21 minutes ago, Stuart Weenig said:
Sorry, was headed into a meeting and didn't have time to explain. Pre-reading: https://www.logicmonitor.com/support/logicmodules/eventsources/types-of-events/windows-event-log-monitoring Pay particular attention to the FILTEREDEVENTS option.
You can combine multiple sets of criteria into a single EventSource. You do this in your filters. As you found, you can set very specific filters so that each EventSource is responsible for alerting on a particular event. Instead, be less specific and one EventSource can capture multiple events. You can use RegEx to create a filter as complex as needed. When the alert is opened the "Alert Message" template is used to create the alert message displayed in the alert. Since it uses tokens, you can use a single template for most (or all) of the events.
No problem!!!
Ok I think I got that, within the 'Application' log we've multiple filters where we want to fetch events from multiple different sources & for each of those sources only grab specific IDs.
Example (just using two events we get from the Application events):
Both of those events fall into the 'Application' logs but contain different sources & different IDs per source.
From looking into the Event Source definition I'm able to pass the Source(s) & ID(s) but, in a separate way:
This will not restrict those IDs to the actual Source(s).
But, if I use the Complex thing I can achieve it (examples below)
First event (1st image) -> (EVENTID == 1540 || EVENTID == 1541) && (SOURCENAME ==~ /(?i)Citrix\sMetaframe\sConferencing\sManager.*/)
Second event (2nd image) -> (EVENTID == 9032) && (SOURCENAME ==~ /(?i)Citrix\sICA\sService.*/)
Combining both (using OR logic) -> ((EVENTID == 1540 || EVENTID == 1541) && (SOURCENAME ==~ /(?i)Citrix\sMetaframe\sConferencing\sManager.*/)) || ((EVENTID == 9032) && (SOURCENAME ==~ /(?i)Citrix\sICA\sService.*/))
Would this work & only capture those 2?
If yes, that would be great :)/emoticons/smile@2x.png 2x" title=":)" width="20">
Advisor
