IBM Enterprise Console manual Prefiltering Windows Log Events, EventId


The WINEVENTLOGS statement is a comma-delimited list with no spaces that can contain the following values: Application, Directory (Directory service), DNS, FRS, Security, System, All, and None.

In the following WINEVENTLOGS statement, the System, Security, and File Replication service event logs are monitored and all others are ignored:

WINEVENTLOGS=System,Security,FRS

In the following statement, all event logs are monitored:

WINEVENTLOGS=All

If a statement contains one or more event logs as well as the All or None option, the All or None option is used and the list of event logs is ignored. In the following example, all event logs are monitored even though specific event logs are also listed:

WINEVENTLOGS=DNS,Directory,All

If a statement contains both the All and None options, the None option overrides all other options. In the following example, no event logs are monitored:

WINEVENTLOGS=Application,All,FRS,Directory,None

After changing the WINEVENTLOGS statement in the tecad_win.conf file, you must restart the adapter for the changes to take effect.
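The precedence rules above can be checked mechanically before the adapter is restarted. The following is an added example, not code from the manual or the product: it resolves a WINEVENTLOGS statement to the set of logs that remain monitored and reports required logs that are missing. The function names, the `required` parameter, the case-sensitive matching, the rejection of unknown values, and the reading of All as the six named logs are assumptions of this example.

```python
# Added example: resolves a WINEVENTLOGS statement using the rules stated above.
VALID_LOGS = ("Application", "Directory", "DNS", "FRS", "Security", "System")
KEYWORDS = ("All", "None")


def effective_logs(statement):
    """Return the set of event logs a WINEVENTLOGS statement leaves monitored."""
    key, sep, value = statement.partition("=")
    if sep != "=" or key != "WINEVENTLOGS":
        raise ValueError("not a WINEVENTLOGS statement: %r" % statement)
    if any(ch.isspace() for ch in value):
        # The manual defines the list as comma-delimited with no spaces.
        raise ValueError("spaces are not allowed in the list: %r" % value)
    items = value.split(",")
    unknown = [i for i in items if i not in VALID_LOGS + KEYWORDS]
    if unknown:
        # Rejecting unknown or wrongly cased names is this example's choice.
        raise ValueError("unrecognized value(s): %s" % ", ".join(map(repr, unknown)))
    if "None" in items:   # None overrides every other option, including All
        return set()
    if "All" in items:    # All overrides any individually listed logs
        return set(VALID_LOGS)  # assumption: All means the six named logs
    return set(items)


def audit(statement, required=("Security",)):
    """Return the required logs that the statement does NOT monitor."""
    return sorted(set(required) - effective_logs(statement))


if __name__ == "__main__":
    # Sample statements taken from the examples in the text above.
    for s in ("WINEVENTLOGS=System,Security,FRS",
              "WINEVENTLOGS=DNS,Directory,All",
              "WINEVENTLOGS=Application,All,FRS,Directory,None"):
        print(s, "->", sorted(effective_logs(s)), "missing:", audit(s))
```

A stray None anywhere in the list leaves nothing monitored, so `audit` reports Security as missing for the last sample statement.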

Prefiltering Windows Log Events

You can improve Windows event log adapter performance by filtering events in the Windows event logs so only those events that are of importance to administrators are processed by the adapter. This type of filtering is called prefiltering because it specifies selection criteria based on the raw Windows event record rather than the formatted IBM Tivoli Enterprise Console event. The prefiltering is performed before the event is formatted into an IBM Tivoli Enterprise Console event and subjected to any filtering specified with the Filter or FilterCache configuration file keywords.

Like other adapter filtering, prefiltering is specified in the adapter configuration file using a similar syntax. The prefiltering statements, PreFilter and PreFilterMode, are described in “Configuration File” on page 112.

As with any modification to an adapter configuration file, you must stop and restart the adapter for the changes to take effect.

There are four attributes of the Windows event logs that you can use in defining prefilter statements. They are described in the following list:

Log

Specifies one or more of the Windows event logs to prefilter. Valid values are System, Security, Application, DNS, FRS, Directory, or any combination of these separated by commas. The default is all these event logs.

EventId

Specifies the event number assigned by Windows. You can specify up to sixteen event numbers. Multiple event numbers must be separated by commas.

Chapter 10. Windows Event Log Adapter 115
