Rodger Keesee

Recent changes to Windows Event datasource filter need more thought

Recommended Posts

From the v75 release notes. "Information, FailureAudit and SuccessAudit have been removed as options for the Windows Eventsource Level filter. Level filters set to these values always had to be used in conjunction with an event ID, making them superfluous."

This is a bad change. It wasn't superfluous, it was clear interface design. Here's the unintended consequences to this change:

  1. 1) I can't have a single windows event datasource that shows both warnings and errors unless I create a new datasource and not change the filter from the default. 
  2. 2) Why have a “more urgent than” setting when it doesn’t do anything? See the table below
  3. 3) There is no way to set an existing datasource back to the default (more urgent than information) once it has been modified.

Here are the options that are possible after the change in the interface.

Datasource filter setting

What is alerted

Notes

LEVEL More urgent than Warning

Will only alert on Errors

Pointless because it’s the same as below

LEVEL More urgent than Error

Will never alert on anything

Pointless because it never alerts

LEVEL Equal Error

Will only alert on Errors

 



Share this post


Link to post
Share on other sites

Hi Rodger,

We've always excluded all Windows Events of level Informational by default.  As a result, capturing Informational Events required you to set a filter to match the ID of desired Informational Events.  Because you already had to match on ID for Informational Events, there wasn't much value to having Informational as a Level filter.  Re your comments:

1) By default, Windows Eventsources should alert on Warning and Error Events.  You shouldn't need any Level filters to accomplish this.

2) The More urgent than operator may not be useful for Windows Eventsources, but this operator is used (and is valuable) for different Eventsource types

3) We intentionally removed the option to set a Level filter to Informational

Can you give us more detail on the Events you're trying to capture/exclude?  

Thanks,

Sarah

Share this post


Link to post
Share on other sites

Thanks for the speedy reply Sarah. 

I think what I want is simple: I want to capture both Warning and Error types in the same Eventsource. So previously I would modify a Windows Eventsource to have the filter "LEVEL More urgent than Information". The way the interface is now, I need to create two different Eventsources, one for LEVEL Equal Error and LEVEL Equal Warning. Are you saying that removing the LEVEL filter is the same as showing all Warning and Error events? 

It's extra confusing because when I create a new Eventsource the filter is set to LEVEL More urgent than Information. But with this interface change, I can never set an existing Eventsource to that. 

Ya know, I've heard from multiple sources that this is just the way it is and to get used to it. I'm bummed at this pointless interface change (because it wasn't harming anyone before) but I can work around it by creating twice as many Windows Eventsources as I previously needed to. 

Share this post


Link to post
Share on other sites

Yes, removing the LEVEL filter is the same as showing all Warning and Error Events.  When you create a new Eventsource, there shouldn't be any filters by default - so new Eventsources should default to capturing Warning & Error Events.  Functionality-wise, you shouldn't notice any differences between your old Eventsources that have a filter set to LEVEL More urgent than Information, and a new Eventsource with no LEVEL filter set.  You definitely should not need to create any more Windows Eventsources.  

The change was made to simplify things, as having Information as an option for LEVEL filters was (a) not serving any purpose and (b) causing confusion. 

Share this post


Link to post
Share on other sites

Regarding this statement:

    3) We intentionally removed the option to set a Level filter to Informational

You may or may not be aware that Windows logs some important issues as Informational events.  See event ID Microsoft-Windows-Security-Auditing/4740 for one example, and this (to me) is sufficient to counter this design decision.  OTOH, that one example may be better handled with a script eventsource, but the point is that it should be possible to do what is needed in the normal eventsource since Windows is not smart about how it handles some events.  It should be hard to enable (Advanced?) but possible.

I would also add a related note that the current FILTEREDEVENTS property filter matches only event ID, not event source and event ID.  The former is not necessarily unique across events.  I think the filtering should be against the tuple of event source and event ID.  Then if you really want just the ID, you can certainly say */nnnnn in the filter.

Regards,
Mark

Share this post


Link to post
Share on other sites

Hi Mark,

It is still possible to capture Windows Informational Events - that has not changed.  All you need to do is add a filter that specifies the event ID of the Informational Event you want to capture.  This has always been the requirement for capturing Informational events.  The LEVEL filter option of 'Informational' had to be used in addition to the event ID filter, making it superfluous.  That is why it was removed, but you shouldn't actually notice any difference in functionality with this removal.  Re filtering based on event source and event ID, you can use the FILTEREDEVENTS property (or and eventID filter) to filter based on event ID and additionally add a sourcename filter to filter based on event source.  Multiple filters are combined with a logical AND, so the captured events will be restricted to the specified source & Ids.

Thanks,

Sarah

Share this post


Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.