Multiple Instance EventSources

Professor

9 years ago

I agree Windows event handling really needs an overhaul. It would be probably a lot better to build out an ELK stack with a script eventsource to pull exceptions into LM, but I have to stand something up and give it a try. Of course, this is not really feasible unless your collectors are sturdy enough to handle both LM and the log analysis. Even with the basic Windows event source, normal filtering is too limited, and I have found it very difficult to successfully write a complex filter since there is no "Test" capability in the eventsource creator screen (would love to see this capability). In your case, there have been other threads I've seen that requesting an "event repeat" counter, and this of course would work very well to limit alerting if the counter value was available to decide whether an alert should fire instead of the way alerts trigger now. Ideally, a much more rich capability (e.g., like SEC or a limited correlation capability like nxlog-ce) would be welcome -- perhaps in addition to counters, an ability to record an event as active without an alert and to be able to reference that in another event check as a way to correlate before triggering alerts.

Regards,

Mark

Forum Discussion

Related Content

Dashboard Filtering Using Instance Properties

Change Instance Name

Excluding VMware VMs from instance discovery

Using Postman to create multiple Websites via API & CSV?

Remove multiple devices from a static group

Recent Discussions

Dashboard Sharing – An Inline Framing Method

2021-12-15 US Office Hours

Live Training - Tuning Datapoints and Alerts - 15th JUNE 2022 - APAC

Live Training - Introduction to Dashboards - 18th MAY 2022 - APAC

2022-05-11- APAC Product Overview -Collectors, Resources/Groups, Dashboards