How do I add exclude statements to the General_EventLog knowledge script? (NETIQKB761)

  • 7700761
  • 02-Feb-2007
  • 27-Aug-2010

Environment

NetIQ AppManager 7.0

Situation

How do I add exclude statements to the General_EventLog knowledge script?

Resolution

To raise an Event only when a particular message is posted but not when it is posted together with other specific information (raise an Event when X occurs, but not when X and Y occur together), use the following format to specify exclude criteria for each Event being filtered:

        All filtering fields support exclusion. The include and exclude lists are separated by a colon (":"), in the form include:exclude.

        If the same pattern appears in both the Include and Exclude lists, that entry is excluded (exclusion takes precedence).

        Multiple include and exclude items, separated by commas, can be specified. An empty include list (a filter beginning with ":") includes everything that is not excluded.

For example:

         Computer filter is set to "ENGR:02,06". These machines will be included: ENGR01, ENGR03, ENGR04, myENGR, xxENGRyy. ENGR02 and ENGR06 are excluded. Matching is on substrings, which is why myENGR and xxENGRyy are included.

         Category filter is set to "SQL:". All categories containing SQL are included. This is equivalent to "SQL" without the colon.

         Description filter is set to ":ODBC,RPC". All entries with ODBC or RPC in their descriptions will be excluded; all other entries are included.

         EventID filter is set to "1-5,10,20-100:2,30-33". This filter accepts these Event IDs: 1, 3-5, 10, 20-29, 34-100.

***

To filter on users or events from a particular domain (in the NT Security event log, for example), use the format:

Domain\users:Domain\users

The entries before the colon are included and the entries after it are excluded; the domain portion of each entry is matched as well as the user portion.

***

To filter for users whose user name contains the value BLDGxx, for example, regardless of domain:

\Bldgxx

Leaving the domain portion empty matches users containing BLDGxx from any domain.

***

To include users named Jones from any domain whose name begins with Account:

Account\Jones

This will include users with "Jones" in the user name from any domain beginning with Account.

Or

Account\John:Account1\

This will include all users containing "John" from all domains beginning with "Account", except users in the Account1 domain (the empty user portion after "Account1\" excludes every user in that domain).

***

To exclude events from only a specific source (such as Microsoft SQL Server), enter the following in the Source field of the Knowledge Script monitoring the Application log:

:MSSQLServer
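The following Python module is an added example, not NetIQ code, that models the include:exclude filter rules described above (the general field filters and the Domain\user forms) so that a filter string can be checked against sample events before it is deployed in a Knowledge Script. The article does not state whether matching is case-sensitive or what a user pattern without a backslash means; this example assumes case-insensitive substring matching and treats a backslash-free user pattern as a plain substring match, and both assumptions are marked in the code. The sample events are constructed for the example.

```python
"""Reference model of the include:exclude filter syntax used by the
General_EventLog knowledge script. Added example for this KB article; it is
not NetIQ code. Matching rules the article does not spell out are marked as
assumptions below."""


def split_filter(spec):
    """Split 'inc1,inc2:exc1,exc2' into (includes, excludes).

    Only the first colon separates the lists, so a missing colon means
    "no excludes" and 'SQL:' is the same filter as 'SQL'."""
    inc, _, exc = spec.partition(":")
    items = lambda s: [i.strip() for i in s.split(",") if i.strip()]
    return items(inc), items(exc)


def _evaluate(value, spec, match):
    """Generic decision: an exclude hit wins over an include hit; an empty
    include list admits everything that is not excluded."""
    inc, exc = split_filter(spec)
    if any(match(value, item) for item in exc):
        return False
    return not inc or any(match(value, item) for item in inc)


def text_match(value, item):
    # Assumption: substring, case-insensitive (the article matches BLDGxx with \Bldgxx).
    return item.lower() in value.lower()


def accept_text(value, spec):
    """Computer, Category, Source and Description fields."""
    return _evaluate(value, spec, text_match)


def id_match(event_id, item):
    """EventID items are single numbers or inclusive ranges such as '20-100'."""
    lo, dash, hi = item.partition("-")
    lo = int(lo)
    hi = int(hi) if dash else lo
    return lo <= event_id <= hi


def accept_event_id(event_id, spec):
    return _evaluate(event_id, spec, id_match)


def user_match(account, item):
    """account is 'DOMAIN\\user'. A pattern 'dom\\usr' requires the domain to
    begin with 'dom' and the user name to contain 'usr'; either side may be
    empty ('\\Bldg' = any domain, 'Account1\\' = any user in that domain)."""
    domain, _, user = account.partition("\\")
    if "\\" not in item:
        # Assumption: a pattern without a backslash is a plain substring match
        # against the whole DOMAIN\user string; the article does not cover this case.
        return text_match(account, item)
    pdom, _, puser = item.partition("\\")
    return domain.lower().startswith(pdom.lower()) and puser.lower() in user.lower()


def accept_user(account, spec):
    return _evaluate(account, spec, user_match)


FIELD_MATCHERS = {"event_id": accept_event_id, "user": accept_user}


def filter_events(events, filters):
    """Keep events that pass every configured field filter (fields AND together)."""
    kept = []
    for event in events:
        if all(FIELD_MATCHERS.get(field, accept_text)(event[field], spec)
               for field, spec in filters.items()):
            kept.append(event)
    return kept


# Constructed sample events, not taken from a real log.
SAMPLE_EVENTS = [
    {"computer": "ENGR01", "source": "MSSQLServer", "event_id": 17055,
     "user": "CORP\\svc_sql", "description": "Login succeeded"},
    {"computer": "ENGR02", "source": "Service Control Manager", "event_id": 7036,
     "user": "NT AUTHORITY\\SYSTEM", "description": "Service entered running state"},
    {"computer": "ENGR03", "source": "Service Control Manager", "event_id": 7036,
     "user": "AccountWest\\JohnDoe", "description": "RPC server unavailable"},
    {"computer": "xxENGRyy", "source": "Userenv", "event_id": 1030,
     "user": "Account1\\JohnSmith", "description": "Group policy applied"},
]


def demo():
    """The article's Source exclusion combined with its Computer filter example."""
    return [e["computer"] for e in filter_events(
        SAMPLE_EVENTS, {"computer": "ENGR:02,06", "source": ":MSSQLServer"})]


if __name__ == "__main__":
    print(demo())  # ['ENGR03', 'xxENGRyy']
```

Because excludes are substring matches under these assumptions, an exclude item such as "02" in "ENGR:02,06" also removes a computer named ENGR102; check a candidate filter against the names actually present in your environment before relying on it to suppress Events.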


Additional Information

Formerly known as NETIQKB761