Would like to be able to create a policy in Monitoring by Event ID(s).
Essentially be able to select or type in one or more event IDs to monitor and create a policy for.
If I understood correctly, this is possible to do.
If you add the Event Check, you can select the type of the Log to query and then you can add the source and one ID or multiple separated by a comma.
Let me know if this is not that intuitive and what is confusing in the setup of this check. We might need to redesign how it looks.
I think I worded my post wrong. What I want to do is NOT monitor.
For example, we always get an ID51 Time-Service event.
I would like to be able to monitor for everything except that event, or any other event, you get the idea.
Thanks for clarifying the previous post.
Unfortunately, it is very difficult to do exclusion-based monitoring on Event IDs. Windows generates a lot of events, and querying them all will generate lots of alarms, and the resource consumption of our service on the system will go up.
Maybe we could create exclusions for the source added, meaning that you can add a source and some Event IDs to be excluded. Then all events for the source will be forwarded without the ones excluded. It will do the same job as you described.
I will forward this to the team and we will see how feasible this is. However, I cannot promise anything for now.