Filtering Question
|
Logged in as: Guest
|
|
Users viewing this topic:
none
|
|
Login  | |
|
Filtering Question - 28.Mar.2008 9:19:30 AM
|
|
|
kellys
Posts: 1
Score: 0
Joined: 28.Mar.2008
Status: offline
|
Super-easy question, I've been over the documentation and I've tried a dozen different filters and I'm still not seeing the obvious.
What field do you pick when trying to filter for a bit of text on an application event log entry? As in, the body of the event log entry?
Edit: I'm using EventsManager 7.
|
|
|
|
|
RE: Filtering Question - 31.Mar.2008 5:04:52 AM
|
|
|
Sven Berger
Posts: 184
Score: 0
Joined: 25.Feb.2008
Status: offline
|
Hi Kellys,
instead of posting the quick and definite answer to your Question, I would like to post a little trick that I usually use in a case like this:
If you are looking for a certain field type in order to configure an event alert, make sure you would archive the event first in the EVM8 Database.
Once it is archived and displayed in the Evensbrowser, you can see which property of the Windows Event has been assigned to which field in Evetnsmanager. For example, let's look at the following event:
Event Origin Details:
Date: 3/18/2008
Time: 10:49:24 AM
Type: Information
Username: N/A
Computer: DC
Source: DrWatson
Category: None
Event ID: 4097
Internal Event ID: D253EEC11624
Rule Name: N/A
In Work Hours: Yes
The application, C:\WINDOWS\Explorer.EXE, generated an application error
The error occurred on 03/18/2008 @ 10:49:23.987
The exception generated was c0000005 at address 7C839E96 (ntdll!LdrAccessResource)
The actual Text (in Bold) is NOT archived, but all the parameters that are used to create this message in Bold text ARE.
For instance, if you look at this Event in the Evetnsbrowser, the following Parameters are fed into the following Fields:
"C:\WINDOWS\Explorer.EXE" => Field 1
"03/18/2008 @ 10:49:23.987" => Field 2 - Field 8
"c0000005 " => Field 9
etc.
So you see that searching for "The application, C:\WINDOWS\Explorer.EXE, generated an application error" will not actually return something because there is no field that contains the entire text.
You would need to find out which parameter you are after and then search for this parameter in the appropriate field, or a combination thereof.
Hope this helps you to configure your alert appropriately.
_____________________________
Sven Berger
GFI Software - www.gfi.com
Messaging, Content Security & Network Security Software
|
|
|
|
|
RE: Filtering Question - 27.Oct.2009 7:19:24 AM
|
|
|
sgravel
Posts: 2
Score: 0
Joined: 27.Oct.2009
Status: offline
|
Sorry to dredge up an old post, but I have some questions regarding these additional fields. Basically, my questions center around the fact that the field number relating to the data I may be interested in is hard to predict. As the previous example shows, three lines of data are split into 9 fields, and without someone telling you, there is a fair amount of trial and error involved in guessing which field contains which data.
I wrote a query that searches the DESCRIPTIONS table in the EM database for a given Event ID, so that I can look at the template for that Event ID and see which field number goes with the element I am interested in filtering on, etc., but that seems like it's more than should be required. I also notice that if I switch to XML view and count the number of <Data Name> tags till I get to the thing I want, that this is a way to know the field number. Again, it doesn't make sense that it should be that hard.
Is there another way to know the field number for a given bit of data I want for a given Event ID?
Feature Request: Make the event data shown on the right hand side of the events browser such that field data (as opposed to static template text) is identified, and make it so that when you hover over actual data, the field number is displayed as rollover text.
Thanks,
Steve
|
|
|
|
|
RE: Filtering Question - 29.Oct.2009 3:20:19 AM
|
|
|
mherberg
Posts: 60
Score: 0
Joined: 19.May2009
Status: offline
|
sgravel,
You are correct, an SQL query to the descriptions field of the actual database does seem to be very complicated to find out which data is stored in which field and is fortunately also not necessary.
If you open your Events Browser you will see, that for all events the information used on the right hand side as description is actually shown in the middle pane split up in the respective columns (Field1, Field2, etc.) - So basically, all you need to do is to archive a certain event once, open your Events Browser, find the event and scroll to the right until you see the 'Field'-columns. You will then see, that these fields combined make up the description on the right.
NOTE: If you don't see the 'Field'-columns, click on "Customize view" and make sure you have ticked all the boxes for these columns.
Hope this helps.
Let me know if you have any further questions.
_____________________________
Regards,
Matthias Herberg - Product Specialist
GFI Software - www.gfi.com
Messaging, Content Security & Network Security Software
|
|
|
|
|
RE: Filtering Question - 29.Oct.2009 6:12:21 AM
|
|
|
sgravel
Posts: 2
Score: 0
Joined: 27.Oct.2009
Status: offline
|
That's what I was looking for! These weren't in my view. Much better now... thanks.
|
|
|
|
 New Messages |
 No New Messages |
 Hot Topic w/ New Messages |
 Hot Topic w/o New Messages |
 Locked w/ New Messages |
 Locked w/o New Messages |
|
 Post New Thread
Reply to Message
Post New Poll
Submit Vote
Delete My Own Post
Delete My Own Thread
Rate Posts |
|
|
Printable Version
