claidham -> Wild Card Problems (12.Feb.2009 8:36:52 AM)
I'm having some trouble getting a Wild Card to work in the event processing rules, although the pattern seems to work all right in Event Browser queries. I'm trying to mark our Anti-virus software logins as Noise on all systems - the software uses a local admin account created on each system to do a login as Service.

In Events Browser, my query is: "Field 1: Contains %Sophos%", "Field 4: Contains 5" - this works and shows me lots of events with Sophos in the username.

In Event Processing Rules, my query (under Noise reduction) is: "Field 1: Contains the text %Sophos%", "Field 4: Equal to 5" - this doesn't seem to work at all. I have confirmed that the rule is applied across my Windows systems, but I can't seem to get this message to match.

==========

Feature Request - In the next version of Events Manager, is it possible to have a button in the Events Browser window that allows you to convert an existing query into a new rule? Even a cut & paste feature would help eliminate transcription errors.