How do I configure a filter timer?

Article ID: 488
Category: Event Log Monitoring
Updated: 2023-03-01

Filter Timers give you the ability to ignore events if they are followed by a specific second event within a set time period. For example, you probably want to be notified when a server goes offline for more than 5 minutes, but it might be OK if the server comes back online after 2 minutes.

Another example where a filter timer would be useful is for service status changes.

The Print Spooler service (spooler) changes its status from running to stopped at 11:33:51 AM. Someone was restarting the service, and the service started again several seconds later. Please note that you will need to monitor services with EventSentry in order for the following events to be logged to the event log.

After 6 seconds, the service is running again:

In this case we really don't need to be notified that the service went down. Since the service restart above took only 6 seconds, we can judge that it is OK if the Print Spooler service is stopped for less than 1 minute. If the service is stopped for more than 1 minute however we need to be notified.

The Filter Timer works by setting up at least two filters: One to send the alert and another one to (optionally) clear it. You can either create a new filter package for a filter timer or add the filter timers to an existing package (e.g. in its own folder). For this example we will create a new package appropriately named Filter Timer.

Configuring the Filter

We will add a filter and name it "Spooler Stop" which will forward events to our email target when the spooler service stops.

HINT: see more on configuring content filter matches in our article here!

Setting up the clearing filter

Now we will need to setup a filter that will clear our Spooler Stop filter. The easiest way to accomplish this would be to copy and paste the filter. The clearing filter will be the same as the Spooler Stop filter, with the exception of the filter text.

We will rename this filter to Spooler Start.

The only change we will make to the Spooler Start filter is to change the second content filter text from *Running to Stopped* to *Stopped to Running*

Setting the timer

Now that we have our clearing filter, we can open the Spooler Stop filter and click the Timers tab. Here we enable the timer, set the timeout period to 1 minute, and specify the filter that will clear Spooler Stop notification.

Please note that the timeout value will delay the alert regardless whether it is cleared or not. For example, if you set the timeout value to 30 minutes and the filter was not cleared, then you will receive the alert 30 minutes delayed, after the timeout period has elapsed.

Click the + button next to "Filters that clear this timer," then from the "Filter Selection" list we select the Spooler Start filter, since an event indicating that the service started should clear the alert.

Conclusion

We now have two filters, one to send an alert and one that will clear that alert. Now you will only be notified if the service is stopped for an extended time period, and not receive an alert when the service is only stopped for a short time period. Don't forget to save the configuration and update the configuration on the remote machines.



Try EventSentry on-premise

FREE 30-day evaluation

Download Now