Forum Discussion

Gary_Dewrell
11 years ago

Need more granular way to filter event logs.

Currently the filtering capabilities for Windows Events are not granular enough to be very effective because there is no tie between Event ID and DataSource.

This is a big problem because it is not uncommon for different EventSources to use the same Event ID.

I would suggest adding another filter option that would allow us to filter on a combination.

    Name      Operation   Value
    Complex   Exclude     (EventID = 123) & (EventSource = IIS)

This would filter Event 123 from EventSource IIS only.

  • Multiple filters are combined with an AND, not an OR. So if you had 2 filters:

    EVENTID NotMatch 123

    EVENTSOURCE NotMatch IIS

    A single eventsource with these two filters will include all events except those with ID 123 that are from the IIS source.

  • Moved this out of feature requests, as it looks like Phil provided a way. Let us know if this doesn't answer your need. Marking it answered for now.

    Thanks,

    Michael

  • That works for a single filter, but what happens when I have to do multiple? Let's say I want to filter out Event ID 123 from source ABC, event ID 456 from source DEF and event ID 789 from source HIJ. If I created the two rules you specified:

    EVENTID NoMATCH 123|456|789

    EVENTSOURCE NoMatch ABC|DEF|HIJ

    I have in effect filtered out event ID 123, event ID 456 and event ID 789 from all three sources ABC, DEF, and HIJ.

    Now what happens if EVENTSOURCE DEF has an event 123 that is critical?

  • I wasn't aware that different event sources would use the same event ID. Currently, I have a filter on all four eventsources that says

    eventid regexnotmatch FILTEREDEVENTS

    I have a property on the global level that has a long list of IDs that we do not want to see.

     
    filteredevents
     
      108|2028|9646|999|2156|2915|8010|1100|36888|36874|7011|56|10016|50|3004|11|9877
     

    With this new knowledge about event IDs not being unique, I will refactor the filters to use new properties FILTEREDIISEVENTS, FILTEREDSYSTEMSEVENTS, FILTEREDEXCHANGEEVENTS, etc.

    Definitely not elegant, but maybe that would work for you until LogicMonitor can create something better?

  • Achan, I use the same method to prevent Event ID overlap between the System, Application, Security, etc. logs. However, that does not resolve the issue of multiple sources that write to the same log using the same Event ID. The Event ID is selected by the programmer and not the OS, so it is not unheard of for two different applications to use the same Event IDs even though the sources will be different.

    For example there is an EVENT ID 50 from both NTFS and WIN32Time. Suppose you wanted to filter out the Win32Time EventID 50 but not the NTFS Event ID 50. Currently I do not know of a way to accomplish this.
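The two situations raised in this thread, the three-pair case (123/ABC, 456/DEF, 789/HIJ) and the Event ID 50 collision between NTFS and the time service, can be reproduced with a few lines of filter logic. The following is an added example written for this discussion; it is not code from the thread or from LogicMonitor's collector. It models the AND-combined NotMatch behaviour Phil describes (an event is dropped only when every filter's pattern matches its field) and the compound "(EventID = x) & (EventSource = y)" rule Gary proposes, using constructed sample events and a constructed `W32Time` source name.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    event_id: int
    source: str
    message: str


# Constructed sample events; none of these are real log records.
SAMPLE_EVENTS = [
    Event(123, "ABC", "noise"),
    Event(456, "DEF", "noise"),
    Event(789, "HIJ", "noise"),
    Event(123, "DEF", "critical: ID 123 from DEF must be kept"),
    Event(50, "NTFS", "keep: NTFS ID 50"),
    Event(50, "W32Time", "drop: time-service ID 50"),
    Event(1000, "ABC", "keep: unrelated ID from ABC"),
]

# A rule is a list of (field, regex) conditions that are AND-combined:
# the event is excluded only when every condition in the rule matches.
# A rule set is a list of rules that are OR-combined.
Rule = list[tuple[str, str]]

# The thread's two NotMatch filters form ONE rule, so the ID list and the
# source list are matched independently (a cross product, as Gary notes).
CROSS_PRODUCT_RULES: list[Rule] = [
    [("event_id", "123|456|789"), ("source", "ABC|DEF|HIJ")],
]

# The proposed "Complex Exclude" form: one rule per (EventID, EventSource) pair.
PAIR_RULES: list[Rule] = [
    [("event_id", "123"), ("source", "ABC")],
    [("event_id", "456"), ("source", "DEF")],
    [("event_id", "789"), ("source", "HIJ")],
    [("event_id", "50"), ("source", "W32Time")],  # NTFS ID 50 is untouched
]


def rule_matches(event: Event, rule: Rule) -> bool:
    """True when every condition in the rule fully matches its field."""
    return all(
        re.fullmatch(pattern, str(getattr(event, field))) is not None
        for field, pattern in rule
    )


def keep_events(events: list[Event], rules: list[Rule]) -> list[Event]:
    """Drop an event if any rule matches it; keep the rest in order."""
    return [e for e in events if not any(rule_matches(e, r) for r in rules)]


def kept_ids(events: list[Event], rules: list[Rule]) -> list[tuple[int, str]]:
    """(event_id, source) of every event that survives the rule set."""
    return [(e.event_id, e.source) for e in keep_events(events, rules)]


if __name__ == "__main__":
    print("AND-combined NotMatch filters keep:", kept_ids(SAMPLE_EVENTS, CROSS_PRODUCT_RULES))
    print("Per-pair compound rules keep:     ", kept_ids(SAMPLE_EVENTS, PAIR_RULES))
```

With the cross-product rule, the critical ID 123 from DEF is dropped along with the three intended pairs, which is exactly the gap described above; with one compound rule per pair, it survives, and the NTFS ID 50 survives while the time-service ID 50 is dropped.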

  • That is great news. I will even forgive you for butchering my name :)

    Thank you guys for being so responsive to our needs.

    Best support from any company I have ever worked with.

    Gary