How do I configure a basic Event Log Filter?

Article ID: 481
Category: Event Log Monitoring
Updated: 2023-02-21

Filters are an essential part of EventSentry which allow you to configure a set of actions to activate whenever an event occurs. For example, you can setup a filter to forward events to a database or in case of emergency send an email or SMS message to your phone.

A filter can either be an include filter (and forward events to a configured action) or be an exclude filter (and prevent events from being forwarded to an action). Please note that exclude filters are always processed before include filters.

A fresh installation of EventSentry includes several pre-configured filters that should be enough to get started, however it is important to know how these filters work and how to create your own.

Include Filters

In EventSentry, we create an include filter when we want an action to be taken whenever an event matches our configured conditions. The more specific our matching conditions, the fewer events will be forwarded to the action. Let's use the example that we would like to receive an email whenever a server is rebooted. In this case, we can configure an include filter for event 6009:

"Event 6009 is logged during every boot and indicates the operating system version, build number, service pack level, and other pertinent information about the system." MS KB-196452

Here is an example 6009 event:

And here in an include filter we can create for a 6009 event:

This approach works when there is a predictable state. We know whenever a server is rebooted an information event will be logged with ID 6009, therefore our 6009 filter will notify our email action. However, when we want to be notified of unexpected errors or we would like to consolidate events to a centralized database, we would want our filter to be broadly configured. Take this as an example:

This filter will match any Error and forward it to our sysadmin action. We specify multiple log types, and there is no specific Event Source, Category, or ID the filter is looking for. Therefore, this broadly configured filter will match all Error logs in the configured log types.

Exclude Filters

Exclude filters are configured the same way as an include filter, but perform the opposite function. Exclude filters prevent certain events from being forward to an action, and can either apply to all actions or only to a particular action. This gives you the ability, for example, to only exclude events for some actions (e.g. email), while logging everything to another action (e.g. database consolidation). Exclude filters are always processed before include filters. To turn an event log filter into an exclude filter, simply click the "exclude" button under Filter Settings. Otherwise, the process of configuring the filter is exactly the same as an include filter!




Try EventSentry on-premise

FREE 30-day evaluation

Download Now