General Filter Options


You can filter against every field of an event log record except the Computername (which is assumed to be the localhost) and the Date and Time (you can filter based on hour and day; please see Day & Hour Configuration on the next page for details).


All fields in the Details section support wildcards, negation and multiple values separated by commas. Please see Advanced Text Processing for more options.

 

Detailed Field Descriptions:

 

Name

The filter name is chosen by you and can be any text no longer than 128 characters. Filter names must be unique. The filter name may not contain a backslash (\).

 

Group

The group this filter belongs to. To change this, move the filter to a different group.

 

Targets

All targets that are to be notified (include filter) or not to be notified (exclude filter) when this filter matches.

 

Apply to all targets

Check this checkbox to notify all configured targets instead of selected ones.

 

Event Severity

Select which types of events this filter should match. "Audit Success" and "Audit Failure" are only relevant when you also monitor the security event log.

 

Log

Select which event log(s) this filter should monitor. The "Directory Service" and "File Replication (Service)" event logs are only useful on Windows 2000 (and higher) domain controllers. The "DNS Server" event log is only useful on Windows 2000 (and higher) servers with a DNS server installed.

 

Even when you configure the filter on a Windows NT workstation, "Directory Service," "File Replication (Service)" and "DNS Server" can still be checked. This is because you can roll out filters to remote installations that might have these event logs. There is no overhead in selecting these options on a system where the logs don't exist; they will simply be ignored.

Event Source

Specify which source this filter should match. If you do not specify an event source, the filter will match any source.

 

Event Category

Specify which category this filter should match. If you do not specify an event category, the filter will match any category.

 

Event ID

Specify which Event ID this filter should match. You can separate multiple Event IDs with a comma, for example "3,5,118".

 

Please note that Event IDs are only unique within an event source. It is therefore recommended that you only specify an Event ID when also specifying an event source; otherwise your filter could include or exclude events you never intended.

Username

Specify which username this filter should match. This is currently only relevant for the security event log. Usernames are logged by the operating system in the form DOMAIN\Username.

 

Computer

Specify which computer this filter should match. If you do not specify a computer name, the filter will match any computer.

 

Filter Type

Include:    If the filter matches, the target(s) specified in Targets will be notified.
Exclude:    If the filter matches, the target(s) specified in Targets (or none of the targets, if Apply to all targets is checked) will not be notified. Exclude filters always have to appear before the include filters they are meant to exclude. See Filters for more details.

 

Stop processing other filters

If you check this box then this filter will be the last to process this record, even if it is not the last one in the list.
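The following Python model is an added example, not EventSentry's own code, showing how an ordered list of include and exclude filters together with "Apply to all targets" and "Stop processing other filters" decides which targets are notified for a given record. The filter names, target names and event records are constructed; treating an empty filter field as "match anything", comparing strings case-insensitively and representing a record as a plain dictionary are assumptions of the model. It also shows why the Event ID caveat above matters: the exclude filter is scoped to one source, so the same Event ID from another source is not suppressed.

```python
"""Model of an ordered include/exclude filter chain.

Added example, not EventSentry's own code.  Assumptions not taken from the
documentation: an event is a plain dict, an empty filter field matches any
value, and string comparisons are case-insensitive.
"""
from dataclasses import dataclass

# Constructed target names for the example.
ALL_TARGETS = frozenset({"mail-admins", "syslog-siem", "database"})


@dataclass
class Filter:
    name: str
    kind: str                          # "include" or "exclude"
    targets: frozenset = frozenset()
    apply_to_all: bool = False         # "Apply to all targets" checkbox
    stop_processing: bool = False      # "Stop processing other filters" checkbox
    severity: frozenset = frozenset()  # e.g. {"Error", "Audit Failure"}; empty = any
    log: frozenset = frozenset()       # e.g. {"Security"}; empty = any
    source: str = ""                   # empty = any source
    event_ids: str = ""                # comma-separated, e.g. "3,5,118"; empty = any
    username: str = ""                 # DOMAIN\Username; empty = any


def parse_event_ids(spec):
    """Turn "3,5,118" into {3, 5, 118}."""
    return {int(x) for x in spec.split(",") if x.strip()}


def matches(flt, ev):
    """True when every populated filter field agrees with the event record."""
    if flt.severity and ev["severity"] not in flt.severity:
        return False
    if flt.log and ev["log"] not in flt.log:
        return False
    if flt.source and flt.source.lower() != ev["source"].lower():
        return False
    if flt.event_ids and ev["id"] not in parse_event_ids(flt.event_ids):
        return False
    if flt.username and flt.username.lower() != ev["username"].lower():
        return False
    return True


def evaluate(filters, ev):
    """Walk the filters in order and return the set of targets to notify.

    A matching exclude filter removes its targets from consideration for the
    include filters that come *after* it; a matching filter with
    stop_processing set ends the walk, whatever follows it in the list.
    """
    excluded, notified = set(), set()
    for flt in filters:
        if not matches(flt, ev):
            continue
        targets = ALL_TARGETS if flt.apply_to_all else flt.targets
        if flt.kind == "exclude":
            excluded |= targets
        else:
            notified |= targets - excluded
        if flt.stop_processing:
            break
    return notified


# Constructed filters, in the order an administrator would list them.
EXCLUDE_NOISY = Filter("Ignore SampleApp noise", "exclude", apply_to_all=True,
                       source="SampleApp", event_ids="3,5,118")
INCLUDE_ERRORS = Filter("Errors to admins", "include",
                        targets=frozenset({"mail-admins", "syslog-siem"}),
                        severity=frozenset({"Error"}))
INCLUDE_AUDIT = Filter("Audit failures to SIEM", "include",
                       targets=frozenset({"syslog-siem"}),
                       severity=frozenset({"Audit Failure"}),
                       log=frozenset({"Security"}), stop_processing=True)
INCLUDE_ALL = Filter("Everything to database", "include",
                     targets=frozenset({"database"}))

FILTERS = [EXCLUDE_NOISY, INCLUDE_ERRORS, INCLUDE_AUDIT, INCLUDE_ALL]
# Same filters with the exclude filter listed last: it no longer suppresses anything.
MISORDERED = [INCLUDE_ERRORS, INCLUDE_AUDIT, INCLUDE_ALL, EXCLUDE_NOISY]

# Constructed event records.
EVENTS = {
    "noisy": {"log": "Application", "source": "SampleApp", "id": 5,
              "severity": "Error", "username": ""},
    # Same Event ID 5 from another source: IDs are only unique per source,
    # so the source-scoped exclude filter must not catch this one.
    "real_error": {"log": "Application", "source": "OtherApp", "id": 5,
                   "severity": "Error", "username": ""},
    "audit": {"log": "Security", "source": "Security", "id": 77,
              "severity": "Audit Failure", "username": r"CORP\alice"},
}

if __name__ == "__main__":
    for name, ev in EVENTS.items():
        print(f"{name:11} -> {sorted(evaluate(FILTERS, ev))}")
    print("noisy, misordered ->", sorted(evaluate(MISORDERED, EVENTS["noisy"])))
```

Running the script shows the noisy record reaching no target with the recommended ordering and all three targets once the exclude filter is moved below the include filters, and the audit failure reaching only the SIEM target because the audit filter stops processing before the catch-all filter runs.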

 

Filter Text

If you would like to filter against a certain text string instead of, or in addition to, the properties listed above, you can use the Filter Text field. Type any text you want the filter to match in the actual event description. You can separate multiple strings with a comma (make sure there are no spaces after the comma). To include a comma as part of the text itself, type it twice (e.g. "event description, something else"). This field is case insensitive (since v1.15).

 

This field behaves differently depending on whether wildcard support (configured in "Service Options") is active:

 

Wildcard Support Not Active: EventSentry checks whether any one of the strings you specified occurs anywhere in the event description; an exact 1:1 match is not required.

 

Wildcard Support Active: Please see Wildcard Support for details. In this mode you need to either use wildcards or specify an exact 1:1 match.
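As an added example that is not EventSentry's own code, the Python below models the Filter Text field in both modes described above: comma-separated terms, the doubled comma for a literal comma, case-insensitive matching, and substring matching without wildcard support versus whole-description matching with it. Writing the literal comma as ",,", not trimming terms (so a space after a comma becomes part of the next term, which is why the text warns against it), and treating wildcard support as shell-style * and ? matched against the whole description are assumptions of this model; the descriptions and filter values are constructed.

```python
"""Model of the Filter Text field in its two modes.

Added example, not EventSentry's own code.  Assumed here: a literal comma is
written as ",," (the doubled comma the documentation describes), terms are not
trimmed, so a space after a comma becomes part of the next term, and
"wildcard support" means shell-style * and ? matched against the whole
description.
"""
import fnmatch


def split_filter_text(spec):
    """Split a comma-separated Filter Text value; ",," yields a literal comma."""
    terms, current, i = [], "", 0
    while i < len(spec):
        if spec[i] == ",":
            if spec[i + 1:i + 2] == ",":      # escaped comma: keep it in the term
                current += ","
                i += 2
                continue
            terms.append(current)             # unescaped comma: end of a term
            current = ""
            i += 1
            continue
        current += spec[i]
        i += 1
    terms.append(current)
    return [t for t in terms if t]            # drop empty terms


def filter_text_matches(description, spec, wildcards=False):
    """Case-insensitive match of an event description against a Filter Text value.

    Without wildcard support a term occurring anywhere in the description
    matches; with it, a term must match the whole description (use * to get
    substring behaviour back).  An empty Filter Text imposes no restriction.
    """
    terms = split_filter_text(spec)
    if not terms:
        return True
    desc = description.lower()
    for term in terms:
        term = term.lower()
        if wildcards:
            if fnmatch.fnmatchcase(desc, term):
                return True
        elif term in desc:
            return True
    return False


if __name__ == "__main__":
    # Constructed event description and filter values.
    desc = "Access DENIED for user CORP\\alice, reason: bad password"
    print(filter_text_matches(desc, "failed,denied"))                  # True: substring mode
    print(filter_text_matches("denied access", "failed, denied"))      # False: term is " denied"
    print(filter_text_matches(desc, "denied", wildcards=True))         # False: no 1:1 match
    print(filter_text_matches(desc, "*denied*", wildcards=True))       # True
    print(split_filter_text("reason: bad password,, please retry"))    # ['reason: bad password, please retry']
```

The second call is the practical point of the "no spaces after the comma" advice: with a space, the term that is searched for is " denied" rather than "denied", so a description beginning with the word is missed.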

 

Day and Time Restrictions

Please see the Day & Hour page for details.