Ignoring Events
In most cases, there are some events that we would like to ignore: events we know
occur often and that we also know to be of no interest for what we are trying to
accomplish. Typically, these are events that we do not want to store in our log files
and that should not trigger any other action either.
We handle these events at the top of our rule set. This ensures that only minimal
processing time is needed and that they are discarded as early as possible.
In this tutorial, we define a filter that discards such events. In our
example, we assume that events with the IDs 105, 108 and 118 are not required.
Please note that, for simplicity, we only filter based on the event ID. In
a production environment, you might want to add additional properties to the
filter set.
In this sample, no service or rule set is defined yet. It is just a “plain”
system right after installation, as can be seen in the following screen shot:

We begin by defining a rule set. Right-click on “RuleSets” and choose “Add RuleSet” from the context menu. Type in a name of your choice.
In this tutorial, we use the name "Defaults". Click on "Next". Leave everything as it is
in the next dialog. Click "Next", then "Finish". As can be seen in the following screen shot, the rule set
"Defaults" has been created but is still empty.

Of course, we can only use a rule if we configure a corresponding service. To
do so, right-click on "Running Services" and choose "Service" in the context
menu. Then select “Add Services" and "Event Log Monitor". Provide a name of your
choice. In our sample, we call the service "Event Log Monitor". Leave all
defaults and click “Next”, then “Finish”. Now click on "Event Log Monitor" under
"Running Services". Your screen should look as follows:

Because we created the “Defaults” rule set first, it is shown as
the rule set to use for this service. For our purposes, that is correct. To
learn more about the power of rule set assignments, see the other sections of this
manual. Now we will do something with the data generated by the event
log monitor. To do so, we must define rules inside the rule set. In the tree
view, right-click "Defaults" below “RuleSets”. Then, click "Add Rule". Choose
any name you like. In our example, we call this rule "Discard". Then, expand the
tree view until it looks like the following screen shot:

Click on “Filter Conditions” to see this dialog:

In that dialog, we will define our filter. Remember: we are about to filter
those events that we are not interested in. As we would like to discard
multiple events, we need the Boolean “OR” operator in the top-level node, not
the default “AND”. Thus, we need to change the Boolean operator. There are
different ways to do this: either double-click the “AND” to cycle through the
supported operations, or select it and click “Change Operator”. Either way, the
Boolean operation should now read “OR”. We filter out “uninteresting”
events via their event id. Again, there are different ways to do this. In the
sample, we do it by right-clicking the “OR” node and selecting “AddFilter” from
the pop-up menu. This can be seen in the screen shot below:

I prefer to add all three event id property filters first and only then change
each event id to the actual value I am looking for. When you have added them, your
screen should look as follows:

To enter the actual values, select each of the three filters in turn. A small
dialog opens at the bottom of the screen where you enter the values you are
interested in. In our sample, these are the IDs 105, 108 and 118. As we are only
interested in exactly these values, we use the equality comparison, not one of
the other supported comparison modes. When you have made the updates, your screen
should look as follows:

Save the settings by clicking the (diskette-like) “Save” button. We have now
selected all events that we would like to discard. In reality, there are
often far more of them, or a more complicated filter is needed. We have kept it simple so
that the basic concept is easy to understand, but the filter can be as complex as your
needs require. Now let us go ahead and actually discard these events. This is done
via an action. To do so, right-click on "Actions" and select "Discard".

Again, name the action as you like in the following dialog. We use “Discard”,
as this is quite descriptive. Select “Next” and then “Finish” on the next page.
Your screen should look as follows:

This concludes the definition of our first rule. If we started the
MonitorWare Agent service now, all events with IDs 105, 108 and 118 would be
handled by this rule and thus be discarded. For all other events, the
filter condition evaluates to false, so they are left untouched.
Consequently, only these other events flow down to the rules defined after the
“Discard” rule. Obviously, our configuration effort is not yet complete. We
have just finished a first step: excluding those events that we are not interested
in. And of course, in a real rule set you need to decide for yourself which events
to discard.
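To make the rule-set semantics concrete, here is an added Python model of the “Discard” rule built above (example code, not MonitorWare Agent's own): a filter-condition tree with an AND/OR node over three event-id equality filters, evaluated against a few constructed events. The event field names and the sample event list are assumptions. It also shows why the top-level operator must be “OR”: with the default “AND”, no single event id can equal all three values, so nothing would be discarded.

```python
from dataclasses import dataclass, field
from typing import List

# Constructed sample events (field names are assumptions, not MonitorWare's own).
EVENTS = [
    {"id": 105, "source": "Service Control Manager"},
    {"id": 108, "source": "Winlogon"},
    {"id": 118, "source": "Winlogon"},
    {"id": 4625, "source": "Security"},  # must survive the Discard rule
    {"id": 7036, "source": "Service Control Manager"},
]

@dataclass
class PropertyFilter:
    """Leaf node: compare one event property for equality, as in the tutorial."""
    prop: str
    value: object

    def matches(self, event: dict) -> bool:
        return event.get(self.prop) == self.value

@dataclass
class BoolNode:
    """Inner node: the AND/OR operator node of the filter-condition tree."""
    op: str
    children: list = field(default_factory=list)

    def matches(self, event: dict) -> bool:
        results = [c.matches(event) for c in self.children]
        return all(results) if self.op == "AND" else any(results)

@dataclass
class Rule:
    name: str
    condition: BoolNode
    action: str  # "Discard" here; later rules would carry other actions

def run_ruleset(rules: List[Rule], events: List[dict]) -> List[dict]:
    """Events that flow past every rule; a matching Discard rule stops processing."""
    survivors = []
    for event in events:
        if not any(r.condition.matches(event) and r.action == "Discard" for r in rules):
            survivors.append(event)
    return survivors

def build_discard_rule(op: str) -> Rule:
    """The tutorial's Discard rule: three event-id equality filters under one operator."""
    node = BoolNode(op, [PropertyFilter("id", i) for i in (105, 108, 118)])
    return Rule("Discard", node, "Discard")
```

Running `run_ruleset([build_discard_rule("OR")], EVENTS)` leaves only the events with ids 4625 and 7036, whereas the same call with `"AND"` leaves all five events untouched.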