Filter Thresholds


Filter thresholds let you take action not only when a certain event occurs, but also depending on how often it occurs. For example, you can be notified when an event occurs at least 10 times an hour, or you can prevent a large number of identical events from flooding a target.

 

Thresholds are set up on a per-filter basis; you access the threshold settings by editing a filter and clicking on the Threshold tab.

 

Threshold Types

You have two threshold types at your disposal:

 

1. Maximum Threshold

Most useful when you want to prevent a large number of events matching a filter from flooding a target, such as an SMTP target. You specify the maximum number of events allowed within the time period, and whether you want to be notified when the threshold has been exceeded.

 

Log Exceeded Threshold: The exceeded-threshold event is logged after the specified time period has elapsed, not when the first event exceeds the threshold. A notification about a flood therefore arrives at the end of the period rather than at the moment the limit is crossed.

 

2. Custom Threshold

Choose this option when you want to determine whether an event has been logged at least X times within the time period. You can choose whether events are ignored or processed before the limit is reached, and again after it has been reached.

 


 

Threshold Options (Match Types)

By default, the internal counters that count toward the threshold limits are increased every time an event matches the filter (the Filter match type). While this is what you want in most cases, you can also keep separate threshold counters per combination of selected event properties (the Event match type). This allows more granular thresholds, but consumes slightly more resources.

 

Filter (every event processed by this filter)

Every time an event matches the filter the internal threshold counters are increased.

 

Event (every event that shares the same properties below)

Every event that has the same values for the selected properties increases the same internal threshold counter; an event with a different combination of values gets its own counter. The table below shows how EventSentry increases the threshold counters when the match type is set to Event with the Log, Severity, Source and Category properties selected.

 


 

 

Threshold Counter   Log        Severity        Source     Category
15                  Security   Audit Failure   Security   Logon/Logoff
4                   Security   Audit Failure   Security   Account Logon
1                   Security   Audit Success   Security   System Event

 

Every time an event occurs that shares the same Log, Severity, Source and Category as an existing threshold entry, that entry's counter is increased. If a new combination is encountered (such as the third row, "System Event"), a new counter is started at 1.
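The following simulation is an added illustration of the threshold behaviour described on this page (both the Maximum and Custom threshold types, and the Filter versus Event match types); it is not EventSentry's own code. It assumes details the page does not state: that each counter resets at the end of its time period, that the event which reaches a Custom limit is itself forwarded, and that the Maximum threshold's "exceeded" notice is written when the period closes. The sample events, their timestamps and event IDs are constructed to reproduce the counter table above.

```python
# Simulation of filter thresholds (added illustration, not EventSentry code).
# Assumptions not stated on the page: counters reset per time period, the event
# that reaches a Custom limit is forwarded, and the Maximum "exceeded" notice is
# emitted when the period closes.
from collections import Counter
from dataclasses import dataclass

# Properties selected for the Event match type in the page's example.
PROPS = ("log", "severity", "source", "category")


@dataclass(frozen=True)
class Event:
    time: int          # seconds into the observed hour (constructed)
    log: str
    severity: str
    source: str
    category: str
    event_id: int      # illustrative Windows event ID


def counter_key(event, match, properties=PROPS):
    """Filter match type: one counter for the whole filter.
    Event match type: one counter per combination of selected property values."""
    if match == "filter":
        return ("filter",)
    return tuple(getattr(event, p) for p in properties)


def count_by_key(events, match, properties=PROPS):
    """Reproduce the counter table: events with the same key share a counter."""
    return Counter(counter_key(e, match, properties) for e in events)


class Threshold:
    """One filter's threshold; mode is "maximum" or "custom"."""

    def __init__(self, mode, limit, period, match="filter", properties=PROPS,
                 log_exceeded=True, process_before=False, process_after=False):
        self.mode, self.limit, self.period = mode, limit, period
        self.match, self.properties = match, properties
        self.log_exceeded = log_exceeded
        self.process_before, self.process_after = process_before, process_after
        self.counts, self.window_start = {}, {}
        self.forwarded = []   # events passed on to the filter's targets
        self.status = []      # status messages written to the event log

    def _close_window(self, key):
        # Maximum threshold: the exceeded notice is logged only when the
        # period ends, not when the first event goes over the limit.
        n = self.counts.get(key, 0)
        if self.mode == "maximum" and self.log_exceeded and n > self.limit:
            self.status.append(f"threshold exceeded for {key}: {n} > {self.limit}")
        self.counts[key] = 0

    def process(self, event):
        key = counter_key(event, self.match, self.properties)
        if key not in self.window_start:
            self.window_start[key] = event.time
        elif event.time - self.window_start[key] >= self.period:
            self._close_window(key)              # period elapsed: reset counter
            self.window_start[key] = event.time
        n = self.counts[key] = self.counts.get(key, 0) + 1
        if self.mode == "maximum":
            forward = n <= self.limit            # suppress the flood past the limit
        elif n < self.limit:
            forward = self.process_before        # custom: before the limit is reached
        elif n == self.limit:
            forward = True                       # custom: the Xth occurrence
        else:
            forward = self.process_after         # custom: after the limit is reached
        if forward:
            self.forwarded.append(event)

    def finish(self):
        """Close every open period at the end of the observed interval."""
        for key in list(self.counts):
            self._close_window(key)


def sample_events():
    """Constructed events reproducing the page's counter table (not real logs)."""
    sec = "Security"
    evs = [Event(i * 60, sec, "Audit Failure", sec, "Logon/Logoff", 4625) for i in range(15)]
    evs += [Event(i * 300 + 30, sec, "Audit Failure", sec, "Account Logon", 4776) for i in range(4)]
    evs.append(Event(1200, sec, "Audit Success", sec, "System Event", 4608))
    return sorted(evs, key=lambda e: e.time)


def run_threshold(events, mode, limit, period, match="event", **opts):
    """Feed all events through one threshold and return it for inspection."""
    t = Threshold(mode, limit, period, match, **opts)
    for e in events:
        t.process(e)
    t.finish()
    return t


if __name__ == "__main__":
    evs = sample_events()
    for key, n in count_by_key(evs, "event").items():
        print(n, key)
    flood = run_threshold(evs, "maximum", 10, 3600)
    print(len(flood.forwarded), "forwarded;", flood.status)
    custom = run_threshold(evs, "custom", 10, 3600)
    print("custom forwarded:", [(e.time, e.category) for e in custom.forwarded])
```

With the Event match type, the 15 Logon/Logoff failures, the 4 Account Logon failures and the single System Event each get their own counter, so a Maximum threshold of 10 per hour forwards the first 10 Logon/Logoff failures, suppresses the rest, and logs one exceeded notice when the hour closes, while the other two keys pass untouched. With the Filter match type the same 20 events share one counter and only the first 10 of any kind are forwarded. A Custom threshold of 10 with "ignore before" and "ignore after" forwards exactly the tenth Logon/Logoff failure, which is the shape you want for a "notify me once a logon-failure burst reaches 10 in an hour" rule.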

 

Event Log Logging

If configured, EventSentry logs certain status information (for example, that a threshold was exceeded) to the event log. You can specify the severity at which these messages are written to the event log. Please see Event Logs for more information on the event messages logged by the threshold feature.