IBM Enterprise Console manual Prefiltering Windows NT Log Events, PreFilterMode, SpaceReplacement


The PreFilter keyword is optional. All Windows NT log events are sent to the adapter if prefilters are not specified and PreFilterMode=OUT.

For additional information about prefiltering Windows NT log events, see “Prefiltering Windows NT Log Events” on page 130.

PreFilterMode

Specifies whether Windows NT log events that match a PreFilter statement are sent (PreFilterMode=IN) or ignored (PreFilterMode=OUT). Valid values are IN, in, OUT, or out. The default is OUT.

The PreFilterMode keyword is optional; if PreFilterMode is not specified, only events that do not match any PreFilter statements are sent to the adapter.

Note: If you set PreFilterMode=IN, make sure you have one or more PreFilter statements defined as well.

For additional information about prefiltering Windows NT event log events, see “Prefiltering Windows NT Log Events” on page 130.

SpaceReplacement

When SpaceReplacement is FALSE, any spaces in the security ID and subsource fields of the event log messages are left unchanged. When SpaceReplacement is TRUE, any spaces in the security ID and subsource fields of the event log messages are replaced with underscores. Set SpaceReplacement to TRUE if the format file expects the security ID and subsource fields to be a single word (that is, uses a %s format specification for them). The default setting is TRUE.

UnmatchLog

Specifies a file to log discarded events that cannot be parsed into an IBM Tivoli Enterprise Console event class by the adapter. The discarded events can then be analyzed to determine if modifications are needed to the adapter format file.

Prefiltering Windows NT Log Events

You can improve Windows NT event log adapter performance by filtering events in the Windows NT event logs so only those events that are of importance to administrators are processed by the adapter. This type of filtering is called prefiltering because it specifies selection criteria based on the raw Windows NT event record rather than the formatted IBM Tivoli Enterprise Console event. The prefiltering is performed before the event is formatted into an IBM Tivoli Enterprise Console event and subjected to any filtering specified with the Filter or FilterCache configuration file keywords.

Like other adapter filtering, prefiltering is specified in the adapter configuration file using a similar syntax. The prefiltering statements, PreFilter and PreFilterMode, are described in “Configuration File” on page 128.

As with any modification to an adapter configuration file, you must stop and restart the adapter for the changes to take effect.
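
The PreFilterMode behavior described above, modeled in Python as an added example (not code from the IBM manual or the adapter). The attribute names `log` and `event_id` and the sample events are constructed for illustration and are not the adapter's PreFilter syntax.

```python
# Added illustration of the PreFilterMode semantics; not the adapter's code.
# Attribute names ("log", "event_id") and all sample values are constructed.
VALID_MODES = ("IN", "in", "OUT", "out")

def matches(prefilter, event):
    """A prefilter matches when every attribute it names equals the event's value."""
    return all(event.get(key) == value for key, value in prefilter.items())

def is_sent(event, prefilters, mode="OUT"):
    """Return True if the raw event is passed on for formatting."""
    if mode not in VALID_MODES:
        raise ValueError("PreFilterMode must be IN, in, OUT, or out")
    hit = any(matches(p, event) for p in prefilters)
    # IN: only matching events are sent. OUT (default): matching events are ignored.
    return hit if mode.upper() == "IN" else not hit

def check_config(prefilters, mode="OUT"):
    """Flag the combination the Note warns about: IN with no PreFilter statements."""
    if mode in ("IN", "in") and not prefilters:
        return ["PreFilterMode=IN with no PreFilter statements: "
                "nothing can match, so no events are sent"]
    return []

# Constructed raw event records standing in for Windows NT log events.
SAMPLE_EVENTS = [
    {"log": "Security", "event_id": 1001},
    {"log": "Security", "event_id": 1002},
    {"log": "System", "event_id": 2001},
]

def sent_ids(prefilters, mode="OUT"):
    """Event IDs from SAMPLE_EVENTS that survive prefiltering."""
    return [e["event_id"] for e in SAMPLE_EVENTS if is_sent(e, prefilters, mode)]

if __name__ == "__main__":
    security_only = [{"log": "Security"}]
    print("no prefilters, OUT:", sent_ids([], "OUT"))
    print("no prefilters, IN: ", sent_ids([], "IN"), check_config([], "IN"))
    print("Security, IN:      ", sent_ids(security_only, "IN"))
    print("Security, OUT:     ", sent_ids(security_only, "OUT"))
```

The second case shows why the Note matters for audit pipelines: with PreFilterMode=IN and no PreFilter statements, every event is dropped before formatting.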

There are four attributes of the Windows NT event logs that you can use in defining prefilter statements. They are described in the following list:

130 IBM Tivoli Enterprise Console: Adapters Guide
