How do I add exclude statements to the General_EventLog knowledge script? (NETIQKB761)

  • 7700761
  • 02-Feb-2007
  • 27-Aug-2010


NetIQ AppManager 7.0


How do I add exclude statements to the General_EventLog knowledge script?


To raise an Event only when a particular message is posted but not when it is posted with other specific information (raise an Event when X occurs, but not when X and Y occur together), use the following format to exclude criteria for each Event being filtered:

  • All filtering fields are augmented with exclude capability. The include and exclude fields are delimited by a colon ":".

  • If the same pattern appears in both the Include and Exclude lists, that entry is excluded.

  • Multiple include and exclude items can be specified, separated by commas.

For example:

  • Computer filter is set to "ENGR:02,06". These machines will be included: ENGR01, ENGR03, ENGR04, myENGR, xxENGRyy.

  • Category filter is set to "SQL:". All categories with SQL are included. This is equivalent to "SQL" without the colon.

  • Description filter is set to ":ODBC,RPC". All entries with ODBC or RPC in their descriptions will be excluded.

  • EventID filter is set to "1-5,10,20-100:2,30-33". This filter accepts these event IDs: 1,3-5,10,20-29,34-100.
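
The include:exclude rules above can be checked offline before a filter is deployed. The following Python sketch is an added example, not NetIQ code: it models the semantics as this article describes them, and it assumes case-sensitive substring matching and that an empty include list matches everything. The function names and the host names in the demo are made up for illustration.

```python
# Added illustration of the include:exclude semantics described above.
# Assumptions: substring matching is case-sensitive, and an empty include
# list means "match everything" (as in the ":ODBC,RPC" example).

def split_filter(spec):
    """Split 'include:exclude' into two lists of comma-separated items."""
    include, _, exclude = spec.partition(":")
    def items(part):
        return [p.strip() for p in part.split(",") if p.strip()]
    return items(include), items(exclude)

def text_match(spec, value):
    """Substring filter for Computer, Category, Description and similar fields."""
    include, exclude = split_filter(spec)
    if any(p in value for p in exclude):      # an exclude hit always wins
        return False
    return not include or any(p in value for p in include)

def id_in(items, event_id):
    """True if event_id equals an item or falls inside an 'a-b' range."""
    for item in items:
        lo, _, hi = item.partition("-")
        if int(lo) <= event_id <= int(hi or lo):
            return True
    return False

def event_id_match(spec, event_id):
    """Numeric filter for the EventID field, with range support."""
    include, exclude = split_filter(spec)
    if id_in(exclude, event_id):
        return False
    return not include or id_in(include, event_id)

def accepted_ids(spec, candidates):
    """List the candidate event IDs that a filter lets through."""
    return [i for i in candidates if event_id_match(spec, i)]

if __name__ == "__main__":
    # Constructed host names, checked against the Computer filter example.
    for host in ["ENGR01", "ENGR02", "myENGR", "SALES06"]:
        print(host, text_match("ENGR:02,06", host))
    print(accepted_ids("1-5,10,20-100:2,30-33", range(1, 101)))
```

Running a proposed filter through a check like this shows exactly which events an exclude term would silence, which helps avoid suppressing events that should still raise an alert.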


To filter on users or events from a particular domain, in the NT Event Security Log for example, use the format:


This will include or exclude the domain information.


To filter for users containing the value BLDGxx, for example, in the user name:


This will include the users containing BLDGxx from any domain.


To include users from any domain beginning with Account and users named Jones:


This will include users with "Jones" in the name from a domain beginning with Account.



This will include all users containing "John" from all "Account" domains except the Account1 domain.


To exclude events from only one specific source (such as Microsoft SQL Server), enter the following into the source field of the Knowledge Script that monitors the Application log:






Additional Information

Formerly known as NETIQKB761