are still processed sequentially - from top to bottom. The sequence of include filters however is irrelevant in most scenarios, unless you use advanced features such as thresholds and "require acknowledgment".
The only exception are "Catch-All" packages and packages configured to ignore exclude filters from other packages, see Package Options for more information.
A filter can either be an include filter (and forward events to a notification) or be an exclude filter (and prevent events from being forwarded to a notification):
Exclude Filters
Exclude filters prevent certain events from being processed, and can either apply to all actions or only to a particular action. This gives you the ability to only exclude events for some actions (e.g. email), while logging everything to another action (event log consolidation). Exclude filters are always processed before include filters.
It does not matter into which event log package an exclude filter is placed, exclude filters are always evaluated before include filters are processed. The only exception are event log packages configured to ignore exclude filters from other packages.
Exclude filters are indicated in the filter list with a red "remove" button .
Include Filters
Include filters process event records that match their filter criteria and pass them on to the configured action or all actions. The more fields you restrict in a filter (e.g. Source, Category, ID ...) the fewer events will match that filter.
You can also apply threshold settings to include filters, or configure include filters as summary notification filters.
Include filters are indicated in the filter list with a blue arrow .
Recurring Event Filters
Recurring event filters appear like regular include filters, but do not actually forward events to a notification. Instead, recurring event filters write an error to the application event log when an event does not appear in the event log during a certain time period. For example, a recurring event filter can notify you when a backup job did not write a success event to the event log. See Recurring Event Filters for more information.
Filter Properties
You can filter events based on every property of an event record, including:
•Event Log (including custom event logs)
•Event Severity
•Event Source
•Event Category
•Event ID
•Event User
•Event Computer
•Event Description
•Day / Hour
See Filter Properties for more information. You can also paste event properties from an email sent by EventSentry or an event copied by the Windows event viewer into the general filter dialog.