Environment
Situation
Resolution
To raise an Event only when a particular message is posted but not when it is posted with other specific information (raise an Event when X occurs, but not when X and Y occur together), use the following format to exclude criteria for each Event being filtered:
· All filtering fields are augmented with exclude capability. The include and exclude lists are delimited by a colon (:).
· If the same pattern appears in both the include and exclude lists, that entry is excluded.
· Multiple include and exclude items, separated by commas, can be specified.
For example:
· Computer filter is set to "ENGR:02,06". These machines will be included: ENGR01, ENGR03, ENGR04, myENGR, xxENGRyy. Machines whose name contains 02 or 06 (such as ENGR02 and ENGR06) are excluded.
· Category filter is set to "SQL:". All categories containing SQL are included. This is equivalent to "SQL" without the colon.
· Description filter is set to ":ODBC,RPC". All entries with ODBC or RPC in their description are excluded; everything else is included.
· EventID filter is set to "1-5,10,20-100:2,30-33". This filter accepts these event IDs: 1, 3-5, 10, 20-29, 34-100.
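The rules above, as an added worked example written for this article (it is not the product's own filter implementation): a small Python model of the include:exclude syntax, with substring matching for text fields and single IDs or low-high ranges for the EventID field. Two details the article does not state are assumed here: comparisons are case-insensitive, and an empty include list (as in ":ODBC,RPC") means "include everything not excluded".

```python
"""Model of the include:exclude filter syntax (illustrative, not product code).

Rules modelled:
  * filter = "<include list>:<exclude list>", each a comma-separated list
  * text fields (Computer, Category, Description, ...) match by substring
  * EventID accepts single ids ("10") and inclusive ranges ("20-100")
  * an entry matching both lists is excluded (exclude wins)
Assumptions: case-insensitive matching; empty include list = include all.
"""
import re


def split_filter(spec):
    """Split "inc1,inc2:exc1,exc2" into two cleaned lists."""
    include, _, exclude = spec.partition(":")
    inc = [p.strip() for p in include.split(",") if p.strip()]
    exc = [p.strip() for p in exclude.split(",") if p.strip()]
    return inc, exc


def text_matches(spec, value):
    """True if a text field value passes the filter."""
    inc, exc = split_filter(spec)
    v = value.lower()                       # assumption: case-insensitive
    if any(p.lower() in v for p in exc):    # exclude list always wins
        return False
    if not inc:                             # ":ODBC,RPC" style filter
        return True
    return any(p.lower() in v for p in inc)


def _parse_ranges(items):
    """Turn ["1-5", "10"] into [(1, 5), (10, 10)]; reject anything else."""
    ranges = []
    for item in items:
        m = re.fullmatch(r"(\d+)(?:-(\d+))?", item)
        if not m:
            raise ValueError("bad EventID filter item: %r" % item)
        lo = int(m.group(1))
        hi = int(m.group(2)) if m.group(2) else lo
        ranges.append((lo, hi))
    return ranges


def eventid_matches(spec, event_id):
    """True if a numeric event ID passes the EventID filter."""
    inc, exc = split_filter(spec)
    if any(lo <= event_id <= hi for lo, hi in _parse_ranges(exc)):
        return False
    if not inc:
        return True
    return any(lo <= event_id <= hi for lo, hi in _parse_ranges(inc))


def accepted_ids(spec, upto=110):
    """Enumerate the IDs 1..upto that the filter would raise an event for."""
    return [i for i in range(1, upto + 1) if eventid_matches(spec, i)]


if __name__ == "__main__":
    # Constructed sample inputs mirroring the article's examples.
    for name in ["ENGR01", "ENGR02", "myENGR", "xxENGRyy", "SALES01"]:
        print("Computer ENGR:02,06", name, text_matches("ENGR:02,06", name))
    print("EventID 1-5,10,20-100:2,30-33 ->",
          accepted_ids("1-5,10,20-100:2,30-33"))
```

`accepted_ids` is the quickest way to sanity-check a range filter before deploying it: if the printed list is not the set of IDs you expect to alert on, the include and exclude lists are overlapping in a way you did not intend.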
***
To filter on users or events from a particular domain, in the NT Event Security Log for example, use the format:
Domain\users:Domain\users
The domain part then takes part in the include or exclude match along with the user name.
***
To filter for users whose user name contains the value BLDGxx, for example:
\Bldgxx
This will include users containing BLDGxx from any domain; the empty domain part before the backslash matches every domain.
***
To include users whose name contains Jones from any domain beginning with Account:
Account\Jones
This will include users with "Jones" in the name from any domain beginning with Account.
Or
Account\John:Account1\
This will include all users containing "John" from all "Account" domains except the Account1 domain.
***
To exclude events from only a specific source (such as Microsoft SQL Server), enter the following in the Source field of the Knowledge Script monitoring the Application log:
:MSSQLServer
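The Domain\User patterns from the Security log examples above, as an added worked example written for this article (not the product's own code): a Python model in which the domain part of a pattern is matched as a prefix ("beginning with", as the article describes) and the user part as a substring, with either part allowed to be empty. Case-insensitive matching and the handling of an account that carries no domain are assumptions, as the article does not cover them.

```python
"""Model of the Domain\\User include:exclude filter (illustrative, not product code).

Pattern "Domain\\User":
  * Domain matches the account's domain by prefix (empty = any domain)
  * User matches the account's user name by substring (empty = any user)
  * "inc1,inc2:exc1,exc2" as for every other field; exclude wins
Assumptions: case-insensitive; an account without a backslash is treated as
a bare user name in no domain.
"""


def _split_list(text):
    return [p.strip() for p in text.split(",") if p.strip()]


def _parse_pattern(pattern):
    """"Account1\\" -> ("Account1", ""); "\\Bldgxx" -> ("", "Bldgxx")."""
    domain, sep, user = pattern.partition("\\")
    if not sep:                    # no backslash: whole pattern is a user pattern
        return "", pattern
    return domain, user


def _pattern_matches(pattern, domain, user):
    d_pat, u_pat = _parse_pattern(pattern)
    domain_ok = domain.lower().startswith(d_pat.lower())  # "" matches any domain
    user_ok = u_pat.lower() in user.lower()               # "" matches any user
    return domain_ok and user_ok


def user_matches(spec, account):
    """True if an account written as "DOMAIN\\user" passes the User filter."""
    include, _, exclude = spec.partition(":")
    if "\\" in account:
        domain, _, user = account.partition("\\")
    else:                          # assumption: no domain present at all
        domain, user = "", account
    if any(_pattern_matches(p, domain, user) for p in _split_list(exclude)):
        return False
    inc = _split_list(include)
    if not inc:
        return True
    return any(_pattern_matches(p, domain, user) for p in inc)


if __name__ == "__main__":
    # Constructed sample accounts; the filter is the article's last User example.
    spec = "Account\\John:Account1\\"
    for acct in ["Account2\\john.doe", "Account1\\john.doe",
                 "Account10\\john.doe", "Finance\\john.doe"]:
        print(spec, acct, user_matches(spec, acct))
```

One consequence of the prefix semantics that is worth checking before relying on an exclude list: under this model "Account1\" also excludes every user in Account10, Account11 and so on, because those domain names begin with Account1. If that is not what you want, list the domains you mean to exclude individually rather than relying on a shared prefix.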