Event filter definitions
Event filters can be used to select specific instances of an event based on the event parameters. Besides the event number and the message, events often contain additional information. This information can be used to distinguish relevant from less relevant events. By defining event filters separately, they can be quickly reused in rules that require event selection.
To create an event filter, right-click the Event filter definition sub-node and select New... from the menu. A list of available events is displayed. Select the event to which this filter should be applied and click OK.
A dialog box with tabs will be displayed. On the General tab, a name for the filter can be entered in Description - this is the name that will be displayed in the event filter list once the definition is saved.
The filter criteria tab is used to define how the various instances of the event are to be filtered. Click Add to add criteria and logical operators to the filter specification. The available criteria vary by event type, depending on the additional information logged with the event. Logical operators can be used to combine multiple conditions for event selection.
To describe a condition, start by adding an operator. The following operators are available:
- AND: All criteria associated with this operator must match.
- OR: At least one of the criteria associated with this operator must match.
- N: At least n of the listed criteria (more than n) associated with this operator must match. The number n is selected when the operator is added.
To link a criterion to an operator, select the operator in the list, click Add and select Criterion. Select one from the displayed list of event parameters. The next dialog box is where you complete the criterion by selecting a comparison or match operator and one or more value(s) to compare. To add the criterion to the filter description, click OK.
You can change operators and conditions by selecting them and clicking Edit.
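The following added example (not code from the product) models how a filter built from the AND, OR and N operators selects events, including a nested N operator with n = 2. The parameter names, the "equals" and "wildcard" comparisons, and the sample events are assumptions made for illustration.

```python
import fnmatch

def criterion(param, op, values):
    """Leaf: compare one event parameter against one or more values."""
    return ("crit", param, op, list(values))

def operator(kind, children, n=None):
    """Operator node: 'AND', 'OR' or 'N' (N needs a threshold n >= 1)."""
    if kind == "N" and (not isinstance(n, int) or n < 1):
        raise ValueError("N operator needs a positive threshold n")
    return ("op", kind, n, list(children))

def matches(node, event):
    """Return True if the event's parameters satisfy the filter tree."""
    if node[0] == "crit":
        _, param, op, values = node
        if param not in event:  # parameter not logged with this event
            return False
        actual = str(event[param]).lower()
        if op == "equals":  # assumed comparison operator
            return any(actual == v.lower() for v in values)
        if op == "wildcard":  # assumed match operator
            return any(fnmatch.fnmatchcase(actual, v.lower()) for v in values)
        raise ValueError(f"unknown comparison: {op}")
    _, kind, n, children = node
    hits = sum(1 for child in children if matches(child, event))
    if kind == "AND":
        return hits == len(children)
    if kind == "OR":
        return hits >= 1
    return hits >= n  # 'N': at least n of the listed criteria

# Constructed sample: parameter names and values are hypothetical.
FILTER = operator("AND", [
    criterion("DriveType", "equals", ["USB"]),
    operator("N", [
        criterion("UserName", "wildcard", ["svc-*"]),
        criterion("FileExtension", "equals", ["exe", "ps1"]),
        criterion("ComputerName", "wildcard", ["KIOSK-*"]),
    ], n=2),
])
EVENTS = [
    {"DriveType": "USB", "UserName": "svc-backup", "FileExtension": "exe", "ComputerName": "WS-014"},
    {"DriveType": "USB", "UserName": "alice", "FileExtension": "docx", "ComputerName": "KIOSK-03"},
    {"DriveType": "Network", "UserName": "svc-backup", "FileExtension": "ps1"},
]

def selected(events=EVENTS, flt=FILTER):
    return [matches(flt, e) for e in events]
```

Only the first sample event is selected: the second satisfies one of the three N criteria instead of two, and the third fails the outer AND.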
The Computers, Networks and Times tabs can be used to enable or disable the use of the filter on specific computers connected to specific networks during specific time periods.
Save the new filter definition. It will be added to the Alert definitions list on the right.
The global setting Evaluate event filters allows you to specify whether event filters or alerts are evaluated.