Now that EventSentry is logging service changes to the event log, we can set up a filter that alerts us to these status changes.
The easiest way to do this is to use the include option in the EventSentry Event log Viewer, which automatically creates a filter based on the event you are currently viewing.
However, for the sake of this tutorial we will manually walk through how to create a specific filter that will notify us only when the Print Spooler service changes its status and ignore status changes of other services.
To keep things organized, we will create a new package called Service Changes, assign it globally, and add an include filter named Print Spooler.
Now we will declare our target as Default Email, which will send an email if the conditions specified on this filter match an event. Since we know that the event occurs in the Application log and is logged as an Error, we can restrict this filter to events that share those properties. We will also fill in EventSentry as the source, Service Monitoring as the category, and 10100 as the event ID.
Seeing as we configured Service Monitoring to log changes to the database, assigned it globally, and created an include filter, we are all set, right? Well, not quite.
With the current filter, you will receive an email for every service change reported by the service monitoring object. This means that you will potentially receive dozens of emails a day from services known to change their status frequently (e.g. CD-ROM Driver). As such, we will focus this filter to only let us know when the Print Spooler service changes its status.
Please note that wildcards must be enabled under General Options for this filter to work properly.
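The difference between the broad filter and the narrowed one can be modelled in a few lines. This is an added example, not EventSentry code: the content pattern `*Print Spooler*`, the sample message wording, and the way the model treats `*` when wildcards are off are all assumptions made for illustration.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase

@dataclass(frozen=True)
class Event:
    log: str
    severity: str
    source: str
    category: str
    event_id: int
    message: str

@dataclass(frozen=True)
class IncludeFilter:
    text: str = ""          # content filter; empty means "any message"
    wildcards: bool = True  # stands in for the General Options wildcard setting
    # Header fields as given in the tutorial text.
    log: str = "Application"
    severity: str = "Error"
    source: str = "EventSentry"
    category: str = "Service Monitoring"
    event_id: int = 10100

    def matches(self, ev: Event) -> bool:
        header = (ev.log, ev.severity, ev.source, ev.category, ev.event_id)
        if header != (self.log, self.severity, self.source, self.category, self.event_id):
            return False
        if not self.text:
            return True
        if self.wildcards:
            return fnmatchcase(ev.message.lower(), self.text.lower())
        # Assumption: with wildcards off, "*" is compared as a literal character.
        return self.text.lower() in ev.message.lower()

def svc(message: str) -> Event:
    return Event("Application", "Error", "EventSentry", "Service Monitoring", 10100, message)

# Constructed sample events; the message wording is illustrative only.
EVENTS = [
    svc("Service Print Spooler (Spooler) changed status from Running to Stopped"),
    svc("Service CD-ROM Driver (cdrom) changed status from Stopped to Running"),
    svc("Service Windows Update (wuauserv) changed status from Running to Stopped"),
    Event("Application", "Error", "Application Error", "None", 1000,
          "spoolsv.exe stopped; Print Spooler affected"),
]

def alerts(flt: IncludeFilter) -> list[str]:
    """Return the messages that would be forwarded to the email target."""
    return [ev.message for ev in EVENTS if flt.matches(ev)]
```

In this model the filter without a content pattern forwards every service change, the narrowed filter forwards only the Print Spooler event, and the same pattern with wildcards off forwards nothing.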