The Filter Rules Test utility allows you to test your filter rules against actual event log events, without having to actually wait for events to happen. The utility is also integrated with the built-in event log viewer, and will show you which filter rules would match the event, including the action that would be triggered.
This makes it easy to ensure that your event log filter rules are set up correctly.
Launching the Filter Rules Test Utility
You can either launch the utility through the main menu by navigating to Tools -> Utilities -> Filter Rules Test Utility, or you can access the tool by right-clicking an event from the built-in event log viewer and selecting "Test against filter rules". The latter is generally easier, as all the event properties are automatically filled into the "Event Log Record" section.
Computer
Since event log filters are assigned to computers and groups, different computers might have different rules assigned to them. As such, EventSentry needs to know which filter rules to load and test against. If you do not specify a computer name here, then the event log record will be tested against all filter rules.
Verbose: Show all filters, including non-matching
Checking this option allows you to see exactly why a filter is not matching your event. By default, the tool will only display the first filter rule that matches the event specified in the "Event Log Record" section. This means that if an event matches both an exclude and an include filter, for example, then only the exclude filter will be shown without the "Verbose" option.
Filters that do not match the event will not be displayed. If you need to troubleshoot why a filter you created isn't matching and processing a given event, then this option will show you all non-matching filters and indicate why each one didn't match the event.
Event Log Record
Specify as many properties from the actual event as possible. You are required to enter at least the following:
• Event Log
• Event Severity
• Event Source
• Event ID
Viewing the Results
Click the TEST button to view the results of the test. The results will look similar to the screenshot shown below if you do not check the "Verbose" check box:
Note that the "Match Reason" will be empty if the matching filter does not have a source, category, event id or event detail configured. Otherwise the column will show which fields of the filter matched the event.
If you select the "Verbose" option, then the output will look slightly different and include additional columns:
The list will now include all filters, and non-matching filters will indicate why they did not match the event that was passed. For example, most of the exclude filters in the above screenshot did not match the event because the severity selected in the filter did not match the event severity.
You can double-click a filter in the list to locate and edit the filter details.
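The matching behaviour described above (rules assigned per computer, first-match by default, the empty "Match Reason" when only log and severity are configured, and the verbose listing of why each filter did or did not match) can be simulated offline. The following is an added example written for this page, not EventSentry's own code or rule format; the rule fields, the sample event and the sample rules are constructed, and it assumes rules are evaluated in list order with exclude filters placed before include filters.

```python
"""Simulation of an event log filter rules test (illustrative, not EventSentry code)."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class EventRecord:
    """The 'Event Log Record' being tested; log, severity, source and ID are required."""
    log: str
    severity: str
    source: str
    event_id: int
    category: str = ""
    detail: str = ""


@dataclass
class FilterRule:
    """A simplified filter rule; None means the field is not configured."""
    name: str
    action: str                    # "include" or "exclude"
    log: str
    severities: frozenset
    source: Optional[str] = None
    category: Optional[str] = None
    event_id: Optional[int] = None
    detail_contains: Optional[str] = None
    computers: Optional[frozenset] = None   # None = assigned to every computer


def evaluate(rule: FilterRule, event: EventRecord):
    """Return (matched, reason).

    On a match, reason lists the configured fields that matched; it is empty when
    the rule only restricts log and severity (the empty 'Match Reason' case).
    On a miss, reason names the first check that failed.
    """
    if rule.log != event.log:
        return False, f"event log {event.log!r} is not {rule.log!r}"
    if event.severity not in rule.severities:
        return False, f"severity {event.severity!r} not in {sorted(rule.severities)}"
    matched = []
    if rule.source is not None:
        if rule.source.lower() != event.source.lower():
            return False, f"source {event.source!r} is not {rule.source!r}"
        matched.append("source")
    if rule.category is not None:
        if rule.category.lower() != event.category.lower():
            return False, f"category {event.category!r} is not {rule.category!r}"
        matched.append("category")
    if rule.event_id is not None:
        if rule.event_id != event.event_id:
            return False, f"event id {event.event_id} is not {rule.event_id}"
        matched.append("event id")
    if rule.detail_contains is not None:
        if rule.detail_contains.lower() not in event.detail.lower():
            return False, f"event detail does not contain {rule.detail_contains!r}"
        matched.append("event detail")
    return True, ", ".join(matched)


def run_filter_test(rules, event, computer=None, verbose=False):
    """Simulate the TEST button.

    With no computer, every rule is tested. Without verbose, stop at the first
    matching rule (so an earlier exclude hides a later include); with verbose,
    report every applicable rule together with why it did or did not match.
    """
    results = []
    for rule in rules:
        if computer is not None and rule.computers is not None and computer not in rule.computers:
            continue   # rule is not assigned to this computer
        matched, reason = evaluate(rule, event)
        if matched:
            results.append((rule.name, rule.action, "match", reason))
            if not verbose:
                break
        elif verbose:
            results.append((rule.name, rule.action, "no match", reason))
    return results


# Constructed sample event: a failed network logon recorded in the Security log.
SAMPLE_EVENT = EventRecord(
    log="Security", severity="Audit Failure",
    source="Microsoft-Windows-Security-Auditing", event_id=4625,
    detail="An account failed to log on. Logon Type: 3")

# Constructed sample rules; computer name LABSRV01 is hypothetical.
SAMPLE_RULES = [
    FilterRule("Exclude successful logons", "exclude", "Security",
               frozenset({"Audit Success"})),
    FilterRule("Exclude lab noise", "exclude", "Security",
               frozenset({"Audit Failure"}), computers=frozenset({"LABSRV01"})),
    FilterRule("Include network logon failures", "include", "Security",
               frozenset({"Audit Failure"}),
               source="Microsoft-Windows-Security-Auditing", event_id=4625,
               detail_contains="Logon Type: 3"),
    FilterRule("Include all Security failures", "include", "Security",
               frozenset({"Audit Failure"})),
]

if __name__ == "__main__":
    for row in run_filter_test(SAMPLE_RULES, SAMPLE_EVENT, computer="WEB01", verbose=True):
        print(row)
```

Running it with `computer="WEB01"` and no verbose flag returns only the first matching rule ("Include network logon failures", with match reason "source, event id, event detail"); leaving the computer unset makes the lab-only exclude rule applicable and, because it comes first, it becomes the single result, with an empty reason since it configures nothing beyond log and severity. The verbose run lists every applicable rule, including the severity mismatch that stops the first exclude rule.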