Eventlog monitoring and exclude some eventid

  • Kryol
    Member
    • Feb 2011
    • 70

    #1

    Eventlog monitoring and exclude some eventid

    Hi,

    I have a trigger for eventlog monitoring e.g. for System Log Errors
    Code:
    {Template Windows Logging:eventlog[System].logseverity(0)}=4
    Now I would like to exclude some events from triggering, e.g. event 27 for KDC

    I modify this trigger as follows
    Code:
    {Template Windows Logging:eventlog[System].logseverity(0)}=4 & ({Template Windows Logging:eventlog[System].logsource(KDC)}=1 & {Template Windows Logging:eventlog[System].logeventid(27)}#1)
    So I need a trigger as A & (B & C)

    Unfortunately it works as A & B & C and does not trigger anything (for KDC I have error 27 only).

    Is it possible to use A & (B & C) or another solution?
  • mgibson
    Junior Member
    • Jun 2012
    • 14

    #2
    Did you ever find an answer for this? I'm running 2.0.4, and having the exact same issue.


    • Kryol
      Member
      • Feb 2011
      • 70

      #3
      I cannot find an answer.
      It's strange. I have a trigger A & B | C | D & E | F which seems to work correctly, but this A & (B & C) works as A & B & C.


      • mgibson
        Junior Member
        • Jun 2012
        • 14

        #4
        Isn't A & (B & C) equivalent to A & B & C? No matter where you put the brackets, they all have to be true for the entire expression to be true.

        Also, try .logseverity() without a zero in it.


        • Kryol
          Member
          • Feb 2011
          • 70

          #5
          I need to switch the trigger if A is true and B & C are true simultaneously.

          For the example above it means that eventlog[System].logseverity(0)}=4 and eventid=27 for source KDC. I think it's A & (B & C).

          Now I get A & B & C, i.e. if the source is not KDC the trigger does not switch.
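
Added example, not part of the thread and not Zabbix code: a small Python model of the trigger from post #1, evaluated over constructed events and compared with an exclusion written via De Morgan's law. It assumes that logsource() and logeventid() return 1 on a regex match and 0 otherwise, and that all three functions read the same most recent event.

```python
import re

# Constructed sample events; severity 4 is the value tested in the thread's trigger.
EVENTS = [
    {"name": "kdc_27",    "severity": 4, "source": "KDC",  "eventid": 27},
    {"name": "kdc_other", "severity": 4, "source": "KDC",  "eventid": 11},
    {"name": "disk_err",  "severity": 4, "source": "Disk", "eventid": 7},
    {"name": "disk_warn", "severity": 2, "source": "Disk", "eventid": 51},
]

# Simplified stand-ins for the item functions (assumption: 1 = match, 0 = no match).
def logseverity(ev):
    return ev["severity"]

def logsource(ev, pattern):
    return 1 if re.search(pattern, ev["source"]) else 0

def logeventid(ev, pattern):
    return 1 if re.search(pattern, str(ev["eventid"])) else 0

def bracketed(ev):
    # Post #1: severity=4 & (logsource(KDC)=1 & logeventid(27)#1)
    return logseverity(ev) == 4 and (logsource(ev, "KDC") == 1 and logeventid(ev, "27") != 1)

def flat(ev):
    # Same terms without brackets: A & B & C
    return logseverity(ev) == 4 and logsource(ev, "KDC") == 1 and logeventid(ev, "27") != 1

def exclusion(ev):
    # "Error, unless it is KDC event 27": A & not(KDC & id27) == A & (not KDC | not id27)
    # Trigger form with the thread's operators:
    #   ...logseverity(0)}=4 & ({...logsource(KDC)}#1 | {...logeventid(27)}#1)
    return logseverity(ev) == 4 and (logsource(ev, "KDC") != 1 or logeventid(ev, "27") != 1)

def fired(expr):
    """Names of the sample events for which the expression is true."""
    return [ev["name"] for ev in EVENTS if expr(ev)]

if __name__ == "__main__":
    for label, expr in (("A & (B & C)", bracketed), ("A & B & C", flat),
                        ("A & (B#1 | C#1)", exclusion)):
        print(f"{label:18} fires on: {fired(expr)}")
```

The bracketed and flat forms fire on the same events because AND is associative; only the OR form lets non-KDC errors through while still suppressing KDC event 27.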
